Getting Direct URLs for Azure Sentinel Incidents Using KQL

We are making this capability much, MUCH easier in the very near future but for now here’s a convoluted way to get the direct link to Incidents out of the Azure Sentinel tables.

I created the following query for a customer so they could parse out the URL and then send it to analysts by email through a Playbook. Note that this information is contained in the AzureActivity table, but the link has to be cobbled together from the _ResourceId column using strcat.

NOTE: Apparently our blogging system here keeps inserting a double semi-colon at the end of the first line of the query. Please make sure to grab the query from the GitHub posting.

What it looks like…


let IncidentURL = ""; // portal base URL goes here (the value is not reproduced in this post)
AzureActivity
| where _ResourceId has "Microsoft.SecurityInsights" and _ResourceId has "incidents"
| summarize by _ResourceId
| extend IncidentLINK = strcat(IncidentURL, _ResourceId)
| distinct IncidentLINK
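The same filter, dedup and strcat logic, written in Python as an added example for the Playbook side of the workflow (this is not code from the original post). It parses a handful of constructed AzureActivity _ResourceId values, keeps only the ones that are Sentinel incidents, and builds one link per incident. The ARM resource path shape used by the regex, the sample IDs and the base URL are assumptions of this example; the post itself leaves the base URL empty.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample rows standing in for AzureActivity._ResourceId values.
SAMPLE_RESOURCE_IDS = [
    "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-sec"
    "/providers/Microsoft.OperationalInsights/workspaces/ws-sentinel"
    "/providers/Microsoft.SecurityInsights/incidents/11111111-1111-1111-1111-111111111111",
    # Duplicate of the first row: AzureActivity logs several events per incident.
    "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-sec"
    "/providers/Microsoft.OperationalInsights/workspaces/ws-sentinel"
    "/providers/Microsoft.SecurityInsights/incidents/11111111-1111-1111-1111-111111111111",
    # A SecurityInsights resource that is not an incident and must be dropped.
    "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-sec"
    "/providers/Microsoft.OperationalInsights/workspaces/ws-sentinel"
    "/providers/Microsoft.SecurityInsights/alertRules/22222222-2222-2222-2222-222222222222",
    # Unrelated activity row.
    "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-vm"
    "/providers/Microsoft.Compute/virtualMachines/vm01",
]

# Placeholder base URL; substitute the real portal prefix in your own Playbook.
PLACEHOLDER_BASE_URL = "https://portal.example.invalid/#incident"

# Assumed ARM path shape for a Sentinel incident. Stricter than the KQL
# `has` checks: it rejects anything that merely contains the two words.
INCIDENT_ID_RE = re.compile(
    r"""^/subscriptions/(?P<sub>[0-9a-fA-F-]{36})
        /resourceGroups/(?P<rg>[^/]+)
        /providers/Microsoft\.OperationalInsights/workspaces/(?P<ws>[^/]+)
        /providers/Microsoft\.SecurityInsights/incidents/(?P<inc>[0-9a-fA-F-]{36})$""",
    re.VERBOSE,
)


@dataclass(frozen=True)
class IncidentRef:
    subscription: str
    resource_group: str
    workspace: str
    incident_id: str
    resource_id: str


def parse_incident_resource_id(resource_id: str) -> Optional[IncidentRef]:
    """Return the parsed incident reference, or None if the ID is not an incident."""
    m = INCIDENT_ID_RE.match(resource_id.strip())
    if m is None:
        return None
    return IncidentRef(m["sub"], m["rg"], m["ws"], m["inc"], m.group(0))


def build_incident_links(resource_ids: Iterable[str], base_url: str) -> List[str]:
    """Filter to incidents, dedup, and prepend the base URL (KQL: where | summarize | extend strcat | distinct)."""
    seen = set()
    links: List[str] = []
    for rid in resource_ids:
        ref = parse_incident_resource_id(rid)
        if ref is None:
            continue
        link = base_url + ref.resource_id
        if link not in seen:
            seen.add(link)
            links.append(link)
    return links


if __name__ == "__main__":
    for link in build_incident_links(SAMPLE_RESOURCE_IDS, PLACEHOLDER_BASE_URL):
        print(link)
```

Using a strict pattern instead of two substring checks means a resource group or workspace name that happens to contain the word "incidents" cannot produce a bogus link, and the parsed workspace and incident GUID are available separately if the email body needs them.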


Get it from GitHub: