Create a fully customized Azure Sentinel incident

There are several ways to create an incident in Azure Sentinel. One is to simulate an alert from Azure Security Center and let it flow through to become an Azure Sentinel incident. Another is to create a simple scheduled analytics rule (e.g., trigger an alert when the number of failed sign-ins is greater than 1).

You may wonder whether there is yet another way to create a fully customized Azure Sentinel incident so you can address a specific need.

TL;DR: You can skip this article and use this script to create a fully customized incident in Azure Sentinel.

Use Case

One use case for creating a fully customized incident is testing your SOAR (Security Orchestration, Automation and Response) playbooks against a specific scenario that neither a simulated ASC alert nor a scheduled analytics rule can reproduce.

Another use case is using the Azure Sentinel incident capability to store incidents that come from an external source (one that hasn’t been integrated with Azure Sentinel yet), so you have a single place from which to manage all incidents.

Azure Sentinel API – Create a new incident

To create a new incident in Azure Sentinel, you need to supply the following:

  • WorkspaceId is the resource ID of the Log Analytics workspace that Azure Sentinel is connected to.
  • Incident configuration is the JSON request body that stores the incident information. See the example below.

Below is the sample request body:

    {
        "name": "e5f4ec2c-53ec-4fe8-9590-64bc0a78dd97",
        "properties": {
            "owner": {
                "objectId": null
            },
            "labels": [
                {
                    "labelName": "SSH",
                    "labelType": "User"
                }
            ],
            "title": "New Incident",
            "description": "Test Incident",
            "status": "active",
            "severity": "Informational",
            "firstActivityTimeUtc": "2021-11-27T00:00:00Z",
            "lastActivityTimeUtc": "2021-11-27T00:00:00Z"
        }
    }

The URI used for incident creation ($workspaceId is the full resource ID of the workspace, as seen in the id field of the sample response below):

    $uri = "" + $workspaceId `
         + "/providers/Microsoft.SecurityInsights/incidents/" `
         + $incidentName `
         + "?api-version=2021-04-01"

This API accepts the PUT method. Below is the sample return value of the Invoke-RestMethod function called against that URI.

id         : /subscriptions/17c6179d-a99d-4d22-8c56-4d3aa2e13349/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Micr
name       : 66bd8bac-681a-4caa-8a29-96145e4137fe
etag       : "4b00b8b2-0000-0100-0000-5e1394fc0000"
type       : Microsoft.SecurityInsights/Cases
properties : @{title=Your virtual machine is still safe; description=..then why am I seeing this incident?; severity=High; status=New; labels=System.Object[];
             endTimeUtc=2020-06-01T00:00:00Z; startTimeUtc=2020-06-01T00:00:00Z; owner=; lastUpdatedTimeUtc=2020-01-06T20:13:48Z; createdTimeUtc=2020-01-06T20:13:48.7260396Z;
             relatedAlertIds=System.Object[]; relatedAlertProductNames=System.Object[]; caseNumber=32; totalComments=0; metrics=}

There are some things you should know when using this API:

  • You must provide the objectId (inside the owner element) of the user who is to be assigned the incident. Otherwise you will run into a 500 Internal Server Error.
  • startTimeUtc and endTimeUtc are required.
  • The incident name is actually the incident’s unique ID, so it is highly recommended that it be a GUID.
  • A custom incident has no associated alert (when you click View full details, none is shown).
  • No matter what value you put in caseNumber, the service still assigns its own incremental value.
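The whole procedure end to end, as an added example that is neither the post’s own script nor Microsoft’s sample: it builds the workspace resource ID, a GUID incident name, the request body and the URI, then PUTs it with Invoke-RestMethod. It assumes the Az.Accounts module is installed and Connect-AzAccount has been run, that the ARM endpoint is https://management.azure.com (public cloud), and that the subscription, resource group, workspace and owner objectId values are placeholders you replace.

```powershell
# Added example, not the post's script. Placeholder values below are assumptions.
$subscriptionId = "<subscription-id>"
$resourceGroup  = "<resource-group>"
$workspaceName  = "<workspace-name>"
$ownerObjectId  = "<aad-user-object-id>"   # required: a null owner returns 500

# Full ARM resource ID of the Log Analytics workspace (same shape as the id in the sample response)
$workspaceId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
               "/providers/Microsoft.OperationalInsights/workspaces/$workspaceName"

# The incident name is its unique ID, so generate a GUID instead of a free-form string
$incidentName = [guid]::NewGuid().ToString()

# ARM endpoint for Azure public cloud (assumption: change for sovereign clouds)
$uri = "https://management.azure.com" + $workspaceId +
       "/providers/Microsoft.SecurityInsights/incidents/" + $incidentName +
       "?api-version=2021-04-01"

$now = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Request body: owner, labels, timestamps and status are all supplied explicitly
$body = @{
    properties = @{
        title       = "Simulated SSH brute force (SOAR test)"
        description = "Custom incident created via REST to exercise playbooks"
        severity    = "Medium"
        status      = "New"
        owner       = @{ objectId = $ownerObjectId }
        labels      = @(
            @{ labelName = "SSH";      labelType = "User" }
            @{ labelName = "SOARTest"; labelType = "User" }
        )
        firstActivityTimeUtc = $now
        lastActivityTimeUtc  = $now
    }
} | ConvertTo-Json -Depth 5

# Bearer token from the signed-in Az session; newer Az.Accounts versions return
# a SecureString, older ones plain text, so handle both
$tokenObj = Get-AzAccessToken -ResourceUrl "https://management.azure.com/"
$token = if ($tokenObj.Token -is [securestring]) {
    [System.Net.NetworkCredential]::new("", $tokenObj.Token).Password
} else {
    $tokenObj.Token
}

$headers = @{ Authorization = "Bearer $token" }

# PUT creates (or updates) the incident identified by $incidentName
$incident = Invoke-RestMethod -Method Put -Uri $uri -Headers $headers `
                              -ContentType "application/json" -Body $body

"Created incident $($incident.name)"
$incident.properties | Format-List
```

Because the call is a PUT against a name you chose, re-running it with the same $incidentName updates that incident rather than creating a second one; generating a fresh GUID each run is what makes every execution produce a new incident.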

Enjoy creating your own Azure Sentinel incidents!

This entry was posted in Security Automation.

4 Responses to Create a fully customized Azure Sentinel incident

  1. Pingback: Update Azure Sentinel incident programatically

  2. Pingback: Filter Azure Security Center alert name in Azure Sentinel incident rule

  3. Kalai says:

    Thanks a lot for the article! It was very useful. I would like to know what the other possible parameters are that we could add in the properties block, so that we could enable the investigation option on the incident.

    Could you please provide any reference documentation for these API methods?

    Again, thanks a lot!
