Query Details

Mean Time To Acknowledge Last 48 Hours

Query

// SecurityIncident holds one row per incident update, so restrict to the
// reporting window first; bin_at() below would otherwise bucket older rows too
let MeanTimeToAck = SecurityIncident
| where TimeGenerated > ago(48h)
| where Status == 'Active'
// earliest row in which the incident was Active, i.e. the moment it was acknowledged
| summarize arg_min(LastModifiedTime, CreatedTime, TimeGenerated) by IncidentName
| extend timeToAck = datetime_diff('Minute', LastModifiedTime, CreatedTime)
// 50th percentile (the median, kept under the MeanTime name) per 24h bucket aligned to ago(48h)
| summarize MeanTime = percentiles(timeToAck, 50) by HalfQueryPeriodTime = bin_at(TimeGenerated, 24h, ago(48h))
| order by HalfQueryPeriodTime asc;
MeanTimeToAck
| serialize
| extend MeanTime = MeanTime/todouble(60)      // minutes -> hours
| extend Trend = MeanTime - prev(MeanTime)     // already in hours; prev() is null on the first (oldest) row
| order by HalfQueryPeriodTime desc
| project MeanTime, Trend

Explanation

The query estimates how long it takes to acknowledge security incidents. SecurityIncident holds one row per incident update, so the query first keeps only rows whose Status is Active (incidents that never left New are excluded) and then uses arg_min on LastModifiedTime per IncidentName to pick the earliest Active row for each incident, carrying that row's CreatedTime and TimeGenerated along with it. The difference in minutes between that row's LastModifiedTime and its CreatedTime is the time to acknowledge. The rows are then grouped into 24-hour buckets aligned to 48 hours ago (bin_at on the TimeGenerated of the acknowledging row) and the 50th percentile is taken per bucket. Despite the column name MeanTime this is a median, which is less sensitive to a single long-open incident than an arithmetic mean would be; note also that KQL's percentile functions return an estimate, not an exact value. The buckets are ordered ascending so that prev() sees the older period first. The second half of the query converts the median from minutes to hours, computes Trend as the difference between the current and the previous period in hours (null for the oldest period), orders the periods newest first, and projects MeanTime and Trend.
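To make the arg_min, bin_at and prev() semantics checkable offline, the following is an added Python re-implementation of the query's logic over constructed SecurityIncident-style rows. It is not part of the original page and not Microsoft's or the author's code; the field names mirror the Sentinel table, the incident rows are made up for the illustration, and the bin_at and datetime_diff helpers are approximations of the KQL functions written for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Added example, not from the original page: a Python re-implementation of the
# query over constructed SecurityIncident-style rows. Field names mirror the
# Sentinel table; the rows and the fixed NOW are made up for this illustration.


@dataclass(frozen=True)
class IncidentRow:
    IncidentName: str
    Status: str
    CreatedTime: datetime
    LastModifiedTime: datetime
    TimeGenerated: datetime


PERIOD = timedelta(hours=24)        # bin size (24h in the query)
LOOKBACK = timedelta(hours=48)      # ago(48h) in the query
NOW = datetime(2023, 6, 15, 12, 0)  # fixed "now" so the example is deterministic


def row(name, status, created_offset_h, modified_after_min):
    """Constructed row: created `created_offset_h` hours before NOW and updated
    `modified_after_min` minutes after creation (TimeGenerated == LastModifiedTime)."""
    created = NOW - timedelta(hours=created_offset_h)
    modified = created + timedelta(minutes=modified_after_min)
    return IncidentRow(name, status, created, modified, modified)


# Constructed sample data: one row per incident update, as in SecurityIncident
ROWS = [
    row("INC-1", "New", 40, 0),
    row("INC-1", "Active", 40, 15),    # acknowledged 15 min after creation
    row("INC-1", "Closed", 40, 300),
    row("INC-2", "Active", 30, 45),    # acknowledged after 45 min ...
    row("INC-2", "Active", 30, 180),   # ... a later Active update must be ignored by arg_min
    row("INC-3", "Active", 10, 120),
    row("INC-4", "Active", 5, 60),
    row("INC-5", "New", 2, 0),         # never acknowledged: dropped by Status == 'Active'
    row("INC-6", "Active", 60, 10),    # older than 48h: outside the reporting window
]


def datetime_diff_minutes(later: datetime, earlier: datetime) -> int:
    """Approximates KQL datetime_diff('Minute', later, earlier): minute boundaries crossed."""
    trunc = lambda d: d.replace(second=0, microsecond=0)
    return (trunc(later) - trunc(earlier)) // timedelta(minutes=1)


def bin_at(value: datetime, bin_size: timedelta, fixed_point: datetime) -> datetime:
    """Approximates KQL bin_at(): floor `value` to a bin boundary, with `fixed_point`
    itself being one of the boundaries."""
    return fixed_point + ((value - fixed_point) // bin_size) * bin_size


def mtta_by_period(rows, now=NOW, period=PERIOD, lookback=LOOKBACK):
    """Returns [(period_start, median_hours, trend_hours_or_None)], newest period first."""
    window_start = now - lookback
    # where TimeGenerated > ago(48h) and Status == 'Active'
    active = [r for r in rows if r.TimeGenerated > window_start and r.Status == "Active"]
    # summarize arg_min(LastModifiedTime, ...) by IncidentName: first Active row per incident
    first_active = {}
    for r in active:
        cur = first_active.get(r.IncidentName)
        if cur is None or r.LastModifiedTime < cur.LastModifiedTime:
            first_active[r.IncidentName] = r
    # extend timeToAck, then summarize the 50th percentile by bin_at(TimeGenerated, 24h, ago(48h))
    buckets = {}
    for r in first_active.values():
        to_ack = datetime_diff_minutes(r.LastModifiedTime, r.CreatedTime)
        buckets.setdefault(bin_at(r.TimeGenerated, period, window_start), []).append(to_ack)
    # order by asc, serialize, minutes -> hours, Trend = MeanTime - prev(MeanTime)
    results, prev_hours = [], None
    for start in sorted(buckets):
        hours = median(buckets[start]) / 60.0  # KQL percentile() is an estimate; exact here
        trend = None if prev_hours is None else hours - prev_hours
        results.append((start, hours, trend))
        prev_hours = hours
    # order by HalfQueryPeriodTime desc
    results.sort(key=lambda t: t[0], reverse=True)
    return results


if __name__ == "__main__":
    for start, hours, trend in mtta_by_period(ROWS):
        print(f"{start:%Y-%m-%d %H:%M}  MeanTime={hours:.2f}h  Trend={trend}")
```

Running it shows the two 24-hour periods: the newer one has a median of 1.5 hours and a Trend of +1.0 hour over the older period's 0.5 hours, while INC-2's second Active update, the never-acknowledged INC-5 and the out-of-window INC-6 do not influence the result.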

Details


Rod Trent

Released: June 15, 2023

Tables

SecurityIncident

Keywords

MeanTimeToAck,SecurityIncident,Status,Active,LastModifiedTime,CreatedTime,TimeGenerated,IncidentName,timeToAck,Minute,MeanTime,percentiles,HalfQueryPeriodTime,bin_at,24h,ago(48h),MeanTime,todouble,Trend,prev(MeanTime),project

Operators

where, summarize, arg_min, by, extend, datetime_diff, percentiles, bin_at, ago, order by, serialize, prev, project
