How to use KQL to associate alerts with incidents?

Question

There is no method I'm aware of to use KQL to query from an alertID to an incident or vice versa.

Please provide kql examples for querying between XDR incidents and alerts.

These queries should be independent of the SecurityIncident table which is only available when Sentinel is connected to XDR.

Thank you.

clive_watson · Answer

If you do have Sentinel integration it would be this (just sharing in case you haven't seen it, and I know it wasn't the request you asked for, but the way I know that works)SecurityIncident| extend Alerts = extract("$$(.*?)$$", 1, tostring(AlertIds))| mv-expand AlertIds to typeof(string), Labels to typeof(string), Comments to typeof(string), AdditionalData to typeof(string)| join kind=leftouter(&nbsp;&nbsp;&nbsp; SecurityAlert&nbsp; &nbsp; //| where TimeGenerated &gt; ago(10m)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ) on $right.SystemAlertId == $left.AlertIds&nbsp;&nbsp;&nbsp; | summarize AlertCount=dcount(AlertIds),&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; arg_max&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TimeGenerated, *&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; )&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; by IncidentNumber

Forum Discussion

How to use KQL to associate alerts with incidents?

1 Reply

Resources