Query Details

Incidents By Closed Classification Last 24 Hours

Query

SecurityIncident
| where Status == 'Closed'
| where isnotempty(Classification)
| summarize arg_max(LastModifiedTime, Classification) by IncidentName
| summarize Count = count() by Classification

Explanation

This query reads the SecurityIncident table, which holds one record per incident update, so a single incident can appear many times. It keeps only records whose Status is 'Closed' and whose Classification is not empty. The first summarize uses arg_max to keep, for each IncidentName, the record with the latest LastModifiedTime, so a reclassified incident is counted once under its final classification rather than once per update. The second summarize then counts the remaining incidents per Classification.
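As an added illustration that is not part of the original page, the following Python reproduces the query's two-stage logic over constructed SecurityIncident rows and contrasts it with a count that skips the arg_max step. The row values and the 24-hour window are assumptions; the query on this page has no time filter of its own and normally relies on the portal's time picker.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample rows shaped like the SecurityIncident table, which
# stores one record per incident update; inc-1 was closed twice with
# different classifications, inc-5 was closed outside the 24h window.
NOW = datetime(2023, 6, 15, 12, 0, 0)
SECURITY_INCIDENT = [
    {"IncidentName": "inc-1", "Status": "Closed", "Classification": "TruePositive",
     "LastModifiedTime": NOW - timedelta(hours=20)},
    {"IncidentName": "inc-1", "Status": "Closed", "Classification": "BenignPositive",
     "LastModifiedTime": NOW - timedelta(hours=2)},   # reclassified later
    {"IncidentName": "inc-2", "Status": "Closed", "Classification": "FalsePositive",
     "LastModifiedTime": NOW - timedelta(hours=5)},
    {"IncidentName": "inc-3", "Status": "Closed", "Classification": "",
     "LastModifiedTime": NOW - timedelta(hours=1)},   # closed without classification
    {"IncidentName": "inc-4", "Status": "Active", "Classification": "",
     "LastModifiedTime": NOW - timedelta(hours=3)},
    {"IncidentName": "inc-5", "Status": "Closed", "Classification": "TruePositive",
     "LastModifiedTime": NOW - timedelta(days=3)},    # outside the 24h window
]

def closed_by_classification(rows, now=NOW, window=timedelta(hours=24)):
    """Mirror the query: where filters, arg_max per IncidentName, count per Classification.
    The time window is an assumption; the original query carries no time filter."""
    filtered = [r for r in rows
                if r["Status"] == "Closed" and r["Classification"]
                and r["LastModifiedTime"] > now - window]
    latest = {}  # IncidentName -> record with the greatest LastModifiedTime
    for r in filtered:
        prev = latest.get(r["IncidentName"])
        if prev is None or r["LastModifiedTime"] > prev["LastModifiedTime"]:
            latest[r["IncidentName"]] = r
    return dict(Counter(r["Classification"] for r in latest.values()))

def naive_count(rows):
    """Same where filters but no arg_max: every update row is counted,
    so inc-1 shows up under both of its classifications."""
    return dict(Counter(r["Classification"] for r in rows
                        if r["Status"] == "Closed" and r["Classification"]))
```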

Details


Rod Trent

Released: June 15, 2023

Tables

SecurityIncident

Keywords

SecurityIncident,Status,Closed,Classification,LastModifiedTime,IncidentName,Count

Operators

|, where, ==, isnotempty, summarize, arg_max, by, count()
