KQL Search

Query Details

EV Hunt High Churn Tickets

Query

id: c9d0e1f2-a3b4-4c5d-6e7f-809112233445
name: EasyVista - High Churn Tickets (Rapid Status Changes)
description: |
  Hunts for tickets with suspiciously rapid status changes, which may indicate automated loops,
  sync issues between Sentinel and EasyVista, or ticket manipulation.
requiredDataConnectors:
  - connectorId: EasyVistaITSM
    dataTypes:
      - EasyVista_Tickets_CL
tactics:
  - DefenseEvasion
query: |
  EasyVista_Tickets_CL
  | where TimeGenerated > ago(7d)
  | where REQUEST_TYPE has_any ("Incident", "I")
  | summarize
      UpdateCount = count(),
      StatusChanges = dcount(STATUS_EN),
      Statuses = make_set(STATUS_EN),
      TimeSpanMinutes = datetime_diff('minute', max(LAST_UPDATE), min(SUBMIT_DATE_UT))
      by RFC_NUMBER, ['TITLE']
  | where UpdateCount > 5 and TimeSpanMinutes < 60
  | extend ChurnRate = round(toreal(UpdateCount) / iif(TimeSpanMinutes > 0, toreal(TimeSpanMinutes), 1.0), 2)
  | sort by ChurnRate desc

Explanation

This KQL query is designed to identify tickets in the EasyVista IT Service Management system that have undergone unusually rapid status changes, which could suggest issues like automated loops, synchronization problems, or potential manipulation. Here's a simple breakdown of what the query does:

  1. Data Source: It pulls data from the EasyVista_Tickets_CL table, specifically looking at the past 7 days.

  2. Filter Criteria: It focuses on tickets with a request type of "Incident" or "I".

  3. Aggregation: For each ticket, it calculates:

    • The total number of updates (UpdateCount).
    • The number of distinct status changes (StatusChanges).
    • A set of all statuses the ticket has been through (Statuses).
    • The total time span in minutes from when the ticket was submitted to the last update (TimeSpanMinutes).

  4. Suspicious Activity Identification: It filters for tickets that have more than 5 updates and where all these updates occurred within less than 60 minutes.

  5. Churn Rate Calculation: It calculates a ChurnRate, which is the rate of updates per minute, and rounds it to two decimal places.

  6. Sorting: Finally, it sorts the results by the ChurnRate in descending order, highlighting tickets with the highest rate of rapid changes.

This query helps identify tickets that might be experiencing abnormal activity, which could be worth investigating further for potential issues or anomalies.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

EasyVista_Tickets_CL

Keywords

EasyVistaTicketsTimeGeneratedRequestTypeUpdateCountStatusChangesStatusesTimeSpanMinutesRfcNumberTitleLastUpdateSubmitDateUtChurnRate

Operators

agohas_anysummarizecountdcountmake_setdatetime_diffmaxminbyextendroundtorealiifsort

Actions