Query Details
Security Alert Visualize MDE Alert Severity
Query
//Visualize the severity of your MDE alerts (Informational, Low, Medium, High) per day //Data connector required for this query - Security Alert (free table that other Defender products send alert info to) SecurityAlert | where TimeGenerated > ago (14d) | where ProviderName == "MDATP" | summarize Count=count()by AlertSeverity, startofday(TimeGenerated) | render columnchart with (kind=unstacked, ytitle="Alert Count", xtitle="Day", title="Defender for Endpoint alert severity per day")
Explanation
This query retrieves data from the Security Alert table and visualizes the severity of MDE (Microsoft Defender for Endpoint) alerts per day. It filters the data for the past 14 days and only includes alerts from the MDATP provider. The query then groups the alerts by severity and the start of each day, and counts the number of alerts in each group. Finally, it renders a column chart showing the count of alerts for each severity level per day.
Details
Matt Zorich
Released: June 17, 2022
Tables
SecurityAlert
Keywords
SecurityAlert,TimeGenerated,ProviderName,AlertSeverity,startofday,Count,render,columnchart,kind,ytitle,xtitle,title,DefenderforEndpoint
Operators
wheresummarizecount()byrender