Investigating SecurityIncident: Five Alerts. One Incident.
The alerts looked unrelated.
A phishing email.
A risky sign-in.
An unusual PowerShell command.
Separate alerts.
One attack.
SecurityIncident revealed the connection.
Lesson overview
Learn how IdentityInfo helps defenders understand who an account belongs to, what access it has and how much risk it represents.
Why SecurityIncident matters
Investigation scenario
Step 1 — Review recent incidents
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
SecurityIncident | where Timestamp > ago(7d) | project Timestamp, IncidentNumber, Title, Severity, Status, Owner, Classification, LastModifiedTime | order by Timestamp desc
Step 2 — Review high severity incidents
- 1
- 2
- 3
- 4
- 5
- 6
SecurityIncident | where Timestamp > ago(30d) | where Severity == "High" | project IncidentNumber, Title, Severity, Status, Owner, LastModifiedTime | order by LastModifiedTime desc
Step 3 — Find open incidents
- 1
- 2
- 3
- 4
- 5
- 6
SecurityIncident | where Timestamp > ago(14d) | where Status != "Resolved" | project IncidentNumber, Title, Severity, Status, Owner | order by Severity desc, IncidentNumber desc
Step 4 — Investigate one incident
- 1
- 2
- 3
- 4
- 5
let TargetIncident = 12345; SecurityIncident | where IncidentNumber == TargetIncident | project Timestamp, IncidentNumber, Title, Severity, Status, Description, Entities
Step 5 — Identify affected entities
- 1
- 2
- 3
- 4
- 5
- 6
- 7
let TargetIncident = 12345; SecurityIncident | where IncidentNumber == TargetIncident | project IncidentNumber, Title, Severity, Entities | extend EntitiesText = tostring(Entities)
Step 6 — Build the incident timeline
- 1
- 2
- 3
- 4
- 5
- 6
- 7
let TargetIncident = 12345; SecurityIncident | where IncidentNumber == TargetIncident | project IncidentNumber, Title, Severity, FirstActivityTime, LastActivityTime, CreatedTime, LastModifiedTime
