Query Details

EV Hunt Cross Dept Correlation

Query

id: d0e1f2a3-b4c5-4d6e-7f80-911223344556
name: EasyVista - Cross-Department Incident Correlation
description: |
  Hunts for security incidents affecting multiple departments simultaneously within a short window.
  May indicate lateral movement, supply chain compromise, or organization-wide campaigns.
requiredDataConnectors:
  - connectorId: EasyVistaITSM
    dataTypes:
      - EasyVista_Tickets_CL
tactics:
  - LateralMovement
  - Impact
relevantTechniques:
  - T1021
query: |
  EasyVista_Tickets_CL
  | where TimeGenerated > ago(24h)
  | where REQUEST_TYPE has_any ("Incident", "I")
  | where SEVERITY_ID <= 2
  | summarize
      TicketCount = count(),
      Departments = make_set(DEPARTMENT_PATH, 20),
      DeptCount = dcount(DEPARTMENT_PATH),
      Locations = make_set(LOCATION_PATH, 20),
      Assets = make_set(ASSET_TAG, 20),
      Users = make_set(REQUESTOR_NAME, 20),
      Tickets = make_set(RFC_NUMBER, 20)
      by bin(TimeGenerated, 2h)
  | where DeptCount >= 3
  | project TimeGenerated, TicketCount, DeptCount, Departments, Locations, Assets, Users, Tickets
  | sort by DeptCount desc

Explanation

This query is designed to identify security incidents that affect multiple departments within an organization over a short period of time, which could suggest potential security threats like lateral movement, supply chain compromise, or widespread attacks.

Here's a breakdown of what the query does:

  1. Data Source: It uses data from the EasyVista IT Service Management (ITSM) system, specifically the EasyVista_Tickets_CL ticket table.

  2. Time Frame: It examines incidents that have occurred in the last 24 hours.

  3. Incident Type and Severity: The query keeps only tickets whose REQUEST_TYPE contains the term "Incident" (or the short form "I") and whose SEVERITY_ID is 2 or lower, i.e. the most critical severity tiers.

  4. Data Aggregation: It groups the incidents into 2-hour time bins and counts the number of tickets. It also collects unique sets of departments, locations, assets, users, and ticket numbers involved in these incidents.

  5. Department Count: It specifically looks for incidents that affect three or more departments, which might indicate a broader issue.

  6. Output: The results are sorted by the number of affected departments in descending order, providing a prioritized view of incidents that potentially impact multiple areas within the organization.

In summary, this query helps security teams quickly identify and prioritize incidents that could have a significant impact across different parts of the organization, enabling faster response and mitigation.

Details


David Alonso

Released: April 16, 2026

Tables

EasyVista_Tickets_CL

Keywords

EasyVista, Tickets, TimeGenerated, RequestType, SeverityId, TicketCount, Departments, DeptCount, Locations, Assets, Users, Tickets

Operators

|, where, has_any, <=, summarize, count, make_set, dcount, by, bin, >=, project, sort by, desc
