Query Details

Security Incident Incidents With Automation Rule Failure Events From Sentinel Health

Query

// Requires the analytics rule https://github.com/ep3p/Sentinel_KQL/blob/main/Queries/Sentinel%20Performance/SentinelHealth-Sentinel%20failure.kql to be deployed beforehand;
// it raises the "Sentinel health - Automation rule - Failure - Incident Number <N>" incidents this query looks for.
SecurityIncident
| where Title has "Sentinel health - Automation rule - Failure - Incident Number"
| extend Number = tostring(split(Title, " ")[-1])
| join kind=rightsemi SecurityIncident on $left.Number == $right.ProviderIncidentId

Explanation

The query first selects the SecurityIncident records raised by the referenced Sentinel health rule, i.e. those whose Title contains "Sentinel health - Automation rule - Failure - Incident Number". It splits the Title on spaces and takes the last token as the number of the incident on which an automation rule failed, cast to string because ProviderIncidentId stores the incident number as a string. The rightsemi join then returns only the right-side rows, that is, the SecurityIncident records whose ProviderIncidentId equals that number: the original incidents affected by an automation rule failure, with their own schema. The health incidents themselves are not part of the output. Note that SecurityIncident holds one row per incident update, so an affected incident can appear several times; add summarize arg_max(TimeGenerated, *) by IncidentNumber if you only want its latest state.
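To make the join semantics visible without a live workspace, here is an added, self-contained KQL example (not part of the original query or the author's repository) that runs the same logic over a constructed SampleIncidents datatable standing in for SecurityIncident. The sample rows, incident numbers and titles are made up; the column names follow the real SecurityIncident schema.

```kql
// Constructed sample standing in for SecurityIncident (not real Sentinel data):
// incident 101 has two update rows, incident 102 is unaffected, health incident 201
// points at 101, and health incident 202 points at an incident absent from the sample.
let SampleIncidents = datatable(TimeGenerated:datetime, IncidentNumber:int, ProviderIncidentId:string, Title:string, Status:string)
[
    datetime(2024-02-14T08:00:00Z), 101, "101", "Suspicious sign-in from unfamiliar location", "New",
    datetime(2024-02-14T08:05:00Z), 101, "101", "Suspicious sign-in from unfamiliar location", "Active",
    datetime(2024-02-14T08:10:00Z), 102, "102", "Mass download by a single user", "New",
    datetime(2024-02-14T08:06:00Z), 201, "201", "Sentinel health - Automation rule - Failure - Incident Number 101", "New",
    datetime(2024-02-14T08:20:00Z), 202, "202", "Sentinel health - Automation rule - Failure - Incident Number 999", "New"
];
// Left side: the health incidents, with the affected incident number extracted from the Title.
SampleIncidents
| where Title has "Sentinel health - Automation rule - Failure - Incident Number"
| extend Number = tostring(split(Title, " ")[-1])
// kind=rightsemi keeps only right-side rows whose ProviderIncidentId matches a Number,
// so the output carries the affected incidents' own columns, not the health incidents'.
| join kind=rightsemi SampleIncidents on $left.Number == $right.ProviderIncidentId
// SecurityIncident stores one row per update; collapse to the latest state of each incident.
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| project TimeGenerated, IncidentNumber, Title, Status
```

Paste it into the Logs blade of any workspace (it reads no table). Health incident 201 matches both update rows of incident 101, which the summarize collapses into one row carrying the latest Status; health incident 202 references a number with no matching ProviderIncidentId and therefore contributes nothing; incident 102 never appears because no health incident points at it. Swap SampleIncidents for SecurityIncident to run the same pipeline on real data.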

Details


Jose Sebastián Canós

Released: February 14, 2024

Tables

SecurityIncident

Keywords

SecurityIncident, Title, Sentinel health - Automation rule - Failure - Incident Number, Number, ProviderIncidentId

Operators

where, has, extend, tostring, split, join, kind, rightsemi, on
