Updated SecurityOperationsEfficiency.json to fix Mean time to triage

Solutions/SOC Handbook/Data/Solution_SOC Handbook.json

@@ -20,7 +20,7 @@
   ],
   "Metadata": "SolutionMetadata.json",
   "BasePath": "C:\\GitHub\\azure-sentinel\\Solutions\\SOC Handbook",
-  "Version": "3.0.2",
+  "Version": "3.0.5",
   "TemplateSpec": true,
   "Is1PConnector": false
 }

Solutions/SOC Handbook/ReleaseNotes.md

@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                                                                  |
 |-------------|--------------------------------|-------------------------------------------------------------------------------------|
+| 3.0.5       | 24-09-2025                     | Updated *SecurityOperationsEfficiency* to fix Mean time to triage |
 | 3.0.4       | 22-04-2025                     | Updated *Azure to Sentinel Cost* - **Workbook**.            |
 | 3.0.3       | 28-11-2023                     | Changes for rebranding from Azure Active Directory to Microsoft Entra ID.            |
 | 3.0.2       | 21-11-2023                     | Updated SecurityOperationsEfficiency **Workbook** to run the query on "set in query".|

Solutions/SOC Handbook/Workbooks/SecurityOperationsEfficiency.json

@@ -504,7 +504,7 @@
             "type": 3,
             "content": {
               "version": "KqlItem/1.0",
-              "query": "SecurityIncident\n| where FirstModifiedTime  >= {TimeRange:start} and FirstModifiedTime  <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \n| extend TimeToTriage =  (FirstModifiedTime - CreatedTime)/1h\n| summarize AvgTTT=avg(TimeToTriage) \n",
+              "query": "SecurityIncident\n| where FirstModifiedTime  >= {TimeRange:start} and FirstModifiedTime  <= {TimeRange:end}\n| where Severity in ({Severity}) or \"*\" in ({Severity})\n| extend Tactics = todynamic(AdditionalData.tactics)\n| where Tactics in ({Tactics}) or \"*\" in ({Tactics})\n| summarize arg_max(LastModifiedTime,*) by IncidentNumber \n| extend Owner = todynamic(Owner.assignedTo) \n| where Owner in ({Owner}) or \"*\" in ({Owner})\n| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0])) \n| where Product in ({Product}) or \"*\" in ({Product})\n| extend TimeToTriage =  (FirstModifiedTime - CreatedTime)/1h\n| summarize AvgTTT=avg(TimeToTriage) \n",
               "size": 1,
               "title": "Mean time to triage",
               "queryType": 0,

Workbooks/WorkbooksMetadata.json

@@ -2366,7 +2366,7 @@
 			"SecurityEfficiencyBlack1.png",
 			"SecurityEfficiencyBlack2.png"
 		],
-		"version": "1.5.1",
+		"version": "1.5.2",
 		"title": "Security Operations Efficiency",
 		"templateRelativePath": "SecurityOperationsEfficiency.json",
 		"subtitle": "",