For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.
Recent changes on a case
Shows the last 10 field-level changes on a specific case, including who made the change and what was modified.
// Last 10 changes on a specific case
SecurityCaseEvent
| where EntityId == 'INC-001'
| mv-expand PropertyNames, PreviousValues, NewValues
| extend
    PropertyNames = tostring(PropertyNames),
    PreviousValues = tostring(PreviousValues),
    NewValues = tostring(NewValues)
| project EventTime, ModifiedBy, OperationName, PropertyNames, PreviousValues, NewValues
| order by EventTime desc
| take 10
Cases by status excluding a value
Finds all cases whose current Status is not a specific value by replaying the Create and Update events of the last 30 days and keeping the most recent Status value recorded for each case.
// Find all cases where Status is not "Redirected"
SecurityCaseEvent
| where EventTime >= ago(30d)
| where EntityType == 'Case'
| where OperationName in ('Create', 'Update')
| mv-expand PropertyNames, NewValues
| extend PropertyNames = tostring(PropertyNames), NewValues = tostring(NewValues)
| where PropertyNames == 'Status'
| summarize arg_max(EventTime, NewValues) by EntityId
| where NewValues != 'Redirected'
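The same replay generalized to every property of a case, as an added example that is not one of the page's queries: it runs against a constructed datatable standing in for SecurityCaseEvent (the column names follow the queries above; the row values and user names are invented), keeps the latest value per case and property, and folds them into one current-state bag per case.

```kusto
// Constructed sample rows standing in for SecurityCaseEvent (not real data).
// Rows are deliberately out of time order: arg_max() orders by EventTime, not row order.
let SampleCaseEvents = datatable(
    EventTime: datetime, EntityId: string, EntityType: string, OperationName: string,
    ModifiedBy: string, PropertyNames: dynamic, PreviousValues: dynamic, NewValues: dynamic)
[
    datetime(2024-05-02 08:15:00), 'INC-001', 'Case', 'Update', 'bob',   dynamic(['Status', 'Severity']), dynamic(['Redirected', 'High']), dynamic(['Active', 'Medium']),
    datetime(2024-05-01 09:00:00), 'INC-001', 'Case', 'Create', 'alice', dynamic(['Status', 'Severity']), dynamic(['', '']),                 dynamic(['New', 'High']),
    datetime(2024-05-01 10:30:00), 'INC-001', 'Case', 'Update', 'bob',   dynamic(['Status']),             dynamic(['New']),                  dynamic(['Redirected']),
    datetime(2024-05-01 11:00:00), 'INC-002', 'Case', 'Create', 'carol', dynamic(['Status']),             dynamic(['']),                     dynamic(['New']),
    datetime(2024-05-01 12:45:00), 'INC-002', 'Case', 'Update', 'carol', dynamic(['Status']),             dynamic(['New']),                  dynamic(['Redirected'])
];
SampleCaseEvents
| where EntityType == 'Case' and OperationName in ('Create', 'Update')
// The three arrays are parallel: expanding them together keeps name/old/new aligned per row.
| mv-expand PropertyNames to typeof(string), PreviousValues to typeof(string), NewValues to typeof(string)
// Latest value written to each property of each case, plus who wrote it.
| summarize arg_max(EventTime, NewValues, ModifiedBy) by EntityId, PropertyNames
// Fold the per-property winners into one current-state bag per case.
| summarize CurrentState = make_bag(bag_pack(PropertyNames, NewValues)), LastChanged = max(EventTime) by EntityId
// Equivalent of the page's Status filter, applied to the reconstructed state.
| where tostring(CurrentState.Status) != 'Redirected'
// Expected: only INC-001 (Status Active, Severity Medium); INC-001's earlier Redirected value
// is superseded, and INC-002 is dropped because its latest Status is Redirected.
```

Because the page's query filters on ago(30d) before the replay, a case created earlier whose Status has not changed inside the window has no Status row to replay and silently drops out; widen the window or seed the replay from a snapshot when that matters.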