Forum Discussion

deepak198486's avatar
deepak198486
Copper Contributor
Mar 21, 2023
Solved

How to find the number of events contributing to incidents in the last month in Sentinel.

How to find the number of events contributing to incidents in the last month in Sentinel.

  • Clive_Watson's avatar
    Clive_Watson
    Mar 21, 2023

    deepak198486 

    That screenshot helped.

    SecurityIncident
    | where TimeGenerated > ago(30d)
    // keep the latest record of each incident (the table holds every update)
    | summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber), Severity
    | extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
    // one row per alert attached to the incident
    | mv-expand AlertIds to typeof(string)
    | join 
    (
        SecurityAlert
        // scheduled analytics rules record the number of matching events here
        | extend Search_Query_Results_Overall_Count_ = tostring(parse_json(ExtendedProperties).["Search Query Results Overall Count"])
        | summarize AlertCount=dcount(SystemAlertId) by SystemAlertId, Search_Query_Results_Overall_Count_
    ) on $left.AlertIds == $right.SystemAlertId
    | project IncidentNumber, AlertCount, Search_Query_Results_Overall_Count_
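The accepted query returns the event count per alert as a string, one row per alert. The following is an added example (not Clive_Watson's query) that totals those counts per incident over the last 30 days, which is what the original question asks for. It assumes SecurityIncident.AlertIds is a dynamic array of SystemAlertId values and that only scheduled-rule alerts carry the "Search Query Results Overall Count" key, so alerts from other sources contribute 0 events.

```kql
// Added example, not part of the original thread.
// Total evidence events per incident, summed over every alert on the incident.
let lookback = 30d;
let Incidents =
    SecurityIncident
    | where TimeGenerated > ago(lookback)
    // keep only the latest record for each incident
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    | project IncidentNumber, Severity, AlertIds
    // one row per alert attached to the incident (assumes AlertIds is dynamic)
    | mv-expand AlertId = AlertIds to typeof(string);
let AlertEventCounts =
    SecurityAlert
    // alerts can be older than the incident update that references them
    | where TimeGenerated > ago(lookback + 7d)
    | summarize arg_max(TimeGenerated, ExtendedProperties) by SystemAlertId
    // key is present for scheduled analytics rule alerts; null otherwise
    | extend EventCount = toint(parse_json(ExtendedProperties)["Search Query Results Overall Count"])
    | project SystemAlertId, EventCount;
Incidents
| join kind=leftouter AlertEventCounts on $left.AlertId == $right.SystemAlertId
| summarize
    AlertCount = dcount(AlertId),
    EventCount = sum(coalesce(EventCount, int(0)))
    by IncidentNumber, Severity
| sort by EventCount desc
```

A total of 0 with a non-zero AlertCount means the incident's alerts came from a source that does not populate this ExtendedProperties key, not that no events were matched.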
  • Clive_Watson's avatar
    Clive_Watson
    Bronze Contributor

    deepak198486 


    If by Events you mean Alerts, then this would work?

    SecurityIncident
    | where TimeGenerated > ago(30d)
    // keep the latest record of each incident
    | summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber), Severity
    | extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
    // one row per alert attached to the incident
    | mv-expand AlertIds to typeof(string)
    | join 
    (
        SecurityAlert
        // one row per distinct alert (AlertCount is always 1 here)
        | summarize AlertCount=dcount(SystemAlertId) by SystemAlertId
    ) on $left.AlertIds == $right.SystemAlertId
    // number of alerts per incident per day
    | summarize count(AlertCount) by IncidentNumber, bin(TimeGenerated,1d)

    e.g. Incident 186 had 4 Alerts.
    Or do you mean Events as in an EventID or a specific issue?

    • deepak198486's avatar
      deepak198486
      Copper Contributor

      Clive_Watson 

      I meant the events which are captured in the evidence of a security incident; below is the example. I want a count of all the events for all incidents in the last month, i.e. the actionable events which led to the incident.

