Query Details

Security Incident Incidents With Automation Rule Failure Events From Sentinel Health

Query

// You will need previously https://github.com/ep3p/Sentinel_KQL/blob/main/Queries/Sentinel%20Performance/SentinelHealth-Sentinel%20failure.kql
SecurityIncident
| where Title has_all ("Sentinel health - Automation rule - ", " - Incident Number")
| extend Number = tostring(split(Title, " ")[-1])
| join kind=rightsemi (SecurityIncident | extend IncidentNumber = tostring(IncidentNumber)) on $left.Number == $right.IncidentNumber
// | where Title has_all ("Sentinel health - Automation rule - ", " - Incident Number")
// | extend Number = tostring(split(Title, " ")[-1])
// | join kind=rightsemi (SecurityIncident | extend IncidentNumber = tostring(IncidentNumber)) on $left.Number == $right.IncidentNumber
// | where Title has_all ("Sentinel health - Automation rule - ", " - Incident Number")
// | extend Number = tostring(split(Title, " ")[-1])
// | join kind=rightsemi (SecurityIncident | extend IncidentNumber = tostring(IncidentNumber)) on $left.Number == $right.IncidentNumber
// | where Title has_all ("Sentinel health - Automation rule - ", " - Incident Number")
// | extend Number = tostring(split(Title, " ")[-1])
// | join kind=rightsemi (SecurityIncident | extend IncidentNumber = tostring(IncidentNumber)) on $left.Number == $right.IncidentNumber

Explanation

This KQL (Kusto Query Language) query is designed to filter and match specific security incidents in Microsoft Sentinel. Here's a simple summary of what it does:

  1. Filter Incidents: It starts by looking for security incidents with titles that contain both "Sentinel health - Automation rule -" and " - Incident Number". This suggests that the query is interested in incidents related to Sentinel's health and automation rules.

  2. Extract Incident Number: From these filtered incidents, it extracts the incident number, which is the last part of the title, and converts it to a string.

  3. Join with Other Incidents: It performs a right-semi join with the SecurityIncident table again, matching the extracted incident number with the IncidentNumber field in the table. This effectively filters the incidents to only those that have a corresponding entry in the SecurityIncident table with the same incident number.

The commented-out lines are repetitions of the same logic, which are not executed. They might be there for reference or future use.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: June 13, 2024

Tables

SecurityIncident

Keywords

SecurityIncidentSentinelHealthAutomationRuleIncidentNumberTitle

Operators

SecurityIncidentwherehas_allextendtostringsplitjoinkindrightsemi

Actions

GitHub