Query Details
//Visualize which playbooks are interacting with security incidents
//Data connector required for this query - Microsoft Sentinel Incidents (generated automatically if you create incidents in Sentinel)
let timeframe=45d;
SecurityIncident
| where TimeGenerated > ago (timeframe)
| where ModifiedBy startswith "Playbook"
| summarize Count=count() by ModifiedBy
| sort by Count desc
| render barchart
with (
title="Count of playbooks interacting with Microsoft Sentinel incidents",
ytitle="Playbook Name")

This query visualizes which playbooks are interacting with security incidents in Microsoft Sentinel. It reads the SecurityIncident table (populated by the Microsoft Sentinel Incidents data connector) and keeps the rows written in the past 45 days; TimeGenerated here is the time of the incident update record, not the time the incident was created. It filters for updates whose ModifiedBy value starts with "Playbook" (startswith is case-insensitive in KQL; use startswith_cs for a case-sensitive match), counts those updates per playbook, and displays the results in a bar chart with the playbook names on the y-axis. Because SecurityIncident stores one row per incident update, the count is the number of modifications each playbook made: a playbook that updates the same incident several times is counted once per update. Use dcount(IncidentNumber) instead of count() if you want the number of distinct incidents each playbook touched.
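As an added example (not part of the original query), the same filter reworked to count distinct incidents per playbook and bin them by day. The timechart makes it easier to spot a playbook that suddenly starts touching far more incidents than usual, which is what you would expect from a misfiring automation rule or a playbook that has been modified. Column names are from the SecurityIncident schema; the 45-day window matches the query above.

```kusto
// Added example, not from the original page.
// SecurityIncident holds one row per incident update, so count() counts
// modifications; dcount(IncidentNumber) counts the incidents actually touched.
let timeframe = 45d;
SecurityIncident
| where TimeGenerated > ago(timeframe)
| where ModifiedBy startswith "Playbook"
// distinct incidents each playbook modified, per day
| summarize Incidents = dcount(IncidentNumber) by ModifiedBy, bin(TimeGenerated, 1d)
| render timechart
with (
title="Distinct incidents modified per playbook, per day",
ytitle="Incidents")
```

Compare the daily series against the per-playbook totals from the query above: a playbook with a high modification count but a low distinct-incident count is repeatedly updating the same incidents, which is worth a look at its trigger and loop conditions.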

Matt Zorich
Released: June 17, 2022