Query Details

Incident URL

Query

//Using KQL's strcat to create a URL to an Incident on another domain


let new_URL = "domain.com";
let portal_URL = "https://portal.azure.com/";
let subscription = "your_subscription";
let resource_group = "your_resource_group";
let workspace = "your_workspace";
SecurityIncident
| where TimeGenerated >= ago(90d)
| where Severity == 'High'
| where Title has "Suspicious"
| extend Updated_URL = strcat(portal_URL, new_URL, "/", "#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/", subscription, "/", "resourceGroups/", resource_group, "/", "providers/Microsoft.OperationalInsights/workspaces/", workspace, "/", "providers/Microsoft.SecurityInsights/Incidents/", IncidentName)
| project Updated_URL

Explanation

This query uses KQL's strcat function to create a URL that links to an Incident on another domain. It filters the SecurityIncident table to only include incidents that occurred within the last 90 days, have a severity of 'High', and have a title that includes the word "Suspicious". It then extends the table with a new column called Updated_URL, which concatenates various strings to create the final URL. The query projects only the Updated_URL column.

Details

Rod Trent profile picture

Rod Trent

Released: December 5, 2023

Tables

SecurityIncident

Keywords

IncidentTimeGeneratedSeverityTitleUpdated_URLIncidentName

Operators

letnew_URL="domain.com"portal_URL"https://portal.azure.com/"subscription"your_subscription"resource_group"your_resource_group"workspace"your_workspace"SecurityIncident|whereTimeGenerated>=ago(90d)Severity=='High'Titlehas"Suspicious"extendUpdated_URLstrcat(portal_URL"/""#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/""resourceGroups/""providers/Microsoft.OperationalInsights/workspaces/""providers/Microsoft.SecurityInsights/Incidents/"IncidentName)project

Actions

GitHub