Query Details

Mean Time To Close

Query

// One row per closed incident, then the 50th percentile of minutes-to-close per 24h bin.
let MeanTimeToClose = SecurityIncident
| where Status == 'Closed'
// SecurityIncident holds one row per incident update; keep the first record that carries Status == 'Closed'
| summarize arg_min(LastModifiedTime, ClosedTime, CreatedTime, TimeGenerated) by IncidentName
// datetime_diff(period, later, earlier): minutes from creation to closure
| extend timeToClose = datetime_diff('Minute', ClosedTime, CreatedTime)
// percentiles(x, 50) is the median, not the arithmetic mean; avg(timeToClose) would give a true mean
| summarize MeanTime = percentiles(timeToClose, 50)
    by HalfQueryPeriodTime = bin_at(TimeGenerated, 24h, ago(48h))
| order by HalfQueryPeriodTime asc;
MeanTimeToClose
| serialize                                        // prev() requires a serialized row set
| extend MeanTime = MeanTime/todouble(60)          // minutes -> hours
| extend Trend = MeanTime - prev(MeanTime)         // already in hours; the original divided by 60 a second time
| order by HalfQueryPeriodTime desc
| project MeanTime, Trend

Explanation

The query reports how long security incidents take to close, as a 24-hour time series. It first restricts SecurityIncident to rows whose Status is Closed and, because SecurityIncident stores one row per update to an incident, collapses them to one row per IncidentName with arg_min on LastModifiedTime, i.e. the first record in which the incident was closed. For each incident it then computes the minutes between CreatedTime and ClosedTime.

The incidents are grouped into 24-hour bins of TimeGenerated anchored at ago(48h) (bin_at), and for each bin the 50th percentile of the time to close is taken. Despite the MeanTime column name this is the median, which is the usual choice for a time-to-close metric because a single incident left open for days would otherwise dominate the average; substitute avg() if a true mean is wanted. The per-bin value is converted from minutes to hours, and Trend is the change in hours against the previous bin (prev() needs serialized input, which is why serialize appears; the first bin has no predecessor and gets a null Trend). Finally the rows are ordered newest first and only MeanTime and Trend are projected.

Two caveats for anyone reusing it: the query has no explicit time filter, so the bins it produces depend on the time range the workbook or Log Analytics query pane applies, and the "HalfQueryPeriodTime" name reflects that in the workbook the 24h/48h constants are half the selected query period.
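The following is an added, stand-alone KQL example that is not part of the original page or Rod Trent's query library. It runs the same pipeline over a constructed datatable (the rows, the fixed reference time Now, and the column names FakeIncidents, PeriodStart, MedianMinutes, MeanMinutes, MedianHours, MeanHours and MedianTrendHours are all assumptions) so the median-versus-mean point, the per-incident de-duplication and the trend arithmetic can be checked without a Sentinel workspace:

```kql
// Added example, not the page's own query. Constructed incident rows; no SecurityIncident table needed.
let Now = datetime(2023-06-15 12:00:00);   // fixed "now" so the 24h bins are reproducible
let FakeIncidents = datatable(
    IncidentName:string, Status:string, CreatedTime:datetime, ClosedTime:datetime,
    LastModifiedTime:datetime, TimeGenerated:datetime)
[
    // Bin 1 (2023-06-13 12:00 to 2023-06-14 12:00): four ordinary closures and one outlier.
    "inc-1", "Closed", datetime(2023-06-13 13:00:00), datetime(2023-06-13 13:30:00), datetime(2023-06-13 13:30:00), datetime(2023-06-13 13:30:00),
    // inc-1 again: a later update row for the same closed incident; arg_min(LastModifiedTime) keeps the first one.
    "inc-1", "Closed", datetime(2023-06-13 13:00:00), datetime(2023-06-13 18:00:00), datetime(2023-06-13 18:00:00), datetime(2023-06-13 18:00:00),
    "inc-2", "Closed", datetime(2023-06-13 14:00:00), datetime(2023-06-13 14:45:00), datetime(2023-06-13 14:45:00), datetime(2023-06-13 14:45:00),
    "inc-3", "Closed", datetime(2023-06-13 15:00:00), datetime(2023-06-13 16:00:00), datetime(2023-06-13 16:00:00), datetime(2023-06-13 16:00:00),
    "inc-4", "Closed", datetime(2023-06-13 16:00:00), datetime(2023-06-13 16:50:00), datetime(2023-06-13 16:50:00), datetime(2023-06-13 16:50:00),
    // Opened the previous day and closed 35 hours later: the outlier that drags the mean up.
    "inc-5", "Closed", datetime(2023-06-12 09:00:00), datetime(2023-06-13 20:00:00), datetime(2023-06-13 20:00:00), datetime(2023-06-13 20:00:00),
    // Bin 2 (2023-06-14 12:00 to 2023-06-15 12:00).
    "inc-6", "Closed", datetime(2023-06-14 13:00:00), datetime(2023-06-14 13:20:00), datetime(2023-06-14 13:20:00), datetime(2023-06-14 13:20:00),
    "inc-7", "Closed", datetime(2023-06-14 15:00:00), datetime(2023-06-14 15:40:00), datetime(2023-06-14 15:40:00), datetime(2023-06-14 15:40:00),
    "inc-8", "Closed", datetime(2023-06-14 16:00:00), datetime(2023-06-14 17:00:00), datetime(2023-06-14 17:00:00), datetime(2023-06-14 17:00:00),
    // Still open: the Status filter must drop it, otherwise datetime_diff would see a null ClosedTime.
    "inc-9", "Active", datetime(2023-06-14 18:00:00), datetime(null), datetime(2023-06-14 18:00:00), datetime(2023-06-14 18:00:00)
];
FakeIncidents
| where Status == 'Closed'
// one row per incident: the first record in which it was closed
| summarize arg_min(LastModifiedTime, ClosedTime, CreatedTime, TimeGenerated) by IncidentName
| extend timeToClose = datetime_diff('Minute', ClosedTime, CreatedTime)
| summarize MedianMinutes = percentile(timeToClose, 50),   // what the original query labels MeanTime
            MeanMinutes   = avg(timeToClose),              // the arithmetic mean, for comparison
            Incidents     = count()
    by PeriodStart = bin_at(TimeGenerated, 24h, Now - 48h) // ago(48h) replaced by a fixed anchor
| order by PeriodStart asc                                 // sorted output is serialized, so prev() is allowed
| extend MedianHours = MedianMinutes / 60.0, MeanHours = MeanMinutes / 60.0
| extend MedianTrendHours = MedianHours - prev(MedianHours) // hours minus hours: no second /60
| project PeriodStart, Incidents, MedianHours, MeanHours, MedianTrendHours
```

With these rows the first bin has five incidents whose minutes-to-close are 30, 45, 50, 60 and 2100, so MedianHours is about 0.83 while MeanHours is about 7.62: the single 35-hour incident moves the mean by almost seven hours but leaves the median where the typical closure sits (percentile() is a T-digest estimate, but on inputs this small it is exact). The second bin has three incidents at 20, 40 and 60 minutes, giving MedianHours of about 0.67 and a MedianTrendHours of roughly -0.17, i.e. closures got ten minutes faster. The first bin's MedianTrendHours is null because prev() has nothing to look back to, and the duplicate inc-1 row counts once, which is what the arg_min step is for.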

Details

Rod Trent

Released: June 15, 2023

Tables

SecurityIncident

Keywords

MeanTimeToClose,SecurityIncident,Status,Closed,CreatedTime,TimeGenerated,IncidentName,timeToClose,Minute,datetime_diff,MeanTime,percentiles,HalfQueryPeriodTime,bin_at,ago,order,asc,serialize,todouble,Trend,prev,project

Operators

SecurityIncident, where, ==, summarize, arg_min, by, extend, datetime_diff, summarize, percentiles, bin_at, ago, order by, asc, MeanTimeToClose, serialize, extend, prev, project