Query Details

Security Incident - Stopped Event Reception

Query

// Scheduled run interval; the detection window below is exactly one run wide
let query_frequency = 15m;
// Lookback window; must be longer than ExpectedIngestionFrequency + query_frequency
let query_period = 2h;
let _ExpectedFrequencies =
    _GetWatchlist('DataType-IngestedTables')
    | where Type == "SecurityIncident"
    | project Type, Critical, ExpectedIngestionFrequency = totimespan(Frequency)
;
SecurityIncident
| where TimeGenerated > ago(query_period)
// Latest arrival per table, measured with ingestion_time() rather than TimeGenerated
| summarize IngestionTime = max(ingestion_time()) by Type
| lookup kind=inner _ExpectedFrequencies on Type
// Fires only on the run in which the silence first exceeds the expected frequency
| where IngestionTime between (ago(ExpectedIngestionFrequency + query_frequency) .. ago(ExpectedIngestionFrequency))
| extend
    TimespanWithoutIngestion = now() - IngestionTime,
    AlertSeverity = case(
        Critical == "true", "High",
        "Informational"
        )
| project Type, Critical, ExpectedIngestionFrequency, TimespanWithoutIngestion, AlertSeverity

Explanation

This query detects when the SecurityIncident table has stopped receiving events. It first reads the DataType-IngestedTables watchlist, keeps the row for SecurityIncident, and converts that row's Frequency column into the expected ingestion interval (ExpectedIngestionFrequency).

Next, it takes the SecurityIncident rows generated within the last query_period (2h) and keeps the latest ingestion_time() per Type. It joins that against the expected frequency and keeps the row only if the last ingestion falls between ExpectedIngestionFrequency + query_frequency ago and ExpectedIngestionFrequency ago. Because the rule runs every query_frequency (15m) and that window is 15m wide, the alert fires once, on the run in which the silence first exceeds the expected interval, rather than on every subsequent run.

Finally, it computes the time elapsed since the last ingestion and sets AlertSeverity to High when the watchlist marks the table as Critical, otherwise Informational. The query returns the table type, criticality, expected ingestion frequency, timespan without ingestion and alert severity.

Note that query_period must exceed ExpectedIngestionFrequency + query_frequency. Once the last row is older than query_period it drops out of the TimeGenerated filter, the summarize produces no row for the table, and the gap is never reported.
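The following Python model of the query's scheduling behaviour is an added example, not part of the original page or the author's KQL. It replays the rule on its 15-minute schedule over constructed SecurityIncident rows and a constructed stand-in for the DataType-IngestedTables watchlist, to show that the between-window produces exactly one alert per outage and that an expected frequency equal to query_period is never reported. The filter uses ingestion_time for both the TimeGenerated lookback and the gap measurement, a simplification of the real table where the two columns differ.

```python
"""Offline model of the 'stopped event reception' query (added example).
All timestamps and watchlist rows below are constructed test data."""
from datetime import datetime, timedelta, timezone

QUERY_FREQUENCY = timedelta(minutes=15)   # let query_frequency = 15m
QUERY_PERIOD = timedelta(hours=2)         # let query_period = 2h


def parse_frequency(text):
    """totimespan('hh:mm:ss') for the watchlist Frequency column."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def evaluate(rows, watchlist, now, query_frequency=QUERY_FREQUENCY,
             query_period=QUERY_PERIOD):
    """One scheduled run of the query at time `now`.

    rows: dicts with Type, TimeGenerated, ingestion_time.
    watchlist: dicts with Type, Critical, Frequency (watchlist stand-in).
    Returns the rows the query would project."""
    # _ExpectedFrequencies: watchlist filtered to SecurityIncident
    expected = {w["Type"]: w for w in watchlist if w["Type"] == "SecurityIncident"}
    # where TimeGenerated > ago(query_period)
    recent = [r for r in rows if r["TimeGenerated"] > now - query_period]
    # summarize IngestionTime = max(ingestion_time()) by Type
    latest = {}
    for r in recent:
        latest[r["Type"]] = max(latest.get(r["Type"], r["ingestion_time"]),
                                r["ingestion_time"])
    results = []
    for table, ingestion_time in latest.items():
        # lookup kind=inner: tables without a watchlist entry are dropped
        if table not in expected:
            continue
        freq = parse_frequency(expected[table]["Frequency"])
        # KQL between is inclusive on both ends
        lower, upper = now - (freq + query_frequency), now - freq
        if lower <= ingestion_time <= upper:
            critical = expected[table]["Critical"]
            results.append({
                "Type": table,
                "Critical": critical,
                "ExpectedIngestionFrequency": freq,
                "TimespanWithoutIngestion": now - ingestion_time,
                "AlertSeverity": "High" if critical == "true" else "Informational",
            })
    return results


def simulate(rows, watchlist, first_run, runs):
    """Run the query on its schedule; return the run times that alerted."""
    alerting = []
    for k in range(runs):
        now = first_run + k * QUERY_FREQUENCY
        if evaluate(rows, watchlist, now):
            alerting.append(now)
    return alerting


# Constructed data: incidents arrive at 09:20, 09:40 and 10:07 UTC, then stop.
T = datetime(2023, 3, 6, 10, 0, tzinfo=timezone.utc)
ROWS = [
    {"Type": "SecurityIncident",
     "TimeGenerated": T + timedelta(minutes=m),
     "ingestion_time": T + timedelta(minutes=m)}
    for m in (-40, -20, 7)
]
WATCHLIST_30M = [{"Type": "SecurityIncident", "Critical": "true",
                  "Frequency": "00:30:00"}]
# Caveat case: expected frequency equals query_period, so the last row has
# aged out of the TimeGenerated filter by the time the window would open.
WATCHLIST_2H = [{"Type": "SecurityIncident", "Critical": "true",
                 "Frequency": "02:00:00"}]

if __name__ == "__main__":
    for when in simulate(ROWS, WATCHLIST_30M, T, 12):
        print(when.strftime("%H:%M"), evaluate(ROWS, WATCHLIST_30M, when))
    print("alerts with 2h frequency:", simulate(ROWS, WATCHLIST_2H, T, 12))
```

With a 30-minute expected frequency the schedule alerts only at 10:45, the first run at which the 10:07 ingestion is older than 30 minutes; the 11:00 run sees it outside the window and stays quiet. With a 2-hour expected frequency the same data never alerts, because the row is gone from the lookback before the window reaches it.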

Details


Jose Sebastián Canós

Released: March 6, 2023

Tables

SecurityIncident

Keywords

SecurityIncident,Type,Critical,ExpectedIngestionFrequency,IngestionTime,TimespanWithoutIngestion,AlertSeverity

Operators

where, summarize, by, lookup, between, extend, case, project
