Incident Id2rule Name
Query
//Getting the Analytics Rule name from the Incident ID
SecurityIncident
| where TimeGenerated >= ago(90d)
| where IncidentNumber == toint("<enter your Incident ID here>") // Example: "118831"
| summarize arg_max(TimeGenerated, IncidentNumber, AlertIds)
| mv-expand AlertIds to typeof(string)
| join kind=leftouter(
SecurityAlert
| where TimeGenerated >= ago(90d)
| project
AnalyticsRuleId = tostring(todynamic(tostring(todynamic(ExtendedProperties)["Analytic Rule Ids"]))[0]),
AnalyticsRuleName = tostring(todynamic(ExtendedProperties)["Analytic Rule Name"]),
AlertName,
SystemAlertId
) on $left.AlertIds == $right.SystemAlertId
| distinct AnalyticsRuleName, AlertNameExplanation
This query retrieves the Analytics Rule name associated with a specific Incident ID. It filters the SecurityIncident table based on the specified Incident ID and a time range of the last 90 days. Then, it finds the latest incident based on the TimeGenerated and IncidentNumber fields. The AlertIds are expanded into separate rows. The SecurityAlert table is joined with the expanded AlertIds, and the AnalyticsRuleName and AlertName are returned. The result will only include distinct AnalyticsRuleName and AlertName combinations.
Details

Rod Trent
Released: October 11, 2022
Tables
SecurityIncidentSecurityAlert
Keywords
SecurityIncidentTimeGeneratedIncidentNumberAlertIdsSecurityAlertAnalyticsRuleIdAnalyticsRuleNameAlertNameSystemAlertId
Operators
wheresummarizearg_maxmv-expandjoinkindprojecttotypeoftointtodynamic[]==>=agodistinct