Visualize the daily incident triggers
Visualization Daily Incident Triggers
Query
AlertInfo
| where Timestamp > ago(30d)
// Collect the first entry of each alert
| summarize arg_min(Timestamp, *) by AlertId
| summarize Total = count() by bin(Timestamp, 1d)
| render columnchart with(title="Incident triggers last 30 days")About this query
Visualize the daily incident triggers
Query Information
Description
Visualize the daily triggers in MDE or Sentinel in a columnchart. This can give insight into spikes in the amount of triggers.
Defender XDR
Sentinel
SecurityIncident
| where TimeGenerated > ago(30d)
// Collect the first entry of each alert
| summarize arg_min(TimeGenerated, *) by IncidentNumber
| summarize Total = count() by bin(CreatedTime, 1d)
| render columnchart with(title="Incident triggers last 30 days")
Explanation
The query is designed to visualize daily incident triggers over the past 30 days using a column chart. It is applicable to two different systems: Microsoft Defender for Endpoint (MDE) and Microsoft Sentinel. Here's a simplified breakdown of what each part of the query does:
-
Data Source:
- For Defender XDR, it uses the
AlertInfotable. - For Sentinel, it uses the
SecurityIncidenttable.
- For Defender XDR, it uses the
-
Time Filtering:
- Both queries filter the data to include only incidents or alerts that have occurred in the last 30 days.
-
Unique Entries:
- The queries ensure that only the first entry of each alert or incident is considered by using the
arg_minfunction. This function helps in selecting the earliest occurrence of each alert or incident based on its unique identifier (AlertIdfor Defender XDR andIncidentNumberfor Sentinel).
- The queries ensure that only the first entry of each alert or incident is considered by using the
-
Daily Count:
- The queries then count the total number of unique alerts or incidents for each day by grouping the data into daily bins.
-
Visualization:
- Finally, the results are displayed as a column chart titled "Incident triggers last 30 days," which helps in identifying any spikes or trends in the number of daily incident triggers.
In summary, these queries help visualize and analyze the frequency of incident triggers on a daily basis over the past month, providing insights into potential patterns or anomalies in security events.
Details

Bert-Jan Pals
Released: October 21, 2024
Tables
Keywords
Operators