Query Details

No Total Open Incidents in 90

Query

//Number of total open Incidents in the last 90 days

SecurityIncident
| where TimeGenerated > startofday(ago(90d))
| where ProviderName == "Azure Sentinel" // Commenting out this line provides SecurityIncidents from both Azure Sentinel and Microsoft 365 Defender Incidents.
| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData) by IncidentNumber
| where Status != "Closed"
| summarize count() by Status

Explanation

This query counts the open incidents in the last 90 days. It keeps only SecurityIncident records written in that window, restricts them to incidents whose ProviderName is "Azure Sentinel" (removing that line includes Microsoft 365 Defender incidents as well), and then collapses the table to one row per IncidentNumber with arg_max, which keeps the Status, Severity, Owner and AdditionalData from the record with the latest TimeGenerated. That step matters because SecurityIncident stores one record per incident update, so without it a single incident that moved from New to Active to Closed would be counted several times, and an incident reopened after being closed would be missed. Rows whose latest Status is "Closed" are dropped, and the remainder are grouped by Status (New or Active) and counted. Note that the 90-day filter applies to the update records, not to the incident's creation time: an incident that is still open but has not been touched in 90 days does not appear, so widen the window if you need a complete backlog.
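The following is an added example, not code from Rod Trent's original page: it keeps the same window and the same arg_max deduplication but drops the provider filter, breaks the open count out by provider and severity, and flags incidents with no assigned owner. It assumes the standard SecurityIncident columns ProviderName, Severity, CreatedTime and the dynamic Owner column, and reads the owner's display name from Owner.assignedTo.

```kql
// Added example, not part of the original page: open incidents in the last
// 90 days for both providers, by severity, with unassigned count and oldest age.
// Assumes standard SecurityIncident columns (ProviderName, Severity, CreatedTime,
// Owner) and that Owner.assignedTo holds the assignee's display name.
SecurityIncident
| where TimeGenerated > startofday(ago(90d))
// One row per incident: the latest update wins, so an incident reopened after
// being closed is counted and one closed after being active is not.
| summarize arg_max(TimeGenerated, Status, Severity, Owner, ProviderName, CreatedTime) by IncidentNumber
| where Status != "Closed"
| extend AssignedTo = tostring(Owner.assignedTo)
| extend AgeDays = datetime_diff('day', now(), CreatedTime)
| summarize OpenIncidents = count(),
            Unassigned = countif(isempty(AssignedTo)),
            OldestDays = max(AgeDays)
    by ProviderName, Status, Severity
| order by ProviderName asc, Severity asc
```

The Unassigned column is the one to watch in a triage review: open incidents with no owner are the ones most likely to age out of the window silently.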

Details


Rod Trent

Released: November 4, 2021

Tables

SecurityIncident

Keywords

Incidents,TimeGenerated,ProviderName,AzureSentinel,Microsoft365Defender,Status,Severity,Owner,AdditionalData,IncidentNumber,Closed

Operators

|,where,>,startofday,ago,==,summarize,arg_max,by,!=,count()
