cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

howto find number of events contributing to incidents in last one month in sentinel.

deepak198486
Copper Contributor

‎Mar 21 2023 07:37 AM

‎Mar 21 2023 07:37 AM

howto find number of events contributing to incidents in last one month in sentinel.

how to find number of events contributing to incidents in last one month in sentinel.

Labels:
1,521 Views
0 Likes
3 Replies
Reply
3 Replies
Clive_Watson

‎Mar 21 2023 08:54 AM

‎Mar 21 2023 08:54 AM

Re: howto find number of events contributing to incidents in last one month in sentinel.

@deepak198486 

 

If by Events you mean Alerts then this would work?

SecurityIncident
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber), Severity
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand AlertIds to typeof(string)
| join 
(
    SecurityAlert
    | summarize AlertCount=dcount(SystemAlertId) by SystemAlertId
) on $left.AlertIds == $right.SystemAlertId
| summarize count(AlertCount) by IncidentNumber, bin(TimeGenerated,1d)

e,g,  Incident 186 had 4 Alerts 

Clive_Watson_0-1679414028725.png

 




or do you mean Events as in an EventID or specific issue?

0 Likes
Reply
deepak198486

‎Mar 21 2023 09:14 AM

‎Mar 21 2023 09:14 AM

Re: howto find number of events contributing to incidents in last one month in sentinel.

@Clive_Watson 

I meant the events which are captured in evidence of a security incident below is the example. I want count of all the events for all incidents in last one month. ie the actionable events which lead to the incident.

deepak198486_0-1679415161745.png

 

0 Likes
Reply
best response confirmed by deepak198486 (Copper Contributor)
Clive_Watson

‎Mar 21 2023 10:57 AM

‎Mar 21 2023 10:57 AM

Solution

Re: howto find number of events contributing to incidents in last one month in sentinel.

@deepak198486 

Thats screen shot helped.

 

SecurityIncident
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber), Severity
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand AlertIds to typeof(string)
| join 
(
    SecurityAlert
    | extend Search_Query_Results_Overall_Count_ = tostring(parse_json(ExtendedProperties).["Search Query Results Overall Count"])
    | summarize AlertCount=dcount(SystemAlertId) by SystemAlertId, Search_Query_Results_Overall_Count_
) on $left.AlertIds == $right.SystemAlertId
| project IncidentNumber, AlertCount, Search_Query_Results_Overall_Count_
1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by deepak198486 (Copper Contributor)
Clive_Watson

‎Mar 21 2023 10:57 AM

‎Mar 21 2023 10:57 AM

Solution

Re: howto find number of events contributing to incidents in last one month in sentinel.

@deepak198486 

Thats screen shot helped.

 

SecurityIncident
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber), Severity
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand AlertIds to typeof(string)
| join 
(
    SecurityAlert
    | extend Search_Query_Results_Overall_Count_ = tostring(parse_json(ExtendedProperties).["Search Query Results Overall Count"])
    | summarize AlertCount=dcount(SystemAlertId) by SystemAlertId, Search_Query_Results_Overall_Count_
) on $left.AlertIds == $right.SystemAlertId
| project IncidentNumber, AlertCount, Search_Query_Results_Overall_Count_

View solution in original post

1 Like
Reply