# Device Alerts

## Query Information

#### Description

This query lists all the alerts that have triggered based on a specific UPN in the selected *TimeFrame*.

## Defender XDR

```KQL
let Upn = '[email protected]';
let TimeFrame = 7d;
AlertEvidence
| where Timestamp > ago(TimeFrame)
| where EntityType in~ ('User', 'Mailbox')
// Keep only evidence rows that belong to the UPN of interest
| where AccountUpn =~ Upn
// One row per alert: the most recent evidence record for that AlertId
| summarize arg_max(Timestamp, *) by AlertId
| project AlertId, EntityType
| join kind=inner AlertInfo on AlertId
| extend AlertLink = strcat('https://security.microsoft.com/alerts/', AlertId)
| project-reorder Timestamp, EntityType, Title, Category, Severity, DetectionSource, AlertLink
| sort by Timestamp desc
```
This query retrieves and lists all security alerts related to a specific user, identified by their User Principal Name (UPN), within the last 7 days. Here is a simplified breakdown of what the query does:

1. **Set parameters:** It defines the user of interest (`Upn`) and the time frame for the query (the past 7 days).
2. **Filter alerts:** It looks into the `AlertEvidence` table for evidence records within the specified time frame whose entity type is `User` or `Mailbox` and whose `AccountUpn` matches the user of interest.
3. **Select latest alerts:** For each alert, it keeps the most recent evidence record by using the `arg_max` function on `Timestamp`, so every `AlertId` appears once.
4. **Join alert details:** It joins the filtered alerts with the `AlertInfo` table to gather the title, category, severity and detection source of each alert.
5. **Create alert links:** It generates a direct link to each alert in the Microsoft security portal.
6. **Organize and sort results:** Finally, it arranges the columns to show the timestamp, entity type, alert title, category, severity, detection source and alert link, sorted with the most recent alerts first.

In summary, this query helps security analysts quickly identify and review recent security alerts related to a specific user within the last week.
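As an added example, not part of the original page, the same approach extended to a list of UPNs and enriched with the devices that each alert touched, which helps an analyst judge how far an incident reached. The UPNs are constructed placeholders; `AccountUpn` and `DeviceName` are standard `AlertEvidence` columns.

```kql
// Added example: alerts for several UPNs, with the devices involved in each alert
let Upns = dynamic(['alice@contoso.com', 'bob@contoso.com']); // constructed placeholders
let TimeFrame = 7d;
// Alerts in which one of the UPNs appears as a User or Mailbox entity
let UserAlerts =
    AlertEvidence
    | where Timestamp > ago(TimeFrame)
    | where EntityType in~ ('User', 'Mailbox')
    | where AccountUpn in~ (Upns)
    | summarize arg_max(Timestamp, *) by AlertId, AccountUpn
    | project AlertId, AccountUpn, EntityType;
// Devices referenced by the same alerts (Machine entities), up to 20 per alert
let AlertDevices =
    AlertEvidence
    | where Timestamp > ago(TimeFrame)
    | where EntityType =~ 'Machine'
    | where isnotempty(DeviceName)
    | summarize Devices = make_set(DeviceName, 20) by AlertId;
UserAlerts
| join kind=inner AlertInfo on AlertId
// leftouter: keep alerts that involved no device at all (e.g. mailbox-only alerts)
| join kind=leftouter AlertDevices on AlertId
| extend AlertLink = strcat('https://security.microsoft.com/alerts/', AlertId)
| project Timestamp, AccountUpn, EntityType, Title, Category, Severity,
          DetectionSource, DeviceCount = array_length(Devices), Devices, AlertLink
| sort by Severity asc, Timestamp desc
```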

Bert-Jan Pals
Released: November 1, 2025