Forum Discussion
howto find number of events contributing to incidents in last one month in sentinel.
how to find number of events contributing to incidents in last one month in sentinel.
Thats screen shot helped.
SecurityIncident | where TimeGenerated > ago(30d) | summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber), Severity | extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds)) | mv-expand AlertIds to typeof(string) | join ( SecurityAlert | extend Search_Query_Results_Overall_Count_ = tostring(parse_json(ExtendedProperties).["Search Query Results Overall Count"]) | summarize AlertCount=dcount(SystemAlertId) by SystemAlertId, Search_Query_Results_Overall_Count_ ) on $left.AlertIds == $right.SystemAlertId | project IncidentNumber, AlertCount, Search_Query_Results_Overall_Count_
I meant the events which are captured in evidence of a security incident below is the example. I want count of all the events for all incidents in last one month. ie the actionable events which lead to the incident.
Thats screen shot helped.
SecurityIncident
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber), Severity
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand AlertIds to typeof(string)
| join
(
SecurityAlert
| extend Search_Query_Results_Overall_Count_ = tostring(parse_json(ExtendedProperties).["Search Query Results Overall Count"])
| summarize AlertCount=dcount(SystemAlertId) by SystemAlertId, Search_Query_Results_Overall_Count_
) on $left.AlertIds == $right.SystemAlertId
| project IncidentNumber, AlertCount, Search_Query_Results_Overall_Count_
