Query Details

Visualization Threat Intelligence Indicator Triggered By Day

Query

# Visualize the Threat Intelligence Indicators by day for the last 30 days

## Query Information

#### Description
This query visualizes, in a stacked column chart, the number of Threat Intelligence indicator records written to the `ThreatIntelligenceIndicator` table each day for the last 30 days, one series per indicator value. Spikes can point at a change in feed volume or activity worth a closer look, and the daily counts give insight into how much each Threat Intelligence feed actually delivers.

## Sentinel
```kql
ThreatIntelligenceIndicator
| where TimeGenerated > ago(30d)
| extend IOC = iff(isnotempty(DomainName), DomainName,
    iff(isnotempty(NetworkIP), NetworkIP,
        iff(isnotempty(Url), Url, "No IOC defined")))
| summarize count() by bin(TimeGenerated, 1d), IOC
| render columnchart with (kind=stacked, title="Threat Intelligence Indicators triggered each day")
```

Explanation

The query counts the Threat Intelligence indicator records generated each day for the past 30 days and renders them as a stacked column chart titled "Threat Intelligence Indicators triggered each day". It does not filter rows out: every record in the window is kept, and the `extend` builds an `IOC` label from the first populated field among `DomainName`, `NetworkIP` and `Url`, falling back to the literal "No IOC defined" for records that carry none of the three (file hashes and email indicators, for example, end up in that bucket). The rows are then bucketed per day and per `IOC`, so every distinct indicator value becomes its own series in the chart. Two caveats for anyone reading the result: `TimeGenerated` in this table is the time the indicator record was ingested or updated, not the time a match occurred, so the chart shows feed volume rather than hits (matches surface as alerts raised by the Threat Intelligence analytics rules, which live in `SecurityAlert`); and with more than a handful of indicators the one-series-per-value stacking becomes unreadable, in which case grouping by indicator type or by source feed is the better choice.
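As an added example, not part of the original query, the variant below keeps the same 30-day window and stacked column chart but makes two changes a practitioner usually wants: it deduplicates on `IndicatorId` so an indicator that was re-ingested or updated several times in one day is counted once for that day, and it stacks by indicator type (domain, IP, URL, file hash, email sender) instead of by individual value, so the chart has a few series rather than thousands. The column names used are the standard `ThreatIntelligenceIndicator` schema; the `lookback` variable and the `IndicatorType` label are choices made here for illustration.

```kql
// Added example (not the original query): indicators per day, stacked by indicator type
let lookback = 30d;
ThreatIntelligenceIndicator
| where TimeGenerated > ago(lookback)
// The table can hold several records for the same indicator (updates, re-ingestion);
// keep the latest record per IndicatorId per day so each indicator counts once that day
| summarize arg_max(TimeGenerated, *) by IndicatorId, Day = bin(TimeGenerated, 1d)
// Label the record by the first populated indicator field; anything else is "Other"
| extend IndicatorType = case(
    isnotempty(DomainName), "Domain",
    isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkDestinationIP), "IP",
    isnotempty(Url), "URL",
    isnotempty(FileHashValue), strcat("FileHash:", FileHashType),
    isnotempty(EmailSenderAddress), "EmailSender",
    "Other")
// One series per type instead of one per indicator value keeps the stack readable
| summarize Indicators = count() by Day, IndicatorType
| render columnchart with (kind=stacked, title="Threat Intelligence Indicators ingested per day, by type")
```

Swapping `IndicatorType` for `SourceSystem` in the final `summarize` gives the per-feed view, which is the more direct way to judge what each Threat Intelligence feed contributes.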

Details

Bert-Jan Pals

Released: February 14, 2023

Tables

ThreatIntelligenceIndicator

Keywords

ThreatIntelligenceIndicator,TimeGenerated,IOC

Operators

where, >, ago, extend, iff, isnotempty, summarize, count(), by, bin, render