Query Details

How Many Alerts Generated By Service

Query

//Show how many alerts have been generated by a specific service. Example here is MCAS. Change Product to the service you want info on.

SecurityIncident
// alertProductNames is an array inside the dynamic AdditionalData column; take its first entry
| extend Product = tostring(AdditionalData.alertProductNames[0])
| where Product has "Microsoft Cloud App Security"
| summarize count() by tostring(AlertIds)
| summarize sum(count_)

Explanation

This query shows the number of alerts generated by a specific service, such as Microsoft Cloud App Security. It takes the first entry of the alertProductNames array in the AdditionalData column as the product, keeps the rows whose product contains that service name, counts rows grouped by the AlertIds string, and then sums those per-group counts. Two caveats apply. The two summarize steps together are equivalent to a single count(), because summing the per-group counts gives back the total number of filtered rows. And because SecurityIncident writes a new row each time an incident is updated, while AlertIds is an array that can hold several alerts, the figure is the number of incident rows for that product rather than the number of distinct alerts. To count distinct alerts, keep only the latest row per incident (arg_max on TimeGenerated by IncidentNumber) and mv-expand AlertIds before counting.
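The following variant is an added example, not the query from the original page: it deduplicates incident updates, expands the AlertIds array so each alert is counted once, and reports both distinct alerts and distinct incidents per product. The TargetProduct value is an assumed placeholder; change it, or drop the where line, to get a breakdown across every product.

```kusto
// Added example (not the page's original query): distinct alerts per product.
// TargetProduct is an assumed value; replace it with the service you want.
let TargetProduct = "Microsoft Cloud App Security";
SecurityIncident
// SecurityIncident writes a new row on every update; keep the latest row per incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// alertProductNames is an array; expand it so each product gets its own row
| extend Products = AdditionalData.alertProductNames
| mv-expand Product = Products to typeof(string)
| where Product has TargetProduct
// AlertIds is also an array; expand it so each alert is counted exactly once
| mv-expand AlertId = AlertIds to typeof(string)
| summarize DistinctAlerts = dcount(AlertId), Incidents = dcount(IncidentNumber) by Product
```

Note that an incident can group alerts from more than one product, and AlertIds holds all of them, so the DistinctAlerts figure counts every alert in an incident that involves the target product. For a strict per-alert product attribution, query the SecurityAlert table and summarize on its ProductName column instead.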

Details

Rod Trent

Released: February 17, 2021

Tables

SecurityIncident

Keywords

Alerts,Service,MCAS,Product,AdditionalData,MicrosoftCloudAppSecurity,AlertIds,count,sum

Operators

extend, where, summarize
