Create a fully customized Azure Sentinel incident

There are several ways to create an incident in Azure Sentinel. One is to simulate an alert from Azure Security Center and let it flow into an Azure Sentinel incident. Another is to create a simple scheduled analytics rule (e.g. trigger an alert when the number of failed sign-ins is greater than 1).

You may wonder whether there is another way to create a fully customized Azure Sentinel incident that fits a specific need.

TL;DR: You can skip this article and use the script here to create a fully customized incident in Azure Sentinel: https://github.com/azsec/azure-sentinel-tools/blob/master/scripts/New-AzSentinelIncident.ps1

Use Case

One use case for creating a fully customized incident is testing your SOAR (Security Orchestration, Automation and Response) playbooks against a specific scenario that a simulated ASC alert or a scheduled analytics rule cannot produce.

Another use case is using the Azure Sentinel incident capability to store incidents that come from an external source that has not yet been integrated with Azure Sentinel, so you have a single place from which to manage all incidents.

Azure Sentinel API – Create a new incident

To create a new incident in Azure Sentinel, you need to supply the following information:

  • WorkspaceId is the full resource Id of the Log Analytics workspace that Azure Sentinel connects to (the /subscriptions/.../workspaces/... path that appears at the start of the id field in the response below).
  • Incident Configuration is the JSON body that stores the incident information. See the example below:
{
    "properties": {
        "startTimeUtc": "2020-06-01T00:00:00Z",
        "createdTimeUtc": "2020-06-01T00:00:00Z",
        "endTimeUtc": "2020-06-01T00:00:00Z",
        "title": "Your virtual machine is still safe",
        "description": "..then why am I seeing this incident?",
        "owner": {
            "objectId": "b8c7b934-b040-4156-a089-fb344add2d6c",
            "email": "andy@azsec.net",
            "name": "Andy"
        },
        "severity": "High",
        "closeReason": "",
        "status": "New",
        "caseNumber": 1331000000,
        "labels": [
            "sample-incident",
            "test"
        ],
        "relatedAlertIds": [
            "921214ee-beaa-43b5-ab40-0b8b8280511e"
        ]
    },
    "name": "66bd8bac-681a-4caa-8a29-96145e4137fe"
}

Uri used for incident creation (a PowerShell string built from the workspace Id and the incident name):

"https://management.azure.com" + $workspaceId + "/providers/Microsoft.SecurityInsights/cases/$incidentName?api-version=2019-01-01-preview"

This API uses the PUT method. Below is a sample response returned by Invoke-RestMethod against that Uri.

id         : /subscriptions/17c6179d-a99d-4d22-8c56-4d3aa2e13349/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Micr
             osoft.SecurityInsights/Cases/66bd8bac-681a-4caa-8a29-96145e4137fe
name       : 66bd8bac-681a-4caa-8a29-96145e4137fe
etag       : "4b00b8b2-0000-0100-0000-5e1394fc0000"
type       : Microsoft.SecurityInsights/Cases
properties : @{title=Your virtual machine is still safe; description=..then why am I seeing this incident?; severity=High; status=New; labels=System.Object[];
             endTimeUtc=2020-06-01T00:00:00Z; startTimeUtc=2020-06-01T00:00:00Z; owner=; lastUpdatedTimeUtc=2020-01-06T20:13:48Z; createdTimeUtc=2020-01-06T20:13:48.7260396Z;
             relatedAlertIds=System.Object[]; relatedAlertProductNames=System.Object[]; caseNumber=32; totalComments=0; metrics=}

There are some things you should know when using this API:

  • You must provide the objectId (inside the owner element) of the user who is to be assigned to the incident. Otherwise you will run into a 500 Internal Server Error.
  • startTimeUtc and endTimeUtc are required.
  • The incident name is actually the incident's unique ID, so it is highly recommended to use a GUID.
  • A custom incident does not have any alert associated with it (when you click View full details).
  • No matter what value you put in caseNumber, the service still assigns the number incrementally (the sample above sent 1331000000 and got back 32).
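The following PowerShell function is an added example that puts the notes above into practice; it is not the article's New-AzSentinelIncident.ps1 script. It builds the same Uri shape and JSON body as shown above, forces a GUID for the incident name, requires the owner objectId and the start/end times, and sends the PUT with Invoke-RestMethod. It assumes the Az.Accounts module is installed, that Connect-AzAccount has already been run, and that Get-AzAccessToken returns its Token as a plain string (older Az.Accounts behaviour); the function name and all placeholder values in the usage call are my own.

```powershell
# Added example (not the article's script): create a custom Azure Sentinel incident
# through the Cases API (api-version 2019-01-01-preview).

function New-CustomSentinelIncident {
    [CmdletBinding()]
    param(
        # Full Azure resource ID of the Log Analytics workspace, e.g.
        # /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<name>
        [Parameter(Mandatory)] [string] $WorkspaceId,
        [Parameter(Mandatory)] [string] $Title,
        [Parameter(Mandatory)] [string] $Description,
        # Azure AD object ID of the assignee; the API returns 500 without it.
        [Parameter(Mandatory)] [string] $OwnerObjectId,
        [string] $OwnerEmail = '',
        [string] $OwnerName = '',
        [ValidateSet('Informational', 'Low', 'Medium', 'High')] [string] $Severity = 'Medium',
        [string[]] $Labels = @(),
        [datetime] $StartTimeUtc = (Get-Date).ToUniversalTime(),
        [datetime] $EndTimeUtc = (Get-Date).ToUniversalTime()
    )

    # The incident name is its unique ID, so always use a fresh GUID.
    $incidentName = [guid]::NewGuid().ToString()

    # Same Uri shape as the article: the workspace resource ID is appended to the ARM endpoint.
    $uri = 'https://management.azure.com' + $WorkspaceId +
           "/providers/Microsoft.SecurityInsights/cases/$incidentName" +
           '?api-version=2019-01-01-preview'

    # caseNumber is deliberately omitted: the service assigns it incrementally anyway.
    $body = @{
        properties = @{
            title        = $Title
            description  = $Description
            severity     = $Severity
            status       = 'New'
            startTimeUtc = $StartTimeUtc.ToString('yyyy-MM-ddTHH:mm:ssZ')
            endTimeUtc   = $EndTimeUtc.ToString('yyyy-MM-ddTHH:mm:ssZ')
            labels       = $Labels
            owner        = @{
                objectId = $OwnerObjectId
                email    = $OwnerEmail
                name     = $OwnerName
            }
        }
    } | ConvertTo-Json -Depth 5

    # Bearer token for Azure Resource Manager (assumption: Az.Accounts with an active session).
    $token = (Get-AzAccessToken -ResourceUrl 'https://management.azure.com').Token
    $headers = @{
        Authorization  = "Bearer $token"
        'Content-Type' = 'application/json'
    }

    return Invoke-RestMethod -Method Put -Uri $uri -Headers $headers -Body $body
}

# Usage (all values below are placeholders):
$incident = New-CustomSentinelIncident `
    -WorkspaceId '/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>' `
    -Title 'Ticket imported from external case system' `
    -Description 'Stored in Azure Sentinel so all incidents are managed in one place' `
    -OwnerObjectId '<azure-ad-object-id>' `
    -Severity 'High' `
    -Labels @('external-source', 'test')

$incident.name                    # the GUID we generated
$incident.properties.caseNumber   # assigned by the service, not by us
```

Because the function never sends caseNumber, the number you get back is the service-assigned one, which matches the behaviour noted above. If your Az.Accounts version returns Token as a SecureString, convert it to plain text before building the Authorization header.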

Enjoy creating your own Azure Sentinel incidents!
