
# Most Triggered Incidents

## Query Information

#### Description
The results of this query give insight into the top 10 alert or incident titles that triggered in the selected *timeframe*. Titles that fire very often are the first candidates to review for tuning, since a noisy detection is a common source of false positives.

## Defender For Endpoint
```kql
// Timeframe to collect alert statistics
let timeframe = 7d;
AlertInfo
| where Timestamp > ago(timeframe)
// Keep only the earliest row per AlertId, in case an alert appears more than once
| summarize arg_min(Timestamp, *) by AlertId
// Count distinct alerts per title and keep the AlertIds for drill-down
| summarize Triggers = count(), AlertIds = make_set(AlertId) by Title
| top 10 by Triggers
```
## Sentinel
```kql
// Timeframe to collect incident statistics
let timeframe = 7d;
SecurityIncident
| where TimeGenerated > ago(timeframe)
// SecurityIncident writes a new row on every incident update; keep the first row per incident
| summarize arg_min(TimeGenerated, *) by IncidentNumber
// Count incidents per title and keep the incident numbers for drill-down
| summarize Triggers = count(), IncidentNumbers = make_set(IncidentNumber) by Title
| top 10 by Triggers
```

Explanation

Both queries return the ten titles that triggered most often in the selected timeframe, together with the count and the identifiers behind it. The Defender for Endpoint variant counts individual alerts from AlertInfo, deduplicated on AlertId; the Sentinel variant counts incidents from SecurityIncident, deduplicated on IncidentNumber, because that table records a new row for every incident update. A high count on its own is not proof of a false positive: a noisy title can also be a rule that fires correctly on recurring legitimate activity, or a true positive under an ongoing attack. Treat the result as a tuning shortlist and check it against closed-incident classifications before suppressing anything. Note also that the Sentinel filter on TimeGenerated includes incidents that were created before the timeframe but updated within it; filter on CreatedTime instead if you only want incidents opened in the window.
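As an added example (not part of the original query page), the Sentinel variant below extends the idea to the triage outcome: it filters on CreatedTime so only incidents opened in the window are counted, takes the latest row per incident so the Classification column reflects the final triage state, and reports how many of each title were closed as false positive. It assumes the Classification values "TruePositive", "FalsePositive", "BenignPositive" and "Undetermined" as used by the SecurityIncident table; an empty value is treated as not yet classified.

```kql
// Added example: rank incident titles by volume and show how often each was closed as a false positive.
// Assumes SecurityIncident.Classification holds TruePositive / FalsePositive / BenignPositive / Undetermined.
let timeframe = 7d;
SecurityIncident
// CreatedTime limits the result to incidents opened in the window, not just updated in it
| where CreatedTime > ago(timeframe)
// The latest row per incident carries the final classification
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| summarize Triggers = count(),
            FalsePositives = countif(Classification == "FalsePositive"),
            BenignPositives = countif(Classification == "BenignPositive"),
            TruePositives = countif(Classification == "TruePositive"),
            Unclassified = countif(isempty(Classification) or Classification == "Undetermined"),
            IncidentNumbers = make_set(IncidentNumber) by Title
// Share of incidents for this title that analysts closed as false positive
| extend FalsePositiveRate = round(100.0 * FalsePositives / Triggers, 1)
| top 10 by Triggers
```

Titles with a high trigger count and a high FalsePositiveRate are the ones to tune first; a high count with mostly TruePositive or BenignPositive closures points at a detection that is working, or at recurring activity that needs an allow-list rather than a disabled rule.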

Details

Bert-Jan Pals

Released: July 7, 2023

Tables

AlertInfo, SecurityIncident

Operators

ago, where, summarize, arg_min, count, make_set, top