Query Details

Security Alert Detect New Alerts

Query

//List any new alert types found by the Defender product suite in the last week compared to the previous year

//Data connector required for this query - Security Alert (free table that other Defender products send alert info to)

//First find all the existing alerts from the last year excluding the last week
let existingalerts=
    SecurityAlert
    | where TimeGenerated > ago(365d) and TimeGenerated < ago(7d)
    // Exclude alerts from Sentinel itself
    | where ProviderName != "ASI Scheduled Alerts"
    | distinct AlertName;
//Find new alerts triggered in the last week
SecurityAlert
| where TimeGenerated > ago(7d)
// Exclude alerts from Sentinel itself
| where ProviderName != "ASI Scheduled Alerts"
| where AlertName !in (existingalerts)
| distinct AlertName, ProviderName, ProductName

Explanation

This query is looking for any new types of alerts that have been found by the Defender product suite in the last week compared to the previous year. It uses the Security Alert data connector to retrieve the alert information.

First, it identifies all the existing alerts from the last year, excluding the last week. It excludes alerts from Sentinel itself and retrieves the distinct alert names.

Then, it finds new alerts triggered in the last week. It also excludes alerts from Sentinel itself and filters out any alerts that were found in the previous step. Finally, it retrieves the distinct alert names, provider names, and product names.
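As an added example (not part of the original query or its author's page), the same new-alert logic can be extended so each new alert type is reported with when it first and last fired in the week, how many times, and which severities it carried. The names `lookback` and `recent` are let-variables chosen here; `AlertSeverity` is a standard column of the SecurityAlert table.

```kql
// Added example: extends the catalog query with first/last seen, count and severities per new alert type
let lookback = 365d;   // assumption: how far back "existing" alert types are collected
let recent = 7d;       // assumption: the window in which an alert type counts as new
// Alert types already seen in the lookback period, excluding the recent window
let existingalerts =
    SecurityAlert
    | where TimeGenerated > ago(lookback) and TimeGenerated < ago(recent)
    // Exclude alerts generated by Sentinel analytics rules, as the original query does
    | where ProviderName != "ASI Scheduled Alerts"
    | distinct AlertName;
// Alert types that appeared only inside the recent window
SecurityAlert
| where TimeGenerated > ago(recent)
| where ProviderName != "ASI Scheduled Alerts"
| where AlertName !in (existingalerts)
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            AlertCount = count(),
            Severities = make_set(AlertSeverity)
    by AlertName, ProviderName, ProductName
// Earliest-appearing new alert types first, so triage starts with the longest-running ones
| order by FirstSeen asc
```

A new alert type that fires only once with low severity and one that fires dozens of times at high severity both appear in the original output as a single row; the summarized form separates them at a glance.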

Details


Matt Zorich

Released: June 17, 2022

Tables

SecurityAlert

Keywords

SecurityAlert,TimeGenerated,ProviderName,AlertName,ProductName

Operators

where, ago(), distinct, |, !=, in()
