I'd like to know if there is a way to write a query that returns:
So far I have tried:
SecurityIncident
| distinct ProviderIncidentId
| summarize by ProviderIncidentId
The goal is to create a visualization that showcases:
Check out the SOC Efficiency Workbook. That may be closer to what you are working towards.
SecurityIncident
| summarize count() by Status
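
Added example, not part of the original question or answer: SecurityIncident receives a new row every time an incident is created or updated, so counting rows by Status counts incident updates rather than incidents. The query below reduces each incident to its most recent row before counting. The `SampleIncidents` table and every value in it are constructed for illustration.

```kusto
// Constructed sample rows standing in for the SecurityIncident table.
// Each incident appears once per update, as it does in the real table.
let SampleIncidents = datatable(
    TimeGenerated: datetime,
    IncidentNumber: int,
    ProviderIncidentId: string,
    Status: string)
[
    datetime(2024-01-01 08:00), 101, "1001", "New",
    datetime(2024-01-01 09:30), 101, "1001", "Active",
    datetime(2024-01-02 10:00), 101, "1001", "Closed",
    datetime(2024-01-01 11:00), 102, "1002", "New",
    datetime(2024-01-03 12:00), 102, "1002", "Active",
    datetime(2024-01-02 13:00), 103, "1003", "New"
];
SampleIncidents
// Keep only the latest row for each incident, so its current Status is used.
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// Count distinct incidents per current status.
| summarize Incidents = count() by Status
| order by Status asc
```

To run this against a workspace, drop the `let` statement and start the query from `SecurityIncident` instead of `SampleIncidents`.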