Forum Discussion
Zorghost
Feb 12, 2025 | Copper Contributor
Create a report that contains Alerts and raw events
Hello, is there a way to automatically create a report in Sentinel that contains security incidents and alerts as well as the raw events that triggered these alerts, and be able to send it somewhere ...
luchete
Feb 13, 2025 | Steel Contributor
Hi Zorghost!
You can automatically create a report in Sentinel that includes security incidents, alerts, and the raw events that triggered them. To do this, you can use KQL queries in Sentinel to retrieve the relevant data. You can then schedule these queries to run at specific intervals.
For automation, you can integrate Logic Apps or Power Automate to automatically send the generated report to a storage location, like an Azure Blob Storage account or an external service, for archival purposes. This way, you don’t have to manually create and send reports every time.
Regards!
- Zorghost | Feb 13, 2025 | Copper Contributor
Thank you very much for the answer, luchete.
But as far as I understood, to get the raw events I would have to iterate through each alert and run the existing KQL query in the "originalquery" field, or am I wrong? How is it possible to automate this step in Sentinel?
- luchete | Feb 13, 2025 | Steel Contributor
To get the raw events that triggered the alerts, you'd indeed need to run the KQL query from the "originalquery" field of each alert. However, to automate this in Sentinel, you can create a custom KQL query that retrieves the relevant raw events by joining the alerts with the event data. You can use tables like "SecurityAlert" and "SecurityEvent" or others that store the raw event data.
To automate the process, you can set up a playbook in Sentinel using Logic Apps. This playbook can trigger whenever a security alert or incident occurs, and within the playbook, you can run your query to fetch the raw events. Then, the playbook can send the results to your chosen location for archival purposes, such as Azure Blob Storage.
This method helps automate the entire process without the need for manual intervention.
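An added example (not from either poster) of the per-alert step discussed above: it reads each SecurityAlert row's ExtendedProperties, pulls out the rule's original query and the time window it ran over, re-runs that query through an injected `run_query` callable, and assembles alert plus raw events into one report structure ready to be serialized and shipped by a playbook. The alert rows are constructed sample data; the property names "Query", "Query Start Time UTC" and "Query End Time UTC" and their ISO timestamp format are assumptions to check against your own alerts, and `run_query` is a hypothetical hook (in production wrap `azure.monitor.query.LogsQueryClient.query_workspace`).

```python
import json
from datetime import datetime
from typing import Callable, Optional

# Constructed sample SecurityAlert rows shaped like the table's columns.
# Property names and timestamp format inside ExtendedProperties are assumed.
SAMPLE_ALERTS = [
    {
        "SystemAlertId": "alert-0001",
        "AlertName": "Multiple failed logons",
        "ExtendedProperties": json.dumps({
            "Query": "SecurityEvent | where EventID == 4625 "
                     "| summarize count_ = count() by Account | where count_ > 10",
            "Query Start Time UTC": "2025-02-12T08:00:00+00:00",
            "Query End Time UTC": "2025-02-12T09:00:00+00:00",
        }),
    },
    {   # Alert from a non-scheduled source: carries no query to re-run.
        "SystemAlertId": "alert-0002",
        "AlertName": "Defender detection",
        "ExtendedProperties": "{}",
    },
]

def rerun_spec(alert: dict) -> Optional[tuple]:
    """Return (query, start, end) for a scheduled-rule alert, or None when the
    alert has no original query in ExtendedProperties."""
    props = json.loads(alert.get("ExtendedProperties") or "{}")
    query = props.get("Query")
    if not query:
        return None
    start = datetime.fromisoformat(props["Query Start Time UTC"])
    end = datetime.fromisoformat(props["Query End Time UTC"])
    return query, start, end

def build_report(alerts: list, run_query: Callable[[str, datetime, datetime], list]) -> list:
    """Pair each alert with the raw rows its query returns over the alert's window.
    run_query(kql, start, end) is the hypothetical execution hook."""
    report = []
    for alert in alerts:
        entry = {"alert_id": alert["SystemAlertId"], "name": alert["AlertName"],
                 "events": [], "note": ""}
        spec = rerun_spec(alert)
        if spec is None:
            entry["note"] = "no original query in ExtendedProperties; events not retrievable this way"
        else:
            entry["events"] = run_query(*spec)
        report.append(entry)
    return report

def report_as_json(report: list) -> str:
    """Serialize for hand-off to a playbook or Blob upload; datetimes become strings."""
    return json.dumps(report, default=str, indent=2)
```

Alerts without a stored query (the second sample) are flagged rather than silently dropped, so the report shows which alerts still need another source for their raw events.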