Query Details

Security Alert Multiple Low Severity Alerts Triggered

Query

//Detect when the same user or device triggers 3 or more low severity alerts in the space of a day

//Data connector required for this query - Security Alert (free table that other Defender products send alert info to)

SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertSeverity == "Low"
// dcount() counts distinct alert names, so one alert firing three times counts once;
// bin(TimeGenerated, 1d) groups into fixed UTC day buckets, not a rolling 24-hour window
| summarize
    ['Count of low severity alerts']=dcount(AlertName),
    ['List of low severity alerts']=make_set(AlertName)
    by CompromisedEntity, bin(TimeGenerated, 1d)
| where ['Count of low severity alerts'] >= 3

Explanation

This query looks for instances where the same user or device triggers 3 or more low severity alerts within a day. It uses the Security Alert data connector and filters for alerts that occurred within the last 7 days and have a severity level of "Low". It then groups the alerts by the compromised entity (user or device) and the day they were generated, and finally keeps only the groups with a count of low severity alerts greater than or equal to 3. Because the count uses dcount(AlertName), it is the number of distinct low severity alert names per entity per day, so a single alert that fires repeatedly does not meet the threshold on its own; and because bin(TimeGenerated, 1d) uses fixed calendar-day buckets, a burst of alerts that straddles midnight UTC is split across two rows and may fall below the threshold in each.
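To show how the aggregation behaves on realistic rows, here is an added Python re-implementation of the same pipeline run over constructed sample alerts (example code, not part of the original query page). The column names are the ones the query uses; the entities, alert names and timestamps are made up, and "now" is pinned to a fixed date so the 7-day window is reproducible.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def _parse(ts):
    """Parse an ISO-8601 UTC timestamp as SecurityAlert stores TimeGenerated."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed sample rows (TimeGenerated, AlertSeverity, AlertName, CompromisedEntity); not real alerts.
SAMPLE_ALERTS = [
    # alice: three different Low alerts on one day -> flagged
    ("2022-06-15T08:10:00Z", "Low", "Anomalous sign-in", "alice@contoso.test"),
    ("2022-06-15T09:42:00Z", "Low", "Unfamiliar sign-in properties", "alice@contoso.test"),
    ("2022-06-15T15:05:00Z", "Low", "Suspicious inbox rule", "alice@contoso.test"),
    # bob: the same Low alert three times -> dcount(AlertName) is 1, not flagged
    ("2022-06-15T10:00:00Z", "Low", "Password spray", "bob@contoso.test"),
    ("2022-06-15T11:00:00Z", "Low", "Password spray", "bob@contoso.test"),
    ("2022-06-15T12:00:00Z", "Low", "Password spray", "bob@contoso.test"),
    # host01: three different Low alerts within 80 minutes, but across midnight UTC -> split by bin(1d)
    ("2022-06-15T23:10:00Z", "Low", "Suspicious process", "host01"),
    ("2022-06-15T23:50:00Z", "Low", "Suspicious script", "host01"),
    ("2022-06-16T00:30:00Z", "Low", "Suspicious network", "host01"),
    # carol: Medium severity -> excluded by the severity filter
    ("2022-06-15T10:00:00Z", "Medium", "Alert A", "carol@contoso.test"),
    ("2022-06-15T10:05:00Z", "Medium", "Alert B", "carol@contoso.test"),
    ("2022-06-15T10:10:00Z", "Medium", "Alert C", "carol@contoso.test"),
]

def find_noisy_entities(alerts, now, lookback_days=7, threshold=3):
    """Mirror the KQL: ago(7d) window, Low only, then per (entity, day) collect the
    distinct alert names (dcount + make_set) and keep groups at or above the threshold."""
    cutoff = now - timedelta(days=lookback_days)
    groups = defaultdict(set)
    for ts, severity, name, entity in alerts:
        when = _parse(ts)
        if when <= cutoff or severity != "Low":     # TimeGenerated > ago(7d), AlertSeverity == "Low"
            continue
        day = when.date().isoformat()               # bin(TimeGenerated, 1d) on UTC calendar days
        groups[(entity, day)].add(name)             # a set gives both the distinct count and the list
    return {key: sorted(names) for key, names in groups.items() if len(names) >= threshold}

if __name__ == "__main__":
    hits = find_noisy_entities(SAMPLE_ALERTS, _parse("2022-06-17T12:00:00Z"))
    for (entity, day), names in hits.items():
        print(f"{day} {entity}: {len(names)} distinct low severity alerts -> {names}")
```

Only alice is returned: bob's repeated alert and host01's burst across the day boundary both fall under the threshold, which is the behaviour to keep in mind when tuning this rule.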

Details


Matt Zorich

Released: June 17, 2022

Tables

SecurityAlert

Keywords

User,Device,Alerts

Operators

where, >, ago, ==, summarize, dcount, make_set, by, bin, >=
