Mar 21 2023 07:37 AM
How do I find the number of events contributing to incidents in the last month in Sentinel?
Mar 21 2023 08:54 AM
If by Events you mean Alerts, then this would work:
SecurityIncident
| where TimeGenerated > ago(30d)
// SecurityIncident holds one row per incident update: keep only the latest state of each incident
| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber), Severity
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
// one row per alert attached to the incident
| mv-expand AlertIds to typeof(string)
| join
(
SecurityAlert
| summarize AlertCount=dcount(SystemAlertId) by SystemAlertId
) on $left.AlertIds == $right.SystemAlertId
// number of alerts per incident, per day
| summarize count(AlertCount) by IncidentNumber, bin(TimeGenerated,1d)
e.g. Incident 186 had 4 Alerts.
Or do you mean Events as in an EventID or a specific issue?
Mar 21 2023 09:14 AM
I meant the events which are captured in the evidence of a security incident; below is an example. I want the count of all the events for all incidents in the last month, i.e. the actionable events which led to the incident.
Mar 21 2023 10:57 AM
Solution
That screenshot helped.
SecurityIncident
| where TimeGenerated > ago(30d)
// keep only the latest state of each incident
| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber), Severity
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
// one row per alert attached to the incident
| mv-expand AlertIds to typeof(string)
| join
(
SecurityAlert
// the evidence event count a scheduled analytics rule stores with each alert it raises
| extend Search_Query_Results_Overall_Count_ = tostring(parse_json(ExtendedProperties).["Search Query Results Overall Count"])
| summarize AlertCount=dcount(SystemAlertId) by SystemAlertId, Search_Query_Results_Overall_Count_
) on $left.AlertIds == $right.SystemAlertId
| project IncidentNumber, AlertCount, Search_Query_Results_Overall_Count_
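The accepted query lists the evidence count per alert; the original question asked for the total per incident. The query below is an added example, not part of the thread, that rolls the per-alert "Search Query Results Overall Count" up to one row per incident and also counts the alerts that carry no such property. It assumes the scheduled analytics rule behaviour seen in the screenshot: only alerts raised by scheduled rules write that key into SecurityAlert.ExtendedProperties, so alerts from other providers (Defender, Entra ID Protection and the like) contribute 0 to the event total and are reported separately in AlertsWithoutEvidenceCount rather than silently dropped.

```kusto
// Added example (not from the original thread): evidence events per incident, last 30 days.
// Assumption: "Search Query Results Overall Count" is present only on alerts from
// scheduled analytics rules; other alerts are counted but contribute 0 events.
SecurityIncident
| where TimeGenerated > ago(30d)
// SecurityIncident holds one row per update; keep the latest state of each incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// one row per alert attached to the incident
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=leftouter (
    SecurityAlert
    | where TimeGenerated > ago(45d)   // alerts can predate the incident's last update
    | extend EvidenceEvents = toint(parse_json(ExtendedProperties)["Search Query Results Overall Count"])
    // an alert can also be written more than once; keep its latest copy
    | summarize arg_max(TimeGenerated, EvidenceEvents) by SystemAlertId
) on $left.AlertId == $right.SystemAlertId
| summarize Alerts = dcount(AlertId),
            EvidenceEvents = sum(coalesce(EvidenceEvents, 0)),
            AlertsWithoutEvidenceCount = countif(isnull(EvidenceEvents))
  by IncidentNumber, Title, Severity
| order by EvidenceEvents desc
```

Drop the `by IncidentNumber, Title, Severity` clause and keep only the `sum(...)` if you want the single grand total for the month. Note that the count is the number of rows the rule's query returned when the alert fired, so if two rules fire on the same underlying records those records are counted once per alert.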