Query Details

Security Alert Visualize Total Alerts vs Unique Alerts

Query

//Visualize your total alerts vs distinct entity alerts per week
//Data connector required for this query - Security Alert (free table that other Defender products send alert info to)
SecurityAlert
| where TimeGenerated > ago(180d)
//Exclude alerts generated by Microsoft Sentinel itself if you don't wish to double count them
| where ProductName != "ASI Scheduled Alerts"
| where Status == "New"
| summarize
    ['Total Security Alerts']=count(),
    ['Unique Entity Alerts']=dcountif(CompromisedEntity, isnotempty(CompromisedEntity))
    by bin(TimeGenerated, 7d)
| render timechart with (title="Total Security Alerts vs Unique Entity Alerts")

Explanation

This query visualizes the total number of security alerts against the number of distinct compromised entities that raised at least one alert in each week. It reads the SecurityAlert table (populated by the Security Alert data connector) and keeps only alerts generated in the last 180 days whose Status is "New". Alerts with ProductName "ASI Scheduled Alerts", i.e. those raised by Microsoft Sentinel's own analytics rules, are excluded to avoid double counting. The query then summarizes the total alert count and the distinct CompromisedEntity count (alerts with an empty CompromisedEntity are skipped by dcountif) into 7-day bins and renders a time chart titled "Total Security Alerts vs Unique Entity Alerts".
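The gap between the two lines is only useful if you know what the distinct count is hiding. The following KQL is an added example, not the query above nor the author's code: it keeps the same filters and weekly bins but also counts the alerts that have no CompromisedEntity (these never appear in the unique-entity line) and computes an alerts-per-entity ratio, so a week where one entity generates many alerts stands out in the table. The column names TotalAlerts, UniqueEntityAlerts, AlertsWithoutEntity and AlertsPerEntity are my own choices.

```kql
// Added example: weekly total vs distinct-entity alerts, plus the alerts the
// distinct count ignores and the alerts-per-entity ratio. Same data source and
// filters as the catalogue query; column names are assumptions.
SecurityAlert
| where TimeGenerated > ago(180d)
// Drop Sentinel analytics-rule alerts so incidents are not counted twice
| where ProductName != "ASI Scheduled Alerts"
| where Status == "New"
| summarize
    TotalAlerts = count(),
    // dcountif skips rows where CompromisedEntity is empty
    UniqueEntityAlerts = dcountif(CompromisedEntity, isnotempty(CompromisedEntity)),
    // Alerts with no entity are invisible to the distinct count; surface them explicitly
    AlertsWithoutEntity = countif(isempty(CompromisedEntity))
    by Week = bin(TimeGenerated, 7d)
// Guard against a week with no entity-bearing alerts to avoid division by zero
| extend AlertsPerEntity = iff(UniqueEntityAlerts > 0,
                               round(todouble(TotalAlerts) / UniqueEntityAlerts, 2),
                               0.0)
| order by Week asc
```

Note that dcountif uses an approximate (HyperLogLog) estimate, so UniqueEntityAlerts can differ slightly from an exact count at high cardinality; for trend charts this is fine, but do not treat it as an exact inventory of affected entities. Because bin(TimeGenerated, 7d) aligns to 7-day multiples from the epoch rather than to calendar weeks, keep the same bin in both queries when comparing them.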

Details


Matt Zorich

Released: June 17, 2022

Tables

SecurityAlert

Keywords

SecurityAlert,TimeGenerated,ProductName,Status,CompromisedEntity

Operators

where, >, ago, !=, ==, summarize, count, dcountif, isnotempty, by, bin, render
