Query Details
name: XDR alert reports
description:
  - Case1 - Daily alert & severity for MDE/AV
  - Case2 - Org based MITRE ATT&CK technique for past 30 days
  - Case3 - Org based high/medium alerts for MDE/AV/MDO/MDI/MDA/XDR
table:
  - AlertInfo
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-alertinfo-table?view=o365-worldwide
query: |
  // Each case below is a stand-alone query; run them one at a time.

  // Case1 - Daily alert & severity for MDE/AV
  AlertInfo
  | where Timestamp > ago(30d)
  | where ServiceSource == "Microsoft Defender for Endpoint"
  | summarize AlertNum = count() by Severity, bin(Timestamp, 1d)
  | render timechart

  // Case2 - Org based MITRE ATT&CK technique for past 30 days
  AlertInfo
  | where Timestamp > ago(30d)
  | where ServiceSource in ("AAD Identity Protection", "Microsoft Defender for Endpoint", "Microsoft Defender for Office 365", "Microsoft Defender for Identity", "Microsoft Cloud App Security", "Microsoft 365 Defender")
  | where isnotempty(AttackTechniques)
  // AttackTechniques is a JSON array string; mv-expand yields one row per technique
  | mv-expand DetailedAttackTechniques = parse_json(AttackTechniques)
  | summarize MITRE_ATTACK_list = count() by tostring(DetailedAttackTechniques)
  | render columnchart

  // Case3 - Org based high/medium alerts for MDE/AV/MDO/MDI/MDA/XDR
  AlertInfo
  | where Timestamp > ago(30d)
  | where Severity in ("Medium", "High")
  | summarize
      Endpoints    = countif(ServiceSource == "Microsoft Defender for Endpoint"),
      Identities   = countif(ServiceSource == "Microsoft Defender for Identity" or ServiceSource == "AAD Identity Protection"),
      Emails       = countif(ServiceSource == "Microsoft Defender for Office 365"),
      Applications = countif(ServiceSource == "Microsoft Cloud App Security"),
      M365D_XDR    = countif(ServiceSource == "Microsoft 365 Defender")
    by bin(Timestamp, 1d)
  | render timechart
The query generates XDR alert reports from the AlertInfo table.
Case 1: It counts daily alerts by severity for Microsoft Defender for Endpoint (MDE), including Antivirus (AV) alerts, over the past 30 days. The results are visualized in a time chart.
Case 2: It counts alerts per MITRE ATT&CK technique (one count for each technique listed on an alert) across the Microsoft services MDE, AAD Identity Protection, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Cloud App Security, and Microsoft 365 Defender over the past 30 days. The results are visualized in a column chart.
Case 3: It counts high and medium alerts per service family (MDE, AV, MDO, MDI, MDA, and XDR) over the past 30 days. The counts are grouped by day and visualized in a time chart.
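To make the aggregation semantics of Case 2 and Case 3 checkable offline, the following added example (not part of the original query page) re-implements the `isnotempty` / `mv-expand parse_json` expansion and the per-day `countif` buckets in Python over a few constructed AlertInfo-like rows; the sample alerts and technique strings are constructed, not real telemetry.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed AlertInfo-like rows (Timestamp, ServiceSource, Severity, AttackTechniques as a JSON array string).
SAMPLE_ALERTS = [
    {"Timestamp": "2023-02-20T08:12:00Z", "ServiceSource": "Microsoft Defender for Endpoint",
     "Severity": "High", "AttackTechniques": '["Valid Accounts (T1078)","OS Credential Dumping (T1003)"]'},
    {"Timestamp": "2023-02-20T17:40:00Z", "ServiceSource": "Microsoft Defender for Identity",
     "Severity": "Medium", "AttackTechniques": '["Valid Accounts (T1078)"]'},
    {"Timestamp": "2023-02-21T03:05:00Z", "ServiceSource": "Microsoft Defender for Office 365",
     "Severity": "Low", "AttackTechniques": '["Phishing (T1566)"]'},
    {"Timestamp": "2023-02-21T11:30:00Z", "ServiceSource": "Microsoft Defender for Endpoint",
     "Severity": "High", "AttackTechniques": ""},  # no techniques: isnotempty() drops it in Case 2
]

# Mirrors the countif() columns of Case 3 (two sources fold into "Identities").
SERVICE_BUCKETS = {
    "Microsoft Defender for Endpoint": "Endpoints",
    "Microsoft Defender for Identity": "Identities",
    "AAD Identity Protection": "Identities",
    "Microsoft Defender for Office 365": "Emails",
    "Microsoft Cloud App Security": "Applications",
    "Microsoft 365 Defender": "M365D_XDR",
}

def technique_counts(rows):
    """Case 2: isnotempty(AttackTechniques) | mv-expand parse_json(...) | summarize count() by technique.
    An alert listing N techniques adds one count to each of those N techniques, not one to the alert."""
    counts = Counter()
    for row in rows:
        raw = row.get("AttackTechniques")
        if not raw:  # KQL isnotempty(): both null and "" are excluded
            continue
        for technique in json.loads(raw):  # one expanded row per array element
            counts[str(technique)] += 1
    return dict(counts)

def daily_severity_buckets(rows, severities=("Medium", "High")):
    """Case 3: Severity in (...) | summarize countif(ServiceSource == ...) by bin(Timestamp, 1d)."""
    per_day = {}
    for row in rows:
        if row["Severity"] not in severities:
            continue
        day = datetime.fromisoformat(row["Timestamp"].replace("Z", "+00:00")).date().isoformat()
        bucket = SERVICE_BUCKETS.get(row["ServiceSource"])
        if bucket is None:  # a source outside the countif() list contributes to no column
            continue
        per_day.setdefault(day, dict.fromkeys(set(SERVICE_BUCKETS.values()), 0))[bucket] += 1
    return per_day
```

Note that a Low-severity alert never reaches the Case 3 buckets even though its technique still counts in Case 2, so the two charts are not expected to reconcile.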

Kijo Girardi
Released: February 25, 2023