Function: CollectIncidentStatistics()
Collect Incident Statistics
Query
let CollectIncidentStatistics = (TimeSpan: timespan) {
SecurityIncident
| where TimeGenerated > ago(TimeSpan)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| summarize TotalIncidents = count() by Severity
};
// Example
CollectIncidentStatistics(10d)About this query
Function: CollectIncidentStatistics()
Query Information
Description
This function returns the severity statistics of Sentinel or XDR.
Defender XDR
let CollectIncidentStatistics = (TimeSpan: timespan) {
AlertInfo
| where TimeGenerated > ago(TimeSpan)
| summarize arg_max(TimeGenerated, *) by AlertId
| summarize TotalIncidents = count() by Severity
};
// Example
CollectIncidentStatistics(10d)
Sentinel
Explanation
The query defines a function called CollectIncidentStatistics that calculates the number of security incidents based on their severity level over a specified period. This function can be used with either Microsoft Defender XDR or Microsoft Sentinel data.
Here's a breakdown of how it works for each system:
-
Defender XDR:
- It looks at the
AlertInfotable. - Filters alerts generated within the specified time span (e.g., the last 10 days).
- For each unique alert (identified by
AlertId), it keeps the most recent entry. - Counts the total number of incidents and groups them by their severity level.
- It looks at the
-
Sentinel:
- It looks at the
SecurityIncidenttable. - Filters incidents generated within the specified time span.
- For each unique incident (identified by
IncidentNumber), it keeps the most recent entry. - Counts the total number of incidents and groups them by their severity level.
- It looks at the
In both cases, the function provides a summary of how many incidents occurred at each severity level during the specified time period. The example usage CollectIncidentStatistics(10d) shows how to call the function to get statistics for the last 10 days.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
AlertInfoSecurityIncident
Keywords
AlertInfoSeveritySecurityIncidentTimeGeneratedAlertIdIncidentNumberTotalIncidents
Operators
lettimespanwhereagosummarizearg_maxbycount