Query Details

No Unassigned Incidents

Query

//Number of unassigned Incidents in Last 24 hours

SecurityIncident
| where TimeGenerated > ago(1d)
| where ProviderName == "Azure Sentinel" // Commenting out this line provides SecurityIncidents from both Azure Sentinel and Microsoft 365 Defender Incidents.
| summarize arg_max(TimeGenerated, Status, Severity, Owner, AdditionalData) by IncidentNumber
| where isempty(tostring(Owner.assignedTo)) // Owner is a dynamic property bag; an unassigned incident has no assignedTo value
| where Status == "New" or Status == "Active"
| summarize count() by Status

Explanation

This query counts the unassigned incidents from the last 24 hours that are still open. It restricts the SecurityIncident table to records from the last day and to the Azure Sentinel provider (removing that line includes Microsoft 365 Defender incidents as well), then uses arg_max by IncidentNumber to keep only the most recent record for each incident, because Sentinel writes a new row every time an incident is updated. Only incidents whose latest record has no owner and a status of New or Active are kept, and the result is a count per status.
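As an added example that is not part of this catalog entry, the same filtering can be turned into an assignment queue: instead of a count, it lists each unassigned open incident with its age and ranks High severity first. It assumes the Title, CreatedTime and IncidentUrl columns of the SecurityIncident schema.

```kql
// Added example: list the currently unassigned New/Active incidents with their age,
// ordered so the most urgent ones come first.
SecurityIncident
| where TimeGenerated > ago(1d)
| where ProviderName == "Azure Sentinel" // drop this line to include Microsoft 365 Defender incidents
// Keep only the latest record per incident; Sentinel writes a new row on every update
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Status in ("New", "Active")
// Owner is a dynamic property bag; an unassigned incident has no assignedTo value
| where isempty(tostring(Owner.assignedTo))
// Age since creation, not since the last update
| extend AgeHours = datetime_diff("hour", now(), CreatedTime)
// Severity is a string, so give it an explicit rank instead of sorting alphabetically
| extend SeverityRank = case(Severity == "High", 0,
                             Severity == "Medium", 1,
                             Severity == "Low", 2,
                             3)
| project IncidentNumber, Title, Severity, Status, AgeHours, IncidentUrl
| sort by SeverityRank asc, AgeHours desc
```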

Details


Rod Trent

Released: November 4, 2021

Tables

SecurityIncident

Keywords

SecurityIncident,TimeGenerated,ProviderName,AzureSentinel,Microsoft365DefenderIncidents,Status,Severity,Owner,AdditionalData,IncidentNumber,New,Active

Operators

where, >, ago, ==, |, summarize, arg_max, by, !=, or, count()
