To run advanced hunting queries with KQL (Kusto Query Language) for incidents in Microsoft Defender for Endpoint (MDE), you can utilize the Advanced Hunting feature. This allows you to construct powerful queries to retrieve the required data from the incidents.
Here's an example of a basic KQL query to retrieve incidents from MDE:
```kql
Incidents
| project IncidentId, Title, Description, Severity, CreatedTime, LastUpdateTime
| limit 100
```
This query fetches the IncidentId, Title, Description, Severity, CreatedTime, and LastUpdateTime columns for the first 100 incidents. You can modify the columns based on your specific requirements.
To retrieve all the incidents without the pagination limit, you can remove the limit clause. However, be cautious, as querying a large number of incidents may impact performance. It's advisable to filter the data based on specific criteria using additional clauses such as summarize to reduce the result set.
For example, if you want to retrieve incidents only with a severity level of "High," you can modify the query as follows:
```kql
Incidents
| where Severity == "High"
| project IncidentId, Title, Description, Severity, CreatedTime, LastUpdateTime
```
You can customize the query based on your specific needs, including filtering, sorting, and aggregating data. The Microsoft Learn documentation on the MDE API you mentioned provides additional examples and guidance for constructing advanced queries.
Remember to refer to the MDE API documentation for the available columns and their corresponding names to include in your query.
Hope this helps you get started with writing advanced hunting queries using KQL for incidents in MDE!
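The answer above mentions filtering, sorting, and aggregating but only shows a single where clause. The following query is an added example, not part of the original answer, that combines the three: it restricts the result set by time window and severity, derives a per-incident column, aggregates per day and severity, and sorts the output. It assumes the Incidents table and the column names (Severity, CreatedTime, LastUpdateTime) exactly as used in the answer; confirm them against the advanced hunting schema documentation before relying on them.

```kql
// Added example (not from the original answer). Table and column names are
// assumed to match those used in the answer above; verify against the schema docs.
Incidents
// Narrow the time window first so the rest of the pipeline works on less data.
| where CreatedTime > ago(7d)
// Keep only the severities worth triaging in this view.
| where Severity in ("High", "Medium")
// Hours between creation and the most recent update, per incident.
| extend HoursToLastUpdate = datetime_diff('hour', LastUpdateTime, CreatedTime)
// Daily counts and a median update latency per severity level.
| summarize IncidentCount = count(),
            MedianHoursToLastUpdate = percentile(HoursToLastUpdate, 50)
    by Severity, Day = bin(CreatedTime, 1d)
// Newest day first, High before Medium within a day.
| order by Day desc, Severity asc
```

Putting the where clauses before extend and summarize keeps the aggregation cheap, which is the practical way to avoid the performance concern the answer raises when dropping the limit clause.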