Extract all Azure Sentinel incidents

I got asked by a few readers after reading this article if there was a way to extract all incidents in Azure Sentinel so they could conduct a report and send out to their managers.

In this article, let’s see if we can get all incidents and put them in a friendly CSV report.

[Update 11/20/2021] You now have a much better way to get all incidents without using Azure API or running a complex script. Incidents are stored in a table called SecurityIncident in the Log Analytics workspace that your Azure Sentinel is connected to. You can just run the query to get it.

[Updated 03/18/2020]  There is an article about a new Azure Sentinel incident API you are recommended to check out https://azsec.azurewebsites.net/2020/03/18/quick-look-at-new-azure-sentinel-incident-api/

The API used in this article is unofficial API and is still in preview. Use at your own risk.

TL;DR: You can skip this article and use the script from here https://github.com/azsec/azure-sentinel-tools/tree/master/scripts

Azure Sentinel API – Incident

In fact the term “incident” is not the original one when Microsoft introduced Azure Sentinel (formerly Azure Security Insight). The original term was “Case“. Alright then we have an API for Case. Below is the request Uri for Azure Sentinel API – Incident

https://management.azure.com" + $workspaceId + "/providers/Microsoft.SecurityInsights/cases?api-version=2019-01-01-preview"

• WorkspaceId is the Id of the Log Analytics workspace that Azure Sentinel connects to.

This API accepts GET method. Below is the sample response’s value of the Invoke-RestMethod function against the Uri.

id         : /subscriptions/67d6179d-a99d-4ccd-8c56-4d3ff2e13349/resourceGroups/security-services-rg/providers/Microsoft.OperationalInsights
             /workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Cases/b49a2dce-3365-4a96-8743-84a20e05083f
name       : b49a2dce-3365-4a96-8743-84a20e05083f
etag       : "0f00d2ca-0000-0100-0000-5df087420000"
type       : Microsoft.SecurityInsights/Cases
properties : @{title=Azure Security Center test alert (not a threat); description=This is a test alert generated by Azure Security Center.
             No further action is needed.; severity=High; status=New; labels=System.Object[]; endTimeUtc=2019-12-11T06:05:27.4961705Z;
             startTimeUtc=2019-12-11T06:05:27.4961705Z; owner=; lastUpdatedTimeUtc=2019-12-11T06:05:54Z;
             createdTimeUtc=2019-12-11T06:05:54.615849Z; relatedAlertIds=System.Object[]; relatedAlertProductNames=System.Object[];
             caseNumber=9; totalComments=0; metrics=; firstAlertTimeGenerated=2019-12-11T06:05:51.0376295Z;
             lastAlertTimeGenerated=2019-12-11T06:05:51.0376295Z}

id         : /subscriptions/67d6179d-a99d-4ccd-8c56-4d3ff2e13349/resourceGroups/security-services-rg/providers/Microsoft.OperationalInsights
             /workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Cases/b7eb0c0a-fb6b-4895-a249-6138b2ddd929
name       : b7eb0c0a-fb6b-4895-a249-6138b2ddd929
etag       : "0f00d1ca-0000-0100-0000-5df087420000"
type       : Microsoft.SecurityInsights/Cases
properties : @{title=Potential attempt to bypass AppLocker detected; description=Analysis of host data on %{Compromised Host} detected a
             potential attempt to bypass AppLocker restrictions. AppLocker can be configured to implement a policy that limits what
             executables are allowed to run on a Windows system. The command line pattern similar to that identified in this alert has been
             previously associated with attacker attempts to circumvent AppLocker policy by using trusted executables (allowed by AppLocker
             policy) to execute untrusted code. This could be legitimate activity, or an indication of a compromised host.; severity=High;
             status=New; labels=System.Object[]; endTimeUtc=2019-12-11T06:05:33.302217Z; startTimeUtc=2019-12-11T06:05:33.302217Z; owner=;
             lastUpdatedTimeUtc=2019-12-11T06:05:54Z; createdTimeUtc=2019-12-11T06:05:54.1727595Z; relatedAlertIds=System.Object[];
             relatedAlertProductNames=System.Object[]; caseNumber=8; totalComments=0; metrics=;
             firstAlertTimeGenerated=2019-12-11T06:05:51.0376295Z; lastAlertTimeGenerated=2019-12-11T06:05:51.0376295Z}

What would you need?

Below would be your expected output:

• Incident ID: this is very important because it shall be used when you need to get specific incident. Name can be similar but this ID is unique.
• Title: name of that incident
• Incident number: it is incremental number when an incident is created.
• Incident severity: severity of an incident (Low, Medium, High, Critical)
• Status: status of an incident (New, In Progress, Closed)
• Incident label: it is like a tag.
• Close Reason: a close status (False Positive, True Positive)
• Owner: name of the person who is assigned to work on an incident
• Owner email: email of the assignee. This field is retrieved from AAD user profile.
• Time Generated: alert time generated, incident time generated…
• Total comment: it is the total number of comments in each incident.

And of course the script gives all of these for you. Enjoy!

Some of other articles related to Azure Sentinel you might want to check out:

• Transform Azure Sentinel incident to Log Analytics Workspace with Logic App
• Update Azure Sentinel incident programatically
• Parse ExtendedProperty in Azure Sentinel alert for Logic App use
• Notify Azure Sentinel alert to your email automatically
• Authenticate with Log Analytics workspace interactively in Azure Sentinel notebooks
• Get started with Azure Sentinel Notebooks
• Create a fully customized Azure Sentinel incident
• Demystify alert generated by Azure Sentinel versus other 3rd products
• Delete an Azure Sentinel incident (from ASC)
• Azure Sentinel ARM Template
• Extract all Azure Sentinel incidents
• Connect Azure Security Center to Azure Sentinel programatically
• Working with Azure Security Center Alert from Azure Sentinel
• Thoughts on Azure Sentinel