Forum Discussion

Zorghost
Copper Contributor
Feb 12, 2025

Create a report that contains Alerts and raw events

Hello,

Is there a way to automatically create a report in Sentinel that contains security incidents and alerts as well as the raw events that triggered these alerts, and be able to send it somewhere for archival purposes?

Any help is much appreciated!

  • luchete
    Steel Contributor

    Hi Zorghost!

    You can automatically create a report in Sentinel that includes security incidents, alerts, and the raw events that triggered them. To do this, you can use KQL queries in Sentinel to retrieve the relevant data. You can then schedule these queries to run at specific intervals.

    For automation, you can integrate Logic Apps or Power Automate to automatically send the generated report to a storage location, like an Azure Blob Storage account or an external service, for archival purposes. This way, you don’t have to manually create and send reports every time.

    Regards!

    • Zorghost
      Copper Contributor

      Thank you very much for the answer, luchete.

      But as far as I understood, to get the raw events I would have to iterate through each alert and run the existing KQL query in the "originalquery" field, or am I wrong? How is it possible to automate this step in Sentinel?

      • luchete
        Steel Contributor

        To get the raw events that triggered the alerts, you'd indeed need to run the KQL query from the "originalquery" field of each alert. However, to automate this in Sentinel, you can create a custom KQL query that retrieves the relevant raw events by joining the alerts with the event data. You can use tables like "SecurityAlert" and "SecurityEvent" or others that store the raw event data.

        To automate the process, you can set up a playbook in Sentinel using Logic Apps. This playbook can trigger whenever a security alert or incident occurs, and within the playbook, you can run your query to fetch the raw events. Then, the playbook can send the results to your chosen location for archival purposes, such as Azure Blob Storage.

        This method helps automate the entire process without the need for manual intervention.
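The step the thread leaves open is how a script or playbook actually gets from an alert back to the rows that fired it. For alerts raised by scheduled analytics rules, the SecurityAlert row's ExtendedProperties JSON carries the rule query under "Query" together with "Query Start Time UTC" and "Query End Time UTC"; rerunning that query pinned to that window reproduces the matching events, which can then be bundled with the alert and written to Blob Storage. The following Python is an added example (not code from the thread or from Microsoft): it runs offline against constructed sample data, and isolates the live Azure calls (azure-monitor-query for the rerun, azure-storage-blob for the upload) in two helpers that import their SDKs lazily. The exact timestamp format inside ExtendedProperties ("YYYY-MM-DD HH:MM:SSZ") and the sample alert, event rows, workspace and container names are assumptions.

```python
"""Rerun a Sentinel alert's saved analytics query over its original window and
bundle alert + raw events for archival. Added example; offline-runnable."""
import json
from datetime import datetime, timezone
from typing import Callable, Optional

# KQL to pull recent scheduled-rule alerts (standard SecurityAlert schema assumed).
ALERTS_QUERY = """
SecurityAlert
| where TimeGenerated > ago(1d)
| where ProviderName == "ASI Scheduled Alerts"
| project TimeGenerated, SystemAlertId, AlertName, AlertSeverity, ExtendedProperties, Entities
"""

RunQuery = Callable[[str, datetime, datetime], list[dict]]


def _parse_utc(value: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SSZ' or ISO-8601 'T' timestamps as aware UTC datetimes."""
    parsed = datetime.fromisoformat(value.strip().replace(" ", "T").replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def extract_rerun_spec(alert: dict) -> Optional[dict]:
    """Return the rule query and its evaluation window, or None if the alert has no saved query."""
    props = json.loads(alert.get("ExtendedProperties") or "{}")
    query = props.get("Query")
    if not query:
        return None  # e.g. alerts synced from Defender carry no rerunnable query
    return {"query": query,
            "start": _parse_utc(props["Query Start Time UTC"]),
            "end": _parse_utc(props["Query End Time UTC"])}


def build_archive_record(alert: dict, run_query: RunQuery) -> dict:
    """Rerun the alert's query over its original window and attach the returned rows."""
    spec = extract_rerun_spec(alert)
    events = run_query(spec["query"], spec["start"], spec["end"]) if spec else []
    window = None if spec is None else {"start": spec["start"].isoformat(),
                                        "end": spec["end"].isoformat()}
    return {"alert": alert, "rerun_window": window, "raw_events": events,
            "raw_event_count": len(events),
            "archived_at": datetime.now(timezone.utc).isoformat()}


def archive_blob_name(alert: dict) -> str:
    """Deterministic path alerts/YYYY/MM/DD/<SystemAlertId>.json, one object per alert."""
    return f"alerts/{_parse_utc(alert['TimeGenerated']):%Y/%m/%d}/{alert['SystemAlertId']}.json"


def make_log_analytics_runner(workspace_id: str) -> RunQuery:
    """Live runner (azure-monitor-query); imported lazily so the module runs offline."""
    from azure.identity import DefaultAzureCredential
    from azure.monitor.query import LogsQueryClient, LogsQueryStatus
    client = LogsQueryClient(DefaultAzureCredential())

    def run_query(query: str, start: datetime, end: datetime) -> list[dict]:
        # timespan pins the scanned TimeGenerated range to the rule's original window
        resp = client.query_workspace(workspace_id, query, timespan=(start, end))
        if resp.status != LogsQueryStatus.SUCCESS:
            raise RuntimeError(f"partial result: {getattr(resp, 'partial_error', None)}")
        table = resp.tables[0]
        return [dict(zip(table.columns, row)) for row in table.rows]
    return run_query


def upload_record(record: dict, account_url: str, container: str) -> None:
    """Live upload (azure-storage-blob). overwrite=False keeps an archived bundle immutable."""
    from azure.identity import DefaultAzureCredential
    from azure.storage.blob import BlobClient
    blob = BlobClient(account_url, container, archive_blob_name(record["alert"]),
                      credential=DefaultAzureCredential())
    blob.upload_blob(json.dumps(record, default=str), overwrite=False)


# Constructed sample alert and event rows (not real telemetry) for offline runs.
SAMPLE_ALERT = {
    "TimeGenerated": "2025-02-12T09:15:00Z",
    "SystemAlertId": "00000000-0000-4000-8000-000000000001",
    "AlertName": "RDP brute force (sample)",
    "ExtendedProperties": json.dumps({
        "Query": "SecurityEvent | where EventID == 4625 | summarize Failures=count() "
                 "by Account, IpAddress | where Failures > 20",
        "Query Start Time UTC": "2025-02-12 08:10:00Z",
        "Query End Time UTC": "2025-02-12 09:10:00Z"}),
}
SAMPLE_EVENTS = [
    {"TimeGenerated": "2025-02-12T08:40:11Z", "Account": "CORP\\svc-backup",
     "IpAddress": "203.0.113.7", "Failures": 37},
    {"TimeGenerated": "2025-02-12T09:30:00Z", "Account": "CORP\\jdoe",
     "IpAddress": "198.51.100.9", "Failures": 25},  # outside the window: must be dropped
]


def fake_runner(query: str, start: datetime, end: datetime) -> list[dict]:
    """Stand-in for make_log_analytics_runner() that only honours the time window."""
    return [e for e in SAMPLE_EVENTS if start <= _parse_utc(e["TimeGenerated"]) <= end]


if __name__ == "__main__":
    rec = build_archive_record(SAMPLE_ALERT, fake_runner)
    print(archive_blob_name(SAMPLE_ALERT), rec["raw_event_count"], "event(s) archived")
```

Two caveats a practitioner should weigh before relying on reruns as evidence: the rerun only reproduces the original result if the rule query itself contains no clock-relative filter such as `where TimeGenerated > ago(1h)`, since `ago()` is evaluated at rerun time and would intersect with the pinned window to return nothing; and rows ingested late, or already past the workspace retention period, will not match what the rule saw. The no-code equivalent of `make_log_analytics_runner` inside a Logic Apps playbook is the Azure Monitor Logs connector's "Run query and list results" action fed with the alert's query and window.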
