Customers and partners regularly ask about the KQL queries behind the data on the Microsoft Sentinel Overview page, which summarizes Incidents, Automation, and Data.
If you want these queries for yourself, either a) to learn more about KQL, or b) to tinker with creating your own data views in a Workbook, you can find them at the following location in my Microsoft Sentinel GitHub repo:
Microsoft Sentinel Overview Page queries: https://github.com/rod-trent/SentinelKQL/tree/master/Overview_Page
The repo is organized into the various Overview Page modules:
P.S. Some have asked why there are no queries supplied for the Analytics widget. The Analytics widget uses the API instead of a KQL query.
UPDATE:
offers a great solution if you want to enhance the Automation query to show Playbooks in addition to Automation Rules for the ‘Time Saved’. See the comment: https://rodtrent.substack.com/p/kql-queries-behind-the-microsoft/comment/17384061
I'm not sure I'd eat sausages if I knew how they were made 😬
Thanks for this Rob! I always wondered how the Automation stats were calculated.
My 2 pence also - when calculating 'Time saved' you assume it's only Automation Rules that do the closing, but what if we're closing certain incidents using Playbooks instead (due to automation rules being too limiting)? As I understand, this dash section applies to ALL Automation rather than autorules specifically.
For my own calcs, I could use this for example:
| extend IsClosedByAutomation = iff((ModifiedBy has 'Automation rule' or ModifiedBy has 'Playbook'), 'ClosedByAutomation', 'NotClosedByAutomation')
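The commenter's fragment above only classifies rows; turning it into a count of incidents closed by automation needs one more step, because SecurityIncident records every modification of an incident, so each incident must first be reduced to its latest row. The query below is an added example, not from the post, the commenter or the repo; it assumes the standard SecurityIncident table columns and does not reproduce the widget's own 'Time Saved' formula, which this page does not state.

```kusto
// Added example: per incident, keep only the latest record, then classify
// closed incidents by whether the last modifier was an Automation rule or a
// Playbook (the commenter's extension of the 'Automation rule' check).
SecurityIncident
| summarize arg_max(TimeGenerated, *) by IncidentNumber   // latest state per incident
| where Status == 'Closed'
| extend IsClosedByAutomation = iff(ModifiedBy has 'Automation rule' or ModifiedBy has 'Playbook',
                                    'ClosedByAutomation', 'NotClosedByAutomation')
| summarize IncidentCount = count(),
            // assumed metric: minutes from creation to close, per classification
            AvgMinutesToClose = avg(datetime_diff('minute', ClosedTime, CreatedTime))
  by IsClosedByAutomation
```

Without the arg_max step, an incident that was touched several times after being closed would be counted once per modification rather than once.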