Query Details

Security Incident: Visualize Incidents with Trend

Query

//Create a visualization showing the total Sentinel incidents and the trend of incidents over time

//Data connector required for this query - Microsoft Sentinel Incidents (generated automatically if you create incidents in Sentinel)

SecurityIncident
| summarize arg_min(TimeGenerated, *) by IncidentNumber   // SecurityIncident has a row per incident update; keep the earliest so each incident counts once, at creation
| make-series TotalIncidents=count() default=0 on TimeGenerated in range(ago(90d), now(), 1d)   // daily incident counts over 90 days, 0 for days with none
| extend (RSquare, SplitIdx, Variance, RVariance, TrendLine)=series_fit_2lines(TotalIncidents)   // two-segment linear fit; TrendLine holds the fitted values
| project TimeGenerated, TotalIncidents, TrendLine
| render timechart with (title="Microsoft Sentinel incidents over time with trend")

Explanation

This query charts the number of Microsoft Sentinel incidents created per day over the last 90 days, together with a fitted trend line. SecurityIncident holds one row per incident update, so arg_min(TimeGenerated, *) keeps only the earliest row for each IncidentNumber and every incident is counted exactly once, on the day it was created. make-series then builds a daily count over the 90-day window, filling days with no incidents with 0. series_fit_2lines fits two straight-line segments to that series, choosing the split point that best explains the data, and returns the goodness of fit (RSquare), the split index, the variances and the fitted values (TrendLine). Only the time axis, the daily counts and the trend line are projected, and render draws them as a time chart. One caveat: days outside the workspace's retention are filled with zero rather than dropped, so if SecurityIncident retains less than 90 days of data the leading zeros will be treated as real observations and distort the fit.
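The chart hides the numbers behind the trend line. The following query is an added example, not part of the original page: it builds the same daily series but, instead of rendering it, surfaces the series_fit_2lines diagnostics so an analyst can judge whether the trend is real, when the rate changed, and by how much. The column names SplitDate, Parts, AvgPerDayBefore and AvgPerDayAfter are chosen here for illustration and are not part of the Sentinel schema.

```kql
// Added example, not from the original page: fit diagnostics for the 90-day incident series.
let lookback = 90d;
let step = 1d;
SecurityIncident
// one row per incident, taken at creation time (SecurityIncident has a row per update)
| summarize arg_min(TimeGenerated, *) by IncidentNumber
| make-series TotalIncidents=count() default=0 on TimeGenerated in range(ago(lookback), now(), step)
| extend (RSquare, SplitIdx, Variance, RVariance, TrendLine)=series_fit_2lines(TotalIncidents)
// turn the split index into the day on which the second segment starts
| extend SplitDate = todatetime(TimeGenerated[tolong(SplitIdx)])
// split the daily counts at the same index; array_split handles SplitIdx = 0 (empty first part)
| extend Parts = array_split(TotalIncidents, tolong(SplitIdx))
// average incidents per day on each side of the split (illustrative column names)
| extend AvgPerDayBefore = todouble(series_stats_dynamic(Parts[0]).avg),
         AvgPerDayAfter  = todouble(series_stats_dynamic(Parts[1]).avg)
// RSquare near 1 means the two segments explain the data well; near 0 means the "trend" is noise.
// A split in the first or last few days usually means no real change point was found.
| project RSquare, SplitIdx, SplitDate, AvgPerDayBefore, AvgPerDayAfter, Variance, RVariance
```

Run this beside the chart when a trend looks alarming: a high RSquare with a clear jump between AvgPerDayBefore and AvgPerDayAfter points to a genuine change in incident volume (a new analytics rule, an onboarding wave, or an attack), while a low RSquare means the fitted line is mostly describing noise and is not worth reporting on.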

Details


Matt Zorich

Released: June 17, 2022

Tables

SecurityIncident

Keywords

Visualization, Sentinel, Incidents, Trend, TimeGenerated, TotalIncidents, TrendLine

Operators

summarize, arg_min, make-series, count, default, on, in, range, extend, series_fit_2lines, project, render
