Query Details

Incident Id2rule Name

Query

//Getting the Analytics Rule name from the Incident ID

SecurityIncident
| where TimeGenerated >= ago(90d)
| where IncidentNumber == toint("<enter your Incident ID here>") // Example: "118831"
// SecurityIncident gets a new row every time the incident changes; keep only the latest record
| summarize arg_max(TimeGenerated, IncidentNumber, AlertIds)
// One row per alert that belongs to the incident
| mv-expand AlertIds to typeof(string)
| join kind=leftouter(
    SecurityAlert
    | where TimeGenerated >= ago(90d)
    // Rule id and name are not top-level columns; they sit inside the ExtendedProperties JSON.
    // "Analytic Rule Ids" is itself a JSON-encoded array, hence the nested todynamic()
    | project
        AnalyticsRuleId = tostring(todynamic(tostring(todynamic(ExtendedProperties)["Analytic Rule Ids"]))[0]),
        AnalyticsRuleName = tostring(todynamic(ExtendedProperties)["Analytic Rule Name"]),
        AlertName,
        SystemAlertId
) on $left.AlertIds == $right.SystemAlertId
// Collapse to unique rule/alert pairs (AnalyticsRuleId is dropped here; add it if you need it)
| distinct AnalyticsRuleName, AlertName

Explanation

This query retrieves the name of the analytics rule (or rules) behind a specific Incident ID. It filters the SecurityIncident table to the given IncidentNumber within the last 90 days. Because SecurityIncident receives a new row each time an incident is updated, summarize arg_max(TimeGenerated, ...) keeps only the most recent record of that incident together with its current list of alert IDs. mv-expand turns the AlertIds array into one row per alert, and each row is joined (leftouter) to SecurityAlert on SystemAlertId. The rule ID and rule name are not top-level columns of SecurityAlert; they are read from the ExtendedProperties JSON ("Analytic Rule Ids", which is itself a JSON-encoded array, and "Analytic Rule Name"). Finally, distinct collapses the output to unique AnalyticsRuleName and AlertName pairs; the projected AnalyticsRuleId is discarded at that step, so add it to the distinct clause if you need it. Two caveats: the 90-day window applies to both tables, so an alert that fired before the window (or has aged out of workspace retention) appears as a row with an empty rule name because of the leftouter join; and the placeholder inside toint() must be replaced with the numeric incident ID, otherwise the first where clause matches nothing.
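The following is an added example, not part of the original page or Rod Trent's query: the same incident-to-rule lookup generalized to several incidents, with the lookback window held in a let statement, deduplication of alerts that were logged more than once, and a flag marking alert IDs that the join could not resolve inside the window. It assumes the standard Microsoft Sentinel SecurityIncident and SecurityAlert schemas; the incident numbers in the incidents list are constructed placeholders.

```kql
// Added example (not from the original page). Assumes the standard Sentinel
// SecurityIncident / SecurityAlert schemas; incident numbers are placeholders.
let lookback = 90d;
let incidents = dynamic([118831, 118832]);   // constructed example incident IDs
SecurityIncident
| where TimeGenerated >= ago(lookback)
| where IncidentNumber in (incidents)
// Latest record per incident (SecurityIncident logs a row per update)
| summarize arg_max(TimeGenerated, AlertIds, Title, Status) by IncidentNumber
// One row per alert ID attached to the incident
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=leftouter (
    SecurityAlert
    | where TimeGenerated >= ago(lookback)
    | extend Props = todynamic(ExtendedProperties)
    // "Analytic Rule Ids" is a JSON-encoded array inside the JSON, hence the second todynamic()
    | extend AnalyticsRuleId = tostring(todynamic(tostring(Props["Analytic Rule Ids"]))[0]),
             AnalyticsRuleName = tostring(Props["Analytic Rule Name"])
    // An alert can be logged more than once; keep its latest row so the join does not fan out
    | summarize arg_max(TimeGenerated, AnalyticsRuleId, AnalyticsRuleName, AlertName, AlertSeverity) by SystemAlertId
) on $left.AlertId == $right.SystemAlertId
// leftouter keeps unmatched alert IDs; flag them instead of silently returning empty names
| extend AlertFound = isnotempty(SystemAlertId)
| project IncidentNumber, Title, Status, AlertId, AlertFound, AnalyticsRuleId, AnalyticsRuleName, AlertName, AlertSeverity
| order by IncidentNumber asc, AlertName asc
```

Rows with AlertFound == false are the cases the single-incident query above returns with an empty rule name: the alert exists on the incident but its SecurityAlert row is outside the lookback window or past retention. Widening lookback is the usual fix, within what the workspace retains.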

Details


Rod Trent

Released: October 11, 2022

Tables

SecurityIncident, SecurityAlert

Keywords

SecurityIncident,TimeGenerated,IncidentNumber,AlertIds,SecurityAlert,AnalyticsRuleId,AnalyticsRuleName,AlertName,SystemAlertId

Operators

where, summarize, arg_max, mv-expand, join, kind, project, to typeof, toint, todynamic, [], ==, >=, ago, distinct
