// We start from the Incident
    SecurityIncident
    // Filter on the desired Incident by using the Incident Number (ID)
    | where IncidentNumber == xxxxx // add your Incident Number here
    // We get the last record for that Incident (each change on the Severity, Status, Assignemnt will create a new record for the Incident)
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    // We extract the Owner (Assigned To) username
    | extend Owner = Owner.assignedTo
    // We keep just some properties about the incident
    | project IncidentNumber, Title, Severity, Status,Owner, AlertIds
    // We create a record for each different alert that is part of the incident
    | mv-expand AlertIds
    // We convert the AlertIds from a dynamic type to a string - as we plan to use it in Join criteria, where dynamic is not permited
    | extend AlertId = tostring(AlertIds)
    // We now join with the SecurityAlert to get the details from this table based on the AlertId
    | join SecurityAlert on $left.AlertId == $right.SystemAlertId
    // We extract the Custom Details for each alert (as these might contain useful information in addition with the Entities)
    | extend CustomDetails = todynamic(ExtendedProperties).["Custom Details"]
    // We prepare the results for visualizing, by choosign what colums to keep
    | project IncidentNumber,Title, Severity, Owner, Status, AlertId, Entities, CustomDetails