Defender XDR Alert Evidence Summarized
Query
AlertEvidence
| where Timestamp > ago(1d)
| where AlertId == "<<<>>>"
| extend AdditionalFields = bag_remove_keys(todynamic(AdditionalFields), dynamic(["MergeByKey", "MergeByKeyHex"]))
| extend AdditionalFieldsType = iff(EntityType == "GenericEntity", tostring(AdditionalFields["Type"]), "")
| extend AllInfo = bag_remove_keys(pack_all(true), dynamic(["Timestamp", "Title", "Severity", "Categories", "AttackTechniques", "ServiceSource", "DetectionSource", "AlertId","EntityType"]))
| extend Packed = bag_remove_keys(AllInfo, dynamic(["EvidenceRole", "EvidenceDirection", "AdditionalFields", "AdditionalFieldsType"]))
| extend PackedKeys = bag_keys(Packed)
| summarize
AllInfo = make_set(AllInfo),
EntityList = make_set_if(Packed, array_length(PackedKeys) > 0),
EntityKeys = make_set_if(PackedKeys, array_length(PackedKeys) > 0),
take_any(Timestamp, Title, Severity, Categories, AttackTechniques, ServiceSource, DetectionSource)
by AlertId, EntityType
| summarize
AllInfo = make_bag(bag_pack(EntityType, AllInfo)),
BagToUnpack = make_bag_if(bag_pack(EntityType, EntityList), array_length(EntityKeys) > 0),
ColumnKeys = make_bag_if(bag_pack(EntityType, EntityKeys), array_length(EntityKeys) > 0),
take_any(Timestamp, Title, Severity, Categories, AttackTechniques, ServiceSource, DetectionSource)
by AlertId
| extend EntityColumns = bag_keys(BagToUnpack)
| evaluate bag_unpack(BagToUnpack)
| project-reorder Timestamp, AlertId, ServiceSource, DetectionSource, Title, Severity, Categories, AttackTechniques, EntityColumns, ColumnKeysExplanation
This query is designed to process and summarize alert evidence data from a security monitoring system. Here's a simplified breakdown of what it does:
-
Filter Data: It starts by filtering the
AlertEvidencetable to include only records from the last day (ago(1d)) and those with a specificAlertId. -
Process Additional Fields: It removes certain keys (
MergeByKey,MergeByKeyHex) from theAdditionalFieldsand extracts aTypefield if the entity is of typeGenericEntity. -
Pack Information: It creates a packed version of all information, excluding some predefined fields, to focus on relevant data.
-
Summarize by Alert and Entity Type: It groups the data by
AlertIdandEntityType, collecting all relevant information and creating lists of entities and their keys if they exist. -
Further Summarization: It further summarizes the data by
AlertId, creating bags (collections) of information and keys for each entity type. -
Unpack and Reorder: It unpacks the collected data for easier access and reorders the columns for a structured output.
The final result is a neatly organized table that highlights key alert details and associated entities, making it easier to analyze and understand the context of each alert.
Details

Jose Sebastián Canós
Released: October 17, 2024
Tables
Keywords
Operators