cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

[Playbook] Message alert with all unresolved incidents

%3CLINGO-SUB%20id%3D%22lingo-sub-1890607%22%20slang%3D%22en-US%22%3E%5BPlaybook%5D%20Message%20alert%20with%20all%20unresolved%20message%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1890607%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3EI%20try%20to%20create%20a%20playbook%20that%20will%20be%20sent%20a%20summary%20of%20incidents%20with%20status%20new%2Factive%20which%20have%20more%20than%2024%20hours.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20a%20problem%20with%20log%20analytics%20query%20which%20list%20all%20unresolved%20incidents.%20When%20I%20search%20for%20one%20incident%20for%20example%20query%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CEM%3ESecurityIncident%3C%2FEM%3E%3C%2FDIV%3E%3CDIV%3E%3CEM%3E%7C%20where%20IncidentNumber%20%3D%3D%20%22100%22%3C%2FEM%3E%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EI%20see%20this%20incident%20with%20status%20New%2C%20Active%20and%20Closed%20with%20different%20time.%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EHow%20to%20search%20indents%20only%20with%20Status%20New%20and%20Active%3F%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1890739%22%20slang%3D%22en-US%22%3ERe%3A%20%5BPlaybook%5D%20Message%20alert%20with%20all%20unresolved%20incidents%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1890739%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F738814%22%20target%3D%22_blank%22%3E%40gizapawel%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20would%20be%20something%20like%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESecurityIncidents%3C%2FP%3E%3CP%3E%7C%20where%20status%20!%3D%20%22Closed%22%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1890743%22%20slang%3D%22en-US%22%3ERe%3A%20%5BPlaybook%5D%20Message%20alert%20with%20all%20unresolved%20incidents%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1890743%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F738814%22%20target%3D%22_blank%22%3E%40gizapawel%3C%2FA%3E%26nbsp%3BHere%20is%20a%20short%20example%20of%20how%20to%20do%20this.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3ESecurityIncident%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Esummarize%3C%2FSPAN%3E%3CSPAN%3E%20arg_max(LastModifiedTime%2CStatus)%20%3C%2FSPAN%3E%3CSPAN%3Eby%3C%2FSPAN%3E%3CSPAN%3E%20IncidentNumber%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Ewhere%3C%2FSPAN%3E%3CSPAN%3E%20Status%20in%20(%3C%2FSPAN%3E%3CSPAN%3E%22New%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%22Active%22%3C%2FSPAN%3E%3CSPAN%3E)%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20%3C%2FSPAN%3E%3CSPAN%3Eorder%3C%2FSPAN%3E%20%3CSPAN%3Eby%3C%2FSPAN%3E%3CSPAN%3E%20IncidentNumber%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E
Pawel_Giza
Occasional Contributor

‎Nov 16 2020 05:54 AM - edited ‎Nov 16 2020 05:55 AM

‎Nov 16 2020 05:54 AM - edited ‎Nov 16 2020 05:55 AM

[Playbook] Message alert with all unresolved incidents

Hello,

I try to create a playbook that will be sent a summary of incidents with status new/active which have more than 24 hours. 

 

I have a problem with log analytics query which list all unresolved incidents. When I search for one incident for example query:

 

SecurityIncident
| where IncidentNumber == "100"
 
I see this incident with status New, Active and Closed with different time.
How to search indents only with Status New and Active?
170 Views
0 Likes
2 Replies
Reply
2 Replies
PeterJ_Inobits

‎Nov 16 2020 06:31 AM

‎Nov 16 2020 06:31 AM

Re: [Playbook] Message alert with all unresolved incidents

@Pawel_Giza 

 

It would be something like

 

SecurityIncidents

| where status != "Closed"

0 Likes
Reply
best response confirmed by Pawel_Giza (Occasional Contributor)
Gary Bushey

‎Nov 16 2020 06:37 AM

‎Nov 16 2020 06:37 AM

Solution

Re: [Playbook] Message alert with all unresolved incidents

@Pawel_Giza Here is a short example of how to do this. 

 

SecurityIncident
| summarize arg_max(LastModifiedTime,Status) by IncidentNumber
| where Status in ("New","Active")
| order by IncidentNumber
0 Likes
Reply