Query Alert Status and Assigned User

%3CLINGO-SUB%20id%3D%22lingo-sub-1141641%22%20slang%3D%22en-US%22%3EQuery%20Alert%20Status%20and%20Assigned%20User%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1141641%22%20slang%3D%22en-US%22%3E%3CP%3ELooking%20to%20query%20to%20alerts%2Fincidents%20that%20have%20not%20been%20assigned%2Fpicked%20up%20or%20to%20look%20at%20the%20current%20status%20(New%2FIn%20Progress)%20to%20detect%20and%20alert%20on%20stale%20events.%26nbsp%3B%20I%20use%20the%20following%20query%20to%20generate%20a%20list%20of%20all%20the%20SOC%20events%20the%20staff%20are%20looking%20at%20but%20I%20don't%20not%20see%20a%20User%20or%20Status%20field%2C%20anyone%20have%20a%20answer%20or%20work%20around%20to%20this%20one%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3ESecurityAlert%20%7C%20%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%20ProviderName%20%3D%3D%20%3C%2FSPAN%3E%3CSPAN%3E'ASI%20Scheduled%20Alerts'%3C%2FSPAN%3E%20%3CSPAN%3Eor%3C%2FSPAN%3E%3CSPAN%3E%20ProviderName%20%3D%3D%20%3C%2FSPAN%3E%3CSPAN%3E'CustomAlertRule'%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1141761%22%20slang%3D%22en-US%22%3ERe%3A%20Query%20Alert%20Status%20and%20Assigned%20User%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1141761%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F408589%22%20target%3D%22_blank%22%3E%40ryanksmith%3C%2FA%3E%26nbsp%3BWhat%20you%20are%20looking%20at%20is%20the%20listing%20of%20Alerts%2C%20not%20the%20Incidents.%26nbsp%3B%20Alerts%20do%20not%20get%20assigned%20to%20users%2C%20only%20the%20Incident%20will.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUnfortunately%2C%20you%20cannot%20query%20Incidents%20using%20KQL%20directly.%26nbsp%3B%20You%20have%20to%20use%20the%20Azure%20Sentinel%20REST%20API.%26nbsp%3B%20There%20have%20been%20a%20few%20posts%20about%20doing%20this%20lately%2C%20including%20mine%20on%20doing%20this%20through%20PowerShell%20%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.garybushey.com%2F2020%2F01%2F11%2Fyour-first-azure-sentinel-rest-api-call%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.garybushey.com%2F2020%2F01%2F11%2Fyour-first-azure-sentinel-rest-api-call%2F%3C%2FA%3E%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1142120%22%20slang%3D%22en-US%22%3ERe%3A%20Query%20Alert%20Status%20and%20Assigned%20User%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1142120%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F46875%22%20target%3D%22_blank%22%3E%40Gary%20Bushey%3C%2FA%3E%20I'll%20take%20a%20look%2C%20very%20surprised%20we%20cant%20query%20this%20without%20to%20jump%20though%20a%20bunch%20of%20hoops%2C%20I%20have%20been%20able%20in%20every%20other%20SIEM%20I%20have%20worked%20with.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1142807%22%20slang%3D%22en-US%22%3ERe%3A%20Query%20Alert%20Status%20and%20Assigned%20User%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1142807%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F408589%22%20target%3D%22_blank%22%3E%40ryanksmith%3C%2FA%3E%26nbsp%3BI%20agree%2C%20but%20considering%20the%20API%20is%20still%20not%20G.A.%20we%20may%20be%20able%20to%20see%20something%20to%20make%20it%20easier%20once%20it%20does.%26nbsp%3B%20I%20would%20love%20to%20be%20able%20to%20have%20a%20workbook%20showing%20me%20the%20stats%20of%20my%20Incidents%2C%20but%20I%20guess%20that%20is%20more%20what%20something%20like%20ServiceNow%20is%20for.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1142813%22%20slang%3D%22en-US%22%3ERe%3A%20Query%20Alert%20Status%20and%20Assigned%20User%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1142813%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F408589%22%20target%3D%22_blank%22%3E%40ryanksmith%3C%2FA%3E%26nbsp%3BI%20also%20have%20a%20blog%20post%20about%20getting%20the%20Incidents%20into%20PowerBI%20where%20you%20can%20create%20all%20sorts%20of%20nice%20reports.%26nbsp%3B%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.garybushey.com%2F2020%2F01%2F20%2Fazure-sentinel-incidents-in-powerbi%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.garybushey.com%2F2020%2F01%2F20%2Fazure-sentinel-incidents-in-powerbi%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2322390%22%20slang%3D%22en-US%22%3ERe%3A%20Query%20Alert%20Status%20and%20Assigned%20User%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2322390%22%20slang%3D%22en-US%22%3Ehow%20do%20you%20join%20the%20incident%20id%20with%20the%20alert%20via%20kql%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2325966%22%20slang%3D%22en-US%22%3ERe%3A%20Query%20Alert%20Status%20and%20Assigned%20User%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2325966%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F434938%22%20target%3D%22_blank%22%3E%40bobsyouruncle%3C%2FA%3E%26nbsp%3BHere%20is%20some%20code.