Incident URL
Query
//Using KQL's strcat to create a URL to an Incident on another domain
let new_URL = "domain.com";
let portal_URL = "https://portal.azure.com/";
let subscription = "your_subscription";
let resource_group = "your_resource_group";
let workspace = "your_workspace";
SecurityIncident
| where TimeGenerated >= ago(90d)
| where Severity == 'High'
| where Title has "Suspicious"
| extend Updated_URL = strcat(portal_URL, new_URL, "/", "#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/", subscription, "/", "resourceGroups/", resource_group, "/", "providers/Microsoft.OperationalInsights/workspaces/", workspace, "/", "providers/Microsoft.SecurityInsights/Incidents/", IncidentName)
| project Updated_URLExplanation
This query uses KQL's strcat function to create a URL that links to an Incident on another domain. It filters the SecurityIncident table to only include incidents that occurred within the last 90 days, have a severity of 'High', and have a title that includes the word "Suspicious". It then extends the table with a new column called Updated_URL, which concatenates various strings to create the final URL. The query projects only the Updated_URL column.
Details

Rod Trent
Released: December 5, 2023
Tables
SecurityIncident
Keywords
IncidentTimeGeneratedSeverityTitleUpdated_URLIncidentName
Operators
letnew_URL="domain.com"portal_URL"https://portal.azure.com/"subscription"your_subscription"resource_group"your_resource_group"workspace"your_workspace"SecurityIncident|whereTimeGenerated>=ago(90d)Severity=='High'Titlehas"Suspicious"extendUpdated_URLstrcat(portal_URL"/""#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/""resourceGroups/""providers/Microsoft.OperationalInsights/workspaces/""providers/Microsoft.SecurityInsights/Incidents/"IncidentName)project