Saturday, May 17, 2025

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Kusto Query LanguageMicrosoft Defender for EndpointMicrosoft SentinelSECURE

Visualize Daily Incident Triggers

Wayne Andes 4 min read

Description

This KQL query visualizes the daily triggers in MDE or Sentinel in a columnchart. This can give insight into spikes in the amount of triggers.

Query

Microsoft Defender For Endpoint
Kusto
AlertInfo
| where Timestamp > ago(30d)
// Collect the first entry of each alert
| summarize arg_min(Timestamp, *) by AlertId
| summarize Total = count() by bin(Timestamp, 1d)
| render columnchart with(title="Incident triggers last 30 days")

Microsoft Sentinel
Kusto
SecurityIncident
| where TimeGenerated > ago(30d)
// Collect the first entry of each alert
| summarize arg_min(TimeGenerated, *) by IncidentNumber
| summarize Total = count() by bin(TimeGenerated, 1d)
| render columnchart with(title="Incident triggers last 30 days")

You May Also Like

Detect Azure Monitor Agent Connector Failures In CommonSecurityLog

Wayne Andes

List User Account Added To Sensitive Group

Wayne Andes

List Malicious Scan Attempts Not Blocked by Symantec Endpoint Protection

Wayne Andes

Leave a Reply

Your email address will not be published. Required fields are marked *