Query Details

Security Incident Visualize Incident Severity

Query

//Visualize the severity of your Microsoft Sentinel incidents per month
//Data connector required for this query - Microsoft Sentinel Incidents (generated automatically if you create incidents in Sentinel)
SecurityIncident
| where TimeGenerated > ago(365d)
| summarize Count=dcount(IncidentNumber) by Severity, startofmonth(TimeGenerated)
| render columnchart with (kind=unstacked, title="Microsoft Sentinel Incident Severity", xtitle="Month")

Explanation

This query analyzes the severity of Microsoft Sentinel incidents on a monthly basis. It reads the SecurityIncident table, populated by the Microsoft Sentinel Incidents data connector, and keeps only records generated within the past year. It then groups the records by severity and by the start of each month and counts the distinct incident numbers in each group; because the table holds a record for every update to an incident, counting distinct incident numbers ensures each incident is counted once. Finally, it renders the result as an unstacked column chart showing incident severity over time.

Details


Matt Zorich

Released: June 17, 2022

Tables

SecurityIncident

Keywords

Microsoft,Sentinel,Incidents,Severity,Month

Operators

where,summarize,dcount,by,startofmonth,render
