Mar 07 2022 01:49 AM
Hey there,
This one is really giving me a hard time, as I can't quite understand why or how to fix this.
In Sentinel, we run a log search in the LAW, and we get a full list of SecurityIncidents using the below.
SecurityIncident
| where TimeGenerated > ago(30d)
This is fine. It gives us a full list of all SecurityIncidents in the last 30 days. However, it brings up a total of 1000 incidents, when we've only seen 325. The remaining 675 are all duplicated in some way: either duplicate AlertIDs or Incident Numbers.
This really messes with my reports, as I use these to get an understanding of how many incidents we see. But it's nearly impossible when the values are skewed before I even get them out of Sentinel.
With that being said, I've tried to use the following KQL to get more defined metrics, but this still doesn't work.
SecurityIncident
| where TimeGenerated > ago(30d)
// Grouping by TimeGenerated (and the other fields that change between updates)
// keeps one row per update, so an incident still appears as many times as it was modified.
| summarize any(IncidentName) by Title, Description, ClosedTime, Status, TimeGenerated, IncidentNumber
The Distinct operator also doesn't seemingly work, unless I'm using it in the wrong way.
Any help would be greatly appreciated, as I am really struggling with this one!
Kind Regards,
C.
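Added example (not part of the original post or any reply): the SecurityIncident table stores one row per update of an incident, so a plain time filter returns every revision, and a summarize that groups on TimeGenerated keeps every revision too. Keeping only the latest row per IncidentNumber with arg_max() collapses them to one row per incident. The column names used here (IncidentNumber, LastModifiedTime, CreatedTime, Severity, Status, Title, ClosedTime) are standard SecurityIncident schema columns; the 30d window and the final projection are assumptions chosen to match the post.

```kql
// Sanity check first: compare raw rows against distinct incidents in the window.
// A large gap between Rows and Incidents confirms the duplicates are update rows.
SecurityIncident
| where TimeGenerated > ago(30d)
| summarize Rows = count(), Incidents = dcount(IncidentNumber)

// Deduplicate: keep only the most recently modified row for each incident.
// arg_max(LastModifiedTime, *) returns the whole row that has the highest
// LastModifiedTime within each IncidentNumber group.
SecurityIncident
| where TimeGenerated > ago(30d)
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
// Optional: report on incidents created in the window rather than merely updated in it.
| where CreatedTime > ago(30d)
| project IncidentNumber, Title, Severity, Status, CreatedTime, ClosedTime, LastModifiedTime
| order by CreatedTime desc

// Counts for the report, computed on the deduplicated set.
SecurityIncident
| where TimeGenerated > ago(30d)
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| summarize Incidents = count() by Status, Severity
```

The three queries are meant to be run separately in the Sentinel Logs blade (Log Analytics). Two caveats: the TimeGenerated filter selects rows written in the window, so an incident created 40 days ago and closed yesterday still appears; filtering on CreatedTime after the arg_max() step gives a "new incidents in the last 30 days" view, while leaving that filter out gives "incidents touched in the last 30 days". Distinct does not help on its own because the rows are not identical: Status, LastModifiedTime and TimeGenerated differ between updates of the same incident.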
Mar 07 2022 03:28 AM
Solution (Mar 07 2022 03:44 AM)
Mar 07 2022 04:35 AM