Direct linking to Microsoft Sentinel incidents in the unified portal
This might be the smallest thing I've ever written about here, but anyhow. If you've onboarded to the SIEM & XDR unified portal, you may wonder how to generate direct links to Sentinel incidents.
Having working links to Microsoft Sentinel incidents is a common and basic request when doing automation and integration to external systems such as Microsoft Teams or a ticketing system.
When building integrations with Azure Logic Apps, the Sentinel incident trigger has two options for providing the incident links:
The first one (Incident URL) which links to Sentinel in Azure portal, has been here for a long time and works as expected.
The second one (Provider Incident Url) is new and should provide us a link to the Sentinel incident in the Unified SIEM + XDR portal.
However, it seems that the Provider Incident Url is not actually working yet. At least in any tenant I have access to, this property always stays empty or generates incorrect links.
Until this problem is fixed, some manual tweaking in the Logic Apps is required if you want to get working links to the Unified portal.
We need to find the unified portal incident id from the Sentinel incident trigger outputs and generate the link ourselves.
From the Sentinel incident outputs, you can find the right incident id as property providerIncidentId.
In Logic App code you can reference providerIncidentId as follows:
"@{triggerBody()?['object']?['properties']?['providerIncidentId']}"
Using that and the tenant id, the unified portal link can be generated in this format:
https://security.microsoft.com/incident2/@{triggerBody()?['object']?['properties']?['providerIncidentId']}/overview?tid=[tenant id here]
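As an added example (not code from the original post), here is the same lookup and link construction done in Python, so it can be unit-tested outside the Logic App: it mirrors the null-safe ?[] traversal of the trigger output, returns None when providerIncidentId is absent or empty (the same situation in which Provider Incident Url is empty) so the automation can fall back to the Azure portal Incident URL instead of sending a broken link, and insists that the tenant id is a GUID before placing it in the query string. The trigger body and the GUIDs are constructed sample values.

```python
import re
import uuid
from typing import Any, Optional

# Constructed sample of what the Sentinel incident trigger hands to the Logic App
# (shape only; the ids below are made up, not a real tenant or incident).
SAMPLE_TRIGGER_BODY = {
    "object": {
        "properties": {
            "title": "Suspicious sign-in from unfamiliar location",
            "severity": "Medium",
            "providerIncidentId": "12345",
        }
    }
}

# Link format from the post: unified portal incident page, tenant id in the query string.
UNIFIED_PORTAL_URL = "https://security.microsoft.com/incident2/{incident_id}/overview?tid={tenant_id}"


def get_provider_incident_id(trigger_body: dict) -> Optional[str]:
    """Mirror the null-safe Logic Apps expression
    triggerBody()?['object']?['properties']?['providerIncidentId']:
    a missing level yields None instead of raising, and an empty value counts as missing."""
    value: Any = trigger_body
    for key in ("object", "properties", "providerIncidentId"):
        if not isinstance(value, dict):
            return None
        value = value.get(key)
    if value is None or str(value).strip() == "":
        return None
    return str(value)


def build_unified_portal_link(trigger_body: dict, tenant_id: str) -> Optional[str]:
    """Return the unified portal link, or None when the trigger output carries no
    providerIncidentId, so the caller can fall back to the Azure portal Incident URL."""
    try:
        tid = str(uuid.UUID(tenant_id))  # normalise and reject anything that is not a GUID
    except ValueError:
        raise ValueError(f"tenant_id is not a GUID: {tenant_id!r}") from None
    incident_id = get_provider_incident_id(trigger_body)
    if incident_id is None:
        return None
    # The id becomes a path segment: only allow the characters an incident id may contain.
    if not re.fullmatch(r"[A-Za-z0-9-]+", incident_id):
        raise ValueError(f"unexpected providerIncidentId: {incident_id!r}")
    return UNIFIED_PORTAL_URL.format(incident_id=incident_id, tenant_id=tid)


if __name__ == "__main__":
    print(build_unified_portal_link(SAMPLE_TRIGGER_BODY, "00000000-0000-0000-0000-000000000001"))
```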
Now we can use this link in our automation wherever we need it and get working links to the Unified portal too, as shown in the Teams message example here:
Simple stuff, but I’ve seen this discussed many times so hopefully it helps.