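// Purpose: for a single Microsoft Sentinel incident, list every alert attached to it
// together with the alert's Entities and Custom Details.
// We start from the SecurityIncident table
SecurityIncident
// Filter on the desired incident by using the Incident Number (ID)
| where IncidentNumber == xxxxx // replace xxxxx with your Incident Number
// We get the last record for that incident (each change to the Severity, Status or
// Assignment creates a new record for the incident)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// We extract the Owner (Assigned To) username
| extend Owner = Owner.assignedTo
// We keep just some properties about the incident
| project IncidentNumber, Title, Severity, Status, Owner, AlertIds
// We create a record for each different alert that is part of the incident
| mv-expand AlertIds
// We convert AlertIds from a dynamic type to a string, as we plan to use it in the
// join criteria, where dynamic is not permitted
| extend AlertId = tostring(AlertIds)
// We now join with SecurityAlert to get the alert details based on the AlertId.
// SecurityAlert can hold more than one record per SystemAlertId (an alert that is
// updated is written again), so we keep only the latest record per alert; otherwise
// the same alert would appear several times in the output.
// NOTE: this is an inner-style join, so an alert whose SecurityAlert record is outside
// the query time range (or already aged out of retention) is silently dropped from the
// results. Compare the row count with the number of AlertIds on the incident, and widen
// the time range if alerts are missing.
| join (
    SecurityAlert
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
  ) on $left.AlertId == $right.SystemAlertId
// We extract the Custom Details for each alert (these might contain useful information
// in addition to the Entities)
| extend CustomDetails = todynamic(ExtendedProperties).["Custom Details"]
// We prepare the results for visualizing, by choosing which columns to keep.
// Title, Severity and Status here are the incident's values (left side of the join).
| project IncidentNumber, Title, Severity, Owner, Status, AlertId, Entities, CustomDetails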