There has to be a case that you want to update Azure Sentinel incidents namely label or assignment. For example you would like all brute-force attack related incidents to have label brute-force and to assign to a specific person/team that are responsible for handling such an incident.
In this article, let’s explore Azure Sentinel Incident API a bit more and see how to update label and assignment on an existing/multiple incidents
The API used in this article is unofficial API and is still in preview. Use at your own risk.
TL;DR: You can skip this article and use the script from here to update an existing Azure Sentinel/multiple incidents filtered by Alert Display Name:
- Update a single Azure Sentinel incident
- Update multiple Azure Sentinel incidents by alert display name (e.g. Suspicious Authentication Activity)
Use Case
As said from the beginning, a common use case when you want to update multiple incidents once at a time is when you would like to assign specific incident type to a person/team who may have expertise on that incident type e.g brute-force attack, suspicious network activity or ones who own associated analytics detection rule.
You may also want to automatically label an incident so you could filter it (in the future ).
Get specific Azure Incident
In the past I wrote an article about extracting Azure Sentinel incidents as well as deleting an existing Azure Security Center incident. There was also an article that I shared about the way to create a fully customized Azure Sentinel incident.
You would have an idea on how to get specific Azure Sentinel incident by incident ID.
|
1 2 3 4 5 6 7 8 |
$uri = "https://management.azure.com" + $workspaceId ` + "/providers/Microsoft.SecurityInsights/cases/" ` + $IncidentId + "/?api-version=2019-01-01-preview" $response = Invoke-RestMethod -Uri $uri ` -Method GET -Headers $authHeader $response | ConvertTo-Json |
The output of the above script is as follows:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
{ "id": "/subscriptions/11d6179d-a99d-4ccd-8c55-4d3ff2e13349/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Cases/a6228f80-23bd-4403-8d51-c75907b154bc", "name": "a6228f80-23bd-4403-8d51-c75907b154bc", "etag": "\"1600f7ac-0000-0100-0000-5e2754960000\"", "type": "Microsoft.SecurityInsights/Cases", "properties": { "title": "Failed SSH brute force attack", "description": "Failed brute force attacks were detected from the following attackers: %{Attackers}. Attackers were trying to access the host with the following user names: %{Accounts used on failed sign in to host attempts}.", "severity": "Medium", "status": "New", "labels": [ "update", "a6228f80-23bd-4403-8d51-c75907b154bc" ], "endTimeUtc": "2020-01-20T03:22:46.173Z", "startTimeUtc": "2020-01-20T03:22:46.173Z", "owner": { "objectId": null, "email": null, "name": null }, "lastUpdatedTimeUtc": "2020-01-21T19:44:22Z", "createdTimeUtc": "2020-01-20T04:48:51.2558904Z", "relatedAlertIds": [ "b401572c-dd8f-43e7-9103-39da2306e3fb" ], "relatedAlertProductNames": [ "Azure Security Center" ], "caseNumber": 57, "totalComments": 0, "metrics": { "SecurityAlert": 1 }, "firstAlertTimeGenerated": "2020-01-20T04:48:49.461707Z", "lastAlertTimeGenerated": "2020-01-20T04:48:49.461707Z" } } |
Update an existing Azure Sentinel incident
Now to update an Azure Sentinel incident, you only need to update the existing incident and send the request back to the API – as long as the the request contains the same incident that you just retrieved. The sample code is as follows:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
$response.Name = $IncidentId $response.properties.labels = @("brute-force", "detection", "asc") $response.properties.owner.objectId = "f84a055f-2958-4186-bdc7-7e49bfec8cfa" $reguestBody = $response | ConvertTo-Json $updateUri = "https://management.azure.com" + $workspaceId + "/providers/Microsoft.SecurityInsights/cases/" + $IncidentId + "?api-version=2019-01-01-preview" $r = Invoke-RestMethod -Uri $updateUri ` -Method PUT ` -Headers $authHeader ` -Body $reguestBody $r |
Note that the only way to make sure would be to name your incident a global unique ID (GUID) so it is referenceable. If you name it as a general string the API wouldn’t really work.
Notes
The given script is only a PoC one which may not be well organized. You can build your own one with any language you wish.
There are a few notes:
- objectId cannot be null. That said you need to specify whether objectID or convert to objectID from a user principal name input. You can also update email of the incident owner.
- The script is tested in both incidents generated from Azure Security Center and scheduled analytics rule.
- You can perform mass update on Azure Sentinel incident based on alert display name technically.
- You can update incident description even incident generated from Azure Security Center.
- You can update startTimeUtc
- You can update status to from New to Close in case you know incidents are false positive.
Modified incident title generated from ASC.
Some of other articles related to Azure Sentinel you might want to check out:
- Parse ExtendedProperty in Azure Sentinel alert for Logic App use
- Notify Azure Sentinel alert to your email automatically
- Authenticate with Log Analytics workspace interactively in Azure Sentinel notebooks
- Get started with Azure Sentinel Notebooks
- Create a fully customized Azure Sentinel incident
- Demystify alert generated by Azure Sentinel versus other 3rd products
- Delete an Azure Sentinel incident (from ASC)
- Azure Sentinel ARM Template
- Extract all Azure Sentinel incidents
- Connect Azure Security Center to Azure Sentinel programatically
- Working with Azure Security Center Alert from Azure Sentinel
- Thoughts on Azure Sentinel
Great article. Thank you very much. Do you have script to do mass update like you described?
Hi oliver85,
Here is the script to update multiple incidents https://github.com/azsec/azure-sentinel-tools/blob/master/scripts/Update-MultipleAzSentinelIncidents.ps1
The idea is to set label to all incidents that have same alert display name no matter where it is generated from. For example you can set all “Suspicious Authentication Activity” alerts some labels like “detection”, “asc”, “authentication”.
Let me know if you would like more info or feedback.
Thank you!
What a great response and work! Thanks a lot