Security Incident Incidents With Automation Rule Failure Events From Sentinel Health
Query
// You will need previously https://github.com/ep3p/Sentinel_KQL/blob/main/Queries/Sentinel%20Performance/SentinelHealth-Sentinel%20failure.kql
SecurityIncident
| where Title has_all ("Sentinel health - Automation rule - ", " - Incident Number")
| extend Number = tostring(split(Title, " ")[-1])
| join kind=rightsemi (SecurityIncident | extend IncidentNumber = tostring(IncidentNumber)) on $left.Number == $right.IncidentNumber
// | where Title has_all ("Sentinel health - Automation rule - ", " - Incident Number")
// | extend Number = tostring(split(Title, " ")[-1])
// | join kind=rightsemi (SecurityIncident | extend IncidentNumber = tostring(IncidentNumber)) on $left.Number == $right.IncidentNumber
// | where Title has_all ("Sentinel health - Automation rule - ", " - Incident Number")
// | extend Number = tostring(split(Title, " ")[-1])
// | join kind=rightsemi (SecurityIncident | extend IncidentNumber = tostring(IncidentNumber)) on $left.Number == $right.IncidentNumber
// | where Title has_all ("Sentinel health - Automation rule - ", " - Incident Number")
// | extend Number = tostring(split(Title, " ")[-1])
// | join kind=rightsemi (SecurityIncident | extend IncidentNumber = tostring(IncidentNumber)) on $left.Number == $right.IncidentNumberExplanation
This KQL (Kusto Query Language) query is designed to filter and match specific security incidents in Microsoft Sentinel. Here's a simple summary of what it does:
-
Filter Incidents: It starts by looking for security incidents with titles that contain both "Sentinel health - Automation rule -" and " - Incident Number". This suggests that the query is interested in incidents related to Sentinel's health and automation rules.
-
Extract Incident Number: From these filtered incidents, it extracts the incident number, which is the last part of the title, and converts it to a string.
-
Join with Other Incidents: It performs a right-semi join with the
SecurityIncidenttable again, matching the extracted incident number with theIncidentNumberfield in the table. This effectively filters the incidents to only those that have a corresponding entry in theSecurityIncidenttable with the same incident number.
The commented-out lines are repetitions of the same logic, which are not executed. They might be there for reference or future use.
Details

Jose Sebastián Canós
Released: June 13, 2024
Tables
Keywords
Operators