Update Azure Sentinel incident programmatically

There are cases where you want to update Azure Sentinel incidents programmatically, namely their labels or their assignment. For example, you may want every brute-force related incident to carry the label brute-force and to be assigned to the person or team responsible for handling that type of incident.

In this article, let's explore the Azure Sentinel incident API a bit more and see how to update the labels and the owner of an existing incident, and of multiple incidents at once.

The API used in this article is not an official, generally available API; it is still in preview and may change without notice. Use at your own risk.

TL;DR: You can skip this article and use the script from here to update an existing Azure Sentinel incident, or multiple incidents filtered by alert display name:

Use Case

As said at the beginning, a common use case for updating multiple incidents at once is assigning a specific incident type to the person or team with expertise in that type, e.g. brute-force attacks or suspicious network activity, or to whoever owns the associated analytics rule.

You may also want to label incidents automatically so that you can filter on the label later.

Get specific Azure Incident

In the past I wrote an article about extracting Azure Sentinel incidents as well as deleting an existing Azure Security Center incident. I also shared an article about the way to create a fully customized Azure Sentinel incident.

From those, you should already have an idea of how to get a specific Azure Sentinel incident by incident ID. In the snippets below, $workspaceId is the full resource ID of the Log Analytics workspace (the path starting with /subscriptions/... as seen in the id field of the output) and $authHeader is a hashtable carrying a bearer token for https://management.azure.com.

# $workspaceId is the full resource ID of the Log Analytics workspace, i.e.
# /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<name>
$uri = "https://management.azure.com" + $workspaceId `
                                      + "/providers/Microsoft.SecurityInsights/cases/" `
                                      + $IncidentId + "?api-version=2019-01-01-preview"

# $authHeader is a hashtable such as @{ Authorization = "Bearer <token>" }
$response = Invoke-RestMethod -Uri $uri `
                              -Method GET `
                              -Headers $authHeader
# -Depth keeps nested objects (properties.owner etc.) from being flattened to strings
$response | ConvertTo-Json -Depth 10

The output of the above script is as follows:

{
    "id": "/subscriptions/11d6179d-a99d-4ccd-8c55-4d3ff2e13349/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Cases/a6228f80-23bd-4403-8d51-c75907b154bc",
    "name": "a6228f80-23bd-4403-8d51-c75907b154bc",
    "etag": "\"1600f7ac-0000-0100-0000-5e2754960000\"",
    "type": "Microsoft.SecurityInsights/Cases",
    "properties": {
        "title": "Failed SSH brute force attack",
        "description": "Failed brute force attacks were detected from the following attackers: %{Attackers}.  Attackers were trying to access the host with the following user names: %{Accounts used on failed sign in to host attempts}.",
        "severity": "Medium",
        "status": "New",
        "labels": [
            "update",
            "a6228f80-23bd-4403-8d51-c75907b154bc"
        ],
        "endTimeUtc": "2020-01-20T03:22:46.173Z",
        "startTimeUtc": "2020-01-20T03:22:46.173Z",
        "owner": {
            "objectId": null,
            "email": null,
            "name": null
        },
        "lastUpdatedTimeUtc": "2020-01-21T19:44:22Z",
        "createdTimeUtc": "2020-01-20T04:48:51.2558904Z",
        "relatedAlertIds": [
            "b401572c-dd8f-43e7-9103-39da2306e3fb"
        ],
        "relatedAlertProductNames": [
            "Azure Security Center"
        ],
        "caseNumber": 57,
        "totalComments": 0,
        "metrics": {
            "SecurityAlert": 1
        },
        "firstAlertTimeGenerated": "2020-01-20T04:48:49.461707Z",
        "lastAlertTimeGenerated": "2020-01-20T04:48:49.461707Z"
    }
}

Update an existing Azure Sentinel incident

To update an Azure Sentinel incident, you modify the incident object you just retrieved and send the whole object back to the same URI with a PUT. The request must carry the incident as it currently exists, including the etag returned by the GET, because the service rejects a PUT whose etag is older than the stored version (this is also what the "Newer version of resource ... exists" error in the comments below means). The sample code is as follows:

# Reuse the object returned by the GET above so that the etag and every other
# property go back unchanged apart from what is edited here.
$response.Name = $IncidentId
$response.properties.labels = @("brute-force", "detection", "asc")
# The owner must be an Azure AD object ID; a null objectId is rejected (see Notes)
$response.properties.owner.objectId = "f84a055f-2958-4186-bdc7-7e49bfec8cfa"

$requestBody = $response | ConvertTo-Json -Depth 10

$updateUri = "https://management.azure.com" + $workspaceId `
           + "/providers/Microsoft.SecurityInsights/cases/" `
           + $IncidentId + "?api-version=2019-01-01-preview"

$r = Invoke-RestMethod -Uri $updateUri `
                       -Method PUT `
                       -Headers $authHeader `
                       -Body $requestBody `
                       -ContentType "application/json"
$r

Note that the incident resource name (the name field, which is also the last segment of the URI) must be a globally unique identifier (GUID) so that the incident is referenceable. If you use an arbitrary string as the name, the API will not accept the request.

Notes

The given script is only a proof of concept and may not be well organized. You can build your own in any language you wish.

There are a few notes:

  • objectId cannot be null. That is, you need to supply the owner's Azure AD object ID directly, or resolve it from a user principal name given as input. You can also update the email of the incident owner.
  • The script was tested on incidents generated both by Azure Security Center and by scheduled analytics rules.
  • Technically, you can perform a mass update of Azure Sentinel incidents by filtering on the alert display name.
  • You can update the incident description, even for an incident generated by Azure Security Center.
  • You can update startTimeUtc.
  • You can update the status from New to Closed when you know the incidents are false positives.
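The notes above describe a mass update filtered by alert display name, and the comment thread below shows what happens when the etag is not handled. The script that follows is an added example written for this page; it is not the author's script linked in the TL;DR. It assumes the same things as the snippets above: $WorkspaceId is the full Log Analytics workspace resource ID, $AuthHeader is @{ Authorization = "Bearer <token>" } for https://management.azure.com (for example from Get-AzAccessToken in the Az.Accounts module), the list endpoint returns an ARM-style page with value and nextLink, and an incident created from an alert carries the alert display name as its title. The file name Update-SentinelIncidents.ps1 and the assumption that a stale etag surfaces as HTTP 409/412 or the "Newer version of resource" message are mine.

```powershell
# Update-SentinelIncidents.ps1 (added example, not the original post's script)
# Assumptions:
#   - $WorkspaceId is the full Log Analytics workspace resource ID, i.e.
#     /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<name>
#   - $AuthHeader is @{ Authorization = "Bearer <token>" } for https://management.azure.com,
#     e.g. (Get-AzAccessToken -ResourceUrl "https://management.azure.com/").Token
#   - the list endpoint returns an ARM-style page with "value" and an optional "nextLink"
#   - an incident created from an alert carries the alert display name as its title
param(
    [Parameter(Mandatory)] [string]    $WorkspaceId,
    [Parameter(Mandatory)] [hashtable] $AuthHeader,
    [Parameter(Mandatory)] [string]    $AlertDisplayName,
    [Parameter(Mandatory)] [string[]]  $Labels,
    [Parameter(Mandatory)] [string]    $OwnerObjectId,
    [string] $OwnerEmail,
    [switch] $IncludeClosed,
    [switch] $DryRun
)

$apiVersion = "2019-01-01-preview"
$casesUri   = "https://management.azure.com$WorkspaceId/providers/Microsoft.SecurityInsights/cases"

function Get-AllCases {
    # Follow nextLink so the filter sees every incident, not just the first page.
    $uri   = "$casesUri" + "?api-version=$apiVersion"
    $cases = @()
    while ($uri) {
        $page = Invoke-RestMethod -Uri $uri -Method GET -Headers $AuthHeader
        if ($page.value) { $cases += $page.value }
        $uri = $page.nextLink
    }
    return $cases
}

function Update-Case {
    param([string] $CaseName)
    $caseUri = "$casesUri/$CaseName" + "?api-version=$apiVersion"
    for ($attempt = 1; $attempt -le 3; $attempt++) {
        # Re-read right before writing: the PUT body must carry the current etag,
        # otherwise the service answers "Newer version of resource ... exists".
        $case = Invoke-RestMethod -Uri $caseUri -Method GET -Headers $AuthHeader
        $case.properties.labels         = $Labels
        $case.properties.owner.objectId = $OwnerObjectId   # a null owner is rejected
        if ($OwnerEmail) { $case.properties.owner.email = $OwnerEmail }
        $body = $case | ConvertTo-Json -Depth 10

        if ($DryRun) { Write-Host "Would update $CaseName ($($case.properties.title))"; return $case }
        try {
            return Invoke-RestMethod -Uri $caseUri -Method PUT -Headers $AuthHeader `
                                     -Body $body -ContentType "application/json"
        }
        catch {
            # Assumed: a stale etag surfaces as HTTP 409/412 or the "Newer version" message.
            $status = [int]$_.Exception.Response.StatusCode
            $stale  = ($status -in @(409, 412)) -or ($_.ErrorDetails.Message -match "Newer version")
            if ($stale -and $attempt -lt 3) {
                Write-Warning "etag conflict on $CaseName (attempt $attempt); re-reading and retrying"
                Start-Sleep -Seconds 1
                continue
            }
            throw
        }
    }
}

# Select by title (= alert display name), skipping closed incidents unless asked otherwise.
$targets = @(Get-AllCases | Where-Object {
    $_.properties.title -eq $AlertDisplayName -and
    ($IncludeClosed -or $_.properties.status -ne "Closed")
})
Write-Host "Found $($targets.Count) incident(s) titled '$AlertDisplayName'"

foreach ($case in $targets) {
    $updated = Update-Case -CaseName $case.name
    "{0} (#{1}): labels={2} owner={3}" -f $updated.name, $updated.properties.caseNumber,
        ($updated.properties.labels -join ","), $updated.properties.owner.objectId
}
```

Run it as, for example, .\Update-SentinelIncidents.ps1 -WorkspaceId $workspaceId -AuthHeader $authHeader -AlertDisplayName "Failed SSH brute force attack" -Labels brute-force,asc -OwnerObjectId <guid> -DryRun, then drop -DryRun once the list of matched incidents looks right. The GET immediately before each PUT is what avoids the "Newer version of resource" error: the object sent back carries the etag the service currently holds, and a conflict (someone edited the incident in the portal between the two calls) is retried from a fresh read rather than overwriting their change. Use a token for an identity that is allowed to write incidents and nothing more.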

Figure: Modified title of an incident generated from ASC.



11 Responses to Update Azure Sentinel incident programmatically

  1. oliver85 says:

    Great article. Thank you very much. Do you have script to do mass update like you described?

  2. rogierg says:

    Hi, many thanks for this. I've attempted to extrapolate what you do in Python. However, when I perform the PUT changing the status I get: "message": "Newer version of resource '.....' exists. Data was not saved"

    Similar result by doing this manually with Postman.

    Any idea what could be wrong?

    • azsec says:

      Hi rogierg,

      I kinda remember I encountered this issue during my analysis.

      The reason you got this error is that there would be a resource that had a similar name, and when you did the update that would make a conflict. First, you would need to list all existing incidents and see if there is one using the same name. Use the API in this article http://azsec.azurewebsites.net/2019/12/16/extract-all-azure-sentinel-incidents/

    • Yorenet says:

      Hi Rogierg,

      I face the same issue. Did you find the root cause and solve the issue?

      • Marian says:

        From my experience (I'm also working in Python), the reason for this error is a lack of appropriate handling of 'etag'.
        The value of 'etag' changes every time an object is modified.
        So, if you want to modify an object, you first need to query that object and get the up-to-date value of the etag.
        Then, when doing the PUT, you have to pass that etag in your payload.
        If you don't provide it, or somebody modified the object between your GET and PUT, you'll get the error message that you mentioned.

  3. Pingback: Extract all Azure Sentinel incidents

  4. Yasemin says:

    Hi all,

    I am also facing a similar issue while updating an incident / case. Has anybody figured out a workaround or the reason for this problem?
