Collect Incident Statistics

Query

# Function: CollectIncidentStatistics()

## Query Information

#### Description
This function returns incident counts per severity level for Microsoft Sentinel or Defender XDR over a given time span.

## Defender For Endpoint
```
// Counts alerts per severity over the given window.
let CollectIncidentStatistics = (TimeSpan: timespan) {
    AlertInfo
    | where TimeGenerated > ago(TimeSpan)
    // Keep only the most recent record per alert so later updates
    // to the same alert are not counted twice
    | summarize arg_max(TimeGenerated, *) by AlertId
    | summarize TotalIncidents = count() by Severity
};
// Example: statistics for the last 10 days
CollectIncidentStatistics(10d)
```
## Sentinel
```
// Counts Sentinel incidents per severity over the given window.
let CollectIncidentStatistics = (TimeSpan: timespan) {
    SecurityIncident
    | where TimeGenerated > ago(TimeSpan)
    // SecurityIncident logs a new row on every change to an incident;
    // keep only the latest row per incident number
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    | summarize TotalIncidents = count() by Severity
};
// Example: statistics for the last 10 days
CollectIncidentStatistics(10d)
```

Explanation

This query collects and summarizes incident statistics based on severity for either Microsoft Defender for Endpoint or Azure Sentinel. It counts the total number of incidents for each severity level within a specified time frame. Because both tables record a new row each time an alert or incident is updated, the `arg_max(TimeGenerated, *)` step first reduces the data to the latest state of each alert or incident so that updates are not double counted.
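The following is an added example, not part of the original query page. It extends the Sentinel variant above to break the per-severity totals down into open and closed incidents and to show each severity's share of all incidents in the window, which is the usual next question when reviewing these numbers. It relies only on the standard `SecurityIncident` columns `TimeGenerated`, `IncidentNumber`, `Severity` and `Status`; the function name `CollectIncidentStatisticsByStatus` and the severity ordering are assumptions made for this example.

```kql
// Added example (not from the original page): per-severity incident counts
// split by status, with each severity's share of the total.
let CollectIncidentStatisticsByStatus = (TimeSpan: timespan) {
    // Latest state of every incident in the window (one row per incident)
    let LatestIncidents = SecurityIncident
        | where TimeGenerated > ago(TimeSpan)
        | summarize arg_max(TimeGenerated, *) by IncidentNumber;
    // Total across all severities, used for the percentage column
    let TotalInWindow = toscalar(LatestIncidents | count);
    LatestIncidents
    | summarize
        TotalIncidents  = count(),
        OpenIncidents   = countif(Status in ("New", "Active")),
        ClosedIncidents = countif(Status == "Closed")
        by Severity
    | extend PercentOfAll = round(100.0 * TotalIncidents / TotalInWindow, 1)
    // Assumed ordering: High first, then Medium, Low, Informational
    | extend SeverityRank = case(
        Severity == "High", 1,
        Severity == "Medium", 2,
        Severity == "Low", 3,
        4)
    | order by SeverityRank asc
    | project-away SeverityRank
};
// Example: last 30 days
CollectIncidentStatisticsByStatus(30d)
```

A large `OpenIncidents` count at High severity relative to `ClosedIncidents` is a quick backlog indicator; the percentage column makes it easy to compare windows of different lengths.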

Details

Bert-Jan Pals

Released: April 19, 2024

Tables

AlertInfo, SecurityIncident

Keywords

TimeSpan, AlertInfo, TimeGenerated, AlertId, TotalIncidents, Severity, SecurityIncident, IncidentNumber

Operators

where, summarize, arg_max, count()