Azure Sentinel Incident Advanced Search Limitations

Microsoft released a super-cool new search capability for Incidents in Azure Sentinel. Prior to this release, analysts could perform a basic search and return results for the Incident ID, Incident Title, assigned Tags, Incident Owner, and the Product name associated with the Incident.

With this new facility, analysts can now also include: Alert ID, Alert description, Alert name, Alert severity, Analytic rule ID, Bookmark ID, Closing comment, Comments, Entities, Incident description, Reason for closing, and Tactics.

These can be chosen one at a time, or multi-selected until you get the data you want.

New Advanced Incident Search

However, there are a couple of caveats to keep in mind when you use this new feature. These aren’t deal breakers, just something necessary to know.

[1] Your Advanced selections are not retained. As soon as you switch to another blade in Azure Sentinel, close the browser tab, or exit the Azure portal altogether, your selection is dismissed. The next time you want to perform an Advanced search on any of the new fields, you’ll need to select them again.

[2] The Advanced search feature shows a maximum of 50 results. The Advanced search is designed to return more exact results, so fewer than 50 should be enough. The more filters you use, the more pinpointed your results. If you’re searching for all Incidents assigned to a certain person (the Owner field supports both names and email addresses, btw) over the last 3 months, this could be a problem. Instead, use a Workbook or a query to get the data you want if it’s for longer periods or you want to capture more historical data.

Results limit
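
The query route from caveat [2], as an added example that is not part of the original post: a KQL query over the SecurityIncident table in the Sentinel Log Analytics workspace that lists every incident currently assigned to one owner over the last 3 months, without the 50-result cap. The owner address is a constructed placeholder, and the query assumes the workspace retains at least 90 days of data.

```kusto
// Added example. ownerEmail is a constructed placeholder, not a value from the post.
let ownerEmail = "analyst@contoso.example";
let lookback = 90d;
SecurityIncident
| where TimeGenerated > ago(lookback)
// SecurityIncident gets a new row on every incident update (status change,
// reassignment, comment), so keep only the latest record per incident.
// Filtering on Owner before this step would also match incidents that were
// assigned to this person earlier and later handed to someone else.
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// Drop older incidents that only appear because they were updated recently.
| where CreatedTime > ago(lookback)
// Owner is a dynamic column; pull out the fields the portal search matches on.
| extend OwnerEmail = tostring(Owner.email),
         OwnerName  = tostring(Owner.assignedTo)
| where OwnerEmail =~ ownerEmail
| extend Tactics    = tostring(AdditionalData.tactics),
         AlertCount = toint(AdditionalData.alertsCount)
| project IncidentNumber, Title, Severity, Status, Classification,
          OwnerName, OwnerEmail, CreatedTime, ClosedTime,
          Tactics, AlertCount, IncidentUrl
| order by CreatedTime desc
```

To match on the display name instead of the address, filter on OwnerName. The same query can back a Workbook grid if you want the result kept as a saved view.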

