SOLVED

[Playbook] Message alert with all unresolved incidents

Hello,

I am trying to create a playbook that will send a summary of incidents with status New/Active that are more than 24 hours old.

I have a problem with the Log Analytics query that lists all unresolved incidents. When I search for one incident, for example with the query:

SecurityIncident
| where IncidentNumber == 100

I see this incident with status New, Active and Closed, each with a different time.
How do I search incidents only with Status New and Active?

@Pawel_Giza

It would be something like

SecurityIncident
| where Status != "Closed"

best response confirmed by Pawel_Giza (Occasional Contributor)
Solution

@Pawel_Giza Here is a short example of how to do this.

SecurityIncident
| summarize arg_max(LastModifiedTime, Status) by IncidentNumber   // latest row per incident
| where Status in ("New", "Active")
| order by IncidentNumber
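The SecurityIncident table keeps one row per change to an incident, so the row with the latest LastModifiedTime is the incident's current state; arg_max picks that row and the status filter is then applied to it. Filtering on Status alone, without arg_max, would still return the earlier New and Active rows of an incident that has since been closed. The query below is an added example that extends the accepted answer to the 24-hour requirement from the question; it is not part of the original thread. It assumes the standard SecurityIncident schema (CreatedTime, Severity, Title, IncidentUrl, and the dynamic Owner column with an assignedTo field); the 24-hour window is measured from CreatedTime and the threshold is a constant you can adjust.

```kql
// Added example, not from the original thread.
// Current state of every incident that is still New or Active and was
// created more than 24 hours ago, for use in a scheduled summary playbook.
let lookback = 24h;   // assumed threshold from the question; adjust as needed
SecurityIncident
// keep every column of the most recently modified row per incident
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
// filter on the latest state only, so incidents that were later closed drop out
| where Status in ("New", "Active")
| where CreatedTime < ago(lookback)
| extend AgeHours = datetime_diff("hour", now(), CreatedTime)
| extend AssignedTo = tostring(Owner.assignedTo)   // assumed dynamic field on Owner
| project IncidentNumber, Title, Severity, Status, AssignedTo,
          CreatedTime, LastModifiedTime, AgeHours, IncidentUrl
| order by CreatedTime asc
```

In a Logic App the query can run on a Recurrence trigger through the Azure Monitor Logs "Run query and list results" action, with the returned rows formatted into the message body. If the playbook should instead flag incidents that have not been touched for 24 hours, replace CreatedTime with LastModifiedTime in the where clause.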