Query Details

Security Incident Days Since Last Incident

Query

//Calculate how many days since each analytic rule last triggered, useful to determine if rules are still valid

//Data connector required for this query - Microsoft Sentinel Incidents (generated automatically if you create incidents in Sentinel)

SecurityIncident
| where TimeGenerated > ago(180d)
// every update to an incident is written as its own row; keep only the row written at creation
| where Status == "New" and ModifiedBy == "Incident created from alert"
// most recent creation row per incident title (the title defaults to the analytic rule name)
| summarize arg_max(TimeGenerated, *) by Title
| extend ['Days Since Last Incident'] = datetime_diff("day", now(), TimeGenerated)
| project Title, ['Days Since Last Incident']
| sort by ['Days Since Last Incident'] desc

Explanation

This query calculates the number of days since each analytic rule last triggered. The SecurityIncident table records a row for every change to an incident, so the query first keeps only rows from the past 180 days whose status is "New" and whose ModifiedBy value is "Incident created from alert", which is the row written when an incident is first created from an alert. It then takes the most recent such row per Title (incidents created by a scheduled rule take the rule's name as their title unless alert details customization overrides it), computes the whole days between that creation time and now, and sorts the result so the rules that have been quiet longest appear first. Two caveats apply: a rule that has not produced an incident at all within the 180-day lookback is absent from the output rather than reported, and rules whose alert details customization sets a dynamic title are spread across several Title values instead of one.
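Because a rule with no incidents in the lookback window simply drops out of the results above, the following KQL is added here as an example (it is not part of the original page or the author's query) of comparing a maintained list of rule names against the incident data, so silent rules are listed explicitly. The rule names in the datatable, the 180d lookback and the 30-day staleness threshold are constructed placeholders to replace with your own values.

```kql
// Added example, not from the original page: list known rules next to their last incident,
// including rules that produced no incident at all inside the lookback.
let lookback = 180d;          // assumed lookback window, matches the query above
let stale_after = 30;         // assumed threshold in days before a rule is flagged as stale
// Constructed placeholder rule names; replace with the Title values your analytic rules produce.
let known_rules = datatable(Title:string) [
    "Brute force attempt against Azure AD",
    "Rare RDP connection",
    "Suspicious inbox rule created"
];
let last_fired = SecurityIncident
    | where TimeGenerated > ago(lookback)
    // keep only the row written when the incident was first created from an alert
    | where Status == "New" and ModifiedBy == "Incident created from alert"
    | summarize LastCreated = max(TimeGenerated), IncidentsInLookback = count() by Title;
known_rules
// leftouter keeps every known rule; rules with no incidents get null LastCreated
| join kind=leftouter (last_fired) on Title
| extend ['Days Since Last Incident'] = datetime_diff("day", now(), LastCreated)
| extend RuleState = case(
    isnull(LastCreated), "no incidents in lookback",
    ['Days Since Last Incident'] > stale_after, "stale",
    "active")
| project Title, IncidentsInLookback, LastCreated, ['Days Since Last Incident'], RuleState
// nulls first puts the completely silent rules at the top of the list
| sort by ['Days Since Last Incident'] desc nulls first
```

Rules that never fired show a null day count and the state "no incidents in lookback"; rules whose last incident is older than the threshold are marked "stale". The known_rules list has to be kept in sync with the rules actually enabled in the workspace, since Log Analytics has no table of rule definitions to join against.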

Details


Matt Zorich

Released: June 17, 2022

Tables

SecurityIncident

Keywords

SecurityIncident, TimeGenerated, Status, ModifiedBy, Title, ['Days Since Last Incident']

Operators

where, ago, ==, and, summarize, arg_max, by, extend, datetime_diff, now, project, sort, desc
