Query Details
id: a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
name: EasyVista - High Severity Ticket SLA Breach
description: |
  Detects when a high-severity EasyVista security ticket has breached its SLA deadline while still open.
  This indicates the SOC or IT team has not resolved a critical security issue within the agreed timeframe.
  Bidirectional: the resulting Sentinel incident can drive an automation playbook that updates the EasyVista ticket severity.
severity: High
requiredDataConnectors:
  - connectorId: EasyVistaITSM
    dataTypes:
      - EasyVista_Tickets_CL
queryFrequency: 1h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Impact
relevantTechniques:
  - T1499
query: |
  EasyVista_Tickets_CL
  | where TimeGenerated > ago(1d)
  // Keep only the newest row per ticket, so an older "open" snapshot of a ticket
  // that a later sync shows as Resolved does not keep firing.
  | summarize arg_max(TimeGenerated, *) by RFC_NUMBER
  | where REQUEST_TYPE has_any ("Incident", "I")
  | where SEVERITY_ID <= 2
  | where STATUS_EN !in ("Closed", "Resolved")
  | where isnotempty(MAX_RESOLUTION_DATE_UT)
  | where MAX_RESOLUTION_DATE_UT < now()
  | extend OverdueHours = datetime_diff('hour', now(), MAX_RESOLUTION_DATE_UT)
  // alertSeverityColumnName only accepts High/Medium/Low/Informational, not the numeric
  // SEVERITY_ID. Assumed scale: 1 = High, 2 = Medium; adjust to your EasyVista configuration.
  | extend AlertSeverity = iff(SEVERITY_ID == 1, "High", "Medium")
  | project
      TimeGenerated,
      RFC_NUMBER,
      ['TITLE'],
      SEVERITY_ID,
      STATUS_EN,
      REQUESTOR_NAME,
      REQUESTOR_EMAIL,
      RECIPIENT_NAME,
      DEPARTMENT_PATH,
      LOCATION_PATH,
      ASSET_TAG,
      MAX_RESOLUTION_DATE_UT,
      OverdueHours,
      AlertSeverity
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: REQUESTOR_NAME
  - entityType: Mailbox
    fieldMappings:
      - identifier: MailboxPrimaryAddress
        columnName: REQUESTOR_EMAIL
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 4h
    matchingMethod: Selected
    groupByCustomDetails:
      - RFC_NUMBER
customDetails:
  TicketNumber: RFC_NUMBER
  TicketStatus: STATUS_EN
  SeverityLevel: SEVERITY_ID
  OverdueHours: OverdueHours
  AssignedTo: RECIPIENT_NAME
  Department: DEPARTMENT_PATH
alertDetailsOverride:
  alertDisplayNameFormat: "SLA Breach: {{RFC_NUMBER}} - {{TITLE}} ({{OverdueHours}}h overdue)"
  alertDescriptionFormat: "EasyVista ticket {{RFC_NUMBER}} (severity {{SEVERITY_ID}}) has breached SLA by {{OverdueHours}} hours."
  alertSeverityColumnName: AlertSeverity
This query is designed to identify high-severity security tickets in the EasyVista IT Service Management system that have not been resolved within their Service Level Agreement (SLA) deadlines. Here's a simple breakdown of what it does:
Purpose: It detects open high-severity security tickets that have exceeded their SLA deadlines, indicating that the Security Operations Center (SOC) or IT team has not addressed a critical issue on time.
Severity: The rule's default severity is High. The alertSeverityColumnName override sets each alert's severity from the ticket's own severity, so the column it points at must contain one of the values Sentinel accepts (High, Medium, Low or Informational) rather than the raw numeric SEVERITY_ID.
Data Source: It uses data from the EasyVista ITSM connector, specifically the EasyVista_Tickets_CL table.
Frequency: The query runs every hour and looks back over the past day (24 hours). A ticket whose last synced row is older than that is not evaluated, even if it is still overdue.
Conditions: A ticket row must meet all of the following:
- REQUEST_TYPE is an incident (has_any ("Incident", "I")), so service requests and changes are excluded.
- SEVERITY_ID is 2 or lower (the levels the rule treats as high severity).
- STATUS_EN is neither "Closed" nor "Resolved".
- MAX_RESOLUTION_DATE_UT (the SLA deadline) is populated and already in the past.
If the connector writes a fresh row for a ticket on every sync, only the newest row per RFC_NUMBER should be evaluated; otherwise an older "open" snapshot of a ticket that has since been resolved would still fire.
Output: The query calculates how many hours the ticket is overdue (datetime_diff in hours between now and the SLA deadline) and projects relevant details like ticket number, title, severity, status, requestor information, assignee, department, location and asset tag.
Incident Creation: If any tickets meet these conditions, an incident is created in Microsoft Sentinel. Pushing a severity change back to the EasyVista ticket is not done by the analytics rule itself; it requires an automation rule that runs a playbook against the incident.
Grouping: Alerts are grouped into one incident by ticket number (RFC_NUMBER) to avoid duplication, with a lookback duration of 4 hours, and closed incidents are not reopened. Because the rule runs hourly and a ticket stays overdue until it is resolved, a breach that persists beyond that window can produce a new incident on a later run; lengthen the window if that proves noisy.
Custom Details: The alert includes custom details such as ticket number, status, severity level, overdue hours, assigned person, and department.
Alert Formatting: The alert display name and description are formatted to include the ticket number, title, severity, and how many hours it is overdue.
In summary, this query helps ensure that critical security issues are promptly addressed by alerting the relevant teams when high-severity tickets breach their SLA deadlines.
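To make the filtering logic and its edge cases checkable offline, here is an added example (not part of the page's rule or the EasyVista connector) that re-implements the query's conditions in Python and runs them over constructed EasyVista_Tickets_CL-style rows. The fixed NOW timestamp, the sample tickets, and the SEVERITY_NAMES mapping (1 = High, 2 = Medium) are all assumptions made for the example; has_any is approximated with whole-term, case-insensitive matching.

```python
"""Added example: the SLA-breach rule's KQL filters re-implemented in Python and run
over constructed ticket snapshots. Not the page's rule and not connector code."""
from datetime import datetime, timedelta, timezone
import re

# Fixed "now" so the example is deterministic; the real rule uses now().
NOW = datetime(2026, 4, 16, 12, 0, tzinfo=timezone.utc)

# Assumed mapping from EasyVista SEVERITY_ID to the names Sentinel accepts in
# alertSeverityColumnName; adjust to your EasyVista severity scale.
SEVERITY_NAMES = {1: "High", 2: "Medium"}
VALID_SENTINEL_SEVERITIES = {"High", "Medium", "Low", "Informational"}


def _row(rfc, age_h, req_type, sev, status, deadline_h, title="constructed ticket"):
    """Build one constructed snapshot row; age and deadline are hours before NOW."""
    return {
        "TimeGenerated": NOW - timedelta(hours=age_h),
        "RFC_NUMBER": rfc,
        "TITLE": title,
        "REQUEST_TYPE": req_type,
        "SEVERITY_ID": sev,
        "STATUS_EN": status,
        "MAX_RESOLUTION_DATE_UT": None if deadline_h is None else NOW - timedelta(hours=deadline_h),
    }


# Constructed sample data, not real connector output.
SAMPLE_TICKETS = [
    _row("I240001", 2, "Incident", 1, "In Progress", 6, "Ransomware note on file server"),
    # Two snapshots of one ticket: the older one is open and overdue, the newer one is Resolved.
    _row("I240002", 10, "Incident", 1, "In Progress", 3),
    _row("I240002", 1, "Incident", 1, "Resolved", 3),
    _row("I240003", 2, "Incident", 3, "Assigned", 12),        # severity too low
    _row("I240004", 2, "Incident", 2, "Assigned", None),      # no SLA deadline recorded
    _row("I240005", 2, "Incident", 2, "Assigned", -2),        # deadline 2h in the future
    _row("S240006", 2, "Service Request", 1, "Assigned", 8),  # not an incident
    _row("I240007", 3, "Incident", 2, "Assigned", 30, "Suspicious admin logon"),
    _row("I240008", 30, "Incident", 1, "Assigned", 40),       # last sync older than the 1d lookback
]


def has_any(value, terms):
    """Approximate KQL has_any: whole-term, case-insensitive match."""
    tokens = {t.lower() for t in re.split(r"[^A-Za-z0-9]+", value) if t}
    return any(t.lower() in tokens for t in terms)


def latest_snapshot(rows):
    """Equivalent of: summarize arg_max(TimeGenerated, *) by RFC_NUMBER."""
    latest = {}
    for r in rows:
        cur = latest.get(r["RFC_NUMBER"])
        if cur is None or r["TimeGenerated"] > cur["TimeGenerated"]:
            latest[r["RFC_NUMBER"]] = r
    return latest.values()


def sla_breaches(rows, now=NOW, lookback=timedelta(days=1)):
    """Return the alert rows the rule would emit, sorted by ticket number."""
    in_period = [r for r in rows if r["TimeGenerated"] > now - lookback]
    hits = []
    for r in latest_snapshot(in_period):
        if not has_any(r["REQUEST_TYPE"], ("Incident", "I")):
            continue
        if r["SEVERITY_ID"] > 2:
            continue
        if r["STATUS_EN"] in ("Closed", "Resolved"):
            continue
        deadline = r["MAX_RESOLUTION_DATE_UT"]
        if deadline is None or deadline >= now:
            continue
        overdue_hours = int((now - deadline).total_seconds() // 3600)
        hits.append({
            "RFC_NUMBER": r["RFC_NUMBER"],
            "TITLE": r["TITLE"],
            "SEVERITY_ID": r["SEVERITY_ID"],
            "STATUS_EN": r["STATUS_EN"],
            "OverdueHours": overdue_hours,
            "AlertSeverity": SEVERITY_NAMES.get(r["SEVERITY_ID"], "Medium"),
        })
    return sorted(hits, key=lambda h: h["RFC_NUMBER"])


def alert_display_name(hit):
    """Render the rule's alertDisplayNameFormat for one result row."""
    return f"SLA Breach: {hit['RFC_NUMBER']} - {hit['TITLE']} ({hit['OverdueHours']}h overdue)"


if __name__ == "__main__":
    for hit in sla_breaches(SAMPLE_TICKETS):
        print(alert_display_name(hit), "->", hit["AlertSeverity"])
```

Only I240001 and I240007 fire: the resolved re-sync of I240002 suppresses its older open row, I240008 is dropped by the 24-hour lookback rather than by any ticket attribute, and the future-dated and null deadlines never count as breaches. Whole-hour rounding here is a simplification of KQL's datetime_diff.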

David Alonso
Released: April 16, 2026