There are cases where you want to update Azure Sentinel incidents, namely their labels or assignment. For example, you might want all brute-force related incidents to carry the label brute-force and to be assigned to the person or team responsible for handling that kind of incident.
In this article, let’s explore the Azure Sentinel incident API a bit more and see how to update the label and assignment of an existing incident, or of multiple incidents at once.
The API used in this article is unofficial and still in preview. Use at your own risk.
TL;DR: You can skip this article and use these scripts to update an existing Azure Sentinel incident, or multiple incidents filtered by alert display name:
- Update a single Azure Sentinel incident
- Update multiple Azure Sentinel incidents by alert display name (e.g. Suspicious Authentication Activity)
Use Case
As said at the beginning, a common use case for updating multiple incidents at once is assigning a specific incident type to a person or team who has expertise in that type (e.g. brute-force attack, suspicious network activity) or who owns the associated analytics detection rule.
You may also want to label an incident automatically so you can filter on it later.
Get specific Azure Incident
In the past I wrote an article about extracting Azure Sentinel incidents, as well as one about deleting an existing Azure Security Center incident. I also shared an article on creating a fully customized Azure Sentinel incident.
From those you should already have an idea of how to get a specific Azure Sentinel incident by incident ID:
# $workspaceId is the full resource ID of the Log Analytics workspace (/subscriptions/...)
# $authHeader carries the bearer token for https://management.azure.com
$uri = "https://management.azure.com" + $workspaceId `
       + "/providers/Microsoft.SecurityInsights/cases/" `
       + $IncidentId + "?api-version=2019-01-01-preview"
$response = Invoke-RestMethod -Uri $uri `
                              -Method GET `
                              -Headers $authHeader
$response | ConvertTo-Json
The output of the above script is as follows:
{ "id": "/subscriptions/11d6179d-a99d-4ccd-8c55-4d3ff2e13349/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Cases/a6228f80-23bd-4403-8d51-c75907b154bc", "name": "a6228f80-23bd-4403-8d51-c75907b154bc", "etag": "\"1600f7ac-0000-0100-0000-5e2754960000\"", "type": "Microsoft.SecurityInsights/Cases", "properties": { "title": "Failed SSH brute force attack", "description": "Failed brute force attacks were detected from the following attackers: %{Attackers}. Attackers were trying to access the host with the following user names: %{Accounts used on failed sign in to host attempts}.", "severity": "Medium", "status": "New", "labels": [ "update", "a6228f80-23bd-4403-8d51-c75907b154bc" ], "endTimeUtc": "2020-01-20T03:22:46.173Z", "startTimeUtc": "2020-01-20T03:22:46.173Z", "owner": { "objectId": null, "email": null, "name": null }, "lastUpdatedTimeUtc": "2020-01-21T19:44:22Z", "createdTimeUtc": "2020-01-20T04:48:51.2558904Z", "relatedAlertIds": [ "b401572c-dd8f-43e7-9103-39da2306e3fb" ], "relatedAlertProductNames": [ "Azure Security Center" ], "caseNumber": 57, "totalComments": 0, "metrics": { "SecurityAlert": 1 }, "firstAlertTimeGenerated": "2020-01-20T04:48:49.461707Z", "lastAlertTimeGenerated": "2020-01-20T04:48:49.461707Z" } }
Update an existing Azure Sentinel incident
To update an Azure Sentinel incident, you modify the object you just retrieved and send it back to the API with a PUT, as long as the request body still describes the same incident (same name and etag) that you retrieved. The sample code is as follows:
# Reuse the object returned by the GET so its etag travels back with the request
$response.Name = $IncidentId                      # the name must stay the case GUID
$response.properties.labels = @("brute-force", "detection", "asc")
$response.properties.owner.objectId = "f84a055f-2958-4186-bdc7-7e49bfec8cfa"
$requestBody = $response | ConvertTo-Json -Depth 10   # default depth can flatten nested properties
$updateUri = "https://management.azure.com" + $workspaceId `
             + "/providers/Microsoft.SecurityInsights/cases/" `
             + $IncidentId + "?api-version=2019-01-01-preview"
$r = Invoke-RestMethod -Uri $updateUri `
                       -Method PUT `
                       -Headers $authHeader `
                       -Body $requestBody
$r
Note that the incident must keep its globally unique identifier (GUID) as its name so the API can reference it. If you set the name to an arbitrary string the API won’t work.
Notes
The given script is only a PoC and may not be well organized. You can build your own in any language you wish.
There are a few notes:
- objectId cannot be null. That said, you need to either specify the objectId directly or convert a user principal name input to an objectId. You can also update the email of the incident owner.
- The script has been tested on incidents generated both by Azure Security Center and by scheduled analytics rules.
- Technically you can perform a mass update on Azure Sentinel incidents based on alert display name.
- You can update the incident description, even for incidents generated from Azure Security Center.
- You can update startTimeUtc.
- You can update the status from New to Closed in case you know the incidents are false positives.

Modified incident title generated from ASC.
Some other articles related to Azure Sentinel you might want to check out:
- Parse ExtendedProperty in Azure Sentinel alert for Logic App use
- Notify Azure Sentinel alert to your email automatically
- Authenticate with Log Analytics workspace interactively in Azure Sentinel notebooks
- Get started with Azure Sentinel Notebooks
- Create a fully customized Azure Sentinel incident
- Demystify alert generated by Azure Sentinel versus other 3rd products
- Delete an Azure Sentinel incident (from ASC)
- Azure Sentinel ARM Template
- Extract all Azure Sentinel incidents
- Connect Azure Security Center to Azure Sentinel programmatically
- Working with Azure Security Center Alert from Azure Sentinel
- Thoughts on Azure Sentinel
Great article. Thank you very much. Do you have script to do mass update like you described?
Hi oliver85,
Here is the script to update multiple incidents https://github.com/azsec/azure-sentinel-tools/blob/master/scripts/Update-MultipleAzSentinelIncidents.ps1
The idea is to set labels on all incidents that have the same alert display name, no matter where they are generated from. For example you can give all “Suspicious Authentication Activity” alerts labels like “detection”, “asc”, “authentication”.
Let me know if you would like more info or feedback.
Thank you!
What a great response and work! Thanks a lot
Hi azsec,
Thanks for your article above. I am new to Sentinel and just at the stage of using KQL. I went to the URL below and found your PowerShell script. For a novice like me, can you please put down the steps on how to update/close multiple incidents in one go with this script? Like where do I run it and where do I change the incident ID in this script, etc.
https://github.com/azsec/azure-sentinel-tools/blob/master/scripts/incidents/Update-MultipleAzSentinelIncidents.ps1
Thanks for your time.
Aj
Hi Ali,
The script was created to help update multiple incidents at once. Supported fields to update are Assignee, Label and Severity. The current script is using old API which might not be working right now.
I’d recommend you to read this one for further information.
Could you create an issue here so we could discuss and track together https://github.com/azsec/azure-sentinel-tools/issues/new ?
Thank you very much.
Hi, many thanks for this. I’ve attempted to extrapolate what you do in Python. However when I perform the PUT changing the status I get: "message": "Newer version of resource '…..' exists. Data was not saved"
Similar result by doing this manually with Postman.
Any idea what could be wrong?
Hi rogierg,
I kinda remember I encountered this issue during my analysis.
The reason you got this error is because there would be a resource that had a similar name, and when you did the update that would make a conflict. First, you would need to list all existing incidents and see if there is one using the same name. Use the API in this article http://azsec.azurewebsites.net/2019/12/16/extract-all-azure-sentinel-incidents/
Hi Rogierg,
I face the same issue. Did you find the root cause and solve the issue?
From my experience (I’m also working in Python), the reason for this error is lack of appropriate handling of ‘etag’.
The value of ‘etag’ changes every time an object is modified.
So, if you want to modify an object, you first need to query that object, and get the up to date value of the etag.
Then, when doing PUT, you have to pass that etag in your payload.
If you don’t provide it, or somebody modified the object between your GET and PUT – you’ll get that error message that you’ve mentioned.
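The GET, modify, PUT sequence from the article and the etag behaviour described in the comment above, as an added Python example (not the article's script nor the azure-sentinel-tools code): the HTTP call is injected so that FakeSentinel, a constructed stand-in for the service, can reproduce the "Newer version of resource exists" conflict offline; the workspace resource ID, token handling and real transport are assumed to be supplied by the caller.

```python
"""Etag-safe update of an Azure Sentinel case via the preview 'cases' API.

Added example, not the article's script: the HTTP layer is an injectable callable
so the GET -> modify -> PUT flow, and the "Newer version of resource exists" error
a stale etag causes, can be exercised offline against the constructed FakeSentinel.
"""
import copy

API_VERSION = "2019-01-01-preview"   # preview API version used in the article


class StaleEtag(Exception):
    """The service rejected the PUT because the body's etag no longer matches."""


def update_incident(http, workspace_id, incident_id, labels, owner_object_id, retries=3):
    """GET the case, set labels/owner, PUT it back carrying the fresh etag.

    http(method, url, body) returns the parsed JSON resource or raises StaleEtag.
    workspace_id is the full workspace resource ID (/subscriptions/...), assumed given.
    """
    url = (f"https://management.azure.com{workspace_id}/providers/Microsoft."
           f"SecurityInsights/cases/{incident_id}?api-version={API_VERSION}")
    for _ in range(retries):
        case = http("GET", url, None)          # fresh copy carries the current etag
        case["name"] = incident_id              # the name must stay the case GUID
        case["properties"]["labels"] = list(labels)
        case["properties"]["owner"]["objectId"] = owner_object_id
        try:
            return http("PUT", url, case)       # etag travels inside the body
        except StaleEtag:
            continue                            # someone wrote in between: re-GET and retry
    raise StaleEtag(f"gave up after {retries} stale-etag conflicts on {incident_id}")


class FakeSentinel:
    """Constructed stand-in for the service: stores cases, new etag on every accepted save."""
    def __init__(self, cases):
        self.cases = {c["name"]: copy.deepcopy(c) for c in cases}
        self.saves = 0

    def __call__(self, method, url, body):
        case_id = url.rsplit("/", 1)[1].split("?")[0]
        if method == "GET":
            return copy.deepcopy(self.cases[case_id])
        if body["etag"] != self.cases[case_id]["etag"]:
            raise StaleEtag(f"Newer version of resource '{case_id}' exists. Data was not saved")
        self.saves += 1
        body["etag"] = f'"{self.saves:08x}"'   # server assigns a fresh etag on each save
        self.cases[case_id] = copy.deepcopy(body)
        return copy.deepcopy(body)
```

Against the real service, `http` would wrap `requests` (GET/PUT with the bearer token header) and raise StaleEtag on the conflict response; everything else stays the same.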
Hi all,
I am also facing a similar issue while updating an incident / case. Has anybody figured out a workaround or the reason for this problem?
Hi Yasemin,
Could you post issue here https://github.com/azsec/azure-sentinel-tools/issues? I’d be happy to support.
Sure. Done! Thanks a lot.