Query Details

Incident URL

Query

// Using KQL's strcat to create a URL to an Incident on another domain
let new_URL = "domain.com";
let portal_URL = "https://portal.azure.com/";
let subscription = "your_subscription";
let resource_group = "your_resource_group";
let workspace = "your_workspace";
SecurityIncident
| where TimeGenerated >= ago(90d)
| where Severity == 'High'
| where Title has "Suspicious"
| extend Updated_URL = strcat(portal_URL, new_URL, "/", "#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/", subscription, "/", "resourceGroups/", resource_group, "/", "providers/Microsoft.OperationalInsights/workspaces/", workspace, "/", "providers/Microsoft.SecurityInsights/Incidents/", IncidentName)
| project Updated_URL

Explanation

This query uses KQL's strcat function to create a URL that links to an Incident on another domain. It filters the SecurityIncident table to only the incidents that were generated within the last 90 days, have a severity of 'High', and have a title that contains the term "Suspicious". It then extends the table with a new column called Updated_URL, which concatenates the portal base URL, the alternate domain, the subscription, resource group and workspace values, and the IncidentName into the final deep link. strcat adds no separators of its own, so every "/" in the path is supplied explicitly. The query projects only the Updated_URL column.
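As an added illustration (not part of the original query page), the following Python builds the same deep link the strcat expression produces and parses it back into its components, so a generated link can be checked against the workspace it is supposed to point at before it is embedded in a notification. The let-values are the page's own placeholders; the incident id used in the usage line is constructed.

```python
from urllib.parse import urlsplit

# Placeholder values mirroring the query's let-statements (not real resources).
PORTAL_URL = "https://portal.azure.com/"
NEW_URL = "domain.com"
SUBSCRIPTION = "your_subscription"
RESOURCE_GROUP = "your_resource_group"
WORKSPACE = "your_workspace"

FRAGMENT_PREFIX = "#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/"


def incident_url(incident_name: str, portal_url: str = PORTAL_URL, new_url: str = NEW_URL,
                 subscription: str = SUBSCRIPTION, resource_group: str = RESOURCE_GROUP,
                 workspace: str = WORKSPACE) -> str:
    """Join the pieces exactly as the KQL strcat() does: no separators are added
    automatically, so each '/' must be supplied explicitly."""
    return "".join([
        portal_url, new_url, "/",
        FRAGMENT_PREFIX, subscription, "/",
        "resourceGroups/", resource_group, "/",
        "providers/Microsoft.OperationalInsights/workspaces/", workspace, "/",
        "providers/Microsoft.SecurityInsights/Incidents/", incident_name,
    ])


def parse_incident_url(url: str) -> dict:
    """Inverse of incident_url(): pull the host, subscription, resource group,
    workspace and incident id back out of the portal fragment. The fragment layout is
    asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/<sub>/resourceGroups/<rg>/
    providers/Microsoft.OperationalInsights/workspaces/<ws>/providers/
    Microsoft.SecurityInsights/Incidents/<incident>."""
    parts = urlsplit(url)
    segments = parts.fragment.split("/")

    def after(key: str) -> str:
        # Value that follows a fixed path key; raises ValueError if the key is missing.
        return segments[segments.index(key) + 1]

    return {
        "host": parts.netloc,
        "subscription": after("subscriptions"),
        "resource_group": after("resourceGroups"),
        "workspace": after("workspaces"),
        "incident": after("Incidents"),
    }


if __name__ == "__main__":
    link = incident_url("abc-123")  # constructed incident id
    print(link)
    print(parse_incident_url(link))
```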

Details

Rod Trent

Released: December 5, 2023

Tables

SecurityIncident

Keywords

Incident,TimeGenerated,Severity,Title,Updated_URL,IncidentName
