Query Details

Incidents Status By Creation Time Last 24 Hours

Query

SecurityIncident
// Only incidents created in the last 24 hours
| where CreatedTime > ago(1d)
// SecurityIncident holds one row per incident update; keep the most recent row per incident
| summarize arg_max(LastModifiedTime, Status, CreatedTime) by IncidentName
// Count incidents per current Status in 4-hour bins of creation time
| summarize Count = count() by Status, bin(CreatedTime, 4h)
// Wrap each Status/Count pair in a property bag (bag_pack replaces the deprecated pack())
| extend StatusCount = bag_pack(Status, Count)
// Merge the bags of one 4-hour bin into a single bag, e.g. {"New":3,"Closed":1}
| summarize StatusCountArray = make_bag(StatusCount) by CreatedTime
// Expand the bag so each status becomes its own column
| evaluate bag_unpack(StatusCountArray)
// Fold the whole row (bin timestamp plus status counts) back into one dynamic column
| project Result = pack_all()

Explanation

This query runs against the SecurityIncident table, which stores one row per incident update rather than one row per incident, so an incident's current state is its most recently modified row. It first keeps only incidents created in the last day, then uses arg_max on LastModifiedTime, grouped by IncidentName, to retain each incident's latest Status together with its CreatedTime. It counts incidents per Status in 4-hour bins of CreatedTime, wraps each Status/Count pair in a property bag (StatusCount), and merges the bags belonging to the same bin with make_bag into StatusCountArray. bag_unpack then expands that bag so every status becomes its own column, and pack_all folds each row (the bin timestamp and the per-status counts) into a single dynamic column named Result.

Two points to keep in mind when reading the output: a status that does not occur in a bin is absent from that bin's bag, so it appears as a missing key rather than a zero; and bins are keyed by CreatedTime, so an incident created 20 hours ago and closed an hour ago is counted as Closed in the bin it was created in, not in the bin in which it was closed. Without the arg_max step the same incident would be counted once per status transition.
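To check that the per-incident deduplication and the binning behave as described, the following is an added example (not part of the original page or of Rod Trent's query repository) that shadows the SecurityIncident table with a constructed datatable of incident update rows. The incident names, statuses and timings are made up; times are expressed as offsets from now() so that the ago(1d) filter still applies. Paste it as one query into a Log Analytics or Microsoft Sentinel workspace.

```kql
// Added example: a constructed fixture for exercising the query without live incidents.
// The let binding shadows the real SecurityIncident table for this query only.
// Offsets are timespans relative to now() so that ago(1d) keeps working.
let SecurityIncident = datatable(IncidentName:string, Status:string, CreatedAgo:timespan, ModifiedAgo:timespan)
[
    // inc-a: opened 20h ago, triaged, closed 5h ago -> counted once, as Closed
    "inc-a", "New",    20h, 20h,
    "inc-a", "Active", 20h, 18h,
    "inc-a", "Closed", 20h, 5h,
    // inc-b: opened 19h ago, still Active -> counted once, as Active
    "inc-b", "New",    19h, 19h,
    "inc-b", "Active", 19h, 2h,
    // inc-c: opened 3h ago, untouched -> counted once, as New, in a later bin
    "inc-c", "New",    3h,  3h,
    // inc-d: created 30h ago, modified 1h ago -> dropped by the CreatedTime filter
    "inc-d", "New",    30h, 30h,
    "inc-d", "Active", 30h, 1h
]
| extend CreatedTime = now() - CreatedAgo, LastModifiedTime = now() - ModifiedAgo
| project-away CreatedAgo, ModifiedAgo;
// The original pipeline, unchanged apart from bag_pack in place of the deprecated pack()
SecurityIncident
| where CreatedTime > ago(1d)
| summarize arg_max(LastModifiedTime, Status, CreatedTime) by IncidentName
| summarize Count = count() by Status, bin(CreatedTime, 4h)
| extend StatusCount = bag_pack(Status, Count)
| summarize StatusCountArray = make_bag(StatusCount) by CreatedTime
| evaluate bag_unpack(StatusCountArray)
| project Result = pack_all()
```

The expected result is one Result row containing "Closed":1 and "Active":1 for the bin holding inc-a and inc-b (or two rows if a 4-hour boundary happens to fall between their creation times), one row containing "New":1 for inc-c, and nothing for inc-d, even though inc-d was modified inside the window. Removing the arg_max line makes inc-a contribute three counts instead of one, which is the error the deduplication step prevents.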

Details


Rod Trent

Released: June 15, 2023

Tables

SecurityIncident

Keywords

SecurityIncident,CreatedTime,LastModifiedTime,Status,IncidentName,Count,bin,StatusCount,StatusCountArray,Result

Operators

where,ago,summarize,arg_max,by,count,bin,extend,pack,make_bag,evaluate,bag_unpack,project,pack_all
