Forum Discussion

Altarius
Copper Contributor
Mar 13, 2025

Add Search Results to alert details in Microsoft Sentinel

Hi everyone,

I’m working with Microsoft Sentinel and looking to enhance my alerts by appending search results to the alert details. Specifically, I want to include the events that triggered these alerts in the SecurityAlert table for better context during investigations and for archival purposes.

I came across this guide: https://learn.microsoft.com/en-us/azure/sentinel/customize-alert-details?tabs=azure, which explains how to customize alert details. However, it doesn’t clarify whether it’s possible to add search results directly to the alert details.

Is there a way to achieve this? If so, what would be the best approach?

I’d really appreciate any insights, best practices, or examples from those who have done something similar.

Thanks in advance!

4 Replies

  • GaryBushey
    Bronze Contributor

    What search results are you talking about? Are you running a query in the Logs area and want to add the results to the alert? If so, and it is the same query every time, you could create a Playbook that does this and set up Automation to trigger it.

    • Altarius
      Copper Contributor

      Thanks for the reply, GaryBushey.

      I am not currently running any queries. My goal is to append the logs that triggered the alerts to the alert details. In the SecurityAlert table, there is a column called OriginalQuery, and I assume that by using this KQL query, I can retrieve the events that triggered these alerts.

      I need to add these triggering events to the SecurityAlert table. My question is: what is the easiest and most straightforward way to achieve this? The query inside OriginalQuery varies depending on the alert.

      • Clive_Watson
        Bronze Contributor

        Hello, you already get a few places that take you to the results in the Investigation UI (see below), so I guess you need this data for some other use, like in your ITSM tool? You'll see a query like this:

        SecurityAlert
        | summarize arg_max(TimeGenerated, *) by SystemAlertId
        | where SystemAlertId in("a guid will go in here")


        and if there are events you'll see 

        But if you really need it again, then as Gary says, a playbook will be the option 

        Note: even with the contents of OriginalQuery, you may need to amend it to re-run at the same time as the original, so you may need something like this as a new line 1 of the query:

        set query_now = datetime("1/1/2025, 2:20:46.333 PM");
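Putting the two replies together, here is an added worked example (not code from the thread, from Microsoft, or from the posters) of what the playbook step would do: read the alert row, recover the rule query and the time window it originally ran over, re-run it with now() pinned to that window as Clive suggests, and package the rows under the SystemAlertId so a playbook can post them as an incident comment or ingest them into a custom table. The built-in SecurityAlert table is Microsoft-managed and not something you can append rows to yourself, so the results have to live next to the alert rather than in it. The example assumes the alert came from a Scheduled analytics rule, whose ExtendedProperties JSON carries the query as "Query" together with "Query Start Time UTC" and "Query End Time UTC"; the sample alert row, the GUID and the offline query runner are constructed so the file runs without a workspace, and log_analytics_runner shows the same call against a real workspace with the azure-monitor-query SDK.

```python
"""Re-run the query behind a Microsoft Sentinel scheduled-rule alert over its original window.

Added example for this thread, not code from Microsoft or the posters. Assumes the alert came
from a Scheduled analytics rule, so SecurityAlert.ExtendedProperties is a JSON string carrying
"Query", "Query Start Time UTC" and "Query End Time UTC". The sample alert, its GUID and the
offline query runner are constructed.
"""
from __future__ import annotations

import json
import re
from datetime import datetime, timezone
from typing import Callable, Iterable

# Constructed sample: the SecurityAlert columns this example needs.
SAMPLE_ALERT = {
    "SystemAlertId": "11111111-2222-3333-4444-555555555555",  # placeholder GUID
    "AlertName": "Repeated sign-in failures",
    "ExtendedProperties": json.dumps({
        "Query": "SigninLogs\n| where ResultType != 0\n"
                 "| summarize Failures = count() by UserPrincipalName\n| where Failures > 5",
        "Query Start Time UTC": "2025-03-13T13:20:46.333Z",
        "Query End Time UTC": "2025-03-13T14:20:46.333Z",
    }),
}

# Timestamp layouts seen in ExtendedProperties and in the portal; all are UTC.
_TIME_FORMATS = (
    "%Y-%m-%dT%H:%M:%S.%fZ",
    "%Y-%m-%dT%H:%M:%SZ",
    "%m/%d/%Y, %I:%M:%S.%f %p",  # the layout in the thread's set query_now line
    "%m/%d/%Y %I:%M:%S %p",
)
QueryRunner = Callable[[str, datetime, datetime], Iterable[dict]]


def parse_utc(value: str) -> datetime:
    """Parse one of the layouts above into an aware UTC datetime."""
    value = re.sub(r"(\.\d{6})\d+", r"\1", value.strip())  # strptime takes at most 6 fraction digits
    for fmt in _TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    # Last resort: ISO 8601 with an explicit offset, e.g. 2025-03-13T14:20:46+00:00
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def alert_window(alert: dict) -> tuple[str, datetime, datetime]:
    """Return (query, start, end) for a scheduled-rule alert; reject anything else."""
    props = json.loads(alert["ExtendedProperties"])
    try:
        query = props["Query"]
        start = parse_utc(props["Query Start Time UTC"])
        end = parse_utc(props["Query End Time UTC"])
    except KeyError as missing:
        raise ValueError(f"alert {alert.get('SystemAlertId')} has no scheduled-rule window: {missing}")
    if end <= start:
        raise ValueError("query window is empty or inverted")
    return query, start, end


def rerun_query(query: str, end: datetime) -> str:
    """Pin now() to the original run (the set query_now trick) so ago()/now() resolve as they did then."""
    stamp = end.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    return f'set query_now = datetime("{stamp}");\n{query}'


def collect_triggering_events(alert: dict, run_query: QueryRunner, max_rows: int = 200) -> dict:
    """Re-run the alert's query over its original window and package the rows by SystemAlertId."""
    query, start, end = alert_window(alert)
    rows = list(run_query(rerun_query(query, end), start, end))
    return {
        "SystemAlertId": alert["SystemAlertId"],
        "AlertName": alert.get("AlertName"),
        "QueryStartTimeUTC": start.isoformat(),
        "QueryEndTimeUTC": end.isoformat(),
        "ResultCount": len(rows),
        "Truncated": len(rows) > max_rows,  # keep the comment or custom row bounded
        "Events": rows[:max_rows],
    }


def offline_runner(query: str, start: datetime, end: datetime) -> list[dict]:
    """Constructed stand-in for Log Analytics so this file runs without a workspace."""
    if not query.startswith("set query_now"):
        raise AssertionError("re-run query must pin query_now")
    return [{"UserPrincipalName": "alice@contoso.example", "Failures": 7}]


def log_analytics_runner(workspace_id: str) -> QueryRunner:
    """Real runner using azure-monitor-query (pip install azure-monitor-query azure-identity)."""
    from azure.identity import DefaultAzureCredential
    from azure.monitor.query import LogsQueryClient, LogsQueryStatus

    client = LogsQueryClient(DefaultAzureCredential())

    def run(query: str, start: datetime, end: datetime) -> list[dict]:
        # timespan bounds the rows scanned; set query_now inside the query fixes now()
        result = client.query_workspace(workspace_id, query, timespan=(start, end))
        if result.status != LogsQueryStatus.SUCCESS:
            raise RuntimeError(f"partial result: {result.partial_error}")
        table = result.tables[0]
        return [dict(zip(table.columns, row)) for row in table.rows]

    return run


if __name__ == "__main__":
    print(json.dumps(collect_triggering_events(SAMPLE_ALERT, offline_runner), indent=2))
```

Both halves of the re-run matter: the timespan passed to Log Analytics limits which rows are scanned, while set query_now makes any ago() or now() inside the rule evaluate as it did at alert time, which is the problem Clive's note points at. The max_rows cap is an arbitrary default so an AlertPerResult rule with a large window does not produce an unwieldy incident comment; raise it if you are writing to a custom table instead.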
