Query Details
Security Alert Which Tables Are In Use
Query
//Find which data sources are being used the most, by calculating which analytics rules are querying which tables when alerts are generated //This will not account for the use of functions and may double handle table names occasionally, so it can be used as just a rough guide //Data connector required for this query - Security Alert (free table that other Defender products send alert info to) let tablenames = search * | summarize make_set($table); SecurityAlert | where TimeGenerated > ago (30d) | where ProviderName == "ASI Scheduled Alerts" | summarize arg_max(TimeGenerated, *) by SystemAlertId | extend Query = tostring(parse_json(ExtendedProperties).Query) | mv-apply table=toscalar(tablenames) to typeof(string) on (where Query contains ['table']) | summarize QueryCount = count()by ['table'], AlertName | order by QueryCount
Explanation
This query is used to find out which data sources are being used the most by analyzing which analytics rules are querying which tables when alerts are generated. It calculates the number of times each table is queried in the alerts generated by the "ASI Scheduled Alerts" provider in the past 30 days. However, it may not account for the use of functions and may occasionally count table names twice, so the results should be used as a rough guide. The query requires a data connector called "Security Alert" which is a free table that other Defender products send alert information to. The final result is ordered by the number of times each table is queried.
Details
Matt Zorich
Released: May 11, 2023
Tables
SecurityAlert
Keywords
DataSources,AnalyticsRules,Tables,Alerts,DataConnector
Operators
letsearchsummarizemake_setwhereagoProviderNamearg_maxextendtostringparse_jsonmv-applytypeofoncontainscountbyorder by