Apr 21 2021 12:09 PM
Hi everyone,
In security.microsoft.com, there are reports for 'threat protection' related to MDE.
eg: "detection source of all alerts by creation date"
Is there anywhere that I can find the KQL for these charts?
I'd like to replicate these charts in the Sentinel workbooks so I don't have to look at them in the security portal.
Thank you.
Apr 23 2021 08:47 AM
Solution
The [Microsoft 365 Defender (Preview)] connector only takes over Device* tables (and these are optional, only if you need that data in Azure Sentinel) or puts Alerts into the SecurityAlert table. You may not have enough data to re-create the precise alert even if you had the KQL.
So you can use KQL like:
SecurityAlert
| where ProductName in ("Microsoft Defender Advanced Threat Protection", "Office 365 Advanced Threat Protection", "Azure Advanced Threat Protection", "Microsoft Cloud App Security", "Microsoft 365 Defender")
// count() takes no argument in KQL; it counts the alert rows in each ProductName group
| summarize count() by ProductName
or (very basic KQL to read any Device* Table)
union Device* | summarize count() by DeviceName, Type
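To get closer to the "detection source of all alerts by creation date" chart from the portal, the query below (an added example, not part of the original answer) buckets SecurityAlert rows per product per day and first collapses the multiple rows an alert can produce as it is updated. It assumes the SecurityAlert columns SystemAlertId, TimeGenerated and ProductName, and a 30-day window.

```kql
// Added example: alerts by detection source (ProductName) per creation day,
// suitable for a Sentinel workbook time chart.
// Assumes SecurityAlert carries SystemAlertId, TimeGenerated and ProductName.
let lookback = 30d;                       // assumed window, adjust to the workbook time range
let sources = dynamic([
    "Microsoft Defender Advanced Threat Protection",
    "Office 365 Advanced Threat Protection",
    "Azure Advanced Threat Protection",
    "Microsoft Cloud App Security",
    "Microsoft 365 Defender"]);
SecurityAlert
| where TimeGenerated > ago(lookback)
| where ProductName in (sources)
// One alert can be ingested several times (status/severity updates);
// keep the earliest row per SystemAlertId so each alert is counted once,
// on the day it was first seen (its creation date).
| summarize CreatedOn = min(TimeGenerated) by SystemAlertId, ProductName
| summarize AlertCount = count() by bin(CreatedOn, 1d), ProductName
| order by CreatedOn asc
| render timechart
```

Drop the final `render` line when you paste the query into a workbook query step and pick the chart type in the workbook visualization settings instead.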
Aug 05 2021 04:13 PM
I'm not finding the SecurityAlert table under Monitor > Logs; is that table only available for Sentinel? I thought you could use it to find ASC alerts?
Thanks,
Serge