Extract all Azure Sentinel incidents

I got asked by a few readers after reading this article if there was a way to extract all incidents in Azure Sentinel so they could conduct a report and send out to their managers.

In this article, let’s see if we can get all incidents and put them in a friendly CSV report.

The API used in this article is unofficial API and is still in preview. Run at your own risk.

TL;DR: You can skip this article and use the script from here https://github.com/azsec/azure-sentinel-tools/tree/master/scripts

Azure Sentinel API – Incident

In fact the term “incident” is not the original one when Microsoft introduced Azure Sentinel (formerly Azure Security Insight). The original term was “Case“. Alright then we have an API for Case. Below is the request Uri for Azure Sentinel API – Incident

  • WorkspaceId is the Id of the Log Analytics workspace that Azure Sentinel connects to.

This API accepts GET method. Below is the sample response’s value of the Invoke-RestMethod function against the Uri.

What would you need?

Below would be your expected output:

  • Incident ID: this is very important because it shall be used when you need to get specific incident. Name can be similar but this ID is unique.
  • Title: name of that incident
  • Incident number: it is incremental number when an incident is created.
  • Incident severity: severity of an incident (Low, Medium, High, Critical)
  • Status: status of an incident (New, In Progress, Closed)
  • Incident label: it is like a tag.
  • Close Reason: a close status (False Positive, True Positive)
  • Owner: name of the person who is assigned to work on an incident
  • Owner email: email of the assignee. This field is retrieved from AAD user profile.
  • Time Generated: alert time generated, incident time generated…
  • Total comment: it is the total number of comments in each incident.

And of course the script gives all of these for you. Enjoy!


Some of other articles related to Azure Sentinel you might want to check out:

This entry was posted in Security Automation and tagged , . Bookmark the permalink.

2 Responses to Extract all Azure Sentinel incidents

  1. Pingback: Create a fully customized Azure Sentinel incident - Microsoft Azure Security Randomness

  2. Pingback: Update Azure Sentinel incident programatically

Leave a Reply