Query Details

Sentinel Incident URLs ALL

Query

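// Portal URL prefix for a Sentinel incident; the incident's resource ID is appended to it
let IncidentURL = "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident";
AzureActivity
// Keep only activity records whose resource is a Sentinel incident
| where _ResourceId has "Microsoft.SecurityInsights" and _ResourceId has "incidents"
// Collapse to one row per incident resource ID
| summarize by _ResourceId
| extend IncidentLINK = strcat(IncidentURL, _ResourceId)
| distinct IncidentLINK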

Explanation

This query searches the AzureActivity table for records whose resource ID refers to a Microsoft.SecurityInsights incident, that is, a Sentinel incident. It then builds a portal link for each incident by appending the incident's resource ID to the incident URL prefix. Finally, it returns the list of distinct incident links.

Details


Rod Trent

Released: June 12, 2020

Tables

AzureActivity

Keywords

AzureActivity,_ResourceId,Microsoft.SecurityInsights,incidents,IncidentURL,IncidentLINK

Operators

where,has,summarize,extend,strcat,distinct
