Kusto Query Language Count Assets

Pedro Ivo 0 Reputation points
2024-02-21T23:52:22.1033333+00:00

Good night, everyone. Can you help me? I am a beginner in the use of Kusto Query Language (KQL) in Microsoft Sentinel and I am very confused. How can I count alerts by the afflicted asset type (personal computer, servers ...)? I am not finding this column name in the SecurityAlert table.


1 answer

  1. Adharsh Santhanam 3,495 Reputation points
    2024-02-22T03:31:17.66+00:00

    The AffectedAssetType is available as extended properties. For your query, you can try something like this.


```kusto
SecurityAlert
| where TimeGenerated >= ago(1d)  // Adjust the time range as needed
| extend AffectedAssetType = tostring(parse_json(ExtendedProperties)['AffectedAssetType'])
| summarize AlertCount = count() by AffectedAssetType
```


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
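A fuller version of the approach in the answer above, added here as an example and not part of the original answer. It keeps alerts whose ExtendedProperties lack the AffectedAssetType key (labelling them "Unknown" rather than letting them fall out of the totals), breaks the count down by ProductName so you can see which alert sources actually populate the key, and counts distinct SystemAlertId values so that re-ingested or updated copies of the same alert are not double-counted. The 7-day window, the "Unknown" label, and the second query's use of the OSFamily property on host entities in the Entities column are assumptions for illustration; check the property names against the data in your own workspace.

```kusto
// Added example, not the original answer's code.
// Query 1: count alerts by AffectedAssetType from ExtendedProperties,
// without silently dropping alerts that do not carry the key.
let lookback = 7d;  // assumed window; adjust as needed
SecurityAlert
| where TimeGenerated >= ago(lookback)
// ExtendedProperties is a JSON string; parse once and pull the key out.
| extend AssetTypeRaw = tostring(parse_json(ExtendedProperties).AffectedAssetType)
// A missing key comes back as an empty string, so map it to an explicit bucket.
| extend AffectedAssetType = iif(isempty(AssetTypeRaw), "Unknown", AssetTypeRaw)
| summarize
    AlertCount = count(),
    DistinctAlerts = dcount(SystemAlertId)   // dedupes updated copies of one alert
    by AffectedAssetType, ProductName
| order by AlertCount desc

// Query 2 (assumption: host entities in the Entities column carry an OSFamily
// property). For products that never set AffectedAssetType, the Entities array
// is an alternative way to group alerts by the kind of machine involved.
SecurityAlert
| where TimeGenerated >= ago(7d)
| mv-expand Entity = parse_json(Entities)        // one row per entity in the alert
| where tostring(Entity.Type) == "host"          // keep only host entities
| extend OSFamily = tostring(Entity.OSFamily)
| extend OSFamily = iif(isempty(OSFamily), "Unknown", OSFamily)
| summarize DistinctAlerts = dcount(SystemAlertId) by OSFamily, ProductName
| order by DistinctAlerts desc
```

Run each query separately in the Sentinel Logs blade. If the first query returns only the "Unknown" bucket for a given ProductName, that product does not populate AffectedAssetType and the second query is the better fit for it.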

