Forum Discussion
Pavan_Gelli, Copper Contributor
Dec 17, 2019
How to export incidents in azure sentinel
Hi Team,
I need to export the incidents to Excel. Is this possible?
Basically I want to summarize the number of incidents triggered for a certain time period and do further analysis on this.
Thanks
- MickTravels, Copper Contributor
Pavan_Gelli, you've no doubt solved this problem since late 2019, but for everyone else who finds this entry at the top of their Google search and needs an up-to-date answer, use this KQL code to generate a list of Sentinel incidents:
    SecurityIncident
    | summarize LatestEntry = arg_max(TimeGenerated, *) by IncidentNumber
    | project IncidentNumber, LatestEntry, Title, Description, Severity, Status, Classification, ClassificationComment, ModifiedBy
    | sort by IncidentNumber
Adjust the date range appropriately and adjust the columns you want to see in the project statement, then export the results to .csv.
- KheenanH, Copper Contributor
MickTravels This is a really good start. Is there a column field that can get where the alert came from? There is ModifiedBy, but if I modify the alert to close it, then it puts my name vs. Defender or Sentinel. It would also be good to know what other fields people use in this query.
- Clive_Watson, Bronze Contributor
    SecurityAlert
    | where TimeGenerated > ago(5h)
    | join (
        SecurityIncident
        | extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
        | mv-expand AlertIds to typeof(string), Labels to typeof(string), Comments to typeof(string), AdditionalData to typeof(string), Owner to typeof(string)
    ) on $left.SystemAlertId == $right.AlertIds
    | summarize AlertCount = dcount(AlertIds),
                arg_max(TimeGenerated, Title, Severity, Status, Owner, ModifiedBy, CreatedTime, FirstModifiedTime, LastModifiedTime, ProductName,
                        Tags = tostring(parse_json(Labels).labelName),
                        Comments = tostring(parse_json(Comments).message))
        by IncidentNumber
    | extend IncidentSource = case(
        ProductName == "Azure Sentinel", "Analytic",
        ProductName == "Azure Active Directory Identity Protection", "Azure AD Identity Protection",
        ProductName == "Azure Security Center", "Microsoft Defender for Cloud",
        ProductName == "Microsoft Defender Advanced Threat Protection", "Microsoft Defender for Endpoint",
        ProductName == "Microsoft Cloud App Security", "Microsoft Defender for Cloud Apps",
        ProductName == "Office 365 Advanced Threat Protection", "Microsoft Defender for Office 365",
        ProductName == "Azure Advanced Threat Protection", "Microsoft Defender for Identity",
        ProductName)
- Rod_Trent, Microsoft
Pavan_Gelli Once you have the KQL query you want, run it and then choose the Export menu. Is this what you're talking about?
- GaryBushey, Bronze Contributor
Pavan_Gelli would doing a query against SecurityAlert work? It shows the alerts but not the actual incidents, but the numbers should be close if you don't need the exact information from the incident. If you query in the Logs screen you can export your results.
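The original question asked for a count of incidents per time period rather than a flat list. The query below is an added example, not code from any poster in this thread; it combines the arg_max de-duplication shown above with a per-day, per-severity summary. It assumes the standard SecurityIncident columns already used in the thread (IncidentNumber, TimeGenerated, CreatedTime, Severity, Status, Classification); the start and end dates are constructed placeholders.

```kql
// Added example: incident counts per day and severity for a chosen period.
// SecurityIncident stores one row per update to an incident, so counting raw
// rows over-counts anything that was edited or closed. Collapse each
// IncidentNumber to its latest row first, then aggregate.
let startDate = datetime(2023-01-01);   // constructed placeholder, adjust
let endDate   = datetime(2023-02-01);   // constructed placeholder, adjust
SecurityIncident
// Note: the Logs time picker filters TimeGenerated (the update time), not
// CreatedTime. Set it wide enough to cover later updates to old incidents,
// or the latest state of an incident will be missed.
| where CreatedTime between (startDate .. endDate)
| summarize arg_max(TimeGenerated, Severity, Status, Classification, CreatedTime)
    by IncidentNumber
| summarize Incidents     = dcount(IncidentNumber),
            Closed        = countif(Status == "Closed"),
            TruePositive  = countif(Classification == "TruePositive"),
            FalsePositive = countif(Classification == "FalsePositive")
    by Day = bin(CreatedTime, 1d), Severity
| sort by Day asc, Severity asc
```

Run it in the Logs screen and use Export to get the per-day table into CSV/Excel; change `bin(CreatedTime, 1d)` to `7d` or `30d` for weekly or monthly totals.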