SOLVED

Sentinel Creating Multiple AlertIDs/IncidentNumbers for Multiple Events

Copper Contributor

Hey there,

 

This one is really giving me hard times as I can't quite understand why or how to fix this.

In Sentinel, we run a log search in the LAW, and we get a full list of SecurityIncidents using the below.

 

 

 

SecurityIncident
| where TimeGenerated > ago(30d)

 

 

 

 This is fine. It gives us a fill list of all SecurityIncidents in the last 30 days. However, it brings up a total of 1000 incidents, when we've only seen 325. The remaining 675 are all duplicated in some way. Either duplicate AlertID or Incident Numbers.

 

This really messes with my reports, as I us these to get understanding on how many incidents we see. But it's nearly impossible when the values are skewed before I even get them out of Sentinel.

 

With that being said, I've tried to use the following KQL to get more defined metrics, but this still doesn't work. 

 

 

 

SecurityIncident
| where TimeGenerated > ago(30d)
| summarize any(IncidentName) by Title, Description, ClosedTime,Status,TimeGenerated,IncidentNumber

 

 

 

The Distinct operator also doesn't seemingly work, unless I'm using it in the wrong way.

 

Any help would be greatly appreciated, as I am really struggling with this one! 

 

Kind Regards.,

C.

3 Replies
best response confirmed by CharlieK95 (Copper Contributor)
Solution
Maybe just use the latest one per Incident Number (which arg_max does for you), this gets rid of those that have changed status during the Incident

SecurityIncident
| where TimeGenerated > ago(30d)
| summarize count(), arg_max(TimeGenerated,*) by IncidentNumber


You may prefer to filter on LastModified or LastActivity time rather than TimeGenerated in my example?
Thank you very much Clive 🙂

You just made my day better haha!
That was the mistake I was making, thanks for the help, will keep that in mind for the future!
BTW, every time an incident is updated in any way, a new row will be added to the SecurityIncidents table which is why you are seeing all the duplicates.
1 best response

Accepted Solutions
best response confirmed by CharlieK95 (Copper Contributor)
Solution
Maybe just use the latest one per Incident Number (which arg_max does for you), this gets rid of those that have changed status during the Incident

SecurityIncident
| where TimeGenerated > ago(30d)
| summarize count(), arg_max(TimeGenerated,*) by IncidentNumber


You may prefer to filter on LastModified or LastActivity time rather than TimeGenerated in my example?

View solution in original post