Categories: Kusto Query Language, Microsoft Defender for Endpoint, Microsoft Sentinel, SECURE

List Most Triggered Incidents

Description

The results of this KQL query provide insight into the top 10 incidents triggered in the selected timeframe. This can indicate which incidents should be addressed first to limit potential false positives.

Query

Microsoft Defender for Endpoint
Kusto
// Timeframe to collect incident statistics
let timeframe = 7d;
AlertInfo
| where Timestamp > ago(timeframe)
// Collect the first entry of each alert
| summarize arg_min(Timestamp, *) by AlertId
// Get the alert statistics
| summarize Triggers = count(), AlertIds = make_set(AlertId) by Title
| top 10 by Triggers

Microsoft Sentinel
Kusto
// Timeframe to collect incident statistics
let timeframe = 7d;
SentinelHealth
| where TimeGenerated > ago(timeframe)
// Analytics rule id recorded in the health event
| extend Rule_Health = tostring(parse_json(ExtendedProperties).RuleId)
| project TimeGenerated, SentinelResourceName, Rule_Health
| join kind=inner (SecurityIncident
    | where TimeGenerated > ago(timeframe)
    // Strip the surrounding [" "] of the dynamic array to get the bare rule id (assumes one related rule per incident)
    | extend Rule_Incident = trim(@"[^\w]+", tostring(RelatedAnalyticRuleIds))
    | project TimeGenerated, Title, Rule_Incident, IncidentNumber)
    on $left.Rule_Health == $right.Rule_Incident
// Collect the first entry of each incident
| summarize arg_min(TimeGenerated, *) by IncidentNumber
// Get the incident statistics per analytics rule
| summarize Triggers = count(), IncidentNumbers = make_set(IncidentNumber) by SentinelResourceName
| top 10 by Triggers
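The queries above count triggers only. To judge which noisy rules actually produce false positives, the trigger count can be set against the analyst's closing classification. The following query is an added example, not part of the original page; it reads only the SecurityIncident table, uses the latest record per incident (SecurityIncident holds one row per update) and, like the page's own query, assumes one related analytics rule per incident.

```kusto
// Timeframe to collect incident statistics
let timeframe = 7d;
SecurityIncident
| where TimeGenerated > ago(timeframe)
// Keep the latest record of each incident so Status and Classification reflect the current triage state
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
// Bare rule id, assuming one related analytics rule per incident
| extend RuleId = trim(@"[^\w]+", tostring(RelatedAnalyticRuleIds))
| summarize Triggers = count(),
            FalsePositives = countif(Classification == "FalsePositive"),
            BenignPositives = countif(Classification == "BenignPositive"),
            TruePositives = countif(Classification == "TruePositive"),
            StillOpen = countif(Status == "New" or Status == "Active"),
            IncidentNumbers = make_set(IncidentNumber)
            by Title, RuleId
// Share of closed incidents that analysts marked as false positive
| extend FalsePositiveRatio = round(1.0 * FalsePositives / Triggers, 2)
| top 10 by Triggers
```

Rules with a high Triggers count and a high FalsePositiveRatio are the first candidates for tuning; a high StillOpen count instead points at a triage backlog rather than a noisy rule.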
