Forum Discussion
Vshah335
Sep 23, 2020, Copper Contributor
IncidentUrl - Investigation
SecurityIncident
| where TimeGenerated > ago(1d)
| where Status == "Active"
| project TimeGenerated, Title, Description, Severity, IncidentUrl

Is it possible that a Security Incident can create...
GaryBushey
Sep 23, 2020, Bronze Contributor
Vshah335 The short answer is no. Incidents are created by alerts and not the other way around. You also cannot modify the schema of an Azure Sentinel table, only custom tables.
What you can do is perform a join from the SecurityAlert table to the SecurityIncident table to get the information. Something like what is shown below. You need to use the mv-expand on the SecurityIncident table to expand each entry in the AlertIds field into its own row. You also need to I am not sure if this is the best way to do the query, but it does work.
SecurityAlert
// innerunique keeps one left-side row per join key and drops alerts with no matching incident
| join kind=innerunique (SecurityIncident
    // AlertIds is an array of alert ids; expand it so each id becomes its own row
    | mv-expand AlertIds
    // mv-expand yields a dynamic value; cast it to string so it can be compared with SystemAlertId
    | extend tempAlertId=tostring(AlertIds)) on $left.SystemAlertId == $right.tempAlertId
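As an added example (not code from either poster), here is the same join run in the direction the question asked for: start from the active incidents of the last day, expand AlertIds, and pull in the alerts behind each incident. It assumes the standard Sentinel SecurityIncident and SecurityAlert schemas and that the Status value in use is "Active", as in the original query.

```kql
// Added example: active incidents from the last day, joined to the alerts that created them.
// Assumes standard Sentinel SecurityIncident / SecurityAlert columns.
SecurityIncident
| where TimeGenerated > ago(1d)
// SecurityIncident writes a new row on every change; keep only the latest row per incident
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| where Status == "Active"
// AlertIds is an array; one row per alert id, cast to string for the join key
| mv-expand AlertIds
| extend AlertId = tostring(AlertIds)
| join kind=inner (
    SecurityAlert
    // alerts can predate the incident, so look further back than 1d
    | where TimeGenerated > ago(7d)
    // alerts can also be updated; keep the latest row per alert
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | project SystemAlertId, AlertName, AlertSeverity, ProviderName, CompromisedEntity
) on $left.AlertId == $right.SystemAlertId
// collapse back to one row per incident with the alert details as sets
| summarize
    AlertCount = dcount(AlertId),
    Alerts = make_set(AlertName),
    Providers = make_set(ProviderName),
    Entities = make_set(CompromisedEntity)
    by IncidentNumber, Title, Severity, IncidentUrl, LastModifiedTime
| order by LastModifiedTime desc
```

The arg_max step matters: without it an incident that was edited several times in the window appears once per edit, which inflates counts and duplicates rows.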