Security Incident True Positive Incidents From Previous Month
Query
SecurityIncident
| where CreatedTime between (make_datetime(2022, getmonth(now())-1, 01)..make_datetime(2022, getmonth(now()), 01))
| summarize arg_max(TimeGenerated, *) by IncidentName
| where Classification == "TruePositive"
| project CreatedTime, ProviderIncidentId, Title, Severity, Classification, Labels, IncidentUrlExplanation
This query retrieves security incidents that were created within the previous month. It then finds the latest occurrence of each incident based on the generated time. Only incidents classified as "TruePositive" are included. The resulting incidents are projected with specific fields such as created time, incident ID, title, severity, classification, labels, and incident URL.
Details

Jose Sebastián Canós
Released: December 20, 2022
Tables
SecurityIncident
Keywords
SecurityIncidentCreatedTimeIncidentNameClassificationTruePositiveProviderIncidentIdTitleSeverityLabelsIncidentUrl
Operators
wherebetweenmake_datetimegetmonthnowsummarizearg_maxby==project