Forum Discussion
Tracking Incidents across Lighthouse
Hi everyone!
I have a customer with multiple Sentinel instances and they're hooked together via Lighthouse. The main/master instance will display "Incidents" for the local Instance but not the other sub instances. I think.
To get around this I set up a Workbook which uses a query:
union SecurityIncident, workspace('A').SecurityIncident, workspace('B').SecurityIncident, workspace('C').SecurityIncident
| where CreatedTime between (ago(1d) .. now())
| project CreatedTime, IncidentName, Title, IncidentNumber
Simple enough. Except I get duplicate incidents. But not all incidents, only some:
Any ideas what's going on?
JKatzmandu 1) Did you select all the workspaces you wanted to see when you first when into Azure Sentinel and then clicked on the "View Incidents" button on the top of the screen to see all the incidents in one place?
2) The SecurityIncident table contains a new row each time an incident is updated so it is quite possible to have many rows for a single incident. You would need to filter the query to show the latest entry but using the steps from above is your best bet.
GaryBushey I've tried Item #1 and that didn't seem to work. Even after selecting all workspaces I only see 24 incidents. My query brings back 66. Also, all the incident numbers are sequential and local, whereas the query has many different numbers because of the different Sentinel Instances. For #2 I guess I can do a | summarize max(LastModifiedTime) or something to make the results "singular."
JKatzmandu When I look at all the incidents from various tenants I have access to, they are grouped by the workspace so the Incident ID would be sequential within each workspace.
If you are not seeing the incidents from the other tenants I would double check your Lighthouse configuration to make sure it it working correctly. Can you go into the individual tenant directly and see the incidents from each tenant enabled via Lighthouse?
