cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to export incidents in azure sentinel

%3CLINGO-SUB%20id%3D%22lingo-sub-1070077%22%20slang%3D%22en-US%22%3EHow%20to%20export%20incidents%20in%20azure%20sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1070077%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Team%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20need%20to%20export%20the%20incidents%20to%20excel.%20Is%20this%20possible%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBasically%20i%20want%20to%20summarize%20the%20no%20of%20incidents%20triggered%20for%20curtain%20time%20period%20and%20do%20further%20analysis%20on%20this.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1070077%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Sentinel%20Incidents%20Export%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1070327%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20export%20incidents%20in%20azure%20sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1070327%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F419828%22%20target%3D%22_blank%22%3E%40Pavan_Gelli%3C%2FA%3E%26nbsp%3Bwould%20be%20doing%20a%20query%20against%20SecurityAlert%20work%3F%26nbsp%3B%20It%20shows%20the%20alerts%20but%20not%20the%20actual%20incidents%20but%20the%20numbers%20should%20be%20close%20if%20you%20don't%20need%20the%20exact%20information%20from%20the%20incident.%20If%20you%20query%20in%20the%20Logs%20screen%20you%20can%20export%20your%20results.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1073911%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20export%20incidents%20in%20azure%20sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1073911%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F419828%22%20target%3D%22_blank%22%3E%40Pavan_Gelli%3C%2FA%3E%26nbsp%3BOnce%20you%20have%20the%20KQL%20query%20you%20want%2C%20run%20it%20and%20then%20choose%20the%20Export%20menu.%20Is%20this%20what%20your're%20talking%20about%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162532i72F8F07477051F7A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22export.jpg%22%20title%3D%22export.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1077858%22%20slang%3D%22en-US%22%3ERE%3A%20How%20to%20export%20incidents%20in%20azure%20sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1077858%22%20slang%3D%22en-US%22%3EJust%20saw%20this%20great%20post%20on%20LinkedIn%20about%20it.%20%3CA%20href%3D%22https%3A%2F%2Fazsec.azurewebsites.net%2F2019%2F12%2F16%2Fextract-all-azure-sentinel-incidents%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fazsec.azurewebsites.net%2F2019%2F12%2F16%2Fextract-all-azure-sentinel-incidents%2F%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1091796%22%20slang%3D%22en-US%22%3ERE%3A%20How%20to%20export%20incidents%20in%20azure%20sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1091796%22%20slang%3D%22en-US%22%3E%3CP%3EI%20want%20close%20all%20key%20vault%20incidents.%20But%20i%20dont%20see%20way%20to%20do%20this%20using%20PS%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F46875%22%20target%3D%22_blank%22%3E%40Gary%20Bushey%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Pavan_Gelli
New Contributor

‎Dec 17 2019 05:44 AM - last edited on ‎Nov 02 2021 05:45 PM by

‎Dec 17 2019 05:44 AM - last edited on ‎Nov 02 2021 05:45 PM by

How to export incidents in azure sentinel

Hi Team,

 

I have need to export the incidents to excel. Is this possible ?

 

Basically i want to summarize the no of incidents triggered for curtain time period and do further analysis on this.

 

Thanks

5,972 Views
0 Likes
4 Replies
Reply
4 Replies
Gary Bushey

‎Dec 17 2019 08:07 AM

‎Dec 17 2019 08:07 AM

Re: How to export incidents in azure sentinel

@Pavan_Gelli would be doing a query against SecurityAlert work?  It shows the alerts but not the actual incidents but the numbers should be close if you don't need the exact information from the incident. If you query in the Logs screen you can export your results.

0 Likes
Reply
rodtrent

‎Dec 19 2019 04:45 AM - edited ‎Jan 03 2020 01:00 PM

‎Dec 19 2019 04:45 AM - edited ‎Jan 03 2020 01:00 PM

Re: How to export incidents in azure sentinel

@Pavan_Gelli Once you have the KQL query you want, run it and then choose the Export menu. Is this what you're talking about?

 

export.jpg

0 Likes
Reply
Gary Bushey

‎Dec 22 2019 09:00 AM

‎Dec 22 2019 09:00 AM

RE: How to export incidents in azure sentinel

Just saw this great post on LinkedIn about it. https://azsec.azurewebsites.net/2019/12/16/extract-all-azure-sentinel-incidents/
1 Like
Reply
Pavan_Gelli1910

‎Jan 05 2020 11:08 PM

‎Jan 05 2020 11:08 PM

RE: How to export incidents in azure sentinel

I want close all key vault incidents. But i dont see way to do this using PS @Gary Bushey 

0 Likes
Reply