This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 18%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA0%3C/text%3E%3C/svg%3E)
I'd like to know if there is a way to write a query that returns:
So far I have tried:
SecurityIncident
| distinct ProviderIncidentId
| summarize by ProviderIncidentId
The goal is to create a visulaization that show cases:
Check out the SOC Efficiency Workbook. That may be closer to what you are working towards.
SecurityIncident
| summarize count() by Status
@AzureSent-0127
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let us know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
](https://learn-attachment.microsoft.com/api/attachments/168091-screen-shot-2022-01-24-at-82203-pm.png?platform=QnA)
Thank you for your response!
This is towards an effort to create a custom workbook. Although similar visualizations exist in "Security Efficiency Workbook" I'm trying to implement the following by coming up with the correct query:
Although I have made some progress, my query does not return the accurate number of "Active" or "Closed" Incidents.