We are making this capability much, MUCH easier in the very near future but for now here’s a convoluted way to get the direct link to Incidents out of the Azure Sentinel tables.
I created the following query for a customer so they could parse out the URL and then send it through email to analysts through a Playbook. Note that this information is contained in the AzureActivity table, but it needs to be cobbled together using strcat.
NOTE: Apparently our blogging system here keeps inserting a double semi-colon at the end of the first line of the query. Please make sure to grab the query from the GitHub posting.
What it looks like…
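// Portal prefix that every incident deep link starts with
let IncidentURL = "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident";
AzureActivity
// Keep only activity records whose resource is a Sentinel incident
| where _ResourceId has "Microsoft.SecurityInsights" and _ResourceId has "incidents"
| summarize by _ResourceId
// Append the incident's resource ID to the portal prefix to form the direct link
| extend IncidentLINK = strcat(IncidentURL, _ResourceId)
| distinct IncidentLINK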
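
A stricter variant of the query above, added here as an example and not part of the original post: it extracts only the incident-level resource ID before building the link, so records that merely contain the term "incidents" or point at a sub-resource do not produce broken links in the analyst email. The resource ID path layout, the `comments` sub-resource, and the sample rows in the `datatable` are assumptions constructed for illustration; replace the `datatable` with `AzureActivity` to run it against real data.

```kql
let IncidentURL = "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident";
// Assumed layout of an incident resource ID; anything after the incident name is dropped
let IncidentIdPattern = @"(?i)^(/subscriptions/[^/]+/resourcegroups/[^/]+/providers/microsoft\.operationalinsights/workspaces/[^/]+/providers/microsoft\.securityinsights/incidents/[^/]+)";
// Constructed sample rows standing in for AzureActivity (all IDs are placeholders)
datatable(_ResourceId:string) [
    // 1. An incident
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.OperationalInsights/workspaces/ws-example/providers/Microsoft.SecurityInsights/Incidents/11111111-1111-1111-1111-111111111111",
    // 2. The same incident logged with different casing
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-example/providers/microsoft.operationalinsights/workspaces/ws-example/providers/microsoft.securityinsights/incidents/11111111-1111-1111-1111-111111111111",
    // 3. A sub-resource of that incident (a comment)
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.OperationalInsights/workspaces/ws-example/providers/Microsoft.SecurityInsights/Incidents/11111111-1111-1111-1111-111111111111/comments/22222222-2222-2222-2222-222222222222",
    // 4. Not an incident, but still matched by: has "incidents"
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.OperationalInsights/workspaces/ws-example/providers/Microsoft.SecurityInsights/alertRules/incidents-test-rule"
]
| where _ResourceId has "Microsoft.SecurityInsights" and _ResourceId has "incidents"
// Keep only the incident-level part of the ID; non-incident rows yield an empty string
| extend IncidentId = extract(IncidentIdPattern, 1, _ResourceId)
| where isnotempty(IncidentId)
// Collapse casing variants and sub-resources of the same incident into one row
| summarize IncidentId = take_any(IncidentId) by IncidentKey = tolower(IncidentId)
| extend IncidentLINK = strcat(IncidentURL, IncidentId)
| project IncidentLINK
```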