# Device Alerts
## Query Information
#### Description
This query lists all the alerts that have triggered from a specific device in the selected *TimeFrame*.
## Defender XDR
```KQL
let Device = 'host.domain.tld';
let TimeFrame = 7d;
AlertEvidence
| where DeviceName =~ Device
| where Timestamp > ago(TimeFrame)
| where EntityType == 'Machine'
| summarize arg_max(Timestamp, *) by AlertId
| project AlertId
| join kind=inner AlertInfo on AlertId
| extend AlertLink = strcat('https://security.microsoft.com/alerts/', AlertId)
| project-reorder Timestamp, Title, Category, Severity, DetectionSource, AlertLink
| sort by Timestamp desc
```

This query is designed to retrieve and display alerts from a specific device over a specified period. Here's a simple breakdown of what it does:

- Device and Time Frame: It starts by defining the device of interest (host.domain.tld) and the time frame for the alerts (the last 7 days).
- Filter Alerts: It searches for alerts related to the specified device within the given time frame. It specifically looks for alerts where the entity type is a 'Machine'.
- Latest Alerts: For each alert, it keeps only the most recent occurrence (using the arg_max function).
- Join Alert Details: It then joins this data with additional alert information to get more details about each alert.
- Create Alert Links: For each alert, it generates a link to view the alert in Microsoft Defender's security portal.
- Organize and Sort: Finally, it organizes the results to show the timestamp, title, category, severity, detection source, and the alert link, sorted by the most recent alerts first.

In summary, this query helps you quickly find and review the most recent alerts for a specific device, providing direct links to view each alert in detail.
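As an added example (not part of the original query page), the same pattern extended to a list of devices, with the alert's MITRE techniques from AlertInfo and a per-alert count of evidence rows, so a triage view shows how much an alert touched. The device names are constructed placeholders.

```kql
// Added example, not the page's own query. Device names are placeholders.
let Devices = dynamic(['host1.domain.tld', 'host2.domain.tld']);
let TimeFrame = 7d;
AlertEvidence
| where Timestamp > ago(TimeFrame)
| where EntityType == 'Machine'
| where DeviceName in~ (Devices)
// One row per alert, keeping the device name from the latest evidence row
| summarize arg_max(Timestamp, DeviceName) by AlertId
| project AlertId, DeviceName
| join kind=inner (
    AlertInfo
    | where Timestamp > ago(TimeFrame)
    // Keep only the latest AlertInfo row in case an alert was updated
    | summarize arg_max(Timestamp, *) by AlertId
) on AlertId
| join kind=leftouter (
    AlertEvidence
    | where Timestamp > ago(TimeFrame)
    // How many evidence rows, and which entity types, each alert carries
    | summarize EvidenceCount = count(), EntityTypes = make_set(EntityType) by AlertId
) on AlertId
| extend AlertLink = strcat('https://security.microsoft.com/alerts/', AlertId)
| project Timestamp, DeviceName, Title, Category, Severity, DetectionSource,
          AttackTechniques, EvidenceCount, EntityTypes, AlertLink
| sort by Timestamp desc
```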

Bert-Jan Pals
Released: September 28, 2025