Query Details

Security Alert Forecast Identity Protection

Query

//Forecast the count of Azure AD Identity Protection events for the next 14 days based on the previous 30 days

//Data connector required for this query - Security Alert (free table that other Defender products send alert info to)

SecurityAlert
| where ProviderName == "IPC"
| make-series ["Azure AD Identity Protection Events"]=count() on TimeGenerated from ago(30d) to now() + 14d step 1d
| extend ["Azure AD Identity Protection Events Forecast"] = series_decompose_forecast(['Azure AD Identity Protection Events'], toint(14d / 1d))
| render timechart 

Explanation

This query forecasts the daily count of Azure AD Identity Protection events for the next 14 days based on the data from the previous 30 days. It uses the Security Alert data connector and keeps only the rows of the SecurityAlert table where ProviderName is "IPC". The make-series operator counts the events per day on a time axis that runs from 30 days ago to 14 days ahead, and the extend operator adds a forecast column, computed by series_decompose_forecast() for those last 14 points. The render operator displays the results in a timechart.
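The same pipeline run over constructed data and shown as a table instead of a chart, so the history and forecast points can be inspected in a workspace with no Identity Protection alerts. This is an added example, not part of the original query; the sample counts and the names `horizon`, `start`, `sample`, `DayIndex`, `AlertsThatDay`, `Actual`, `Forecast` and `Period` are assumptions made for illustration.

```kql
// Added example: constructed data, not real SecurityAlert rows.
let horizon = 14d;                          // forecast window, as in the query above
let start = startofday(ago(30d));           // first day of the 30-day history
// 30 constructed daily totals: slow upward trend plus a 5-days-on / 2-days-off weekly pattern
let sample = range DayIndex from 0 to 29 step 1
    | extend TimeGenerated = start + DayIndex * 1d
    | extend AlertsThatDay = 5 + DayIndex / 5 + iff(DayIndex % 7 < 5, 4, 0);
sample
// sum() of the constructed daily totals stands in for count() over SecurityAlert rows.
// The axis is extended 14 days past today; those future bins hold no data and are padded with 0.
| make-series Actual = sum(AlertsThatDay) default = 0
    on TimeGenerated from start to startofday(now()) + horizon step 1d
// The last 14 points are left out of training and filled with predicted values
| extend Forecast = series_decompose_forecast(Actual, toint(horizon / 1d))
// Unpack the three parallel arrays into one row per day
| mv-expand TimeGenerated to typeof(datetime), Actual to typeof(long), Forecast to typeof(real)
| extend Period = iff(TimeGenerated >= startofday(now()), "forecast", "history")
| project TimeGenerated, Period, Actual, Forecast = round(Forecast, 1)
```

In the `forecast` rows `Actual` is the padded 0, not an observed count, which is why the actual line on the timechart drops to zero over the forecast window while the forecast line continues.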

Details

Matt Zorich

Released: June 17, 2022

Tables

SecurityAlert

Keywords

AzureADIdentityProtectionEvents, SecurityAlert

Operators

where, make-series, count(), on, from, ago(), to, now(), +, step, extend, series_decompose_forecast(), toint(), render