Query Details

No New Open Incidents 24hrs

Query

//Number of new, open Incidents in the last 24 hours

SecurityIncident
| where TimeGenerated > ago(1d)
| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData) by IncidentNumber
| where Status == "New"
| summarize count() by Status

Explanation

This query counts the new, open incidents recorded in the last 24 hours. It first filters the SecurityIncident table to records whose TimeGenerated falls within the past day. Because an incident writes a new record each time it changes, the query then uses arg_max on TimeGenerated, grouped by IncidentNumber, to keep only the latest record (and its Status, Severity, Owner and AdditionalData) for each incident. It then keeps only incidents whose latest Status is "New". Finally, it counts those incidents, grouped by Status, which yields a single "New" row with the count.
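A variation of the same pattern, added here as an example and not part of the catalog entry, breaks the count down by Severity and assigned owner and surfaces each group's oldest CreatedTime. It keeps the arg_max-per-IncidentNumber step because that is what prevents an incident that moved from "New" to "Active" inside the window from being counted as still new. The Owner column is dynamic; this example assumes its assignedTo property holds the assignee's display name, as it does in Microsoft Sentinel's SecurityIncident schema. Note that the TimeGenerated filter selects records written in the last day, so an older incident that was updated recently is included; CreatedTime shows when the incident was actually created.

```kql
// Added example: new, open incidents in the last 24 hours, grouped by Severity and owner.
// Owner is a dynamic column; assignedTo (assumed display name) is cast with tostring() before grouping.
SecurityIncident
| where TimeGenerated > ago(1d)
// keep only the most recent record per incident so a later status change is honoured
| summarize arg_max(TimeGenerated, Status, Severity, Owner, Title, CreatedTime) by IncidentNumber
| where Status == "New"
| extend AssignedTo = tostring(Owner.assignedTo)
// count per severity and owner, and show the oldest creation time in each group
| summarize NewIncidents = count(), OldestCreated = min(CreatedTime) by Severity, AssignedTo
| order by Severity asc, NewIncidents desc
```

An empty AssignedTo value indicates an incident that nobody has picked up yet, which is usually the group worth alerting on.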

Details


Rod Trent

Released: November 4, 2021

Tables

SecurityIncident

Keywords

Incidents, TimeGenerated, Status, Severity, Owner, AdditionalData, IncidentNumber

Operators

where, ago, summarize, arg_max, by, ==, count()
