Extract all Azure Sentinel incidents

After reading this article, a few readers asked me whether there was a way to extract all incidents in Azure Sentinel so they could produce a report and send it to their managers.

In this article, let’s see if we can get all incidents and put them in a friendly CSV report.

[Update 11/20/2021] You now have a much better way to get all incidents without using Azure API or running a complex script. Incidents are stored in a table called SecurityIncident in the Log Analytics workspace that your Azure Sentinel is connected to. You can just run the query to get it.

[Updated 03/18/2020] There is an article about a new Azure Sentinel incident API that you should check out: https://azsec.azurewebsites.net/2020/03/18/quick-look-at-new-azure-sentinel-incident-api/

The API used in this article is an unofficial API and is still in preview. Use at your own risk.

TL;DR: You can skip this article and use the script from here https://github.com/azsec/azure-sentinel-tools/tree/master/scripts

Azure Sentinel API – Incident

“Incident” is not the term Microsoft originally used when it introduced Azure Sentinel (formerly Azure Security Insight). The original term was “Case”, so the API we have is an API for cases. Below is the request URI for the Azure Sentinel incident API:

$uri = "https://management.azure.com" + $workspaceId + "/providers/Microsoft.SecurityInsights/cases?api-version=2019-01-01-preview"
  • $workspaceId is the resource ID of the Log Analytics workspace that Azure Sentinel connects to. It is appended directly after the host name, so it starts with /subscriptions/.

This API accepts the GET method. Below is a sample of the value property of the response returned by Invoke-RestMethod against that URI.

id         : /subscriptions/67d6179d-a99d-4ccd-8c56-4d3ff2e13349/resourceGroups/security-services-rg/providers/Microsoft.OperationalInsights
name       : b49a2dce-3365-4a96-8743-84a20e05083f
etag       : "0f00d2ca-0000-0100-0000-5df087420000"
type       : Microsoft.SecurityInsights/Cases
properties : @{title=Azure Security Center test alert (not a threat); description=This is a test alert generated by Azure Security Center.
             No further action is needed.; severity=High; status=New; labels=System.Object[]; endTimeUtc=2019-12-11T06:05:27.4961705Z;
             startTimeUtc=2019-12-11T06:05:27.4961705Z; owner=; lastUpdatedTimeUtc=2019-12-11T06:05:54Z;
             createdTimeUtc=2019-12-11T06:05:54.615849Z; relatedAlertIds=System.Object[]; relatedAlertProductNames=System.Object[];
             caseNumber=9; totalComments=0; metrics=; firstAlertTimeGenerated=2019-12-11T06:05:51.0376295Z;

id         : /subscriptions/67d6179d-a99d-4ccd-8c56-4d3ff2e13349/resourceGroups/security-services-rg/providers/Microsoft.OperationalInsights
name       : b7eb0c0a-fb6b-4895-a249-6138b2ddd929
etag       : "0f00d1ca-0000-0100-0000-5df087420000"
type       : Microsoft.SecurityInsights/Cases
properties : @{title=Potential attempt to bypass AppLocker detected; description=Analysis of host data on %{Compromised Host} detected a
             potential attempt to bypass AppLocker restrictions. AppLocker can be configured to implement a policy that limits what
             executables are allowed to run on a Windows system. The command line pattern similar to that identified in this alert has been
             previously associated with attacker attempts to circumvent AppLocker policy by using trusted executables (allowed by AppLocker
             policy) to execute untrusted code. This could be legitimate activity, or an indication of a compromised host.; severity=High;
             status=New; labels=System.Object[]; endTimeUtc=2019-12-11T06:05:33.302217Z; startTimeUtc=2019-12-11T06:05:33.302217Z; owner=;
             lastUpdatedTimeUtc=2019-12-11T06:05:54Z; createdTimeUtc=2019-12-11T06:05:54.1727595Z; relatedAlertIds=System.Object[];
             relatedAlertProductNames=System.Object[]; caseNumber=8; totalComments=0; metrics=;
             firstAlertTimeGenerated=2019-12-11T06:05:51.0376295Z; lastAlertTimeGenerated=2019-12-11T06:05:51.0376295Z}

What would you need?

The report is expected to contain the following fields:

  • Incident ID: this is very important because it is what you use when you need to get a specific incident. Names can be similar, but this ID is unique.
  • Title: the name of the incident.
  • Incident number: an incremental number assigned when an incident is created.
  • Incident severity: the severity of an incident (Low, Medium, High, Critical).
  • Status: the status of an incident (New, In Progress, Closed).
  • Incident label: it works like a tag.
  • Close Reason: the close status (False Positive, True Positive).
  • Owner: the name of the person who is assigned to work on an incident.
  • Owner email: the email of the assignee. This field is retrieved from the AAD user profile.
  • Time Generated: alert time generated, incident time generated…
  • Total comment: the total number of comments in each incident.

And of course the script gives all of these for you. Enjoy!
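As an added illustration (not the author's script and not code from the linked repository), the sketch below flattens a cases response into the report columns listed above and writes a CSV. The sample JSON is constructed from the response shown earlier, the owner sub-properties `name` and `email` are assumed names, and `Protect-CsvCell` and `ConvertTo-IncidentRow` are hypothetical helpers; cells starting with a formula character are prefixed because titles and labels originate from alert data and the report is likely to be opened in a spreadsheet.

```powershell
# Constructed sample shaped like the cases response shown above (not real data).
$sampleJson = @'
{ "value": [
  { "name": "b49a2dce-3365-4a96-8743-84a20e05083f",
    "properties": { "title": "Azure Security Center test alert (not a threat)",
      "severity": "High", "status": "New", "labels": [], "owner": null,
      "caseNumber": 9, "totalComments": 0,
      "createdTimeUtc": "2019-12-11T06:05:54.615849Z" } },
  { "name": "00000000-0000-0000-0000-000000000001",
    "properties": { "title": "=constructed title that starts with a formula character",
      "severity": "Low", "status": "Closed", "labels": ["triage", "test"],
      "owner": { "name": "Example Analyst", "email": "analyst@example.com" },
      "caseNumber": 10, "totalComments": 2,
      "createdTimeUtc": "2019-12-12T08:00:00Z" } }
] }
'@

function Protect-CsvCell {
    param([string]$Value)
    # Titles and labels come from alert data; stop spreadsheets evaluating them as formulas.
    if ($Value -match '^[=+\-@]') { return "'" + $Value }
    return $Value
}

function ConvertTo-IncidentRow {
    param([Parameter(ValueFromPipeline)]$Case)
    process {
        $p = $Case.properties
        [pscustomobject]@{
            IncidentId     = $Case.name                       # the GUID in the "name" field
            Title          = Protect-CsvCell $p.title
            IncidentNumber = $p.caseNumber
            Severity       = $p.severity
            Status         = $p.status
            Labels         = Protect-CsvCell ($p.labels -join ';')
            Owner          = Protect-CsvCell $p.owner.name    # assumed property name
            OwnerEmail     = Protect-CsvCell $p.owner.email   # assumed property name
            CreatedTimeUtc = $p.createdTimeUtc
            TotalComments  = $p.totalComments
        }
    }
}

# Live use (assumes $uri holds the request URI above and $token a bearer token):
#   (Invoke-RestMethod -Uri $uri -Headers @{ Authorization = "Bearer $token" }).value
$rows = ($sampleJson | ConvertFrom-Json).value | ConvertTo-IncidentRow
$rows | Export-Csv -Path .\sentinel-incidents.csv -NoTypeInformation -Encoding UTF8
$rows | Format-Table IncidentNumber, Severity, Status, Title
```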


5 Responses to Extract all Azure Sentinel incidents


  4. Hi,

    It’s my first time on your web site and I found what I was looking for regarding Sentinel. It’s a great job and it’s really appreciated. Keep up the good work!

    Jean Luc
