Getting Direct URLs for Azure Sentinel Incidents Using KQL

We are making this capability much, MUCH easier in the very near future but for now here’s a convoluted way to get the direct link to Incidents out of the Azure Sentinel tables.

I created the following query for a customer so they could parse out the URL and then send it through email to analysts via a Playbook. Note that the incident's resource ID is recorded in the _ResourceId column of the AzureActivity table; the portal link itself is not stored anywhere, so it has to be cobbled together by concatenating that resource ID onto the portal's incident asset URL with strcat.

NOTE: Apparently our blogging system here keeps inserting a double semi-colon at the end of the first line of the query. Please make sure to grab the query from the GitHub posting.

What it looks like…

Query:

// Base URL of the Azure portal's Incident asset blade; the incident's full ARM resource ID is appended to it
let IncidentURL = "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident";
AzureActivity
// Keep only activity records whose resource is a Sentinel (SecurityInsights) incident
| where _ResourceId has "Microsoft.SecurityInsights" and _ResourceId has "incidents"
// One row per incident resource ID
| summarize by _ResourceId
// Build the clickable link: base URL + resource ID
| extend IncidentLINK = strcat(IncidentURL, _ResourceId)
| distinct IncidentLINK

Results:

Get it from GitHub: https://github.com/rod-trent/SentinelKQL/blob/master/SentinelIncidentURLs-%20ALL.txt
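For a Playbook that e-mails analysts about new incidents, the list above is usually too broad: it returns every incident the activity log has ever seen, with no timestamp and no way to tell which GUID a link points at. The following variant is an added example, not the query from the post or from the SentinelKQL repository; it scopes the same AzureActivity records to the last 24 hours, keeps only write operations (the filter on OperationNameValue is an assumption about how incident create/update events are named in your tenant, so adjust it if your logs differ), extracts the incident GUID from the end of the resource ID with extract(), and orders the result by the most recent activity.

```kusto
// Same base URL as the original query; the ARM resource ID is appended to it
let IncidentURL = "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident";
AzureActivity
// Only look at recent activity so a scheduled Playbook does not re-send old incidents
| where TimeGenerated > ago(24h)
| where _ResourceId has "Microsoft.SecurityInsights" and _ResourceId has "incidents"
// Assumption: incident create/update events carry a write operation name; 'has' is case-insensitive
| where OperationNameValue has "write"
// Pull the incident GUID (36 hex/dash characters) from the tail of the resource ID
| extend IncidentId = tostring(extract(@"/incidents/([0-9a-fA-F-]{36})$", 1, _ResourceId))
// Collapse to one row per incident, keeping the latest activity time
| summarize LastActivity = max(TimeGenerated) by _ResourceId, IncidentId
| extend IncidentLINK = strcat(IncidentURL, _ResourceId)
| project LastActivity, IncidentId, IncidentLINK
| order by LastActivity desc
```

IncidentId is useful as a dedup key in the Playbook (for example, to avoid mailing the same incident twice), while IncidentLINK is still built exactly as in the original query, so the two can be used side by side.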
