Query Details

Security Incident True Positive Incidents From Previous Month

Query

SecurityIncident
// Previous calendar month, derived from now(): startofmonth(now(), -1) .. startofmonth(now()).
// This avoids a hard-coded year and the month value of 0 that getmonth(now())-1 yields in January.
// Note that between is inclusive, so a record created exactly at 00:00 on the 1st of the current month is also matched.
| where CreatedTime between (startofmonth(now(), -1) .. startofmonth(now()))
// SecurityIncident stores one row per update, so keep only the latest state of each incident.
| summarize arg_max(TimeGenerated, *) by IncidentName
| where Classification == "TruePositive"
| project CreatedTime, ProviderIncidentId, Title, Severity, Classification, Labels, IncidentUrl

Explanation

This query retrieves security incidents that were created during the previous calendar month. Because the SecurityIncident table writes a new record each time an incident is updated, the query keeps only the latest record for each IncidentName (the one with the greatest TimeGenerated), so the classification reflects the incident's final state rather than an earlier one. Only incidents classified as "TruePositive" are retained. The result is projected to the created time, provider incident ID, title, severity, classification, labels, and incident URL.
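As an added illustration that is not part of the original query page, the same selection logic in Python over constructed sample incident rows: it shows why the per-incident arg_max matters (an incident's classification changes as it is triaged) and how the previous-month window must roll over from January back to December of the prior year. The row fields and helper names are assumptions chosen to mirror the SecurityIncident columns used in the query.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class IncidentRow:
    """One SecurityIncident record; the table writes a new row on each update."""
    incident_name: str
    created_time: datetime
    time_generated: datetime
    classification: str


def previous_month_window(now):
    """[start, end) of the calendar month before `now`, equivalent to
    startofmonth(now(), -1) .. startofmonth(now()); handles the January case."""
    this_month = now.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    if this_month.month == 1:
        return this_month.replace(year=this_month.year - 1, month=12), this_month
    return this_month.replace(month=this_month.month - 1), this_month


def true_positives_previous_month(rows, now):
    """Mirror of the KQL: window on CreatedTime, arg_max(TimeGenerated) per
    IncidentName, then keep only incidents whose final state is TruePositive."""
    start, end = previous_month_window(now)
    latest = {}
    for row in rows:
        if not (start <= row.created_time < end):
            continue
        current = latest.get(row.incident_name)
        if current is None or row.time_generated > current.time_generated:
            latest[row.incident_name] = row
    return sorted(r.incident_name for r in latest.values()
                  if r.classification == "TruePositive")


def _utc(*ymd_hms):
    return datetime(*ymd_hms, tzinfo=timezone.utc)


# Constructed sample rows (not real incident data). "now" is mid-January,
# so the previous month is December of the prior year.
NOW = _utc(2023, 1, 15, 9, 0)
SAMPLE_ROWS = [
    # INC-A: opened as Undetermined, later closed as TruePositive -> included
    IncidentRow("INC-A", _utc(2022, 12, 5, 8, 0), _utc(2022, 12, 5, 8, 0), "Undetermined"),
    IncidentRow("INC-A", _utc(2022, 12, 5, 8, 0), _utc(2022, 12, 7, 14, 0), "TruePositive"),
    # INC-B: initially TruePositive, reclassified as FalsePositive -> excluded
    IncidentRow("INC-B", _utc(2022, 12, 10, 1, 0), _utc(2022, 12, 10, 1, 0), "TruePositive"),
    IncidentRow("INC-B", _utc(2022, 12, 10, 1, 0), _utc(2022, 12, 12, 10, 0), "FalsePositive"),
    # INC-C: TruePositive but created in November -> outside the window
    IncidentRow("INC-C", _utc(2022, 11, 20, 3, 0), _utc(2022, 11, 21, 3, 0), "TruePositive"),
]
```

Calling `true_positives_previous_month(SAMPLE_ROWS, NOW)` returns `['INC-A']`; without the per-incident deduplication, INC-B's earlier TruePositive row would also be reported.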

Details

Jose Sebastián Canós

Released: December 20, 2022

Tables

SecurityIncident

Keywords

SecurityIncident,CreatedTime,IncidentName,Classification,TruePositive,ProviderIncidentId,Title,Severity,Labels,IncidentUrl

Operators

where, between, make_datetime, getmonth, now, summarize, arg_max, by, ==, project