Plugins/Community Based Plugins/Microsoft Sentinel Custom Plugin Scenarios/FetchIncidentCommentsfromSentinel/FetchIncidentComments.yaml
Descriptor:
  Name: Fetch Sentinel incident comments
  DisplayName: Fetch Sentinel incident comments
  Description: Pull back Sentinel incident comments
SkillGroups:
  - Format: KQL
    Skills:
      - Name: SentinelIncidentComments
        DisplayName: Fetch Sentinel incident comments
        Description: Fetch Sentinel incident comments
        Inputs:
          - Name: incidentNumber
            Description: incident number
            Required: true
        Settings:
          Target: Sentinel
          TenantId: <your_tenant_ID>
          SubscriptionId: <your_subscription_ID>
          ResourceGroupName: <your_RG_name>
          WorkspaceName: <your_WS_name>
          Template: |-
            SecurityIncident
            | where TimeGenerated > ago(14d)
            | where IncidentNumber == '{{incidentNumber}}'
            | summarize arg_max(TimeGenerated, *) by IncidentNumber
            | where isnotempty(Comments) and Comments != '[]'
            | project Comments