Query Details

EasyVista - Unusual Volume of Security Tickets

EV Unusual Ticket Volume

Query

let baseline = EasyVista_Tickets_CL
| where TimeGenerated between (ago(14d) .. ago(1h))
| where REQUEST_TYPE has_any ("Incident", "I")
| summarize HourlyCount = count() by bin(TimeGenerated, 1h)
| summarize AvgCount = avg(HourlyCount), StdDev = stdev(HourlyCount);
let current = EasyVista_Tickets_CL
| where TimeGenerated > ago(1h)
| where REQUEST_TYPE has_any ("Incident", "I")
| summarize CurrentCount = count();
baseline
| join kind=cross current
| where CurrentCount > AvgCount + (3 * StdDev)
| extend Threshold = round(AvgCount + (3 * StdDev), 0)
| project
    TimeGenerated = now(),
    CurrentCount,
    BaselineAvg = round(AvgCount, 1),
    BaselineStdDev = round(StdDev, 1),
    Threshold,
    Deviation = round((CurrentCount - AvgCount) / StdDev, 1)

Explanation

This query is designed to monitor the volume of security-related tickets in EasyVista, an IT service management tool. Here's a simple breakdown of what it does:

  1. Purpose: It detects when the number of security-related tickets created in the last hour significantly exceeds the usual volume, which might indicate a large-scale incident, phishing attack, or misuse of the ticketing system.

  2. Data Source: The query uses data from EasyVista's ticket logs, specifically looking at entries labeled as "Incident" or "I".

  3. Historical Analysis: It calculates a baseline by examining ticket volumes over the past 14 days, determining the average number of tickets per hour and the standard deviation (a measure of variation).

  4. Current Analysis: It counts the number of tickets created in the last hour.

  5. Comparison: It checks if the current ticket count exceeds the historical average by more than three standard deviations. If it does, this suggests an unusual spike in ticket volume.

  6. Alert Generation: If an anomaly is detected, it creates an incident alert with details such as the current ticket volume, baseline average, and the calculated threshold for unusual activity.

  7. Severity and Techniques: The alert is marked with medium severity and is associated with tactics like "Impact" and "Initial Access", and the technique "T1566" (related to phishing).

  8. Customization: The alert includes specific details about the current situation and is formatted to clearly communicate the anomaly in ticket volume.

In essence, this query helps IT teams quickly identify and respond to potential security incidents by flagging unusual increases in ticket creation.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

EasyVista_Tickets_CL

Keywords

EasyVistaTicketsSecurityIncidentPhishingCampaignAutomatedAbuse

Operators

letbetweenagohas_anysummarizebinavgstdevjoinkindcrosswhereextendroundprojectnow

Severity

Medium

Tactics

ImpactInitialAccess

MITRE Techniques

Frequency: 1h

Period: 14d

Actions

GitHub