MDE Incidents api or advanced hunting with KQL

Maria Valek 60 Reputation points

Hi, I am ingesting data in Data Factory. However, there is a max page size for incidents of 100, but I have 440,000, so it takes a long time to go through every page of 100. So I was hoping to maybe run advanced hunting queries with KQL for incidents. But I actually have no knowledge.

Anybody would be able to advise how to write the query? I need quite a few columns in the results.

incidents API

similar question

Thank you.


Accepted answer
  1. VasimTamboli 2,880 Reputation points

    To run advanced hunting queries with KQL (Kusto Query Language) for incidents in Microsoft Defender for Endpoint (MDE), you can utilize the Advanced Hunting feature. This allows you to construct powerful queries to retrieve the required data from the incidents.

    Here's an example of a basic KQL query to retrieve incidents from MDE:

    | project IncidentId, Title, Description, Severity, CreatedTime, LastUpdateTime
    | limit 100

    This query fetches the IncidentId, Title, Description, Severity, CreatedTime, and LastUpdateTime columns for the first 100 incidents. You can modify the columns based on your specific requirements.

    To retrieve all the incidents without the pagination limit, you can remove the limit clause. However, be cautious as querying a large number of incidents may impact performance. It's advisable to filter the data based on specific criteria using additional clauses such as where or summarize to reduce the result set.

    For example, if you want to retrieve incidents only with a severity level of "High," you can modify the query as follows:

    | where Severity == "High"
    | project IncidentId, Title, Description, Severity, CreatedTime, LastUpdateTime

    You can customize the query based on your specific needs, including filtering, sorting, and aggregating data. The Microsoft Learn documentation on the MDE API you mentioned provides additional examples and guidance for constructing advanced queries.

    Remember to refer to the MDE API documentation for the available columns and their corresponding names to include in your query.

    Hope this helps you get started with writing advanced hunting queries using KQL for incidents in MDE!

    1 person found this answer helpful.
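As an added example, not from the question or the accepted answer, here is the incremental-load approach to the Incidents API the question already uses: rather than paging through all 440,000 incidents on every run, filter on lastUpdateTime and page only the delta since the last run, keeping a watermark for the next one. The endpoint URL and its OData parameters ($filter on lastUpdateTime, $skip, $top capped at 100) are assumed from the Incidents API reference linked in the question; fake_fetch, incidents_since, sync and the sample incidents are constructed for this illustration so it runs offline.

```python
from datetime import datetime, timedelta, timezone

# Assumed from the "List incidents" API reference linked in the question:
# GET https://api.security.microsoft.com/api/incidents takes OData $filter on
# lastUpdateTime, $skip, and $top (capped at 100). The HTTP call is injected so
# the paging logic runs offline against constructed sample incidents.
MAX_TOP = 100
_BASE = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed sample incidents (not real tenant data), one update per hour.
SAMPLE_INCIDENTS = [
    {"incidentId": i, "incidentName": f"Incident {i}", "status": "Active",
     "severity": "High" if i % 3 == 0 else "Medium",
     "lastUpdateTime": (_BASE + timedelta(hours=i)).strftime("%Y-%m-%dT%H:%M:%SZ")}
    for i in range(1, 8)
]

def fake_fetch(params: dict) -> list[dict]:
    """Offline stand-in for the endpoint: applies $filter, $skip and $top."""
    rows = SAMPLE_INCIDENTS
    if "$filter" in params:  # only the one shape this example emits
        field, op, value = params["$filter"].split(" ", 2)
        assert (field, op) == ("lastUpdateTime", "ge")
        rows = [r for r in rows if r["lastUpdateTime"] >= value]  # fixed-width ISO sorts lexically
    top = min(int(params.get("$top", MAX_TOP)), MAX_TOP)  # the API caps the page size
    skip = int(params.get("$skip", 0))
    return rows[skip:skip + top]

def incidents_since(fetch, since: str, top: int = MAX_TOP):
    """Yield incidents updated at or after `since` (ISO-8601 UTC), page by page.
    Filtering on lastUpdateTime turns a crawl of the whole history into a delta
    load. `ge` re-reads the boundary record, so the sink must upsert on
    incidentId; the in-run id set drops duplicates if $skip pages shift mid-run.
    """
    seen: set[int] = set()
    skip, top = 0, min(top, MAX_TOP)  # the API never returns more than 100 per page
    while True:
        page = fetch({"$filter": f"lastUpdateTime ge {since}", "$top": top, "$skip": skip})
        for inc in page:
            if inc["incidentId"] not in seen:
                seen.add(inc["incidentId"])
                yield inc
        if len(page) < top:  # a short page is the last page
            return
        skip += top

def sync(fetch, since: str, top: int = MAX_TOP) -> tuple[list[dict], str]:
    """One incremental run: the rows plus the watermark to store for the next run."""
    rows = list(incidents_since(fetch, since, top))
    return rows, max((r["lastUpdateTime"] for r in rows), default=since)
```

Swap fake_fetch for a function that performs the authenticated GET with the same params dict and the paging and watermark logic stays unchanged; persist the returned watermark between pipeline runs.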

0 additional answers
