Query Details

Time Saved

Query

SecurityIncident
| where Status == 'Closed'
// SecurityIncident holds one row per incident update, so the earliest Closed row is the closing event;
// arg_min keeps that row's ClosedTime, CreatedTime and ModifiedBy for each incident
| summarize arg_min(LastModifiedTime, ClosedTime, CreatedTime, ModifiedBy) by IncidentName
| extend timeToClose = datetime_diff('Minute', ClosedTime, CreatedTime)
// attribute the closure to automation when the closing modifier was an automation rule
| extend IsClosedByAutomation = iff(ModifiedBy has 'Automation rule', 'ClosedByAutomation', 'NotClosedByAutomation')
// 50th percentile is the median, although the output column is named MeanTimeToClose
| summarize MeanTimeToClose = percentiles(timeToClose, 50) by IsClosedByAutomation

Explanation

This query analyzes the SecurityIncident table and keeps only rows whose Status is 'Closed'. Because SecurityIncident records one row per update to an incident, arg_min(LastModifiedTime, ...) selects, for each IncidentName, the earliest Closed row (the moment the incident was closed) and carries along that row's ClosedTime, CreatedTime and ModifiedBy. It then calculates the time taken to close each incident in minutes and labels the incident as closed by automation when ModifiedBy contains 'Automation rule'. Finally, it calculates the median (50th percentile, despite the column name MeanTimeToClose) time to close, grouped by whether incidents were closed by an automation rule or not.
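The following is an added, self-contained KQL example (not part of the original page) that runs the same pipeline over a constructed datatable standing in for SecurityIncident, so you can see which row arg_min keeps when an incident is closed by automation and later edited by an analyst. The incident names, times and user values are constructed.

```kusto
// Constructed stand-in for the SecurityIncident table: one row per incident update
let Sample = datatable(IncidentName:string, Status:string, CreatedTime:datetime,
                       ClosedTime:datetime, LastModifiedTime:datetime, ModifiedBy:string)
[
  // Incident A: closed by an automation rule 5 minutes after creation, then edited by an analyst a day later
  'A', 'New',    datetime(2023-06-01 10:00), datetime(null),             datetime(2023-06-01 10:00), 'Microsoft Sentinel',
  'A', 'Closed', datetime(2023-06-01 10:00), datetime(2023-06-01 10:05), datetime(2023-06-01 10:05), 'Automation rule (constructed)',
  'A', 'Closed', datetime(2023-06-01 10:00), datetime(2023-06-01 10:05), datetime(2023-06-02 09:00), 'analyst@example.invalid',
  // Incidents B, C, D: closed manually after 120, 60 and 90 minutes
  'B', 'Closed', datetime(2023-06-01 11:00), datetime(2023-06-01 13:00), datetime(2023-06-01 13:00), 'analyst@example.invalid',
  'C', 'Closed', datetime(2023-06-01 12:00), datetime(2023-06-01 13:00), datetime(2023-06-01 13:00), 'analyst@example.invalid',
  'D', 'Closed', datetime(2023-06-01 12:00), datetime(2023-06-01 13:30), datetime(2023-06-01 13:30), 'analyst@example.invalid'
];
Sample
| where Status == 'Closed'
// For A, the earliest Closed row is the 10:05 automation-rule row, so the later analyst edit
// does not change who gets credit for the closure
| summarize arg_min(LastModifiedTime, ClosedTime, CreatedTime, ModifiedBy) by IncidentName
| extend timeToClose = datetime_diff('Minute', ClosedTime, CreatedTime)
| extend IsClosedByAutomation = iff(ModifiedBy has 'Automation rule', 'ClosedByAutomation', 'NotClosedByAutomation')
// Median per group plus how many incidents back each figure, so a single automated closure is not over-read
| summarize MedianTimeToClose = percentiles(timeToClose, 50), Incidents = dcount(IncidentName) by IsClosedByAutomation
```

Run the same block against the real SecurityIncident table by replacing `Sample` with `SecurityIncident`; the added Incidents column helps when one group holds only a handful of incidents.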

Details


Rod Trent

Released: June 15, 2023

Tables

SecurityIncident

Keywords

SecurityIncident,Status,Closed,CreatedTime,ModifiedBy,IncidentName,LastModifiedTime,ClosedTime,timeToClose,IsClosedByAutomation,MeanTimeToClose

Operators

where, ==, summarize, arg_min, by, extend, datetime_diff, has, iff, summarize, percentiles, by
