I got asked by a few readers after reading this article if there was a way to extract all incidents in Azure Sentinel so they could conduct a report and send out to their managers.
In this article, let’s see if we can get all incidents and put them in a friendly CSV report.
The API used in this article is unofficial API and is still in preview. Run at your own risk.
TL;DR: You can skip this article and use the script from here https://github.com/azsec/azure-sentinel-tools/tree/master/scripts
Azure Sentinel API – Incident
In fact the term “incident” is not the original one when Microsoft introduced Azure Sentinel (formerly Azure Security Insight). The original term was “Case“. Alright then we have an API for Case. Below is the request Uri for Azure Sentinel API – Incident
|
1 |
https://management.azure.com" + $workspaceId + "/providers/Microsoft.SecurityInsights/cases?api-version=2019-01-01-preview" |
- WorkspaceId is the Id of the Log Analytics workspace that Azure Sentinel connects to.
This API accepts GET method. Below is the sample response’s value of the Invoke-RestMethod function against the Uri.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
id : /subscriptions/67d6179d-a99d-4ccd-8c56-4d3ff2e13349/resourceGroups/security-services-rg/providers/Microsoft.OperationalInsights /workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Cases/b49a2dce-3365-4a96-8743-84a20e05083f name : b49a2dce-3365-4a96-8743-84a20e05083f etag : "0f00d2ca-0000-0100-0000-5df087420000" type : Microsoft.SecurityInsights/Cases properties : @{title=Azure Security Center test alert (not a threat); description=This is a test alert generated by Azure Security Center. No further action is needed.; severity=High; status=New; labels=System.Object[]; endTimeUtc=2019-12-11T06:05:27.4961705Z; startTimeUtc=2019-12-11T06:05:27.4961705Z; owner=; lastUpdatedTimeUtc=2019-12-11T06:05:54Z; createdTimeUtc=2019-12-11T06:05:54.615849Z; relatedAlertIds=System.Object[]; relatedAlertProductNames=System.Object[]; caseNumber=9; totalComments=0; metrics=; firstAlertTimeGenerated=2019-12-11T06:05:51.0376295Z; lastAlertTimeGenerated=2019-12-11T06:05:51.0376295Z} id : /subscriptions/67d6179d-a99d-4ccd-8c56-4d3ff2e13349/resourceGroups/security-services-rg/providers/Microsoft.OperationalInsights /workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Cases/b7eb0c0a-fb6b-4895-a249-6138b2ddd929 name : b7eb0c0a-fb6b-4895-a249-6138b2ddd929 etag : "0f00d1ca-0000-0100-0000-5df087420000" type : Microsoft.SecurityInsights/Cases properties : @{title=Potential attempt to bypass AppLocker detected; description=Analysis of host data on %{Compromised Host} detected a potential attempt to bypass AppLocker restrictions. AppLocker can be configured to implement a policy that limits what executables are allowed to run on a Windows system. The command line pattern similar to that identified in this alert has been previously associated with attacker attempts to circumvent AppLocker policy by using trusted executables (allowed by AppLocker policy) to execute untrusted code. This could be legitimate activity, or an indication of a compromised host.; severity=High; status=New; labels=System.Object[]; endTimeUtc=2019-12-11T06:05:33.302217Z; startTimeUtc=2019-12-11T06:05:33.302217Z; owner=; lastUpdatedTimeUtc=2019-12-11T06:05:54Z; createdTimeUtc=2019-12-11T06:05:54.1727595Z; relatedAlertIds=System.Object[]; relatedAlertProductNames=System.Object[]; caseNumber=8; totalComments=0; metrics=; firstAlertTimeGenerated=2019-12-11T06:05:51.0376295Z; lastAlertTimeGenerated=2019-12-11T06:05:51.0376295Z} |
What would you need?
Below would be your expected output:
- Incident ID: this is very important because it shall be used when you need to get specific incident. Name can be similar but this ID is unique.
- Title: name of that incident
- Incident number: it is incremental number when an incident is created.
- Incident severity: severity of an incident (Low, Medium, High, Critical)
- Status: status of an incident (New, In Progress, Closed)
- Incident label: it is like a tag.
- Close Reason: a close status (False Positive, True Positive)
- Owner: name of the person who is assigned to work on an incident
- Owner email: email of the assignee. This field is retrieved from AAD user profile.
- Time Generated: alert time generated, incident time generated…
- Total comment: it is the total number of comments in each incident.
And of course the script gives all of these for you. Enjoy!
Some of other articles related to Azure Sentinel you might want to check out:
Pingback: Create a fully customized Azure Sentinel incident - Microsoft Azure Security Randomness
Pingback: Update Azure Sentinel incident programatically