Query Details

Device New ASR Events

Query

//Retrieve any new ASR alerts in your environment over the last week not previously seen in the prior 90 days and which devices have triggered them

//Data connector required for this query - M365 Defender - Device* tables

let timerange=90d;
let existingalerts=
DeviceEvents
| where TimeGenerated > ago(timerange) and TimeGenerated < ago(7d)
| where ActionType startswith "Asr"
| distinct ActionType;
DeviceEvents
| where TimeGenerated > ago(7d)
| where ActionType startswith "Asr"
| where ActionType !in (existingalerts)
| summarize ['Device List']=make_set(DeviceName) by ActionType

Explanation

This query retrieves any new ASR (attack surface reduction rule) alerts in your environment over the last week that have not been seen in the prior 90 days, and lists the devices that triggered each one. "New" here means the ASR ActionType value itself has not appeared on any device in the baseline window; that baseline runs from 90 days ago up to 7 days ago, so the most recent week is excluded from it and an ActionType that last fired more than 90 days ago is also reported as new. The query requires the M365 Defender data connector (Device* tables).
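The baselining logic of the query in plain Python, as an added example that is not part of the original page: it reproduces what the KQL computes over a constructed set of DeviceEvents-like rows (the ActionType strings follow the Asr* naming pattern but are illustrative, and the device names and timestamps are made up), so you can see why an ActionType seen only in the last week, or only outside the 90-day window, is reported as new while one present in the baseline is not.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical "now" so the constructed timestamps below are stable.
NOW = datetime(2022, 6, 17, tzinfo=timezone.utc)


def days_ago(n):
    """Timestamp n days before NOW (helper for the constructed sample)."""
    return NOW - timedelta(days=n)


# Constructed sample rows: (TimeGenerated, ActionType, DeviceName).
# These are not real telemetry; they only exercise the query's windows.
SAMPLE_EVENTS = [
    (days_ago(60), "AsrLsassCredentialTheftBlocked", "ws-01"),   # in baseline window
    (days_ago(2),  "AsrLsassCredentialTheftBlocked", "ws-02"),   # recent, but already known
    (days_ago(3),  "AsrOfficeChildProcessBlocked",   "ws-03"),   # first seen this week -> new
    (days_ago(1),  "AsrOfficeChildProcessBlocked",   "ws-04"),
    (days_ago(95), "AsrPsexecWmiChildProcessAudited", "srv-01"), # older than timerange, not in baseline
    (days_ago(4),  "AsrPsexecWmiChildProcessAudited", "srv-02"), # so this counts as new
    (days_ago(5),  "AsrUntrustedUsbProcessBlocked",   "ws-05"),  # new
    (days_ago(6),  "NetworkProtectionUserBypassEvent", "ws-06"), # not an Asr* ActionType -> ignored
]


def new_asr_events(events, now=NOW, timerange=timedelta(days=90), recent=timedelta(days=7)):
    """Mirror the KQL: the baseline is the set of Asr* ActionTypes seen strictly
    between now-timerange and now-recent; the result is every Asr* ActionType
    seen after now-recent that is absent from the baseline, mapped to the
    devices that triggered it (make_set is unordered; a sorted list is used here)."""
    baseline_start = now - timerange
    recent_start = now - recent

    # let existingalerts = DeviceEvents | where ... | distinct ActionType;
    existing = {
        action for ts, action, _ in events
        if baseline_start < ts < recent_start and action.startswith("Asr")
    }

    # DeviceEvents | where TimeGenerated > ago(7d) | where ActionType startswith "Asr"
    #              | where ActionType !in (existingalerts)
    #              | summarize ['Device List']=make_set(DeviceName) by ActionType
    device_lists = {}
    for ts, action, device in events:
        if ts > recent_start and action.startswith("Asr") and action not in existing:
            device_lists.setdefault(action, set()).add(device)
    return {action: sorted(devs) for action, devs in sorted(device_lists.items())}


if __name__ == "__main__":
    for action, devices in new_asr_events(SAMPLE_EVENTS).items():
        print(f"{action}: {devices}")
```

The comparison is keyed on the ActionType string alone, exactly as in the query, so a rule that is already firing in audit mode and then starts blocking shows up as new because the Blocked and Audited variants are distinct ActionType values; shortening `timerange` or the 7-day window changes what counts as "previously seen" in the same way it does in KQL.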

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceEvents

Keywords

Retrieve, ASR alerts, environment, last week, prior 90 days, devices, triggered, Data connector, M365 Defender, DeviceEvents, TimeGenerated, ago, ActionType, distinct, DeviceName, summarize, make_set

Operators

ago, let, where, distinct, in, summarize, make_set, by
