Query Details
id: e5f6a7b8-c9d0-4e1f-2a3b-4c5d6e7f8091
name: EasyVista - Sentinel Incident Without ITSM Ticket
description: |
  Detects Sentinel incidents older than 1 hour that have no linked EasyVista ticket (no EV: tag).
  Ensures all security incidents are tracked in the ITSM workflow for proper lifecycle management.
severity: Informational
requiredDataConnectors:
  - connectorId: AzureSentinel
    dataTypes:
      - SecurityIncident
queryFrequency: 1h
queryPeriod: 4h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Impact
query: |
  SecurityIncident
  | where TimeGenerated > ago(4h)
  // SecurityIncident logs one row per incident update; keep only the latest state of each
  // incident so that a stale "Active" row of an incident that was later closed cannot fire
  | summarize arg_max(TimeGenerated, *) by IncidentNumber
  | where CreatedTime < ago(1h)
  | where Status != "Closed"
  | where not(Labels has "EV:")
  | where Severity in ("High", "Medium")
  | project
      TimeGenerated,
      IncidentNumber,
      IncidentTitle = Title,
      Severity,
      Status,
      CreatedTime,
      AlertCount = toint(AdditionalData.alertsCount),
      Owner = tostring(Owner.assignedTo)
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 4h
    matchingMethod: AnyAlert
customDetails:
  IncidentId: IncidentNumber
  IncidentSeverity: Severity
  IncidentOwner: Owner
alertDetailsOverride:
  alertDisplayNameFormat: "Missing ITSM Ticket: Sentinel Incident #{{IncidentNumber}} - {{IncidentTitle}}"
  alertDescriptionFormat: "Sentinel incident #{{IncidentNumber}} ({{Severity}}) has been open for over 1 hour without an EasyVista ticket. Owner: {{Owner}}"
This query is designed to identify security incidents in Azure Sentinel that are older than one hour and do not have a corresponding EasyVista ITSM ticket. The purpose is to ensure that all security incidents are properly tracked and managed within the ITSM workflow.
Here's a simple breakdown of the query:
Purpose: It detects Sentinel incidents that are more than one hour old and lack an EasyVista ticket, indicated by the absence of an "EV:" tag.
Severity Level: The query focuses on incidents with a severity of "High" or "Medium."
Time Frame: It checks incidents generated within the last four hours but created more than one hour ago.
Status: Only incidents that are not closed are considered.
Output: The query projects details such as the time the incident was generated, its number, title, severity, status, creation time, alert count, and the assigned owner.
Incident Creation: If such incidents are found, an alert is created with a specific format, and incidents are grouped if they match any alert within the last four hours.
Alert Details: The alert is named to highlight the missing ITSM ticket and includes a description with the incident number, severity, and owner.
Overall, this query helps ensure that all significant security incidents are properly logged and managed in the ITSM system, preventing any from being overlooked.
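To show how the rule's filters behave on the multi-row SecurityIncident table, here is an added Python model of the same logic run over constructed incident rows; it is not the rule's own code. It assumes the EasyVista ticket is recorded as a label whose labelName starts with "EV:", and it keeps only the newest row per IncidentNumber, because the table holds one row per update and an older "Active" row would otherwise fire for an incident that has since been closed.

```python
# Added example, not the rule's own code: the same filters the KQL applies, run
# over constructed SecurityIncident rows. SecurityIncident logs one row per update,
# so only the latest row per IncidentNumber reflects the incident's current state.
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 4, 16, 12, 0, tzinfo=timezone.utc)  # constructed "now"
QUERY_PERIOD = timedelta(hours=4)   # queryPeriod / ago(4h)
MIN_AGE = timedelta(hours=1)        # CreatedTime < ago(1h)
SEVERITIES = {"High", "Medium"}

def has_ev_label(labels):
    """True when any label name carries the EasyVista 'EV:' prefix (assumed convention)."""
    return any(str(lbl.get("labelName", "")).startswith("EV:") for lbl in labels)

def latest_state(rows):
    """Keep the newest row per incident (arg_max(TimeGenerated, *) by IncidentNumber)."""
    latest = {}
    for row in rows:
        cur = latest.get(row["IncidentNumber"])
        if cur is None or row["TimeGenerated"] > cur["TimeGenerated"]:
            latest[row["IncidentNumber"]] = row
    return list(latest.values())

def untracked_incidents(rows, now=NOW):
    """IncidentNumbers that are open, over 1h old, High/Medium and lack an EV: label."""
    recent = [r for r in rows if r["TimeGenerated"] > now - QUERY_PERIOD]
    return sorted(
        r["IncidentNumber"] for r in latest_state(recent)
        if r["CreatedTime"] < now - MIN_AGE
        and r["Status"] != "Closed"
        and r["Severity"] in SEVERITIES
        and not has_ev_label(r["Labels"])
    )

def row(num, age, status, sev, labels=(), created=None):
    """Build a constructed SecurityIncident-shaped row 'age' old (CreatedTime defaults to it)."""
    return {"IncidentNumber": num, "TimeGenerated": NOW - age,
            "CreatedTime": NOW - (created if created is not None else age),
            "Status": status, "Severity": sev, "Labels": list(labels)}

SAMPLE_ROWS = [  # constructed sample data
    row(101, timedelta(hours=3), "Active", "High"),                       # open, no ticket -> fires
    row(102, timedelta(hours=2), "Active", "Medium",
        [{"labelName": "EV:INC-0042", "labelType": "User"}]),            # ticketed -> suppressed
    row(103, timedelta(hours=3), "Active", "High"),                       # stale 'Active' row ...
    row(103, timedelta(minutes=30), "Closed", "High", created=timedelta(hours=3)),  # ... closed later
    row(104, timedelta(minutes=20), "New", "High"),                       # under 1h old -> too young
    row(105, timedelta(hours=2), "Active", "Low"),                        # Low severity -> out of scope
]
```

Calling `untracked_incidents(SAMPLE_ROWS)` returns only incident 101; without the latest-state step, the stale row of incident 103 would also be reported.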

David Alonso
Released: April 16, 2026