Query Details

Security Alert Percentage of Alerts High or Critical

Query

//Calculate the percentage of alerts that are high or critical per product
//Data connector required for this query - Security Alert (free table that other Defender products send alert info to)
SecurityAlert
| where TimeGenerated > ago(30d)
| summarize
    ['Total Alert Count']=count(),
    ['Total High or Critical Count']=countif(AlertSeverity in ("Critical", "High"))
    by ProductName
| extend Percentage=(todouble(['Total High or Critical Count']) * 100 / todouble(['Total Alert Count']))
| project-reorder ProductName, ['Total Alert Count'], ['Total High or Critical Count'], Percentage
| sort by Percentage desc

Explanation

This query calculates the percentage of high or critical alerts per product. It reads the SecurityAlert table (populated by the Security Alert data connector) and keeps only alerts generated in the last 30 days. For each ProductName it counts the total number of alerts and the number whose AlertSeverity is High or Critical. The percentage is the high-or-critical count divided by the total count, multiplied by 100; both counts are cast with todouble() so the division is floating-point rather than integer division, and the total can never be zero because a product only appears in the output if it has at least one alert in the window. The columns are reordered for readability and the results are sorted in descending order of the percentage.
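The query above gives one 30-day snapshot per product. The following KQL is an added example, not the query from the original page, that breaks the same ratio into weekly buckets so a sudden rise in the severe share from one product stands out; it assumes the same SecurityAlert table and columns, and the lookback window and bucket size are assumed values a user would tune.

```kql
// Added example (not from the original page): weekly trend of the
// high/critical share per product. Assumes the SecurityAlert table
// with TimeGenerated, AlertSeverity and ProductName columns.
let lookback = 30d;   // assumed window; match the original query
SecurityAlert
| where TimeGenerated > ago(lookback)
| summarize
    ['Total Alert Count']=count(),
    ['Total High or Critical Count']=countif(AlertSeverity in ("Critical", "High"))
    by ProductName, Week=bin(TimeGenerated, 7d)   // one row per product per week
// todouble() keeps the division floating-point; round() keeps the output readable
| extend Percentage=round(todouble(['Total High or Critical Count']) * 100 / todouble(['Total Alert Count']), 2)
| project-reorder ProductName, Week, ['Total Alert Count'], ['Total High or Critical Count'], Percentage
| order by ProductName asc, Week asc
```

Because the grouping key now includes the week, a product that averages a low severe share over 30 days but had one week at 100% is visible in its own row; the original query would hide that week inside the 30-day average.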

Details


Matt Zorich

Released: June 17, 2022

Tables

SecurityAlert

Keywords

SecurityAlert, TimeGenerated, Total Alert Count, Total High or Critical Count, AlertSeverity, Critical, High, ProductName, Percentage, project-reorder, sort by Percentage desc

Operators

where, summarize, count(), countif(), by, extend, todouble(), project-reorder, project, sort by
