Query Details

EV Repeated Incidents Same Asset

Query

id: d4e5f6a7-b8c9-4d0e-1f2a-3b4c5d6e7f80
name: EasyVista - Repeated Security Incidents on Same Asset
description: |
  Detects assets that have been involved in 3+ security incidents within 7 days.
  Indicates persistent compromise, incomplete remediation, or a high-value target under sustained attack.
  Enriched with asset details from the EasyVista CMDB.
severity: High
requiredDataConnectors:
  - connectorId: EasyVistaITSM
    dataTypes:
      - EasyVista_Tickets_CL
      - EasyVista_Assets_CL
queryFrequency: 6h
queryPeriod: 7d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
  - LateralMovement
relevantTechniques:
  - T1078
  - T1021
query: |
  EasyVista_Tickets_CL
  | where TimeGenerated > ago(7d)
  | where REQUEST_TYPE has_any ("Incident", "I")
  | where isnotempty(ASSET_TAG)
  | summarize
      IncidentCount = count(),
      Tickets = make_set(RFC_NUMBER, 10),
      Severities = make_set(SEVERITY_ID, 10),
      FirstSeen = min(SUBMIT_DATE_UT),
      LastSeen = max(SUBMIT_DATE_UT)
      by ASSET_TAG
  | where IncidentCount >= 3
  | join kind=leftouter (
      EasyVista_Assets_CL
      | summarize arg_max(TimeGenerated, *) by ASSET_TAG
      | project ASSET_TAG, ASSET_LABEL, SERIAL_NUMBER, EMPLOYEE_NAME, EMPLOYEE_EMAIL, DEPARTMENT_PATH, LOCATION_PATH
  ) on ASSET_TAG
  | project
      TimeGenerated = now(),
      ASSET_TAG,
      ASSET_LABEL,
      SERIAL_NUMBER,
      IncidentCount,
      Tickets,
      Severities,
      FirstSeen,
      LastSeen,
      AssignedUser = EMPLOYEE_NAME,
      AssignedEmail = EMPLOYEE_EMAIL,
      Department = DEPARTMENT_PATH,
      Location = LOCATION_PATH
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: ASSET_TAG
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AssignedUser
  - entityType: Mailbox
    fieldMappings:
      - identifier: MailboxPrimaryAddress
        columnName: AssignedEmail
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: true
    lookbackDuration: 7d
    matchingMethod: Selected
    groupByCustomDetails:
      - AssetTag
customDetails:
  AssetTag: ASSET_TAG
  AssetLabel: ASSET_LABEL
  IncidentCount: IncidentCount
  AssignedUser: AssignedUser
  Department: Department
  Location: Location
alertDetailsOverride:
  alertDisplayNameFormat: "Repeated Incidents on Asset {{ASSET_TAG}}: {{IncidentCount}} in 7d"
  alertDescriptionFormat: "Asset {{ASSET_TAG}} has had {{IncidentCount}} security incidents in 7 days. Assigned to: {{AssignedUser}}."

Explanation

This query is designed to identify and alert on assets that have been involved in multiple security incidents within a short period, specifically three or more incidents within seven days. Here's a simplified breakdown of what the query does:

  1. Data Source: It uses data from EasyVista, specifically looking at tickets and asset information.

  2. Time Frame: It examines incidents that occurred in the past seven days.

  3. Incident Criteria: It filters for tickets that are classified as incidents and have an associated asset tag.

  4. Incident Count: It counts the number of incidents per asset. If an asset has three or more incidents, it is flagged.

  5. Asset Information: It enriches the incident data with additional details about the asset from the EasyVista asset database, such as asset label, serial number, and the assigned user's details.

  6. Alert Generation: If an asset meets the criteria, an alert is generated. The alert includes details like the asset tag, number of incidents, and assigned user information.

  7. Severity and Tactics: The alert is marked with high severity and associated with tactics like persistence and lateral movement, indicating potential ongoing threats or incomplete remediation.

  8. Incident Management: The system is configured to create incidents automatically, group related incidents, and potentially reopen closed incidents if new related incidents occur within the lookback period.

Overall, this query helps in identifying assets that might be under persistent attack or have unresolved security issues, allowing for timely intervention and remediation.
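To make the pipeline above concrete, here is an added Python example (not part of this page, and not EasyVista or Microsoft Sentinel code) that reproduces the rule's KQL logic over constructed ticket and asset rows: the 7-day window, the `has_any` request-type filter, the `isnotempty` check, the per-asset `summarize`, the `arg_max` pick of the newest CMDB snapshot, and the `leftouter` join. `kql_has_any` is a simplified stand-in for KQL term matching, and every asset tag, ticket number, name and e-mail address in the sample rows is constructed. The sample deliberately includes the edge cases the rule's shape implies: a ticket outside the window, a non-incident request type, a ticket with no asset tag, a stale CMDB snapshot superseded by a newer one, and an asset with no CMDB record at all.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is deterministic (constructed, not a live clock).
NOW = datetime(2026, 4, 16, 12, 0, tzinfo=timezone.utc)

def _d(days_ago):
    return NOW - timedelta(days=days_ago)

def _ticket(rfc, rtype, tag, sev, days_ago):
    # TimeGenerated is set equal to SUBMIT_DATE_UT to keep the sample small.
    when = _d(days_ago)
    return {"RFC_NUMBER": rfc, "REQUEST_TYPE": rtype, "ASSET_TAG": tag,
            "SEVERITY_ID": sev, "SUBMIT_DATE_UT": when, "TimeGenerated": when}

def _asset(days_ago, tag, label, serial, name, email, dept, loc):
    return {"TimeGenerated": _d(days_ago), "ASSET_TAG": tag, "ASSET_LABEL": label,
            "SERIAL_NUMBER": serial, "EMPLOYEE_NAME": name, "EMPLOYEE_EMAIL": email,
            "DEPARTMENT_PATH": dept, "LOCATION_PATH": loc}

# Constructed EasyVista_Tickets_CL rows (sample data, not real tickets).
TICKETS = [
    _ticket("I-0001", "Incident", "LT-0042", "1", 1),
    _ticket("I-0002", "Incident", "LT-0042", "2", 3),
    _ticket("I-0003", "Incident", "LT-0042", "1", 6),
    _ticket("SR-0004", "Service Request", "LT-0042", "3", 2),  # not an incident
    _ticket("I-0005", "I", "SRV-0107", "1", 0.5),               # short-form type code
    _ticket("I-0006", "Incident", "SRV-0107", "1", 2),
    _ticket("I-0007", "Incident", "SRV-0107", "2", 4),
    _ticket("I-0008", "Incident", "SRV-0107", "2", 9),          # outside the 7d window
    _ticket("I-0009", "Incident", "LT-0099", "2", 1),
    _ticket("I-0010", "Incident", "LT-0099", "2", 5),           # only two for LT-0099
    _ticket("I-0011", "Incident", "", "1", 1),                  # no asset tag
]

# Constructed EasyVista_Assets_CL rows. LT-0042 has two CMDB snapshots and the
# newer one must win; SRV-0107 has no CMDB row at all (exercises leftouter).
ASSETS = [
    _asset(30, "LT-0042", "Laptop 42", "SN-AAA", "Old Owner", "old@example.com", "IT", "HQ/1F"),
    _asset(2, "LT-0042", "Laptop 42", "SN-AAA", "Jordan Example", "jordan@example.com", "Finance", "HQ/3F"),
    _asset(2, "LT-0099", "Laptop 99", "SN-BBB", "Sam Example", "sam@example.com", "Sales", "HQ/2F"),
]

def kql_has_any(text, terms):
    """Simplified stand-in for KQL has_any: case-insensitive whole-term match."""
    tokens = {tok.lower() for tok in re.split(r"[^A-Za-z0-9]+", text or "") if tok}
    return any(term.lower() in tokens for term in terms)

def _make_set(values, limit):
    """make_set(x, limit): distinct values in first-seen order, capped at limit."""
    return list(dict.fromkeys(values))[:limit]

def repeated_incident_assets(tickets, assets, now=NOW, window=timedelta(days=7),
                             threshold=3, set_limit=10):
    """Mirror of the rule's KQL pipeline over in-memory rows; returns one row per hit."""
    cutoff = now - window                                   # ago(7d)
    groups = {}
    for t in tickets:
        if not t["TimeGenerated"] > cutoff:                 # | where TimeGenerated > ago(7d)
            continue
        if not kql_has_any(t["REQUEST_TYPE"], ("Incident", "I")):
            continue
        if not t.get("ASSET_TAG"):                          # isnotempty(ASSET_TAG)
            continue
        groups.setdefault(t["ASSET_TAG"], []).append(t)     # summarize ... by ASSET_TAG

    latest = {}                                             # arg_max(TimeGenerated, *) by ASSET_TAG
    for row in sorted(assets, key=lambda r: r["TimeGenerated"]):
        latest[row["ASSET_TAG"]] = row

    results = []
    for tag, rows in groups.items():
        if len(rows) < threshold:                           # | where IncidentCount >= 3
            continue
        a = latest.get(tag, {})                             # leftouter: no CMDB row -> empty
        results.append({
            "TimeGenerated": now, "ASSET_TAG": tag, "IncidentCount": len(rows),
            "Tickets": _make_set([r["RFC_NUMBER"] for r in rows], set_limit),
            "Severities": _make_set([r["SEVERITY_ID"] for r in rows], set_limit),
            "FirstSeen": min(r["SUBMIT_DATE_UT"] for r in rows),
            "LastSeen": max(r["SUBMIT_DATE_UT"] for r in rows),
            # project renames; None where the left-outer join found no CMDB row
            "ASSET_LABEL": a.get("ASSET_LABEL"), "SERIAL_NUMBER": a.get("SERIAL_NUMBER"),
            "AssignedUser": a.get("EMPLOYEE_NAME"), "AssignedEmail": a.get("EMPLOYEE_EMAIL"),
            "Department": a.get("DEPARTMENT_PATH"), "Location": a.get("LOCATION_PATH"),
        })
    return sorted(results, key=lambda r: r["ASSET_TAG"])

if __name__ == "__main__":
    for hit in repeated_incident_assets(TICKETS, ASSETS):
        print(f"Repeated Incidents on Asset {hit['ASSET_TAG']}: "
              f"{hit['IncidentCount']} in 7d (assigned to {hit['AssignedUser']})")
```

Running the module prints one line per flagged asset in the shape of the rule's alertDisplayNameFormat. Two things worth noticing when tuning the rule: an asset with exactly three in-window incidents fires while one with two does not, and an asset with no CMDB row still alerts but arrives with empty enrichment fields, so unmanaged or freshly provisioned assets will show up unassigned rather than being silently dropped.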

Details

David Alonso

Released: April 16, 2026

Tables

EasyVista_Tickets_CL, EasyVista_Assets_CL

Keywords

Assets, Security, Incidents, Persistence, LateralMovement, Host, Account, Mailbox

Operators

ago(), has_any(), isnotempty(), summarize, count(), make_set(), min(), max(), by, join, kind=leftouter, arg_max(), project, now()