IncidentUrl - Investigation

Copper Contributor

SecurityIncident
| where TimeGenerated > ago(1d)
| where Status == "Active"
| project TimeGenerated, Title, Description, Severity, IncidentUrl

Is it possible for a Security Incident to create an alert and have the IncidentUrl tacked on into one of the existing fields available for a Security Alert? If the answer is yes, how? Please explain.

1 Reply

@Vshah335 The short answer is no. Incidents are created by alerts and not the other way around. You also cannot modify the schema of an Azure Sentinel table, only custom tables.


What you can do is perform a join from the SecurityAlert table to the SecurityIncident table to get the information. Something like what is shown below. You need to use mv-expand on the SecurityIncident table to expand each entry in the AlertIds field into its own row. You also need to I am not sure if this is the best way to do the query, but it does work.


SecurityAlert
| join kind=innerunique (
    SecurityIncident
    // AlertIds holds every SystemAlertId grouped into the incident; one row per id
    | mv-expand AlertIds
    // mv-expand yields a dynamic value; cast to string so it can be compared with SystemAlertId
    | extend tempAlertId = tostring(AlertIds)
  ) on $left.SystemAlertId == $right.tempAlertId
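As an added example (not the replier's query and not Microsoft's own code), here is the same idea carried through to a complete query: alerts from the last day, each enriched with the number, URL and title of the active incident that contains it. It assumes the standard Sentinel SecurityAlert and SecurityIncident column names used above; the `arg_max` step is there because SecurityIncident receives a new row every time an incident is updated, so without it a single alert can appear once per incident revision. The `todynamic()` is a no-op when AlertIds already arrives as a dynamic array and only matters if the workspace stores it as a JSON string. A `leftouter` join is used so that alerts not yet grouped into any incident still appear, with empty incident columns.

```kql
// Added example: SecurityAlert rows enriched with the IncidentUrl of their incident.
// Column names are assumed to follow the Sentinel SecurityAlert / SecurityIncident schemas.
let lookback = 1d;
let incidentAlerts =
    SecurityIncident
    | where TimeGenerated > ago(lookback)
    // Incidents are re-emitted on every update: keep only the latest record per incident
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    | where Status == "Active"
    // Normalise AlertIds to a dynamic array (harmless if it already is one), then one row per alert id
    | extend AlertIds = todynamic(AlertIds)
    | mv-expand AlertIds to typeof(string)
    | project AlertId = AlertIds,
              IncidentNumber,
              IncidentUrl,
              IncidentTitle = Title,
              IncidentSeverity = Severity;
SecurityAlert
| where TimeGenerated > ago(lookback)
// leftouter keeps alerts that have not (yet) been grouped into an incident
| join kind=leftouter (incidentAlerts) on $left.SystemAlertId == $right.AlertId
| project TimeGenerated,
          AlertName,
          AlertSeverity,
          ProviderName,
          SystemAlertId,
          IncidentNumber,
          IncidentUrl,
          IncidentTitle,
          IncidentSeverity
| order by TimeGenerated desc
```

If you only want alerts that do belong to an incident, switch the join back to `kind=innerunique` as in the reply; the `arg_max` de-duplication still applies either way, otherwise the same alert shows up once per incident update.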