Query Details

No Incidents Closed in 90

Query

//Number of Incidents closed in the last 90 days

SecurityIncident
| where TimeGenerated > startofday(ago(90d))
| where ProviderName == "Azure Sentinel" // Commenting out this line provides SecurityIncidents from both Azure Sentinel and Microsoft 365 Defender Incidents.
| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData) by IncidentNumber
| where Status == "Closed"
| summarize count() by Status

Explanation

This query counts the incidents whose current status is "Closed", using incident records generated in the last 90 days. It first restricts SecurityIncident to records with a TimeGenerated in the last 90 days and, because of the ProviderName filter, to incidents from Azure Sentinel only (commenting out that line also includes Microsoft 365 Defender incidents). Because SecurityIncident stores one row per incident update, it then keeps only the most recent record for each incident number, so every incident is counted once and by its latest status rather than by an earlier one. Finally it filters to the incidents whose latest status is "Closed" and counts them.
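The same pattern can be extended to count by when the incident was actually closed rather than by when its record was last written, and to break the result down by severity and closing classification. This is an added example, not part of the original page; it assumes the standard SecurityIncident columns ClosedTime, Severity and Classification and keeps the page's 90-day window and provider filter.

```kql
// Added example (not from the original page): closed incidents in the last 90 days,
// windowed on ClosedTime and broken down by Severity and Classification.
SecurityIncident
| where TimeGenerated > startofday(ago(90d))
| where ProviderName == "Azure Sentinel" // remove to include Microsoft 365 Defender incidents as well
// Keep only the latest record per incident: SecurityIncident holds one row per update,
// so an incident that was closed and later reopened is counted by its current status.
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Status == "Closed"
// Count only incidents whose recorded closing time itself falls inside the window,
// not incidents that were merely updated inside it.
| where ClosedTime > startofday(ago(90d))
| summarize ClosedIncidents = count() by Severity, Classification
| order by Severity asc, ClosedIncidents desc
```

Comparing this total with the page's query shows how many "closed" incidents in the original count were closed before the window and only touched within it.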

Details


Rod Trent

Released: November 4, 2021

Tables

SecurityIncident

Keywords

Incidents,Closed

Operators

|, where, >, startofday, ago, ==, summarize, arg_max, by, where, ==, summarize, count(), by
