KQL Query to get top 10 user accounts seen in Alerts for the last 30 days

Question

We are looking to create a query that finds the top 10 user accounts that are associated to Sentinel Incidents so we can track common users.

However, entities of the incident are only in the security alerts table so using that table will skew the numbers and not match the number of incidents. Is there any way to to say only count the Entity account name if the security alert is tied to an IncidentID and only count that as 1? Since the user may be in multiple security alerts that make up 1 incident it skews the numbers as well.

Here is an example from one of Microsoft's built in workbooks. But using this there are a lot of duplicate rows and skewed counts

SecurityAlert
| where "{AlertSeverity:lable}" == "All" or AlertSeverity in ({AlertSeverity})
| where "{ProductName:lable}" == "All" or ProductName in ({ProductName})
| where AlertSeverity == '{AlertSeverityPicker}' or '{AlertSeverityPicker}' == "All"
| where ProductName == '{ProductNamePicker}' or '{ProductNamePicker}' == "All"
| extend Entities = iff(isempty(Entities), todynamic('[{"dummy" : ""}]'), todynamic(Entities))
| mvexpand Entities
| evaluate bag_unpack(Entities, "Entity_")
| extend Entity_Type = columnifexists("Entity_Type", "")
| extend Entity_Name = columnifexists("Entity_Name", "")
| extend Entity_ResourceId = columnifexists("Entity_ResourceId", "")
| extend Entity_Directory = columnifexists("Entity_Directory", "")
| extend Entity_Value = columnifexists("Entity_Value", "")
| extend Entity_HostName = columnifexists("Entity_HostName", "")
| extend Entity_Address = columnifexists("Entity_Address", "")
| extend Entity_ProcessId = columnifexists("Entity_ProcessId", "")
| extend Entity_Url = columnifexists("Entity_Url", "")
| extend Target = iif(Entity_Type == "account", Entity_Name, iif(Entity_Type == "azure-resource", Entity_ResourceId, iif(Entity_Type == "cloud-application", Entity_Name, iif(Entity_Type == "dns", Entity_Name, iif(Entity_Type == "file", strcat(Entity_Directory, "\\", Entity_Name), iif(Entity_Type == "filehash", Entity_Value, iif(Entity_Type == "host", Entity_HostName, iif(Entity_Type == "ip" , Entity_Address, iif(Entity_Type == "malware", Entity_HostName, iif(Entity_Type == "network-connection", Entity_Name, iif(Entity_Type == "process", Entity_ProcessId, iif(Entity_Type == "registry-key", Entity_Name, iif(Entity_Type == "registry-value", Entity_Name, iif(Entity_Type == "security-group", Entity_Name, iif(Entity_Type == "url", Entity_Url, "NoTarget")))))))))))))))
| where Entity_Type in ("account", "host", "ip", "url", "azure-resource", "cloud-application", "dns", "file", "filehash", "malware", "network-connection", "process", "registry-key", "registry-value", "security-group")
| summarize count() by bin(TimeGenerated, 1d), Target, Entity_Type
| project-away TimeGenerated
| order by count_ desc

Answer 1

The top 6 are listed on the Entity Behavior Page....

There is a Security Alerts workbook in the SOC Handbook solution. This has an alerts by entity view that is close. You can probably grab that query as a base.