Query Details
id: b8c9d0e1-f2a3-4b4c-5d6e-7f8091122334
name: EasyVista - Orphaned Tickets Missing Sentinel Linkage
description: |
  Hunts for EasyVista security tickets created via API (indicating Sentinel origin) that lack a valid EXTERNAL_REFERENCE.
  May indicate playbook failures or manual ticket creation bypassing the automated workflow.
requiredDataConnectors:
  - connectorId: EasyVistaITSM
    dataTypes:
      - EasyVista_Tickets_CL
tactics:
  - Impact
query: |
  EasyVista_Tickets_CL
  // Hunting window: the last 7 days
  | where TimeGenerated > ago(7d)
  // Incident-type tickets only (full name or the abbreviated code)
  | where REQUEST_TYPE has_any ("Incident", "I")
  // Created through the API, the channel the Sentinel playbook uses
  | where ORIGIN == "API"
  // Linkage is missing, or is not an Azure resource path (a Sentinel incident resource ID begins with /subscriptions/)
  | where isempty(EXTERNAL_REFERENCE) or not(EXTERNAL_REFERENCE has "/subscriptions/")
  | project TimeGenerated, RFC_NUMBER, ['TITLE'], STATUS_EN, SEVERITY_ID, REQUESTOR_NAME, ORIGIN, EXTERNAL_REFERENCE
  | sort by TimeGenerated desc
This query is designed to identify potential issues with EasyVista security tickets that are supposed to be linked to Microsoft Sentinel but are missing the necessary linkage. Here's a simple breakdown:
Purpose: The query searches for security tickets in EasyVista that were created through an API, which suggests they originated from Microsoft Sentinel. It checks if these tickets are missing a valid external reference, which could indicate problems like playbook failures or manual ticket creation that bypasses the automated process.
Data Source: It uses data from the EasyVista IT Service Management (ITSM) connector, specifically looking at the EasyVista_Tickets_CL data type.
Time Frame: The query focuses on tickets generated in the last 7 days.
Filters:
- REQUEST_TYPE matches "Incident" or the abbreviated code "I", so only incident-type tickets are considered.
- ORIGIN equals "API", the channel the Sentinel playbook uses; tickets raised manually in the portal have a different origin and are excluded.
- EXTERNAL_REFERENCE is empty, or does not contain the path segment "/subscriptions/", which every Azure resource ID (including a Sentinel incident's) begins with. A ticket that passes the first two filters but fails this one was created through the automation but never received a usable back-reference to the incident.
Output: The query outputs a list of relevant ticket details, including when they were generated, their RFC number, title, status, severity, requestor name, origin, and external reference.
Sorting: The results are sorted by the time they were generated, in descending order, so the most recent tickets appear first.
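The following block is an added worked example, not part of the original hunting query or the EasyVista connector content. It builds a constructed set of EasyVista_Tickets_CL rows with datatable (all ticket numbers, names, GUIDs and the SEVERITY_ID type are made up) and runs the same filter chain over them, so you can see which rows the hunt returns and why. It also goes one step beyond the page's check: instead of only testing for "/subscriptions/", it validates the full Sentinel incident resource ID shape (subscription, resource group, workspace, incident GUID), which catches a reference that points at the workspace rather than an incident.

```kql
// Added example (not the page's own query). Constructed sample rows; every value is made up.
let SampleTickets = datatable(
    AgeDays:int, RFC_NUMBER:string, TITLE:string, STATUS_EN:string, SEVERITY_ID:string,
    REQUESTOR_NAME:string, ORIGIN:string, REQUEST_TYPE:string, EXTERNAL_REFERENCE:string)
[
    // 1. Healthy: API-created, EXTERNAL_REFERENCE is a Sentinel incident resource ID
    1, "I260410_000001", "Sentinel: Suspicious sign-in", "In progress", "2", "Sentinel Playbook", "API", "Incident",
       "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec/providers/Microsoft.OperationalInsights/workspaces/ws-sec/providers/Microsoft.SecurityInsights/Incidents/11111111-1111-1111-1111-111111111111",
    // 2. Orphan: API-created, reference never written back (playbook failed after ticket creation)
    2, "I260411_000002", "Sentinel: Malware detected", "New", "1", "Sentinel Playbook", "API", "Incident", "",
    // 3. Orphan: API-created, reference is a bare ticket number instead of an Azure resource path
    3, "I260412_000003", "Sentinel: Port scan", "New", "3", "Sentinel Playbook", "API", "Incident", "INC-4711",
    // 4. Out of scope: raised in the EasyVista portal, no Sentinel linkage expected
    4, "I260413_000004", "Printer offline", "New", "4", "J. Doe", "Portal", "Incident", "",
    // 5. Out of scope: service request, not an incident
    5, "S260414_000005", "New laptop", "New", "4", "Sentinel Playbook", "API", "Service Request", "",
    // 6. Passes the page's "/subscriptions/" test but points at the workspace, not an incident
    6, "I260415_000006", "Sentinel: Brute force", "New", "2", "Sentinel Playbook", "API", "Incident",
       "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec/providers/Microsoft.OperationalInsights/workspaces/ws-sec",
    // 7. Out of window: same defect as row 2 but 10 days old
    10, "I260405_000007", "Sentinel: Old orphan", "Closed", "3", "Sentinel Playbook", "API", "Incident", ""
];
// Shape of a Sentinel incident ARM resource ID: subscription GUID, resource group, workspace, incident GUID.
let IncidentIdPattern = @"^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+/providers/Microsoft\.OperationalInsights/workspaces/[^/]+/providers/Microsoft\.SecurityInsights/Incidents/[0-9a-fA-F-]{36}$";
SampleTickets
// Derive TimeGenerated relative to now so the ago(7d) window behaves as it would on live data
| extend TimeGenerated = now() - 1d * AgeDays
| where TimeGenerated > ago(7d)
| where REQUEST_TYPE has_any ("Incident", "I")
| where ORIGIN == "API"
// The page's original test, kept as a column so the two checks can be compared side by side
| extend PageCheckFlags = isempty(EXTERNAL_REFERENCE) or not(EXTERNAL_REFERENCE has "/subscriptions/")
// Stricter classification: empty, present-but-not-an-incident-ID, or ok
| extend LinkState = case(
    isempty(EXTERNAL_REFERENCE), "missing",
    not(EXTERNAL_REFERENCE matches regex IncidentIdPattern), "malformed",
    "ok")
| where LinkState != "ok"
| project TimeGenerated, RFC_NUMBER, ['TITLE'], STATUS_EN, SEVERITY_ID, REQUESTOR_NAME, ORIGIN,
          EXTERNAL_REFERENCE, LinkState, PageCheckFlags
| sort by TimeGenerated desc
```

Run as written, this returns rows 2 and 3 (both flagged by the page's check and by the stricter one) and row 6 (flagged only by the stricter check, since its reference does contain "/subscriptions/"). Rows 1, 4, 5 and 7 drop out on linkage, origin, request type and time window respectively. If the playbook in your environment stores something other than the incident's ARM resource ID in EXTERNAL_REFERENCE, adjust IncidentIdPattern to that format before using the stricter check.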

David Alonso
Released: April 16, 2026