I'm working on creating a visualization in Kibana that counts incidents by their m365_defender.incident.alert.status. The statuses can be "new", "inProgress", or "resolved". However, I am encountering an issue where Kibana counts incidents even after their status transitions, which results in duplicate counting.
Scenario:
Each incident has a unique event.id.
An incident goes through the following status flow: "new" → "inProgress" → "resolved".
I only want to list event.id where the status is still "new" and has not moved to "inProgress" or "resolved".
Issue:
The query lists event.id even if those incidents transitioned from "new" to "inProgress" or "resolved".
What I want is to exclude any event.id from my results if that incident has transitioned to "inProgress" or "resolved". Essentially, I need to filter out all the event IDs that have been closed or are in progress and leave only the ones with the "new" status.
Desired Outcome:
A list of event.id values where the m365_defender.incident.alert.status is still "new", and the incident has not progressed to "inProgress" or "resolved".
Any help with creating a query or an approach to properly filter out incidents that transitioned statuses would be appreciated!
Attached are sample and output created using AI.
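An added example that is not part of the original post: since a plain document count sees every status change, the count has to be taken over the most recent document per event.id. The block below shows that "latest per incident" aggregation and the filtering of its response over a constructed sample; the field names come from the post, while @timestamp and the `fields` response shape are assumptions.

```python
# Added example, not code from the original post. Field names event.id and
# m365_defender.incident.alert.status are from the post; @timestamp is assumed.
STATUS_FIELD = "m365_defender.incident.alert.status"

# One bucket per event.id, each carrying only the newest document (top_hits sorted
# by @timestamp desc). Status is then judged from that newest document alone, so an
# incident that moved new -> inProgress -> resolved is counted once, as "resolved".
LATEST_PER_INCIDENT_QUERY = {
    "size": 0,
    "aggs": {
        "by_incident": {
            "terms": {"field": "event.id", "size": 10000},
            "aggs": {
                "latest": {
                    "top_hits": {
                        "size": 1,
                        "sort": [{"@timestamp": {"order": "desc"}}],
                        "_source": False,
                        "fields": ["event.id", STATUS_FIELD],
                    }
                }
            },
        }
    },
}


def _bucket(event_id: str, latest_status: str) -> dict:
    """Build one terms bucket in the shape the top_hits 'fields' option returns."""
    hit = {"fields": {"event.id": [event_id], STATUS_FIELD: [latest_status]}}
    return {"key": event_id, "doc_count": 1, "latest": {"hits": {"hits": [hit]}}}


# Constructed sample response: A went new -> inProgress, B is still new, C resolved.
SAMPLE_RESPONSE = {
    "aggregations": {
        "by_incident": {"buckets": [_bucket("A", "inProgress"), _bucket("B", "new"), _bucket("C", "resolved")]}
    }
}


def still_new_incidents(response: dict) -> list[str]:
    """Return the event.ids whose most recent status is still 'new'."""
    result = []
    for bucket in response["aggregations"]["by_incident"]["buckets"]:
        hits = bucket["latest"]["hits"]["hits"]
        if not hits:
            continue
        fields = hits[0]["fields"]
        if fields.get(STATUS_FIELD, [None])[0] == "new":
            result.append(fields["event.id"][0])
    return sorted(result)
```

For a Kibana visualization rather than a script, the same "newest document per event.id" step is normally done with a latest-type Transform keyed on event.id and sorted by @timestamp, after which the destination index can simply be filtered on status: new.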