Query Details

Function: CollectIncidentStatistics()

Collect Incident Statistics

Query

let CollectIncidentStatistics = (TimeSpan: timespan) {
    SecurityIncident
    | where TimeGenerated > ago(TimeSpan)
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    | summarize TotalIncidents = count() by Severity
};
// Example
CollectIncidentStatistics(10d)

About this query

Function: CollectIncidentStatistics()

Query Information

Description

This function returns the severity statistics of Sentinel or XDR.

Defender XDR

let CollectIncidentStatistics = (TimeSpan: timespan) {
    AlertInfo
    | where TimeGenerated > ago(TimeSpan)
    | summarize arg_max(TimeGenerated, *) by AlertId
    | summarize TotalIncidents = count() by Severity
};
// Example
CollectIncidentStatistics(10d)

Sentinel

Explanation

The query defines a function called CollectIncidentStatistics that calculates the number of security incidents based on their severity level over a specified period. This function can be used with either Microsoft Defender XDR or Microsoft Sentinel data.

Here's a breakdown of how it works for each system:

  1. Defender XDR:

    • It looks at the AlertInfo table.
    • Filters alerts generated within the specified time span (e.g., the last 10 days).
    • For each unique alert (identified by AlertId), it keeps the most recent entry.
    • Counts the total number of incidents and groups them by their severity level.
  2. Sentinel:

    • It looks at the SecurityIncident table.
    • Filters incidents generated within the specified time span.
    • For each unique incident (identified by IncidentNumber), it keeps the most recent entry.
    • Counts the total number of incidents and groups them by their severity level.

In both cases, the function provides a summary of how many incidents occurred at each severity level during the specified time period. The example usage CollectIncidentStatistics(10d) shows how to call the function to get statistics for the last 10 days.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

AlertInfoSecurityIncident

Keywords

AlertInfoSeveritySecurityIncidentTimeGeneratedAlertIdIncidentNumberTotalIncidents

Operators

lettimespanwhereagosummarizearg_maxbycount

Actions

GitHub