Forum Discussion
ryanksmith
Jan 30, 2020
Copper Contributor
Query Alert Status and Assigned User
Looking to query to alerts/incidents that have not been assigned/picked up or to look at the current status (New/In Progress) to detect and alert on stale events. I use the following query to genera...
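One way to get the stale-incident view asked about above, as an added example that is not the original poster's (truncated) query nor any reply in the thread. It runs against the Sentinel SecurityIncident table; the 24h threshold, the Status values "New"/"Active" (Sentinel's current names, where "Active" is what the portal used to show as "In progress") and the Owner.assignedTo property are assumptions to check against your workspace:

```kql
// Added example (not from the thread): list Sentinel incidents that are still
// open, have no owner, and are older than a threshold, so they can drive a
// scheduled analytics rule or a workbook for "nobody has picked this up".
let stale_after = 24h;                       // assumed threshold; tune per SLA
SecurityIncident
// Every update to an incident writes a new row; keep only the latest row per incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// Assumed Status values; Closed incidents are not interesting here
| where Status in ("New", "Active")
// Owner is a dynamic column; assignedTo is assumed to be empty when nobody owns it
| extend AssignedTo = tostring(Owner.assignedTo)
| where isempty(AssignedTo)
| where CreatedTime < ago(stale_after)
| extend Age = now() - CreatedTime
| project IncidentNumber, Title, Severity, Status, CreatedTime, LastModifiedTime, Age, IncidentUrl
| order by Age desc
```

Dropping the `isempty(AssignedTo)` filter turns this into a "still New/Active after N hours regardless of owner" check, which catches incidents that were assigned but never worked; the `arg_max` step is the part that matters either way, since without it every historical status row of an incident comes back.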
SocInABox
Iron Contributor
Thanks GaryBushey!
I was struggling with that join, VERY much appreciated!
GaryBushey
May 06, 2021
Bronze Contributor
SocInABox Just found that when you use mv-expand, you can specify the data type to expand into. So the code could be written as
SecurityIncident
| where IncidentNumber == '166'
| summarize arg_max(TimeGenerated,CreatedTime,Status, Severity, Owner, AdditionalData, IncidentUrl, Comments, Classification,ClassificationReason, ClassificationComment,Labels, Title, AlertIds) by IncidentNumber
| mv-expand AlertIds to typeof(string)
| join SecurityAlert on $left.AlertIds == $right.SystemAlertId
(mv-expand expands into a string type, which eliminates the need for the expand command.)
SocInABox
May 06, 2021
Iron Contributor
Good point, the error output is usually pretty good about telling me when that's wrong :).
Ahh, but the specific syntax you're showing I have not used before, cool.
Thanks for the tip.
Jay342
Oct 27, 2022
Copper Contributor
Hi GaryBushey, can you write one KQL query to check if any particular entity (user account) is present in any security alert/incident?
Or, how many security alerts one user account is associated with for the past 7 days?
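One way to approach the question above, added here as an example and not a reply from anyone in the thread. It reuses the SecurityIncident-to-SecurityAlert join shown earlier and adds the entity parsing: SecurityAlert.Entities is a JSON string holding an array of entity objects, and account entities are assumed to carry Type "account" with Name, UPNSuffix and AadUserId properties (the property names and the sample account "jdoe@contoso.com" are assumptions, not something the thread confirms):

```kql
// Added example (not from the thread): per-account alert counts for the last
// 7 days, then the incidents that contain one specific account.
let lookback = 7d;
let target_account = "jdoe@contoso.com";   // hypothetical account to look for
// Explode the Entities JSON of each alert into one row per account entity
let account_alerts = SecurityAlert
| where TimeGenerated > ago(lookback)
| mv-expand Entity = todynamic(Entities)   // Entities is a string; parse then expand
| where tostring(Entity.Type) =~ "account"  // assumed entity type name
| extend AccountName = tostring(Entity.Name),
         UpnSuffix   = tostring(Entity.UPNSuffix),
         AadUserId   = tostring(Entity.AadUserId)
// Rebuild a UPN-style key when a suffix is present, else fall back to the bare name
| extend Account = iff(isnotempty(UpnSuffix), strcat(AccountName, "@", UpnSuffix), AccountName)
| where isnotempty(Account);
// Part 1: how many distinct alerts each account appears in over the lookback.
// dcount(SystemAlertId) matters because an alert writes a new row on every update.
account_alerts
| summarize AlertCount = dcount(SystemAlertId),
            AlertNames = make_set(AlertName, 20),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated) by Account
| order by AlertCount desc
```

For the "is this particular user in any incident" half, the same `account_alerts` definition feeds the join from GaryBushey's post: take the latest row per incident with `summarize arg_max(TimeGenerated, *) by IncidentNumber`, `mv-expand AlertIds to typeof(string)`, then `join kind=inner (account_alerts | where Account =~ target_account | distinct SystemAlertId, AlertName, Account) on $left.AlertIds == $right.SystemAlertId` and summarize by IncidentNumber, Title, Status and IncidentUrl. Matching on `Account` rather than the bare `AccountName` avoids counting every "admin" in every tenant domain as one user.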