It's been a while since I wrote this (so test it out), but this is my method. It looks at all products, but you can filter with some adjustments.
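// Per incident, measures how long an alert took to get from the originating product
// into the SecurityAlert table and on into an incident. All durations are whole minutes.
//
// StartTime         = when the alert was first noticed (first event).
// EndTime           = ingested alerts: the time of the last event or activity included in the alert.
// ProcessingEndTime = ingested alerts: the time that the originating product completes the
//                     production of the alert (e.g. Defender XDR).
//
// Caveats when reading the output:
//  - Only SecurityAlert is limited to the last hour. SecurityIncident is bounded only by the
//    time range the query is run with, so keep that range tight on large workspaces.
//  - SecurityIncident holds one record per incident update; the summarize below keeps the
//    most recent record for each IncidentNumber.
//  - The alert-level columns (AlertName, StartTime, EndTime, ProcessingEndTime, ingest_,
//    ProductProcessingMin, sentinelIngestionDelayinMinutes_) come from a single alert of the
//    incident. When an incident has several alerts in the window, which one is kept is not
//    defined, so treat these as a sample rather than a worst case.
SecurityIncident
// One row per (incident record, alert id). Only AlertIds is needed for the join, so the
// other dynamic columns are left unexpanded to avoid multiplying rows.
| mv-expand AlertIds to typeof(string)
| join kind=inner
(
    SecurityAlert
    | where TimeGenerated > ago(1h)
    // To look at a single product, add a filter on ProductName here.
    // ingestion_time() has to be read while still directly on the table.
    | extend ingest_ = ingestion_time()
    | extend ProductProcessingMin = datetime_diff('minute', ProcessingEndTime, EndTime),
             sentinelIngestionDelayinMinutes_ = datetime_diff('minute', ingest_, ProcessingEndTime)
    // Carry only what the final projection and the join key need.
    | project SystemAlertId, AlertName, StartTime, EndTime, ProcessingEndTime, ingest_,
              ProductProcessingMin, sentinelIngestionDelayinMinutes_
) on $left.AlertIds == $right.SystemAlertId
// Collapse to one row per incident: latest incident record plus the number of distinct
// alerts from the last hour that matched it.
| summarize AlertCount = dcount(AlertIds), arg_max(TimeGenerated, *) by IncidentNumber
// datetime_diff returns (second argument - third argument). sentinelIngestiontoCreated_ is
// therefore ingest_ minus CreatedTime and is negative when the alert record was ingested
// before the incident's CreatedTime.
| extend sentinelIngestiontoCreated_ = datetime_diff('minute', ingest_, CreatedTime),
         InvestigationElapsedTime_ = datetime_diff('minute', LastModifiedTime, CreatedTime)
| project StartTime, EndTime, ProcessingEndTime, TimeGenerated, ingest_, ProductProcessingMin,
          sentinelIngestionDelayinMinutes_, IncidentNumber, AlertName, FirstActivityTime, LastModifiedTime,
          CreatedTime
          , InvestigationElapsedTime_
          , sentinelIngestiontoCreated_
          , AlertCount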