Query Details

EV Unusual Ticket Volume

Query

id: c3d4e5f6-a7b8-4c9d-0e1f-2a3b4c5d6e7f
name: EasyVista - Unusual Volume of Security Tickets
description: |
  Detects when the number of security-related EasyVista tickets created in the last hour exceeds the historical baseline by 3 standard deviations.
  May indicate a mass incident, phishing campaign, or automated ticket creation abuse.
severity: Medium
requiredDataConnectors:
  - connectorId: EasyVistaITSM
    dataTypes:
      - EasyVista_Tickets_CL
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Impact
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let baseline = EasyVista_Tickets_CL
  | where TimeGenerated between (ago(14d) .. ago(1h))
  | where REQUEST_TYPE has_any ("Incident", "I")
  | summarize HourlyCount = count() by bin(TimeGenerated, 1h)
  | summarize AvgCount = avg(HourlyCount), StdDev = stdev(HourlyCount);
  let current = EasyVista_Tickets_CL
  | where TimeGenerated > ago(1h)
  | where REQUEST_TYPE has_any ("Incident", "I")
  | summarize CurrentCount = count();
  baseline
  // KQL has no cross join: give both single-row tables a constant key and join on it
  | extend JoinKey = 1
  | join kind=inner (current | extend JoinKey = 1) on JoinKey
  | where CurrentCount > AvgCount + (3 * StdDev)
  | extend Threshold = round(AvgCount + (3 * StdDev), 0)
  | project
      TimeGenerated = now(),
      CurrentCount,
      BaselineAvg = round(AvgCount, 1),
      BaselineStdDev = round(StdDev, 1),
      Threshold,
      Deviation = round((CurrentCount - AvgCount) / StdDev, 1)
incidentConfiguration:
  createIncident: true
customDetails:
  CurrentVolume: CurrentCount
  BaselineAverage: BaselineAvg
  Threshold: Threshold
  StandardDeviations: Deviation
alertDetailsOverride:
  alertDisplayNameFormat: "Unusual EasyVista Ticket Volume: {{CurrentCount}} tickets in 1h (baseline: {{BaselineAvg}})"
  alertDescriptionFormat: "{{CurrentCount}} security tickets created in the last hour, exceeding the baseline of {{BaselineAvg}} (threshold: {{Threshold}})."

Explanation

This query is designed to monitor the volume of security-related tickets in EasyVista, an IT service management tool. Here's a simple breakdown of what it does:

  1. Purpose: It detects when the number of security-related tickets created in the last hour significantly exceeds the usual volume, which might indicate a large-scale incident, phishing attack, or misuse of the ticketing system.

  2. Data Source: The query uses data from EasyVista's ticket logs (the EasyVista_Tickets_CL table), specifically entries whose REQUEST_TYPE contains "Incident" or "I".

  3. Historical Analysis: It calculates a baseline by examining ticket volumes over the past 14 days, determining the average number of tickets per hour and the standard deviation (a measure of variation).

  4. Current Analysis: It counts the number of tickets created in the last hour.

  5. Comparison: It checks if the current ticket count exceeds the historical average by more than three standard deviations. If it does, this suggests an unusual spike in ticket volume.

  6. Alert Generation: If an anomaly is detected, it creates an incident alert with details such as the current ticket volume, baseline average, and the calculated threshold for unusual activity.

  7. Severity and Techniques: The alert is marked with medium severity and is associated with tactics like "Impact" and "Initial Access", and the technique "T1566" (related to phishing).

  8. Customization: The alert includes specific details about the current situation and is formatted to clearly communicate the anomaly in ticket volume.

In essence, this query helps IT teams quickly identify and respond to potential security incidents by flagging unusual increases in ticket creation.
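As an added example (not part of the rule or the EasyVista connector), this Python port of the baseline comparison runs the same AvgCount / StdDev / Threshold / Deviation arithmetic over a constructed 14-day ticket sample. It shows two things the query alone does not: `summarize ... by bin(TimeGenerated, 1h)` emits bins only for hours that contain tickets, so quiet hours never lower the baseline (compare `kql_bins` with `filled_bins`), and a flat baseline (StdDev = 0) makes the unguarded division in `Deviation` blow up. The timestamps, counts and run time are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import mean, stdev

HOUR = timedelta(hours=1)

def hourly_counts(timestamps, start, end, fill_empty=False):
    """Port of `summarize HourlyCount = count() by bin(TimeGenerated, 1h)` over [start, end).
    KQL emits a bin only for hours that contain a row; fill_empty=True also emits 0 bins."""
    bins = Counter(ts.replace(minute=0, second=0, microsecond=0)
                   for ts in timestamps if start <= ts < end)
    if fill_empty:
        for i in range((end - start) // HOUR):
            bins.setdefault(start + i * HOUR, 0)
    return [bins[h] for h in sorted(bins)]

def evaluate(baseline_counts, current_count, k=3.0):
    """Port of the rule's comparison; statistics.stdev is the sample stdev, like KQL's stdev()."""
    avg = mean(baseline_counts)
    sd = stdev(baseline_counts) if len(baseline_counts) > 1 else 0.0
    threshold = avg + k * sd
    # The rule divides by StdDev unguarded, so a flat baseline alerts on any count above the average.
    if sd > 0:
        deviation = (current_count - avg) / sd
    else:
        deviation = float("inf") if current_count > avg else 0.0
    return {"Alert": current_count > threshold, "CurrentCount": current_count,
            "BaselineAvg": round(avg, 1), "BaselineStdDev": round(sd, 1),
            "Threshold": round(threshold, 0), "Deviation": round(deviation, 1)}

def constructed_tickets(start, end):
    """Constructed sample, not real EasyVista data: 3-6 Incident tickets in every
    business hour (08:00-17:59 UTC) of [start, end) and none overnight."""
    tickets, t = [], start
    while t < end:
        if 8 <= t.hour <= 17:
            tickets += [t + j * timedelta(minutes=5) for j in range(3 + t.hour % 4)]
        t += HOUR
    return tickets

def demo(now=datetime(2026, 4, 16, 8, 0, tzinfo=timezone.utc), current_count=8):
    """Evaluate the constructed sample both ways; `now` is a hypothetical run time."""
    start, end = now - 14 * 24 * HOUR, now - HOUR  # between (ago(14d) .. ago(1h))
    tickets = constructed_tickets(start, end)
    kql = hourly_counts(tickets, start, end)
    filled = hourly_counts(tickets, start, end, fill_empty=True)
    return {"kql_bins": {"Bins": len(kql), **evaluate(kql, current_count)},
            "filled_bins": {"Bins": len(filled), **evaluate(filled, current_count)}}
```

With 8 tickets in the current hour the KQL-style baseline (140 business-hour bins, threshold 8) fires while the zero-filled baseline (335 bins, threshold 9) does not, so the choice of how quiet hours are treated decides the verdict.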

Details

David Alonso

Released: April 16, 2026

Tables

EasyVista_Tickets_CL

Keywords

EasyVista, Tickets, Security, Incident, Phishing, Campaign, Automated, Abuse

Operators

let, between, ago, has_any, summarize, bin, avg, stdev, join, kind, cross, where, extend, round, project, now