Forum Discussion

Tvoby
Copper Contributor
Dec 14, 2024

The issue with displaying the original query in the newly created scheduled query rule

Hello everyone. I recently started learning Azure Sentinel, and I wanted to create my first custom rule. The rule works as I wanted, but I encountered an issue with displaying the original query. When an incident is created and I go to the "Incident Timeline" and click "Link to LA," my query is shown in an obfuscated form, as shown in the screenshot. Could you please help me figure out how to make the original query visible? Thank you! 


1 Reply

  • Clive_Watson
    Bronze Contributor

    You can see the query (as it's custom) from the previous screen: instead of pressing "Link to LA", select "Rule Name".

    If you really need to see it in that KQL screen, you need to "know" the "System Alert ID" and use that to query for it; this is an example:

    SecurityAlert
    | where SystemAlertId in ("< insert your system alert ID here>")
    // ExtendedProperties is a JSON string; OriginalQuery holds the rule text as you wrote it
    | project parse_json(ExtendedProperties).OriginalQuery

    You can use this KQL to find the Incident ID and last AlertID and also show the KQL; you just need to insert the Incident Number into line #2 (which you can see top left of the Sentinel screen) when you are in the Link to LA window.

    SecurityIncident
    | where IncidentNumber == "< Insert the Incident ID here>"   // line #2: IncidentNumber is a string column, keep the quotes
    | extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))   // AlertIds is a JSON array serialised as text
    | mv-expand AlertIds to typeof(string), Labels to typeof(string), Comments to typeof(string), AdditionalData to typeof(string)
    | join kind=leftouter
    (
        SecurityAlert
        | extend ProductProcessingMin = datetime_diff('minute', ProcessingEndTime, EndTime), ingest_ = ingestion_time()
        | extend sentinelIngestionDelayinMinutes_ = datetime_diff('minute', ingestion_time(), ProcessingEndTime)
        | extend StarttoEndDelayinMinutes_ = datetime_diff('minute', EndTime, StartTime)
    ) on $left.AlertIds == $right.SystemAlertId   // one expanded alert id per row matched to its SecurityAlert record
    // TimeGenerated here is the incident's; the alert's copy is renamed TimeGenerated1 by the join
    | summarize AlertCount = dcount(AlertIds), arg_max(TimeGenerated, *) by IncidentNumber
    | extend sentinelIngestiontoCreated_ = datetime_diff('minute', ingest_, CreatedTime)
    | extend InvestigationElapsedTime_ = datetime_diff('minute', LastModifiedTime, CreatedTime)
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    | project IncidentNumber, Title, StartTime, EndTime, ProcessingEndTime, TimeGenerated, ingest_,
              StarttoEndDelayinMinutes_, ProductProcessingMin, sentinelIngestionDelayinMinutes_,
              AlertName, FirstActivityTime, LastModifiedTime, CreatedTime,
              InvestigationElapsedTime_, sentinelIngestiontoCreated_,
              Severity, Status, Comments, ProductName, ProviderName, AlertIds,
              OriginalQuery = parse_json(ExtendedProperties).OriginalQuery
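As an added illustration (not part of Clive_Watson's reply or anything Microsoft ships), the following Python models offline what the second KQL query does: it unpacks the incident's AlertIds JSON array, joins each id to its SecurityAlert row, reads OriginalQuery out of the ExtendedProperties JSON string, and computes the same minute deltas with KQL's datetime_diff(first, second) = first minus second semantics. The only field names taken from the thread are IncidentNumber, AlertIds, SystemAlertId, ExtendedProperties, OriginalQuery, ProcessingEndTime, CreatedTime and LastModifiedTime; every row, timestamp, alert id and the extra "Query" key are constructed sample data, and ingestion_time is modelled as a plain column.

```python
import json
from datetime import datetime

# Constructed sample rows shaped like the two Sentinel tables in the reply.
# All values are made up for this example.
SECURITY_INCIDENT_ROWS = [
    {
        "IncidentNumber": "42",
        "Title": "Example scheduled rule fired",
        "CreatedTime": "2024-12-14T10:05:00Z",
        "LastModifiedTime": "2024-12-14T10:45:00Z",
        # AlertIds is a JSON array serialised into a string, which is why the
        # KQL needs extract()/mv-expand before it can join on SystemAlertId.
        "AlertIds": '["11111111-aaaa-4bbb-8ccc-000000000001"]',
    },
]

SECURITY_ALERT_ROWS = [
    {
        "SystemAlertId": "11111111-aaaa-4bbb-8ccc-000000000001",
        "AlertName": "Example scheduled rule fired",
        "ProcessingEndTime": "2024-12-14T10:00:00Z",
        "ingestion_time": "2024-12-14T10:03:00Z",  # stands in for ingestion_time()
        # ExtendedProperties is a JSON object serialised into a string.
        # OriginalQuery is the rule text as typed into the analytics rule; the
        # "Query" key is a constructed stand-in for the expanded form.
        "ExtendedProperties": json.dumps({
            "OriginalQuery": "SigninLogs | where ResultType != 0 "
                             "| summarize count() by UserPrincipalName",
            "Query": "(constructed) expanded query text",
        }),
    },
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form used in the sample rows."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def minutes_between(first, second):
    """Mirror KQL datetime_diff('minute', first, second): first minus second."""
    return int((parse_ts(first) - parse_ts(second)).total_seconds() // 60)


def original_queries_for_incident(incident_number, incidents, alerts):
    """Return one record per alert id of the incident, like the leftouter join.

    An alert id with no matching SecurityAlert row yields OriginalQuery None,
    which is what a leftouter join produces for unmatched rows.
    """
    alerts_by_id = {a["SystemAlertId"]: a for a in alerts}
    results = []
    for inc in incidents:
        if inc["IncidentNumber"] != incident_number:
            continue
        for alert_id in json.loads(inc["AlertIds"]):  # mv-expand AlertIds
            alert = alerts_by_id.get(alert_id)
            if alert is None:
                results.append({"AlertId": alert_id, "OriginalQuery": None})
                continue
            props = json.loads(alert["ExtendedProperties"])  # parse_json(...)
            results.append({
                "AlertId": alert_id,
                "OriginalQuery": props.get("OriginalQuery"),
                # ingestion_time() - ProcessingEndTime
                "sentinelIngestionDelayinMinutes": minutes_between(
                    alert["ingestion_time"], alert["ProcessingEndTime"]),
                # ingest_ - CreatedTime, negative when the alert was ingested
                # before the incident record was created
                "sentinelIngestiontoCreated": minutes_between(
                    alert["ingestion_time"], inc["CreatedTime"]),
                # LastModifiedTime - CreatedTime
                "InvestigationElapsedTime": minutes_between(
                    inc["LastModifiedTime"], inc["CreatedTime"]),
            })
    return results


if __name__ == "__main__":
    for row in original_queries_for_incident("42", SECURITY_INCIDENT_ROWS,
                                             SECURITY_ALERT_ROWS):
        print(json.dumps(row, indent=2))
```

Running it prints the rule text as written ("SigninLogs | where ..."), which is the value the "Link to LA" screen does not surface directly; the delay columns follow the sign convention of the KQL, so sentinelIngestiontoCreated comes out negative for this sample because ingestion precedes incident creation.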
