Forum Discussion

SocInABox's avatar
SocInABox
Iron Contributor
Apr 03, 2025

How to use KQL to associate alerts with incidents?

There is no method I'm aware of to use KQL to query from an alertID to an incident or vice versa. Please provide kql examples for querying between XDR incidents and alerts. These queries should be ...
alerts
investigation
Search
siem
threat hunting
Clive_Watson's avatar
Clive_Watson
Bronze Contributor
Apr 17, 2025

If you do have Sentinel integration it would be this (just sharing in case you haven't seen it, and I know it wasn't the request you asked for, but the way I know that works)

SecurityIncident

| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))

| mv-expand AlertIds to typeof(string), Labels to typeof(string), Comments to typeof(string), AdditionalData to typeof(string)

| join kind=leftouter

(

    SecurityAlert

    //| where TimeGenerated > ago(10m)   

    ) on $right.SystemAlertId == $left.AlertIds

    | summarize AlertCount=dcount(AlertIds),

                arg_max

                (

                 TimeGenerated, *

                )

                by IncidentNumber

Resources