Queries for the AlertInfo table

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

Alerts by MITRE ATT&CK technique

List the number of distinct alerts per MITRE ATT&CK technique, in descending order. AttackTechniques is stored as a JSON array (one string per technique) and is converted with todynamic() before expansion; an alert tagged with several techniques is counted once under each of them, so the per-technique counts add up to more than the total number of alerts.

AlertInfo
| where isnotempty(AttackTechniques)
// Expand the JSON array so each technique becomes its own row (mv-expand is the current spelling of the legacy mvexpand)
| mv-expand AttackTechniques = todynamic(AttackTechniques) to typeof(string)
| summarize AlertCount = dcount(AlertId) by AttackTechniques
| sort by AlertCount desc
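The following query is an added example, not one of the page's own samples. It builds on the query above to give a hunting-oriented view: it restricts the window to the last 7 days, pulls the technique ID (T-number) out of each AttackTechniques element, and shows how many of the alerts per technique are high severity, together with a few sample alert titles. It assumes each array element has the form "Technique Name (T1234)" or "(T1234.001)" for sub-techniques; the time window and the column names TechniqueId, HighSeverity and SampleTitles are illustrative choices.

```kusto
// Added example (not from the original page): alerts per ATT&CK technique ID over
// the last 7 days with a severity breakdown. Assumes each AttackTechniques element
// looks like "Technique Name (T1234)" or "(T1234.001)"; elements that do not match
// that pattern are dropped by the isnotempty(TechniqueId) filter.
AlertInfo
| where Timestamp > ago(7d)
| where isnotempty(AttackTechniques)
// One row per (alert, technique) pair
| mv-expand Technique = todynamic(AttackTechniques) to typeof(string)
// Capture group 1 is the T-number, including an optional sub-technique suffix
| extend TechniqueId = extract(@"\((T\d{4}(?:\.\d{3})?)\)", 1, Technique)
| where isnotempty(TechniqueId)
| summarize
    AlertCount   = dcount(AlertId),
    HighSeverity = dcountif(AlertId, Severity == "High"),
    SampleTitles = make_set(Title, 5)
    by TechniqueId, Technique
| order by AlertCount desc, HighSeverity desc
```

As with the base query, an alert tagged with multiple techniques contributes to each technique's AlertCount, so do not sum the column to get the total alert volume; use `AlertInfo | where Timestamp > ago(7d) | dcount(AlertId)` style totals separately if you need that figure.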