Forum Discussion
Tracking Incidents across Lighthouse
JKatzmandu 1) Did you select all the workspaces you wanted to see when you first went into Azure Sentinel and then clicked on the "View Incidents" button at the top of the screen to see all the incidents in one place?
2) The SecurityIncident table contains a new row each time an incident is updated, so it is quite possible to have many rows for a single incident. You would need to filter the query to show the latest entry, but using the steps from above is your best bet.
GaryBushey I've tried Item #1 and that didn't seem to work. Even after selecting all workspaces I only see 24 incidents. My query brings back 66. Also, all the incident numbers are sequential and local, whereas the query has many different numbers because of the different Sentinel Instances. For #2 I guess I can do a | summarize max(LastModifiedTime) or something to make the results "singular."
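An added example (my own query, not code posted by anyone in this thread) of the de-duplication step both posts above describe: SecurityIncident holds one row per update, so the query keeps only the most recent row per incident with `arg_max`, and keys on the workspace as well as the incident number because, as noted above, incident numbers are only sequential within each workspace. The two `workspace()` names are placeholders for delegated Lighthouse workspaces; when the query is run from the Logs blade with all workspaces already selected, the `union` lines can be dropped and `SecurityIncident` queried directly.

```kusto
// Placeholder workspace names: replace with the delegated workspaces visible through Lighthouse.
union isfuzzy=true
    workspace("customer-a-workspace").SecurityIncident,
    workspace("customer-b-workspace").SecurityIncident
// Keep only the latest update for each incident. IncidentName is the incident's GUID,
// unique across tenants; TenantId is added so the grouping is unambiguous per workspace.
| summarize arg_max(LastModifiedTime, *) by TenantId, IncidentName
// Hide incidents that were closed as of their latest update.
| where Status != "Closed"
| project TenantId, IncidentNumber, Title, Severity, Status, LastModifiedTime, IncidentUrl
| order by LastModifiedTime desc
```

Using `max(LastModifiedTime)` on its own, as suggested above, returns only the timestamp; `arg_max(LastModifiedTime, *)` returns the whole latest row, so the Title, Severity and Status columns reflect the incident's current state rather than a mix of earlier updates.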
- GaryBushey, Jan 13, 2021, Bronze Contributor
JKatzmandu When I look at all the incidents from various tenants I have access to, they are grouped by the workspace so the Incident ID would be sequential within each workspace.
If you are not seeing the incidents from the other tenants, I would double-check your Lighthouse configuration to make sure it is working correctly. Can you go into the individual tenant directly and see the incidents from each tenant enabled via Lighthouse?
- JKatzmandu, Jan 13, 2021, Brass Contributor
Aha! There is a "view incidents" link you can select after you check all the workspaces. Once you do that you can see them all. Thank you!
- CliveWatson, Jan 13, 2021, Microsoft
I have an example Workbook that may also help: Announcing: Azure Sentinel Central Workbook | LinkedIn