This is the closest I've been able to achieve. I do get some only drift in my Sentinel which shows a few incidents closed in the UI but showing as Active in the query.
Note, the UI does look back longer for SecurityAlerts (hence the 180days)
SecurityIncident
| where TimeGenerated > ago(1d)
| where Status in('New','Active')
| extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds))
| mv-expand AlertIds to typeof(string), Labels to typeof(string), Comments to typeof(string), AdditionalData to typeof(string)
| join kind=inner
(
SecurityAlert
| where TimeGenerated > ago(180d)
) on $right.SystemAlertId == $left.AlertIds
| summarize AlertCount=dcount(AlertIds),
arg_max
(
TimeGenerated, *)
by IncidentNumber