Query Details

Device Visualize ASR Events with trend

Query

//Visualize your total attack surface reduction rule events over time with trend

//Data connector required for this query - M365 Defender - Device* tables

let StartDate = now(-90d);
let EndDate = now();
DeviceEvents
| where ActionType startswith "Asr"
| make-series ['Total ASR Events']=count() on TimeGenerated in range(StartDate, EndDate, 1d)
| extend (RSquare, SplitIdx, Variance, RVariance, TrendLine)=series_fit_2lines(['Total ASR Events'])
| project TimeGenerated, ['Total ASR Events'], Trend=TrendLine
| render timechart
    with (
    xtitle="Day",
    ytitle="Count of ASR Events",
    title="Attack surface reduction events over time with trend")

Explanation

This query charts the daily total of attack surface reduction (ASR) rule events over the last 90 days, together with a trend line. It requires the M365 Defender data connector (Device* tables) and reads from DeviceEvents, keeping only rows whose ActionType starts with "Asr". The make-series operator counts the events for each day, and series_fit_2lines fits the trend line that is plotted alongside the daily counts. The resulting time chart shows the count of ASR events on the y-axis and the day on the x-axis, under the title "Attack surface reduction events over time with trend".

Details

Matt Zorich

Released: June 17, 2022

Tables

DeviceEvents

Keywords

Visualize, attack surface reduction, rule events, time, trend, Data connector, M365 Defender, DeviceEvents, ActionType, Total ASR Events, TimeGenerated, RSquare, SplitIdx, Variance, RVariance, TrendLine, project, render, timechart, xtitle, ytitle, title

Operators

where, make-series, extend, project, render
