MDE Incidents api or advanced hunting with KQL

Maria Valek 80 Reputation points
2023-05-24T15:31:51.4866667+00:00

Hi, i am ingesting data from https://api.security.microsoft.com/api/incidents in data factory. However there is a max page for incidents of 100 but I have 440,000 so it takes long time to go through every page of 100. So I was hoping to maybe run advancedhunting queries with KQL for incidents. But I actually have no knowledge.

Anybody would be able to advise how to write the query? I need quite a few columns in the results.

incidents API https://learn.microsoft.com/en-us/microsoft-365/security/defender/api-list-incidents?view=o365-worldwide

similar question https://learn.microsoft.com/en-us/answers/questions/1110157/sentinel-kql-is-there-an-easy-way-to-get-the-top-1

Thank you.

Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,412 questions
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,158 questions
{count} votes

Accepted answer
  1. VasimTamboli 5,075 Reputation points
    2023-05-25T13:23:37.0633333+00:00

    To run advanced hunting queries with KQL (Kusto Query Language) for incidents in Microsoft Defender for Endpoint (MDE), you can utilize the Advanced Hunting feature. This allows you to construct powerful queries to retrieve the required data from the incidents.

    Here's an example of a basic KQL query to retrieve incidents from MDE:

    KQL
    Incidents
    | project IncidentId, Title, Description, Severity, CreatedTime, LastUpdateTime
    | limit 100
    

    This query fetches the IncidentId, Title, Description, Severity, CreatedTime, and LastUpdateTime columns for the first 100 incidents. You can modify the columns based on your specific requirements.

    To retrieve all the incidents without the pagination limit, you can remove the limit clause. However, be cautious as querying a large number of incidents may impact performance. It's advisable to filter the data based on specific criteria using additional clauses such as where or summarize to reduce the result set.

    For example, if you want to retrieve incidents only with a severity level of "High," you can modify the query as follows:

    kql
    Incidents
    | where Severity == "High"
    | project IncidentId, Title, Description, Severity, CreatedTime, LastUpdateTime
    

    You can customize the query based on your specific needs, including filtering, sorting, and aggregating data. The Microsoft Learn documentation on the MDE API you mentioned provides additional examples and guidance for constructing advanced queries.

    Remember to refer to the MDE API documentation for the available columns and their corresponding names to include in your query.

    Hope this helps you get started with writing advanced hunting queries using KQL for incidents in MDE!

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.