Forum Discussion
How to export incidents in azure sentinel
I looked at my previous export and that message "Connection to a custom network indicator" appears to be ok. I just have so many results that it felt broken. It looks to be fine. Is it possible to keep the CompromisedEntity?
How can we keep this format and yet let me pick the date range for the query?
Update: got the entity part. Is there a completed/solved column?
A date range you can do with a "between"; here is an example:
SecurityAlert
//| where TimeGenerated > ago(5h)
| where TimeGenerated between( datetime(2023-11-01 09:00) .. datetime(2023-11-02 09:00) )
Please see a blog I did for other examples:
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/how-to-align-your-analytics-with-time-windows-in-azure-sentinel/ba-p/1667574
You can add "CompromisedEntity" to the summarize, e.g.:
| summarize AlertCount=dcount(AlertIds), arg_max(TimeGenerated,Title,
Severity,
Status,
Owner,
ModifiedBy,
CreatedTime,
FirstModifiedTime,
LastModifiedTime,
ProductName,
CompromisedEntity,
Tags= tostring(parse_json(Labels).labelName),
Comments=tostring(parse_json(Comments).message))
by IncidentNumber
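Putting the two pieces together, here is one complete query that produces one row per incident in a chosen window, with the Status/Classification columns and the compromised entity. This is an added example, not code from the original thread or from Microsoft; it assumes the standard Microsoft Sentinel SecurityIncident and SecurityAlert tables, and it takes CompromisedEntity from SecurityAlert and attaches it through the incident's AlertIds (assumption: that is where the column lives in your workspace).

```kusto
// Added example (not from the original thread). Assumes the standard Microsoft
// Sentinel SecurityIncident and SecurityAlert tables. CompromisedEntity is read
// from SecurityAlert and attached to the incident through AlertIds (assumption:
// that is where the column lives in your workspace).
let startTime = datetime(2023-11-01 09:00);
let endTime   = datetime(2023-11-02 09:00);
SecurityIncident
| where TimeGenerated between (startTime .. endTime)
// SecurityIncident writes a new row on every change, so keep only the latest row per incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// Status is New / Active / Closed; Classification (TruePositive, FalsePositive, ...) is only set on close
| extend IsClosed = (Status == "Closed")
| extend Tags = tostring(Labels),          // full Labels array as JSON text
         LastComment = tostring(Comments)  // full Comments array as JSON text
// mv-expand produces no row for an empty array, so give alert-less incidents a placeholder
| extend AlertIdList = iff(array_length(AlertIds) == 0, dynamic([""]), AlertIds)
| mv-expand AlertId = AlertIdList to typeof(string)
| join kind=leftouter (
    SecurityAlert
    // alerts can be raised before the incident rows in the window, so look back a little further
    | where TimeGenerated between ((startTime - 7d) .. endTime)
    | summarize arg_max(TimeGenerated, CompromisedEntity) by SystemAlertId
    | project SystemAlertId, CompromisedEntity
  ) on $left.AlertId == $right.SystemAlertId
// collapse back to one row per incident; the placeholder alert id is excluded from the count
| summarize AlertCount = dcountif(AlertId, isnotempty(AlertId)),
            CompromisedEntities = make_set_if(CompromisedEntity, isnotempty(CompromisedEntity)),
            take_any(Title, Severity, Status, IsClosed, Classification, ClassificationReason,
                     Owner, ModifiedBy, CreatedTime, ClosedTime, LastModifiedTime, Tags, LastComment)
  by IncidentNumber
| order by IncidentNumber asc
```

Change the two `let` values to move the window; the 7-day look-back on SecurityAlert is an assumption, widen it if your incidents collect alerts over a longer period. Because the incident table is de-duplicated before the alert join, `take_any` is enough to carry the incident columns through the second summarize.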