Query Details
// Incident titles that should not be counted (noise from the platform itself)
let excluded_incidents = dynamic([
"Automation Rules stopped working"
]);
SecurityIncident
| where CreatedTime > ago(90d)
// SecurityIncident holds one row per update of an incident; keep only the latest row per incident
| summarize arg_max(TimeGenerated, *) by IncidentName
| where not(Title in (excluded_incidents))
// Keep incidents whose final classification is BenignPositive and whose last change came from automation
| where Classification == "BenignPositive" and ModifiedBy has_any ("Automation rule", "Alert updated")
| project CreatedTime, ProviderIncidentId, Title, Severity, Classification, Labels, IncidentUrl, ModifiedBy
// getmonth() yields only the month number (1-12); a 90-day window that crosses a year boundary merges same-numbered months
| extend Month = getmonth(CreatedTime)
| summarize ClosedIncidents = count() by Month, Title
| sort by Month asc
| render areachart kind=stacked
//| sort by Title asc
//| serialize AccumulatedClosedIncidents = row_cumsum(ClosedIncidents)
This query retrieves security incidents created within the last 90 days. Because the SecurityIncident table stores one row per update, it first keeps only the latest row of each incident, so the classification and the modifier reflect the incident's final state. It excludes incidents whose titles appear in the "excluded_incidents" list, then keeps only incidents classified as BenignPositive whose last modification was made by an automation rule or an alert update, i.e. incidents that were auto-closed rather than closed by an analyst. The query then projects specific fields and adds a "Month" column derived from the creation time. It summarizes the count of closed incidents by month and title, sorts the results by month in ascending order, and renders the data as a stacked area chart.
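As an added example, not part of the original query, the variant below keeps the same filter but keys the month on startofmonth() so that the year is preserved, and it carries through the running total that the commented-out lines of the original sketch. The restart condition on row_cumsum() makes the cumulative count start over for each incident title; startofmonth(), prev() and row_cumsum() are standard KQL functions, and the table and column names are the same ones the original query uses.

```kql
// Added example: same automation-closed BenignPositive incidents, but with a
// year-aware month bucket and a per-title cumulative count.
let excluded_incidents = dynamic(["Automation Rules stopped working"]);
SecurityIncident
| where CreatedTime > ago(90d)
// latest row per incident, so Classification and ModifiedBy are the final values
| summarize arg_max(TimeGenerated, *) by IncidentName
| where not(Title in (excluded_incidents))
| where Classification == "BenignPositive"
    and ModifiedBy has_any ("Automation rule", "Alert updated")
// first day of the month as a datetime; December 2022 and December 2021 stay separate
| extend Month = startofmonth(CreatedTime)
| summarize ClosedIncidents = count() by Month, Title
// order by title, then time, so the running sum can restart at each new title
| sort by Title asc, Month asc
| serialize
| extend AccumulatedClosedIncidents = row_cumsum(ClosedIncidents, Title != prev(Title))
| render linechart with (xcolumn=Month, ycolumns=AccumulatedClosedIncidents, series=Title)
```

The running total makes it easy to see which automation rule or alert-update path is closing the most incidents over the window; a sudden flattening of one title's line is the signal that a rule has stopped firing, which is the same condition the excluded "Automation Rules stopped working" incident is meant to report.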

Jose Sebastián Canós
Released: December 20, 2022