How do I run a KQL query for security alerts/incidents in Microsoft Sentinel for a user or list of users

Jarret McGraw 0 Reputation points
2023-07-14T16:25:11.1966667+00:00

New to KQL queries here. Trying to query for security alerts or incidents based off a set of users in Microsoft Sentinel.

Would I create a Watchlist of names and identifiers (emails or user ID's) and run a query on that Watchlist or build a query including all the users? Is this possible to do and what would that look like?

Any help would be greatly appreciated!

Microsoft Security | Microsoft Sentinel

2 answers

  1. Vahid Ghafarpour 23,385 Reputation points Volunteer Moderator
    2023-07-14T17:59:52.19+00:00

    You can create a Watchlist in the Microsoft 365 Defender portal or through the Microsoft Graph Security API:

    // Compare the alert's AccountName against an inline table of identifiers
    SecurityAlert
    | where AccountName in (datatable(Identifier:string)["******@mydomain.com", "******@mydomain.com"])

    Also, you can directly add it in your query

    // Same filter with the identifiers listed directly in the query
    SecurityAlert
    | where AccountName in ("user1@example.com", "user2@example.com")

  2. JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
    2023-07-18T21:19:08.2266667+00:00

    @Jarret McGraw

    Thank you for your post and I apologize for the delayed response!

    I understand that you're trying to create a new KQL query for Security Alerts or Incidents based off a set of users within Microsoft Sentinel. To hopefully help point you in the right direction or resolve your issue, I'll share my findings below.


    Findings:

    When it comes to creating a query for Security Alerts or Incidents based off a set of users within MS Sentinel, you can definitely leverage a Watchlist and query for the users' name or ID.

    I created a sample query for your reference which compares the upn field to the values in the userWatchlist table using the in operator. This should return your security alerts or incidents that were generated in the last 7 days and where the user that triggered the alert is in the Watchlist.

    • Note: This query assumes that the Sid field is always the third entity in the Entities array. If the order of the array changes, this may not work as expected. Additionally, the "in" operator is case-sensitive, so you'll want to ensure your values in the Watchlist match.

    Watchlist Data:

    (screenshot of the Watchlist data not included)

    //Set userWatchlist variable with the SearchKey column from the Watchlist
    let userWatchlist = (_GetWatchlist('Users') | project SearchKey);

    //Using the SecurityAlert table:
    //Find all security alerts or incidents that were generated in the last 7 days
    //Parse the Entities JSON Output
    //Set the upn variable with the Entities Object ID that triggered the alert
    //(the dynamic value is cast to string so it can be compared with SearchKey)
    //Compare the upn field to the values in the userWatchlist table.

    SecurityAlert
    | where TimeGenerated > ago(7d)
    | extend EntityValues = parse_json(Entities)
    | extend upn = tostring(EntityValues[2].Sid)
    | where upn in (userWatchlist)

    Query Output: (screenshot not included)


    Additional Links:

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
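The two answers above cover the two choices the question asks about (an inline list versus a Watchlist), and the second answer notes that its query breaks if the account is not the third entry in Entities. The query below is an added example, not code from either answer or from Microsoft: it walks every entity with mv-expand so the match no longer depends on array position, accepts either an inline list or the 'Users' Watchlist named in the thread, matches case-insensitively, and then returns the Sentinel incidents built from the matching alerts. It assumes the standard SecurityAlert and SecurityIncident tables and the account-entity fields Sentinel emits in Entities (Type, Name, UPNSuffix); the e-mail addresses in option A are constructed sample data.

```kusto
// Added example, not code from either answer above. Assumes the standard
// SecurityAlert and SecurityIncident tables and, for option B, a Watchlist named
// 'Users' whose SearchKey column holds UPNs (as in the thread). The addresses in
// option A are constructed sample data.
//
// Option A: fixed list typed into the query (fine for a one-off hunt).
let targetUsers = dynamic(["user1@example.com", "user2@example.com"]);
// Option B: the Watchlist. Comment out option A and uncomment this line to use it.
// let targetUsers = (_GetWatchlist('Users') | project SearchKey);
//
// Alerts from the last 7 days that name one of the users. mv-expand visits every
// entity, so the match does not depend on the account being Entities[2].
let matchingAlerts =
    SecurityAlert
    | where TimeGenerated > ago(7d)
    | mv-expand Entity = parse_json(Entities)
    | where tostring(Entity.Type) =~ "account"
    // Account entities carry the UPN split into Name and UPNSuffix; rebuild it and
    // compare case-insensitively (in~) so differing case in the list is harmless.
    | extend Upn = strcat(tostring(Entity.Name), "@", tostring(Entity.UPNSuffix))
    | where Upn in~ (targetUsers)
    | summarize MatchedUsers = make_set(Upn) by SystemAlertId, AlertName, AlertSeverity;
// Incidents built from those alerts. SecurityIncident logs one row per update, so
// keep only the latest row per incident before expanding its AlertIds array.
SecurityIncident
| where TimeGenerated > ago(7d)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| mv-expand AlertId = parse_json(AlertIds) to typeof(string)
| join kind=inner matchingAlerts on $left.AlertId == $right.SystemAlertId
| project IncidentNumber, Title, Severity, Status, AlertName, AlertSeverity, MatchedUsers
| order by IncidentNumber asc
```

To list only the alerts rather than the incidents, end the query with `matchingAlerts` in place of the SecurityIncident pipeline. The entity walk is also the part worth keeping if your alerts come from connectors that put the account at a different index or emit several account entities per alert.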

