Forum Discussion
jorgeghm
Jan 20, 2023, Copper Contributor
Incidents from Analytics Rule template
Hi all! I have limited knowledge of Sentinel and the MS products and tools but am trying hard to understand the whole puzzle. We have a Splunk server acting as a SIEM which ingests data from S...
GBushey
Jan 23, 2023, Former Employee
When you did the search, did you search the SecurityIncident table or just use the UI? There is a new feature to delete incidents so maybe it got deleted?
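One way to do the check GBushey describes, as an added KQL example that is not part of this thread: query the SecurityIncident table directly instead of relying on the incidents blade, and also look at SecurityAlert so that an alert which fired without ever producing an incident (or whose incident was later closed or deleted) still shows up. The table and column names are standard Sentinel tables; the title string is the one quoted later in the thread, and the 30-day window is an assumption.

```kusto
// Added example (not from the thread). Each edit to an incident writes a new row to
// SecurityIncident, so take the latest record per IncidentNumber before reading Status.
SecurityIncident
| where TimeGenerated > ago(30d)                      // assumed lookback window
| where Title has "Authentication Methods Changed for Privileged Account"
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| project IncidentNumber, Title, Severity, Status, Classification, ClassificationReason,
          CreatedTime, ClosedTime, ModifiedBy, RelatedAnalyticRuleIds
| order by CreatedTime desc

// Companion query: alerts raised under the same name, whether or not an incident was
// created or kept. A non-empty result here with an empty result above points at
// incident grouping/suppression settings or a deleted incident rather than at the rule.
SecurityAlert
| where TimeGenerated > ago(30d)
| where AlertName has "Authentication Methods Changed for Privileged Account"
| summarize AlertCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by ProviderName, ProductName, AlertSeverity
```

Run the two statements separately in the Logs blade (KQL executes one tabular expression at a time). If the alert query returns rows but the incident query does not, the data and the rule are fine and the question moves to what happened to the incident; if both are empty, the rule never fired and the search across source tables in the later reply is the next step.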
Clive_Watson
Jan 24, 2023, Bronze Contributor
I would expect to see that data in OfficeActivity or CloudAppEvents tables
This should find it and list the tables the messages are in; when we know where the data is seen, a Use Case can be enabled (or built) from the templates.
// Search every table for the rule title string, then count hits per table (Type)
search "Authentication Methods Changed for Privileged Account"
| where TimeGenerated between (ago(30d) .. now())
//| where TimeGenerated between (datetime(2022-12-01) .. datetime(2023-01-21))
| summarize count(), min(TimeGenerated), max(TimeGenerated) by Type