Query Details

Incident Owner Change

Query

//Shows when the owner of an Incident has changed. From Gary Bushey. Details here: https://cda.ms/3Z8  

SecurityIncident
// prev() reads the preceding row in serialized order, so each incident's
// records must be adjacent and in time order for the owner comparison below
| order by IncidentNumber asc, TimeGenerated asc
| serialize
| extend NewOwner = tostring(Owner.email)
| extend PreIncidentNumber = prev(IncidentNumber)
// owner on the preceding row of the same incident; blank when the
// preceding row belongs to a different incident
| extend PrevEmail = iif(PreIncidentNumber == IncidentNumber, prev(NewOwner), "")
| where PrevEmail != NewOwner
| order by IncidentNumber, TimeGenerated desc
// keep only the most recent owner change per incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| project TimeGenerated, NewOwner, IncidentNumber, IncidentUrl, Severity

Explanation

This query shows when the owner of a security incident has changed. It sorts the incident records into time order, serializes them so that prev() can read the preceding row, and adds a "NewOwner" column holding the email of the current owner. It also adds a "PreIncidentNumber" column with the incident number of the preceding row, and a "PrevEmail" column with that row's owner email when it belongs to the same incident (blank otherwise). It then filters out rows where the previous owner's email is the same as the current owner's email, so only owner changes remain. The results are ordered by incident number and time generated, and then summarized with arg_max to keep the latest change for each incident number. Finally, the query projects the time generated, new owner, incident number, incident URL, and severity columns.
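The query above keeps only the latest change per incident. The following added example (not from the original page or from Gary Bushey's query) lists every owner hand-off with the previous and new owner side by side, and classifies each as an initial assignment, an unassignment or a reassignment. It assumes the Microsoft Sentinel SecurityIncident schema, where Owner is a dynamic column with an "email" property, and assumes the Title and ModifiedBy columns are present (they are not used on the original page).

```kql
// Added example, not part of the original query page.
// Assumes the Sentinel SecurityIncident schema: Owner is dynamic with an
// "email" property; Title and ModifiedBy are assumed to exist.
SecurityIncident
| where TimeGenerated > ago(30d)
| project TimeGenerated, IncidentNumber, Title, Severity, IncidentUrl, ModifiedBy,
          OwnerEmail = tostring(Owner.email)
// prev() reads the preceding row in serialized order, so rows of the same
// incident must be adjacent and in time order
| order by IncidentNumber asc, TimeGenerated asc
| serialize
// default values avoid null comparisons on the very first row
| extend SameIncident = prev(IncidentNumber, 1, -1) == IncidentNumber
| extend PrevOwnerEmail = iif(SameIncident, prev(OwnerEmail, 1, ""), "")
// keep only rows where the owner actually changed within one incident;
// the first record of an incident is its creation, not a hand-off
| where SameIncident and PrevOwnerEmail != OwnerEmail
| extend ChangeType = case(
      isempty(PrevOwnerEmail), "assigned",
      isempty(OwnerEmail),     "unassigned",
      "reassigned")
| project TimeGenerated, IncidentNumber, Title, Severity, ChangeType,
          PrevOwnerEmail, NewOwnerEmail = OwnerEmail, ModifiedBy, IncidentUrl
| order by TimeGenerated desc
```

Drop the where clause on ChangeType filtering if you also want to see incidents whose owner has never changed; as written, untouched incidents produce no rows.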

Details


Rod Trent

Released: March 7, 2022

Tables

SecurityIncident

Keywords

Incident, Owner, TimeGenerated, NewOwner, PreIncidentNumber, PrevEmail, IncidentNumber, IncidentUrl, Severity

Operators

order by, serialize, extend, prev, iif, where, summarize, arg_max, project