%26nbsp%3B%20The%20good%20news%20is%20that%20since%20I%20last%20replied%20to%20this%20threat%2C%20the%20SecurityIncident%20table%20was%20created%20so%20you%20don't%20need%20to%20do%20the%20REST%20calls%20anymore.%26nbsp%3B%20I%20took%20some%20of%20the%20KQL%20from%20the%20%22Incident%20Overview%22%20workbook%20and%20added%20the%20join.%26nbsp%3B%20I%20have%20found%20that%20the%20workbooks%20and%20existing%20rules%20provide%20a%20wealth%20of%20useful%20KQL%20code.%3C%2FP%3E%3CP%3EDefinitely%20not%20saying%20this%20code%20is%20perfect%20but%20it%20does%20work.%26nbsp%3B%20Have%20to%20convert%20the%20AlertIds%20into%20a%20string%20to%20use%20in%20the%20join%20and%20unfortunately%20you%20cannot%20do%20it%20in%20the%20join%20command%20itself.%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3ESecurityIncident%0A%7C%20where%20IncidentNumber%20%3D%3D%20'166'%0A%7C%20summarize%20arg_max(TimeGenerated%2CCreatedTime%2CStatus%2C%20Severity%2C%20Owner%2C%20AdditionalData%2C%20IncidentUrl%2C%20Comments%2C%20Classification%2CClassificationReason%2C%20ClassificationComment%2CLabels%2C%20Title%2C%20AlertIds)%20by%20IncidentNumber%0A%7C%20mv-expand%20AlertIds%0A%7C%20extend%20AlertIDstring%20%3D%20tostring(AlertIds)%0A%7C%20join%20SecurityAlert%20on%20%24left.AlertIDstring%20%3D%3D%20%24right.SystemAlertId%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2326234%22%20slang%3D%22en-US%22%3ERe%3A%20Query%20Alert%20Status%20and%20Assigned%20User%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2326234%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F46875%22%20target%3D%22_blank%22%3E%40Gary%20Bushey%3C%2FA%3E!%3C%2FP%3E%3CP%3EI%20was%20struggling%20with%20that%20join%2C%20VERY%20much%20appreciated!%3C%2FP%3E%3CP%3E%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fhtml%2F%40B71AFCCE02F5853FE57A20BD4B04EADD%2Fimages%2Femoticons%2Fcool_40x40.gif%22%20alt%3D%22%3Acool%3A%22%20title%3D%22%3Acool%3A%22%20%2F%3E%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fhtml%2F%40B71AFCCE02F5853FE57A20BD4B04EADD%2Fimages%2Femoticons%2Fcool_40x40.gif%22%20alt%3D%22%3Acool%3A%22%20title%3D%22%3Acool%3A%22%20%2F%3E%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fhtml%2F%40B71AFCCE02F5853FE57A20BD4B04EADD%2Fimages%2Femoticons%2Fcool_40x40.gif%22%20alt%3D%22%3Acool%3A%22%20title%3D%22%3Acool%3A%22%20%2F%3E%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fhtml%2F%40B71AFCCE02F5853FE57A20BD4B04EADD%2Fimages%2Femoticons%2Fcool_40x40.gif%22%20alt%3D%22%3Acool%3A%22%20title%3D%22%3Acool%3A%22%20%2F%3E%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fhtml%2F%40B71AFCCE02F5853FE57A20BD4B04EADD%2Fimages%2Femoticons%2Fcool_40x40.gif%22%20alt%3D%22%3Acool%3A%22%20title%3D%22%3Acool%3A%22%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2331284%22%20slang%3D%22en-US%22%3ERe%3A%20Query%20Alert%20Status%20and%20Assigned%20User%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2331284%22%20slang%3D%22en-US%22%3E%3CP%3Egood%20point%2C%20the%20error%20output%20is%20usually%20pretty%20good%20about%20telling%20me%20when%20that's%20wrong%20%3A).%3C%2FP%3E%3CP%3Eahh%20but%20the%20specific%20syntax%20you're%20showing%20I%20have%20not%20used%20before%2C%20cool.%3CBR%20%2F%3EThanks%20for%20the%20tip.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2331256%22%20slang%3D%22en-US%22%3ERe%3A%20Query%20Alert%20Status%20and%20Assigned%20User%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2331256%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F434938%22%20target%3D%22_blank%22%3E%40bobsyouruncle%3C%2FA%3E%26nbsp%3BJust%20found%20that%20when%20you%20use%20mv-expand%2C%20you%20can%20specify%20the%20data%20type%20to%20expand%20into.%26nbsp%3B%20So%20the%20code%20could%20be%20written%20as%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3ESecurityIncident%0A%7C%20where%20IncidentNumber%20%3D%3D%20'166'%0A%7C%20summarize%20arg_max(TimeGenerated%2CCreatedTime%2CStatus%2C%20Severity%2C%20Owner%2C%20AdditionalData%2C%20IncidentUrl%2C%20Comments%2C%20Classification%2CClassificationReason%2C%20ClassificationComment%2CLabels%2C%20Title%2C%20AlertIds)%20by%20IncidentNumber%0A%7C%20mv-expand%20AlertIds%20to%20typeof(string)%0A%7C%20join%20SecurityAlert%20on%20%24left.AlertIds%20%3D%3D%20%24right.SystemAlertId%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B(mv-expand%20expands%20into%20a%20string%20type%20which%20eliminates%20the%20need%20for%20the%20expand%20command.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Looking to query to alerts/incidents that have not been assigned/picked up or to look at the current status (New/In Progress) to detect and alert on stale events.  I use the following query to generate a list of all the SOC events the staff are looking at but I don't not see a User or Status field, anyone have a answer or work around to this one?

