EasyVista - Repeated Security Incidents on Same Asset
EV Repeated Incidents Same Asset
Query
EasyVista_Tickets_CL
| where TimeGenerated > ago(7d)
| where REQUEST_TYPE has_any ("Incident", "I")
| where isnotempty(ASSET_TAG)
| summarize
IncidentCount = count(),
Tickets = make_set(RFC_NUMBER, 10),
Severities = make_set(SEVERITY_ID, 10),
FirstSeen = min(SUBMIT_DATE_UT),
LastSeen = max(SUBMIT_DATE_UT)
by ASSET_TAG
| where IncidentCount >= 3
| join kind=leftouter (
EasyVista_Assets_CL
| summarize arg_max(TimeGenerated, *) by ASSET_TAG
| project ASSET_TAG, ASSET_LABEL, SERIAL_NUMBER, EMPLOYEE_NAME, EMPLOYEE_EMAIL, DEPARTMENT_PATH, LOCATION_PATH
) on ASSET_TAG
| project
TimeGenerated = now(),
ASSET_TAG,
ASSET_LABEL,
SERIAL_NUMBER,
IncidentCount,
Tickets,
Severities,
FirstSeen,
LastSeen,
AssignedUser = EMPLOYEE_NAME,
AssignedEmail = EMPLOYEE_EMAIL,
Department = DEPARTMENT_PATH,
Location = LOCATION_PATHExplanation
This query is designed to identify and alert on assets that have been involved in three or more security incidents within a seven-day period. Here's a simple breakdown of what the query does:
-
Purpose: It aims to detect assets that might be persistently compromised, not fully remediated, or are high-value targets under sustained attack.
-
Data Sources: It uses data from EasyVista ITSM, specifically focusing on tickets and asset information.
-
Frequency and Period: The query runs every six hours and looks back over the past seven days.
-
Incident Detection:
- It filters for incidents related to specific assets.
- Counts the number of incidents per asset.
- Only considers assets with three or more incidents.
-
Asset Information: It enriches the incident data with additional asset details like asset label, serial number, assigned user, and location from the EasyVista CMDB.
-
Output: The result includes details such as the asset tag, incident count, ticket numbers, severity levels, first and last incident dates, and assigned user information.
-
Alerting:
- If an asset meets the criteria, an alert is generated.
- The alert includes a custom display name and description highlighting the asset and incident count.
- It also supports incident grouping and reopening of closed incidents if new related incidents occur within the lookback period.
-
Severity and Techniques: The alert is marked with high severity and relates to tactics like persistence and lateral movement, with specific techniques referenced (T1078, T1021).
In summary, this query helps security teams quickly identify and respond to assets that are repeatedly involved in security incidents, indicating potential ongoing security issues.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 6h
Period: 7d