To run advanced hunting queries with KQL (Kusto Query Language) for incidents in Microsoft Defender for Endpoint (MDE), you can utilize the Advanced Hunting feature. This allows you to construct powerful queries to retrieve the required data from the incidents.
Here's an example of a basic KQL query to retrieve incidents from MDE:
```kql
Incidents
| project IncidentId, Title, Description, Severity, CreatedTime, LastUpdateTime
| limit 100
```
This query fetches the IncidentId, Title, Description, Severity, CreatedTime, and LastUpdateTime columns for the first 100 incidents. You can modify the columns based on your specific requirements.
To retrieve all the incidents without the pagination limit, you can remove the limit clause. However, be cautious as querying a large number of incidents may impact performance. It's advisable to filter the data based on specific criteria using additional clauses such as where or summarize to reduce the result set.
For example, if you want to retrieve incidents only with a severity level of "High," you can modify the query as follows:
```kql
Incidents
| where Severity == "High"
| project IncidentId, Title, Description, Severity, CreatedTime, LastUpdateTime
```
You can customize the query based on your specific needs, including filtering, sorting, and aggregating data. The Microsoft Learn documentation on the MDE API you mentioned provides additional examples and guidance for constructing advanced queries.
Remember to refer to the MDE API documentation for the available columns and their corresponding names to include in your query.
Hope this helps you get started with writing advanced hunting queries using KQL for incidents in MDE!
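As an added example that is not part of the answer above, the following query combines the where filter and the summarize aggregation the answer mentions into one hunt: it narrows to high-severity alerts from the last seven days, attaches the affected device from the alert evidence, and ranks devices by how many such alerts they have. It assumes the AlertInfo and AlertEvidence tables of the Defender XDR advanced hunting schema and the column names shown, and the 7d window and top-20 cut-off are arbitrary choices for the example.

```kql
// Added example: high-severity alerts per device over the last 7 days.
// Assumes the AlertInfo / AlertEvidence tables and the columns used below.
AlertInfo
| where Timestamp > ago(7d)                                   // bound the time range first; it limits the scanned data
| where ServiceSource == "Microsoft Defender for Endpoint"    // keep only MDE-sourced alerts
| where Severity == "High"
| join kind=inner (
    AlertEvidence
    | where EntityType == "Machine"                           // device entities carry the DeviceName
    | project AlertId, DeviceName
  ) on AlertId
| summarize
    AlertCount = count(),
    AlertTitles = make_set(Title),                            // distinct titles seen on the device
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
  by DeviceName
| order by AlertCount desc
| take 20                                                     // cap the result set instead of returning every row
```

The time filter goes before the join so the join runs on the reduced set; removing it is what makes this kind of query slow on a large tenant.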