 

SecurityAlert | where ProviderName == 'ASI Scheduled Alerts' or ProviderName == 'CustomAlertRule'
9 Replies

@ryanksmith What you are looking at is the listing of Alerts, not the Incidents.  Alerts do not get assigned to users, only the Incident will.

 

Unfortunately, you cannot query Incidents using KQL directly.  You have to use the Azure Sentinel REST API.  There have been a few posts about doing this lately, including mine on doing this through PowerShell : https://www.garybushey.com/2020/01/11/your-first-azure-sentinel-rest-api-call/  

Thanks @Gary Bushey I'll take a look, very surprised we cant query this without to jump though a bunch of hoops, I have been able in every other SIEM I have worked with. 

@ryanksmith I agree, but considering the API is still not G.A. we may be able to see something to make it easier once it does.  I would love to be able to have a workbook showing me the stats of my Incidents, but I guess that is more what something like ServiceNow is for.

@ryanksmith I also have a blog post about getting the Incidents into PowerBI where you can create all sorts of nice reports.  https://www.garybushey.com/2020/01/20/azure-sentinel-incidents-in-powerbi

how do you join the incident id with the alert via kql?

@bobsyouruncle Here is some code.  The good news is that since I last replied to this threat, the SecurityIncident table was created so you don't need to do the REST calls anymore.  I took some of the KQL from the "Incident Overview" workbook and added the join.  I have found that the workbooks and existing rules provide a wealth of useful KQL code.

Definitely not saying this code is perfect but it does work.  Have to convert the AlertIds into a string to use in the join and unfortunately you cannot do it in the join command itself.

SecurityIncident
| where IncidentNumber == '166'
| summarize arg_max(TimeGenerated,CreatedTime,Status, Severity, Owner, AdditionalData, IncidentUrl, Comments, Classification,ClassificationReason, ClassificationComment,Labels, Title, AlertIds) by IncidentNumber
| mv-expand AlertIds
| extend AlertIDstring = tostring(AlertIds)
| join SecurityAlert on $left.AlertIDstring == $right.SystemAlertId

 

Thanks @Gary Bushey!

I was struggling with that join, VERY much appreciated!

:cool::cool::cool::cool::cool:

@bobsyouruncle Just found that when you use mv-expand, you can specify the data type to expand into.  So the code could be written as

SecurityIncident
| where IncidentNumber == '166'
| summarize arg_max(TimeGenerated,CreatedTime,Status, Severity, Owner, AdditionalData, IncidentUrl, Comments, Classification,ClassificationReason, ClassificationComment,Labels, Title, AlertIds) by IncidentNumber
| mv-expand AlertIds to typeof(string)
| join SecurityAlert on $left.AlertIds == $right.SystemAlertId

 (mv-expand expands into a string type which eliminates the need for the expand command.

good point, the error output is usually pretty good about telling me when that's wrong :).

ahh but the specific syntax you're showing I have not used before, cool.
Thanks for the tip.