Query Details

Security Alert Multiple Alerts Triggered

Query

//Detect when a user or device triggers 3 or more unique alerts within a short time frame. This example uses a period of 4 hours

//Data connector required for this query - Security Alert (free table that other Defender products send alert info to)

SecurityAlert
| where TimeGenerated > ago(1d)
| where isnotempty(CompromisedEntity) and CompromisedEntity != "CompromisedEntity"
| project TimeGenerated, ProviderName, AlertName, CompromisedEntity
| summarize
    ['Alert Names']=make_set(AlertName),
    ['Count of Unique Alerts']=dcount(AlertName)
    by CompromisedEntity, bin(TimeGenerated, 4h)
| where ['Count of Unique Alerts'] >= 3

Explanation

This query detects when a user or device triggers 3 or more unique alerts within a short time frame of 4 hours. It looks at the Security Alert data and filters for alerts generated within the past day. It then selects the relevant columns and groups the data by the compromised entity and time generated (binned in 4-hour intervals). Finally, it filters for entities that have triggered 3 or more unique alerts.
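The grouping logic above can be reproduced offline to see one property of bin() that matters when tuning this detection: bin(TimeGenerated, 4h) floors each timestamp to a fixed boundary (00:00, 04:00, 08:00, ...), so three distinct alerts that fall within four hours of each other but straddle a boundary are split across two rows and never reach the threshold. The Python below is an added illustration, not part of the original query page; the alert rows, provider name and entity names are constructed sample data, and the sliding-window function is an alternative counting method for comparison, not something the KQL query does.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SecurityAlert rows (not real telemetry):
# (TimeGenerated, ProviderName, AlertName, CompromisedEntity)
SAMPLE_ALERTS = [
    (datetime(2022, 6, 17, 1, 10), "SampleProvider", "Suspicious PowerShell", "host01"),
    (datetime(2022, 6, 17, 2, 30), "SampleProvider", "Credential dumping", "host01"),
    (datetime(2022, 6, 17, 3, 45), "SampleProvider", "Lateral movement", "host01"),
    (datetime(2022, 6, 17, 3, 45), "SampleProvider", "Lateral movement", "host01"),  # repeat; dcount ignores it
    # user02: three distinct alerts within 4 hours of each other, but they
    # straddle the 04:00 bin boundary, so the fixed-bin query does not flag them.
    (datetime(2022, 6, 17, 2, 50), "SampleProvider", "Impossible travel", "user02"),
    (datetime(2022, 6, 17, 3, 55), "SampleProvider", "Anomalous token", "user02"),
    (datetime(2022, 6, 17, 5, 10), "SampleProvider", "Malicious URL click", "user02"),
    # placeholder row of the kind the query's != "CompromisedEntity" filter drops
    (datetime(2022, 6, 17, 6, 0), "SampleProvider", "Suspicious PowerShell", "CompromisedEntity"),
]

BIN = timedelta(hours=4)
THRESHOLD = 3
EPOCH = datetime(1970, 1, 1)


def fixed_bin_hits(alerts, bin_size=BIN, threshold=THRESHOLD):
    """Mirror of: summarize dcount(AlertName) by CompromisedEntity, bin(TimeGenerated, 4h)
    followed by: where count >= threshold. Returns {(entity, bin_start): sorted alert names}."""
    names = defaultdict(set)
    for ts, _provider, alert, entity in alerts:
        if not entity or entity == "CompromisedEntity":  # isnotempty() and != filters
            continue
        bin_start = EPOCH + ((ts - EPOCH) // bin_size) * bin_size  # bin() floors to boundary
        names[(entity, bin_start)].add(alert)  # set membership == distinct count
    return {key: sorted(v) for key, v in names.items() if len(v) >= threshold}


def sliding_window_hits(alerts, window=BIN, threshold=THRESHOLD):
    """Alternative for comparison: any span of `window` length, starting at an alert,
    that holds >= threshold distinct alert names for the entity."""
    by_entity = defaultdict(list)
    for ts, _provider, alert, entity in alerts:
        if entity and entity != "CompromisedEntity":
            by_entity[entity].append((ts, alert))
    hits = {}
    for entity, rows in by_entity.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            distinct = {a for t, a in rows[i:] if t - start <= window}
            if len(distinct) >= threshold:
                hits[entity] = sorted(distinct)
                break
    return hits
```

With the sample rows, the fixed-bin method flags only host01 while the sliding window also flags user02; shrinking the bin or running the query more often than the bin width narrows that gap.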

Details

Matt Zorich

Released: June 17, 2022

Tables

SecurityAlert

Keywords

User,Device,Alerts

Operators

where, isnotempty, !=, project, summarize, make_set, dcount, by, bin, >=