Visualization Daily Incident Triggers

# Visualize the daily incident triggers

## Query Information

#### Description
Visualize the daily triggers in MDE or Sentinel as a column chart. This gives insight into spikes in the number of triggers per day.

## Defender For Endpoint
```kql
AlertInfo
| where Timestamp > ago(30d)
// Collect the first entry of each alert
| summarize arg_min(Timestamp, *) by AlertId
| summarize Total = count() by bin(Timestamp, 1d)
| render columnchart with(title="Incident triggers last 30 days")
```
## Sentinel
```kql
SecurityIncident
| where TimeGenerated > ago(30d)
// Collect the first entry of each incident (Sentinel writes a new row on every update)
| summarize arg_min(TimeGenerated, *) by IncidentNumber
| summarize Total = count() by bin(TimeGenerated, 1d)
| render columnchart with(title="Incident triggers last 30 days")
```

Explanation

This query visualizes the daily incident triggers in either Microsoft Defender for Endpoint or Azure Sentinel. It renders a column chart so that spikes in the number of triggers over the past 30 days stand out. The query first keeps only the earliest entry of each alert or incident (so later updates to the same incident are not counted again) and then summarizes the total number of triggers per day. The resulting chart shows how the frequency of incident triggers changes over time.
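The two steps of the query, the `arg_min` de-duplication and the daily `bin` count, are easy to get wrong when the same incident appears on several days. The following added Python example (not part of the original query page) replays that logic over a constructed set of rows shaped like Sentinel's `SecurityIncident` table, and goes one step further than the query by flagging days whose count is unusually high compared to the rest of the window. The sample rows, the 7-day window and the spike threshold (mean plus two standard deviations) are assumptions chosen for the illustration.

```python
from collections import Counter
from datetime import date, datetime, timedelta
from statistics import mean, pstdev

# Constructed sample rows shaped like Sentinel's SecurityIncident table:
# (IncidentNumber, TimeGenerated). Sentinel writes a new row every time an
# incident is updated, so the same IncidentNumber can appear more than once.
SAMPLE_ROWS = [
    (101, datetime(2023, 7, 1, 8, 0)),
    (101, datetime(2023, 7, 3, 9, 30)),   # update of 101, not a new trigger
    (102, datetime(2023, 7, 1, 12, 15)),
    (103, datetime(2023, 7, 2, 6, 45)),
    (104, datetime(2023, 7, 3, 14, 0)),
    (104, datetime(2023, 7, 4, 10, 0)),   # update of 104
    (105, datetime(2023, 7, 4, 1, 0)),
    (106, datetime(2023, 7, 5, 3, 0)),
    (107, datetime(2023, 7, 6, 2, 0)),
    (107, datetime(2023, 7, 7, 8, 0)),    # update of 107
    (108, datetime(2023, 7, 6, 4, 0)),
    (109, datetime(2023, 7, 6, 4, 5)),
    (110, datetime(2023, 7, 6, 5, 0)),
    (111, datetime(2023, 7, 6, 9, 0)),
    (112, datetime(2023, 7, 6, 11, 0)),
    (113, datetime(2023, 7, 7, 16, 0)),
]

# Assumed analysis window for the sample data (the query itself uses ago(30d)).
WINDOW_START = date(2023, 7, 1)
WINDOW_DAYS = 7


def first_seen(rows):
    """Mirror `summarize arg_min(TimeGenerated, *) by IncidentNumber`:
    keep only the earliest timestamp per incident."""
    earliest = {}
    for incident, ts in rows:
        if incident not in earliest or ts < earliest[incident]:
            earliest[incident] = ts
    return earliest


def daily_counts(rows, start=WINDOW_START, days=WINDOW_DAYS, dedup=True):
    """Mirror `summarize Total = count() by bin(TimeGenerated, 1d)`.
    Unlike KQL's bin(), days with zero triggers are filled in with 0 so a
    quiet day shows up as an empty column instead of being missing."""
    timestamps = first_seen(rows).values() if dedup else [ts for _, ts in rows]
    per_day = Counter(ts.date() for ts in timestamps)
    return [(start + timedelta(days=i), per_day.get(start + timedelta(days=i), 0))
            for i in range(days)]


def find_spikes(series, z=2.0):
    """Flag days whose count exceeds mean + z * population stdev of the window.
    This is the manual equivalent of eyeballing the column chart for outliers."""
    counts = [c for _, c in series]
    threshold = mean(counts) + z * pstdev(counts)
    return [(d, c) for d, c in series if c > threshold]


if __name__ == "__main__":
    series = daily_counts(SAMPLE_ROWS)
    for day, total in series:
        print(f"{day}  {'#' * total} {total}")
    print("spike days:", find_spikes(series))
```

Running the de-duplicated series alongside `daily_counts(SAMPLE_ROWS, dedup=False)` shows why the `arg_min` step matters: without it the three update rows are counted as fresh triggers on 3, 4 and 7 July, inflating the baseline and making the real spike on 6 July look less pronounced.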

Details

Bert-Jan Pals

Released: July 8, 2023

Tables

AlertInfo, SecurityIncident

Keywords

Devices, Intune, User, MDE, Sentinel

Operators

where, ago, summarize, arg_min, by, count, bin, render