r/AzureSentinel

Sentinel diagnostic settings

Hi

Curious how you utilize the SentinelHealth table? One scenario at the top of my mind - our connector monitoring is queries dependent on the tables of the actual connectors, but we are especially curious to monitor connector health with these diagnostic settings.

As far as diagnostic settings go, there are three categories, 'Analytics', 'Automation' and 'Data Collection - Connectors'. As per my understanding, these won't generate cost and are not billable. Is that correct? Ref. https://learn.microsoft.com/en-us/azure/sentinel/health-audit

u/Historical-Ear7543 — 1 day ago

Exporting a list of all incidents from Sentinel

I'm trying to export a csv of all the incidents ever registered in Sentinel in my org. This covers 2+ years of Sentinel usage. I did some digging and it turns out you cannot export data from the Threat Mgmt > Incidents tab. You can however export a table of incidents from Log Analytics with a SecurityIncident query (set the time frame to the earliest data possible).

So I did exactly that and set the display count to "max limit". Each time, the query only outputs a list going back 90 days in time. Is there a data retention limit in Log Analytics that doesn't allow you to view or export incidents longer than 90 days?

Is there any other way I can go about exporting ALL incidents registered in Sentinel?

Thanks!

u/Nice_Bag3423 — 7 days ago

Deploying Multiple Pre-Built Connectors (Workday, Salesforce, etc)

My organization has multiple tenants for Workday, Salesforce, and other similar apps. Unfortunately, most pre-built connectors only allow connecting to one environment per app. Is there any way around this? Any way to deploy duplicate connectors?

u/Lazy_Pianist5413 — 8 days ago

Identify which MFA methods your users actually use.

A simple KQL query against Sign-in logs gives you visibility into the MFA methods users are actually using:

SigninLogs
| where TimeGenerated > ago(90d)
| where ResultType == 0
| mv-expand AuthDetails = todynamic(AuthenticationDetails)
| extend AuthMethod = tostring(AuthDetails.authenticationMethod)
| where isnotempty(AuthMethod)
| where AuthMethod !in ("Previously satisfied")
| summarize AuthEvents = count(), Users = dcount(UserPrincipalName) by AuthMethod
| order by AuthEvents desc


u/EduardsGrebezs — 11 days ago
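The KQL pipeline in the post above, re-implemented in Python over constructed sign-in records as an added example (not code from the post or from Microsoft), so the mv-expand and filtering steps can be checked offline: one sign-in with two AuthenticationDetails entries becomes two counted rows, while failed sign-ins, "Previously satisfied" entries, empty methods and events older than the window are dropped. The sample rows, the `_row` helper and the `summarize_auth_methods` function are assumptions for this example; the column and JSON key names are the ones the query uses.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rows standing in for SigninLogs records (not real tenant
# data). Only the columns the KQL query touches are present; AuthenticationDetails
# is the JSON array string that the real table stores, and ResultType is text.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def _row(days_ago, upn, result, methods):
    """Helper to build one sign-in record from a list of authentication methods."""
    details = [{"authenticationMethod": m, "succeeded": True} for m in methods]
    return {"TimeGenerated": NOW - timedelta(days=days_ago), "ResultType": result,
            "UserPrincipalName": upn, "AuthenticationDetails": json.dumps(details)}

SAMPLE_SIGNINS = [
    _row(1, "alice@example.com", "0", ["Password", "Microsoft Authenticator App"]),
    _row(5, "bob@example.com", "0", ["Password", "Text message (SMS)"]),
    _row(3, "carol@example.com", "0", ["Password", "FIDO2 security key"]),
    _row(10, "alice@example.com", "0", ["Previously satisfied"]),  # dropped: no real prompt
    _row(20, "carol@example.com", "50126", ["Password"]),          # dropped: failed sign-in
    _row(120, "dave@example.com", "0", ["Password", "Microsoft Authenticator App"]),  # outside 90d
    _row(2, "bob@example.com", "0", ["", "Microsoft Authenticator App"]),  # empty method dropped
]

def summarize_auth_methods(rows, now=NOW, window_days=90):
    """Python equivalent of the KQL pipeline: keep successful sign-ins newer than
    ago(window), expand each AuthenticationDetails entry into its own row, drop empty
    and 'Previously satisfied' methods, then count events and distinct users per
    method, ordered by events descending (method name breaks ties)."""
    cutoff = now - timedelta(days=window_days)
    events = defaultdict(int)
    users = defaultdict(set)
    for row in rows:
        if row["TimeGenerated"] <= cutoff or str(row["ResultType"]) != "0":
            continue
        for detail in json.loads(row["AuthenticationDetails"] or "[]"):
            method = str(detail.get("authenticationMethod") or "")
            if not method or method == "Previously satisfied":
                continue
            events[method] += 1
            users[method].add(row["UserPrincipalName"])
    return sorted(((m, events[m], len(users[m])) for m in events),
                  key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for method, n_events, n_users in summarize_auth_methods(SAMPLE_SIGNINS):
        print(f"{method:30s} AuthEvents={n_events:3d} Users={n_users}")
```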