Differentiate XDR and SIEM incidents
After onboarding to the unified SIEM and XDR portal, the incident status and history log table changes and every incident is attributed to Defender XDR. We need a new approach to differentiate between Sentinel and Defender incidents.
Another quick article, another nitpicking topic. 😄
Before onboarding Sentinel to the unified SIEM and XDR portal, the incident history Log Analytics table SecurityIncident clearly showed whether an incident came from the source product Sentinel or from Defender.
After onboarding to the unified portal, all incidents are marked as “Defender XDR”.
This is problematic if you want to do SecOps metric reporting, or have other needs to differentiate between SIEM and XDR detections and incidents.
I wish there were a proper column to identify the source product, but for now we have to work around this.
One way to do this is to inspect the RelatedAnalyticRuleIds column, as it contains data only for SIEM detections. If the column holds an empty array (there are no related analytics rules), the incident comes from Defender.
Usage examples below, as used in the Sentinel UI and in an Azure Workbook:
// List incident history rows with their derived source product
SecurityIncident
| extend Source = case(RelatedAnalyticRuleIds != "[]", "Microsoft Sentinel", RelatedAnalyticRuleIds == "[]", "Defender XDR", "Other")
| project TimeGenerated, Title, Source, RelatedAnalyticRuleIds

// Count closed incidents per source, keeping one row per incident (its latest history entry)
SecurityIncident
| where Status == "Closed"
| extend Source = case(RelatedAnalyticRuleIds != "[]", "Microsoft Sentinel", RelatedAnalyticRuleIds == "[]", "Defender XDR", "Other")
| summarize arg_max(TimeGenerated, Source) by IncidentNumber, Title
| summarize count() by Source
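As an added example that is not part of the original post, the query below builds on the same RelatedAnalyticRuleIds heuristic to produce the per-source SecOps metrics the article motivates (volume, classification and time to close), deduplicating the history table so each incident counts once. It assumes RelatedAnalyticRuleIds is a dynamic array (so array_length() is equivalent to the "[]" comparison above) and that the standard SecurityIncident columns CreatedTime, ClosedTime, Status and Classification are present.

```kql
// Added example (not from the original post): per-source SecOps metrics from SecurityIncident.
// Source attribution follows the article's heuristic: a non-empty RelatedAnalyticRuleIds array
// means a Sentinel analytics rule created the incident, otherwise it came from Defender XDR.
SecurityIncident
| where TimeGenerated > ago(30d)
// The table is a history log; keep only the latest row per incident so each incident counts once
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| extend Source = iff(array_length(RelatedAnalyticRuleIds) > 0, "Microsoft Sentinel", "Defender XDR")
// Time to close is only meaningful for incidents that were actually closed
| extend TimeToClose = iff(Status == "Closed" and isnotnull(ClosedTime), ClosedTime - CreatedTime, timespan(null))
| summarize
    Incidents = count(),
    Open = countif(Status != "Closed"),
    Closed = countif(Status == "Closed"),
    TruePositive = countif(Classification == "TruePositive"),
    BenignPositive = countif(Classification == "BenignPositive"),
    FalsePositive = countif(Classification == "FalsePositive"),
    MedianTimeToClose = percentile(TimeToClose, 50),
    AvgTimeToClose = avg(TimeToClose)
    by Source
| order by Incidents desc
```

The 30-day window filters on TimeGenerated of the latest history row, so an older incident that was updated within the window is included; change the filter to CreatedTime if you want to report on incidents opened in that period instead.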