Notable Events in Sentinel across all tables

Jain, Shamu 0 Reputation points
2023-03-21T15:43:18.1433333+00:00

Hi Everyone,

We are tasked to prepare a dashboard showing total events and total notable events from Sentinel.

While getting the total number of events is fairly simple with a query for the number of events in each table for the selected time frame, we are struggling to get the number of notable events (events that actually contributed to a Sentinel Incident).

Is there a way to get this information using some query or other means? Open to explore custom workbooks as well.


2 answers

  1. Clive Watson 5,711 Reputation points MVP
    2023-03-21T16:18:14.0566667+00:00

    Notable could be many things. Take a look at "Investigations Insights" workbook as that allows you to click on an incident and then drill into the results (just by clicking).

    For me, I'd maybe be looking at the returned Entities and how often each is seen in an Incident.

    e.g. if IPaddr 1.1.1.1 is seen once in 30 days compared to 2.2.2.2 that is seen 5 times per day in multiple Incidents. However, if 1.1.1.1 was an actual attack and 2.2.2.2 is noise, it may not be the right notable event.

    1 person found this answer helpful.

  2. JamesTran-MSFT 36,366 Reputation points Microsoft Employee
    2023-03-29T19:13:57.49+00:00

    @Jain, Shamu

    Thank you for your post!

    From your initial post and follow-up, I understand that you're preparing a dashboard showing total events and total notable events from Microsoft Sentinel. While getting the total number of events is simple, you're running into issues with getting the number of notable events - for example, events that generate an alert such as twenty 4625 events for one user generating a Brute force alert.

    Since you're looking for notable events across all of your alerts, have you tried looking within the SecurityAlert table and filtering by technique or IsIncident? This should show all your Sentinel Alerts where an Incident was created.

    SecurityAlert
    | where ProductName == "Azure Sentinel"
    | where IsIncident == true

    Note: My Sentinel environment doesn't have sufficient data when it came to testing for "IsIncident = true".


    I hope this helps!

    If you're still having issues or would like to work with our support team on this, please let me know.
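A worked version of both halves of the dashboard, added here as an example and not code from the thread or from Microsoft: Query 1 counts ingested events per table; Query 2 counts notable events by walking from SecurityIncident.AlertIds to SecurityAlert.SystemAlertId, so each alert is tied to a concrete incident rather than relying on IsIncident alone. It assumes the standard SecurityIncident and SecurityAlert schemas, and that scheduled analytics rules populate the ExtendedProperties key "Search Query Results Overall Count" with the number of rows the rule query returned (an assumption; when the key is absent, each alert is counted as one notable event).

```kql
// Added example, not from the original thread. Run each query separately in the Logs blade.
// Assumes a Sentinel-enabled Log Analytics workspace with the standard SecurityIncident
// and SecurityAlert tables.

// Query 1: total events per table in the window (the "easy" half of the dashboard).
// union withsource= tags each row with the name of the table it came from.
union withsource=TableName *
| where TimeGenerated > ago(30d)
| summarize TotalEvents = count() by TableName
| order by TotalEvents desc

// Query 2: notable events = events that fed an alert which is attached to an incident.
let incidentAlerts = SecurityIncident
    | where TimeGenerated > ago(30d)
    // incidents are re-logged on every update; keep only the latest state of each
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    // AlertIds is a dynamic array of SystemAlertId values; one row per alert
    | mv-expand AlertId = AlertIds to typeof(string)
    | project IncidentNumber, IncidentTitle = Title, IncidentSeverity = Severity, AlertId;
SecurityAlert
| where TimeGenerated > ago(30d)
| where ProductName == "Azure Sentinel"
// alerts can also be logged more than once; keep the latest copy of each
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| extend props = parse_json(ExtendedProperties)
// Assumption: scheduled rules record the row count of the rule query under this key.
// If it is missing, count the alert itself as one notable event.
| extend ContributingEvents = coalesce(toint(props["Search Query Results Overall Count"]), 1)
| join kind=inner incidentAlerts on $left.SystemAlertId == $right.AlertId
| summarize Alerts = dcount(SystemAlertId),
            NotableEvents = sum(ContributingEvents)
    by IncidentNumber, IncidentTitle, IncidentSeverity
| order by NotableEvents desc
```

Summing NotableEvents across the rows of Query 2 gives the single "total notable events" figure for the dashboard; grouping by rule name instead of incident is a one-line change to the final summarize.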