Query Details

Closed Incidents

Query

SecurityIncident
| where Status == 'Closed'
| summarize arg_min(LastModifiedTime, ModifiedBy) by IncidentName
| where ModifiedBy has 'Automation rule'
| summarize Count = count()

Explanation

This query reads the SecurityIncident table, which holds one row per incident update. It first keeps only the rows whose Status is 'Closed'. For each IncidentName it then uses arg_min to keep the earliest of those Closed rows, returning that row's LastModifiedTime and ModifiedBy, i.e. who closed the incident first (ModifiedBy may be an analyst or an automation rule). It then keeps only the incidents whose first closer matches 'Automation rule'. Finally, it counts those incidents and returns the total as 'Count'.
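To make the pipeline's ordering concrete (Closed rows are selected before arg_min picks the earliest record, so a later automation-rule edit to an analyst-closed incident does not count), here is an added Python model of the query run over constructed SecurityIncident rows. It is not part of the original page; the incident names, timestamps and ModifiedBy values are invented, and KQL's `has` operator is approximated as a case-insensitive substring match.

```python
from datetime import datetime

# Constructed SecurityIncident rows (one row per incident update), not real data.
# Only the columns the query uses are modelled.
ROWS = [
    # INC-1: closed by an analyst, later re-saved by an automation rule -> not counted
    {"IncidentName": "INC-1", "Status": "New",    "LastModifiedTime": datetime(2023, 6, 1, 9, 0),  "ModifiedBy": "Alerts"},
    {"IncidentName": "INC-1", "Status": "Closed", "LastModifiedTime": datetime(2023, 6, 1, 10, 0), "ModifiedBy": "analyst@contoso.example"},
    {"IncidentName": "INC-1", "Status": "Closed", "LastModifiedTime": datetime(2023, 6, 1, 11, 0), "ModifiedBy": "Automation rule - Tagging"},
    # INC-2: closed by an automation rule, later touched by an analyst -> counted
    {"IncidentName": "INC-2", "Status": "New",    "LastModifiedTime": datetime(2023, 6, 2, 9, 0),  "ModifiedBy": "Alerts"},
    {"IncidentName": "INC-2", "Status": "Closed", "LastModifiedTime": datetime(2023, 6, 2, 9, 5),  "ModifiedBy": "Automation rule - Auto-close benign"},
    {"IncidentName": "INC-2", "Status": "Closed", "LastModifiedTime": datetime(2023, 6, 2, 12, 0), "ModifiedBy": "analyst@contoso.example"},
    # INC-3: never closed -> dropped by the Status filter
    {"IncidentName": "INC-3", "Status": "Active", "LastModifiedTime": datetime(2023, 6, 3, 9, 0),  "ModifiedBy": "Alerts"},
    # INC-4: closed directly by an automation rule -> counted
    {"IncidentName": "INC-4", "Status": "Closed", "LastModifiedTime": datetime(2023, 6, 4, 9, 0),  "ModifiedBy": "Automation rule - Auto-close benign"},
]


def first_closers(rows):
    """Stages 1-2 of the query: keep Closed rows, then
    arg_min(LastModifiedTime, ModifiedBy) by IncidentName, i.e. the
    earliest Closed record per incident (who closed it first)."""
    closed = [r for r in rows if r["Status"] == "Closed"]          # | where Status == 'Closed'
    earliest = {}
    for r in closed:                                               # | summarize arg_min(...) by IncidentName
        name = r["IncidentName"]
        if name not in earliest or r["LastModifiedTime"] < earliest[name]["LastModifiedTime"]:
            earliest[name] = r
    return {name: r["ModifiedBy"] for name, r in earliest.items()}


def count_closed_by_automation(rows, term="Automation rule"):
    """Stages 3-4: `has` (approximated as case-insensitive substring), then count()."""
    closers = first_closers(rows)
    matched = [n for n, who in closers.items() if term.lower() in who.lower()]  # | where ModifiedBy has '...'
    return len(matched)                                            # | summarize Count = count()


if __name__ == "__main__":
    print(first_closers(ROWS))
    print("Count =", count_closed_by_automation(ROWS))  # Count = 2 (INC-2 and INC-4)
```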

Details


Rod Trent

Released: June 15, 2023

Tables

SecurityIncident

Keywords

SecurityIncident, Status, Closed, IncidentName, LastModifiedTime, ModifiedBy, Automation rule, Count

Operators

|, ==, where, summarize, arg_min, by, has, count()
