Sentinel Incident KQL

Question

Sentinel Incident KQL

SUNOJ KUMAR YELURU 18,166 MVP Volunteer Moderator

Hi,

My exisiting KQL, here i want to include only hostname

SecurityIncident
| where CreatedTime between (datetime(2026-03-17) .. datetime(2026-03-23))
| where Status contains "Closed"
| project
    IncidentNumber,
    LastModifiedTime,
    CreatedTime,
    Title,
    Severity,
    Status,
    Owner,
    Classification,
    ClassificationReason,
    ClassificationComment

0 comments

Answer accepted by question author

0 additional answers

Your answer

Answer 1

VEMULA SRISAI 11,330 Microsoft External Staff Moderator

Hello SUNOJ KUMAR YELURU,

In Sentinel, SecurityIncident doesn’t expose Entities anymore—it only stores the linked alert references in AlertIds. To get hostnames, you need to expand AlertIds and join with SecurityAlert, because SecurityAlert is the table that contains Entities (and the join key is SystemAlertId).

https://learn.microsoft.com/en-in/azure/sentinel/entities-reference?

https://learn.microsoft.com/en-us/azure/sentinel/security-alert-schema

Use the below query to return only hostnames for Closed incidents in your date range:

SecurityIncident
| where CreatedTime between (datetime(2026-03-17) .. datetime(2026-03-23))
| where Status has "Closed"
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| mv-expand AlertIds to typeof(string)
| join kind=inner (
    SecurityAlert
    | project SystemAlertId, Entities
) on $left.AlertIds == $right.SystemAlertId
| extend E = todynamic(Entities)
| mv-expand E
| where tostring(E.Type) =~ "host"
| extend Hostname = coalesce(tostring(E.HostName), tostring(E.FQDN), tostring(E.Name))
| where isnotempty(Hostname)
| distinct Hostname
| order by Hostname asc

Note: If an incident’s underlying alerts don’t contain a Host entity, no hostname will be returned (connector/provider dependent).

SUNOJ KUMAR YELURU 18,166 Reputation points MVP Volunteer Moderator

2026-03-27T07:42:07.5933333+00:00

Hi @VEMULA SRISAI,

Thanks,

And, I want to include in KQL "Owner" details can i have KQL for this one.

VEMULA SRISAI 11,330 Microsoft External Staff Moderator

Yes,you can include Owner details. In Microsoft Sentinel, Owner is stored in the SecurityIncident table (as a dynamic object like Owner.assignedTo), while host information (Entities) is available in SecurityAlert, so you must extract Owner from SecurityIncident first and then join to SecurityAlert via AlertIds ↔ SystemAlertId.

Kusto

SecurityIncident
| where CreatedTime between (datetime(2026-03-17) .. datetime(2026-03-23))
| where Status == "Closed"
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| extend OwnerName = tostring(Owner.assignedTo)
| mv-expand AlertIds to typeof(string)
| join kind=inner (
    SecurityAlert
    | project SystemAlertId, Entities
) on $left.AlertIds == $right.SystemAlertId
| extend E = todynamic(Entities)
| mv-expand E
| where tostring(E.Type) =~ "host"
| extend Hostname = coalesce(tostring(E.HostName), tostring(E.FQDN), tostring(E.Name))
| where isnotempty(Hostname)
| project IncidentNumber, OwnerName, Hostname
| distinct IncidentNumber, OwnerName, Hostname
| order by IncidentNumber desc

Share via

Sentinel Incident KQL

0 additional answers

Your answer