You can usually find entities in the SecurityAlert table. This example looks at the IP entity of each alert linked to an incident and extracts its CountryCode:
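// For the latest record of each incident, list the IP entities of its alerts
// that carry a CountryCode.
SecurityIncident
// Keep only the most recent row per incident. The "*" was missing on the page
// (most likely stripped by formatting); without it the query does not parse.
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// Text between the brackets of the AlertIds array; not used further down.
// Verbatim string (@"...") so the regex backslashes are taken literally, and
// ".*?" restored so the capture is not limited to a single character.
| extend Alerts = extract(@"\[(.*?)\]", 1, tostring(AlertIds))
// One row per alert id, typed as string so it can be compared with SystemAlertId.
| mv-expand AlertIds to typeof(string)
// No kind= is given, so this is the default innerunique join, which
// de-duplicates left-side rows on the join key.
| join
(
    SecurityAlert
    // Entities is parsed as JSON and expanded to one row per entity.
    | extend AlertEntities = parse_json(Entities)
    | mv-expand AlertEntities
    | where isnotempty(AlertEntities)
    | where AlertEntities.Type == "ip"
    | extend Entity = tostring(AlertEntities.Address)
    // Location is a nested object; it is not present on every IP entity.
    | extend CountryCode_ = tostring(parse_json(tostring(AlertEntities.Location)).CountryCode)
) on $left.AlertIds == $right.SystemAlertId
// Drop IP entities that came without a country code.
| where isnotempty(CountryCode_)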