Query Details

EasyVista - Orphaned Tickets Missing Sentinel Linkage

EV Hunt Orphaned Tickets

Query

EasyVista_Tickets_CL
| where TimeGenerated > ago(7d)
| where REQUEST_TYPE has_any ("Incident", "I")
| where ORIGIN == "API"
| where isempty(EXTERNAL_REFERENCE) or not(EXTERNAL_REFERENCE has "/subscriptions/")
| project TimeGenerated, RFC_NUMBER, ['TITLE'], STATUS_EN, SEVERITY_ID, REQUESTOR_NAME, ORIGIN, EXTERNAL_REFERENCE
| sort by TimeGenerated desc

Explanation

This query is designed to identify potential issues with EasyVista security tickets that are supposed to be linked to Microsoft Sentinel but are missing the necessary linkage. Here's a simple breakdown:

  1. Purpose: The query searches for security tickets in EasyVista that were created through an API, which suggests they originated from Microsoft Sentinel. It checks if these tickets are missing a valid external reference, which could indicate problems like playbook failures or manual ticket creation that bypasses the automated process.

  2. Data Source: It uses data from the EasyVista IT Service Management (ITSM) connector, specifically looking at the EasyVista_Tickets_CL data type.

  3. Time Frame: The query focuses on tickets generated in the last 7 days.

  4. Filters:

    • It looks for tickets with a request type of "Incident" or "I".
    • It checks that the ticket's origin is "API".
    • It identifies tickets that either have an empty EXTERNAL_REFERENCE field or do not contain a specific subscription path ("/subscriptions/").
  5. Output: The query outputs a list of relevant ticket details, including when they were generated, their RFC number, title, status, severity, requestor name, origin, and external reference.

  6. Sorting: The results are sorted by the time they were generated, in descending order, so the most recent tickets appear first.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

EasyVista_Tickets_CL

Keywords

EasyVistaTicketsTimeGeneratedRequestTypeOriginExternalReferenceRfcNumberTitleStatusEnSeverityIdRequestorName

Operators

has_any==isemptyornothasprojectsort bydesc

Tactics

Impact

Actions

GitHub