Forum Discussion

Vshah335
Copper Contributor
Sep 23, 2020

IncidentUrl - Investigation

SecurityIncident
| where TimeGenerated > ago(1d)
| where Status == "Active"
| project TimeGenerated, Title, Description, Severity, IncidentUrl

Is it possible for a Security Incident to create an alert, and for the IncidentUrl to be tacked onto one of the existing fields available for a Security Alert? If the answer is yes, how? Please explain.

1 Reply

  • GaryBushey
    Bronze Contributor

    Vshah335 The short answer is no. Incidents are created by alerts and not the other way around. You also cannot modify the schema of an Azure Sentinel table, only custom tables.

    What you can do is perform a join from the SecurityAlert table to the SecurityIncident table to get the information. Something like what is shown below. You need to use mv-expand on the SecurityIncident table to expand each entry in the AlertIds field into its own row. You also need to I am not sure if this is the best way to do the query, but it does work.

    SecurityAlert
    | join kind=innerunique (
        SecurityIncident
        // one row per alert id listed in the incident's AlertIds array
        | mv-expand AlertIds
        // the expanded value is dynamic; cast it so the join key types match
        | extend tempAlertId=tostring(AlertIds)
      ) on $left.SystemAlertId == $right.tempAlertId
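An added example, not part of the reply above, that carries the join through to the result the question asks for: each alert row with its incident's IncidentUrl attached. It assumes the standard Azure Sentinel SecurityAlert and SecurityIncident columns (SystemAlertId, AlertIds, IncidentNumber, LastModifiedTime, IncidentUrl) and uses the question's 1-day / Active filters.

```kql
// Added example (not the thread's own query). Assumes the standard Sentinel
// SecurityAlert and SecurityIncident schemas.
let lookback = 1d;
// SecurityIncident records a new row every time an incident is updated, so
// keep only the latest state of each incident before expanding its alert list;
// joining without this step duplicates every alert once per update.
let incidents = SecurityIncident
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(LastModifiedTime, *) by IncidentNumber
    | where Status == "Active"
    | mv-expand AlertIds
    | extend AlertId = tostring(AlertIds)
    | project IncidentNumber, IncidentTitle = Title,
              IncidentSeverity = Severity, IncidentUrl, AlertId;
SecurityAlert
| where TimeGenerated > ago(lookback)
// alerts can also be re-ingested; keep the latest row per SystemAlertId
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| join kind=inner incidents on $left.SystemAlertId == $right.AlertId
| project TimeGenerated, AlertName, AlertSeverity, ProviderName,
          IncidentNumber, IncidentTitle, IncidentSeverity, IncidentUrl
| order by TimeGenerated desc
```

Alerts that belong to no active incident drop out of the inner join; switch to kind=leftouter if you want them kept with an empty IncidentUrl.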
