Query Details

EasyVista - Cross-Department Incident Correlation

EV Hunt Cross Dept Correlation

Query

EasyVista_Tickets_CL
| where TimeGenerated > ago(24h)
| where REQUEST_TYPE has_any ("Incident", "I")
| where SEVERITY_ID <= 2
| summarize
    TicketCount = count(),
    Departments = make_set(DEPARTMENT_PATH, 20),
    DeptCount = dcount(DEPARTMENT_PATH),
    Locations = make_set(LOCATION_PATH, 20),
    Assets = make_set(ASSET_TAG, 20),
    Users = make_set(REQUESTOR_NAME, 20),
    Tickets = make_set(RFC_NUMBER, 20)
    by bin(TimeGenerated, 2h)
| where DeptCount >= 3
| project TimeGenerated, TicketCount, DeptCount, Departments, Locations, Assets, Users, Tickets
| sort by DeptCount desc

Explanation

This query is designed to identify security incidents that affect multiple departments within an organization over a short period of time, which could suggest potential security threats like lateral movement, supply chain compromise, or widespread attacks.

Here's a breakdown of what the query does:

  1. Data Source: It uses data from the EasyVista IT Service Management (ITSM) system, specifically looking at ticket logs.

  2. Time Frame: It examines incidents that have occurred in the last 24 hours.

  3. Incident Type and Severity: The query filters for tickets classified as "Incident" with a severity level of 2 or lower, indicating more critical issues.

  4. Data Aggregation: It groups the incidents into 2-hour time bins and counts the number of tickets. It also collects unique sets of departments, locations, assets, users, and ticket numbers involved in these incidents.

  5. Department Count: It specifically looks for incidents that affect three or more departments, which might indicate a broader issue.

  6. Output: The results are sorted by the number of affected departments in descending order, providing a prioritized view of incidents that potentially impact multiple areas within the organization.

In summary, this query helps security teams quickly identify and prioritize incidents that could have a significant impact across different parts of the organization, enabling faster response and mitigation.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

EasyVista_Tickets_CL

Keywords

EasyVistaTicketsTimeGeneratedRequestTypeSeverityIdTicketCountDepartmentsDeptLocationsAssetsUsers

Operators

|wherehas_any<=summarizecountmake_setdcountbybin>=projectsort bydesc

Tactics

LateralMovementImpact

MITRE Techniques

Actions

GitHub