Query Details

Threat Status

Query

//Starting to develop a SOC "Threat Score." Based on Number of open Incidents + Numerical values for Status + Numerical values for Severity. A work in progress.

SecurityIncident
| where Status != "Closed"
| summarize count() by Severity, Status

Explanation

This query is the starting point for a "Threat Score" for a Security Operations Center (SOC). The intended score combines the number of open incidents with numerical values assigned to each incident's status and severity. The query shown so far filters out closed incidents and counts the remaining ones by severity and status; the numerical weighting is not yet applied. The author notes that this is still a work in progress.
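One way to carry the idea through to a single number, as an added example that is not part of Rod Trent's original query. It keeps the same SecurityIncident table and Status filter and adds two assumptions: the severity and status weights are illustrative values chosen here, not values from the page, and the `arg_max` step relies on SecurityIncident holding one row per incident update (so the latest row per `IncidentNumber` is the one to score).

```kql
// Added example, not part of the original query: a weighted SOC threat score.
// The weight values below are assumptions chosen for illustration; tune them
// to your own SOC's priorities.
SecurityIncident
// SecurityIncident records every update to an incident, so keep only the
// latest row per incident before scoring; otherwise each update is counted
// as a separate incident and the score is inflated.
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Status != "Closed"
// Numerical value for Severity (assumed weights)
| extend SeverityWeight = case(
    Severity == "High", 4,
    Severity == "Medium", 3,
    Severity == "Low", 2,
    Severity == "Informational", 1,
    0)
// Numerical value for Status (assumed weights): untriaged work counts more
// than work that an analyst is already handling
| extend StatusWeight = case(
    Status == "New", 2,
    Status == "Active", 1,
    0)
// Number of open incidents plus the sum of their per-incident weights
| summarize OpenIncidents = count(),
            ThreatScore = sum(SeverityWeight + StatusWeight)
```

To keep the breakdown from the original query alongside the score, append `by Severity, Status` to the final `summarize`; the per-bucket `ThreatScore` values then show which severity and status combination is driving the total.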

Details

Rod Trent

Released: June 26, 2021

Tables

SecurityIncident

Keywords

SecurityIncident, Status, Severity

Operators

where, !=, summarize, count(), by