Update Azure Sentinel incident programmatically

There are cases where you want to update Azure Sentinel incidents, typically their labels or their assignment. For example, you may want every brute-force related incident to carry the label brute-force and to be assigned to the person or team responsible for handling that kind of incident.

In this article, let’s explore the Azure Sentinel Incident API a bit further and see how to update the labels and assignment of an existing incident, or of multiple incidents at once.

The API used in this article is an unofficial API and is still in preview. Use it at your own risk.

TL;DR: You can skip this article and use the script from here to update one or more existing Azure Sentinel incidents filtered by Alert Display Name:

Use Case

As said at the beginning, a common reason to update multiple incidents at once is to assign a particular incident type to a person or team with expertise in it (e.g. brute-force attacks or suspicious network activity), or to whoever owns the associated analytics detection rule.

You may also want to label incidents automatically so that you can filter on them later.

Get specific Azure Incident

In the past I wrote an article about extracting Azure Sentinel incidents, as well as one about deleting an existing Azure Security Center incident. I also shared an article on how to create a fully customized Azure Sentinel incident.

From those you already have an idea of how to get a specific Azure Sentinel incident by its incident ID:

# $workspaceId is the full resource ID of the Log Analytics workspace
# (/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<name>)
# and $authHeader carries a bearer token for https://management.azure.com
$uri = "https://management.azure.com" + $workspaceId `
                                      + "/providers/Microsoft.SecurityInsights/cases/" `
                                      + $IncidentId + "?api-version=2019-01-01-preview"

$response = Invoke-RestMethod -Uri $uri `
                              -Method GET `
                              -Headers $authHeader
$response | ConvertTo-Json -Depth 10

The output of the above script is as follows:

{
    "id": "/subscriptions/11d6179d-a99d-4ccd-8c55-4d3ff2e13349/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Cases/a6228f80-23bd-4403-8d51-c75907b154bc",
    "name": "a6228f80-23bd-4403-8d51-c75907b154bc",
    "etag": "\"1600f7ac-0000-0100-0000-5e2754960000\"",
    "type": "Microsoft.SecurityInsights/Cases",
    "properties": {
        "title": "Failed SSH brute force attack",
        "description": "Failed brute force attacks were detected from the following attackers: %{Attackers}.  Attackers were trying to access the host with the following user names: %{Accounts used on failed sign in to host attempts}.",
        "severity": "Medium",
        "status": "New",
        "labels": [
            "update",
            "a6228f80-23bd-4403-8d51-c75907b154bc"
        ],
        "endTimeUtc": "2020-01-20T03:22:46.173Z",
        "startTimeUtc": "2020-01-20T03:22:46.173Z",
        "owner": {
            "objectId": null,
            "email": null,
            "name": null
        },
        "lastUpdatedTimeUtc": "2020-01-21T19:44:22Z",
        "createdTimeUtc": "2020-01-20T04:48:51.2558904Z",
        "relatedAlertIds": [
            "b401572c-dd8f-43e7-9103-39da2306e3fb"
        ],
        "relatedAlertProductNames": [
            "Azure Security Center"
        ],
        "caseNumber": 57,
        "totalComments": 0,
        "metrics": {
            "SecurityAlert": 1
        },
        "firstAlertTimeGenerated": "2020-01-20T04:48:49.461707Z",
        "lastAlertTimeGenerated": "2020-01-20T04:48:49.461707Z"
    }
}

Update an existing Azure Sentinel incident

To update an Azure Sentinel incident, you modify the object you just retrieved and send it back to the same URI with a PUT. The body must be the same incident that you retrieved, including its etag: the API uses the etag for optimistic concurrency, so if the incident was changed between your GET and your PUT the update is rejected with “Newer version of resource ‘…’ exists” and you have to read it again and retry. The sample code is as follows:

# $response is the object returned by the GET above; it still carries the etag,
# which must be sent back unchanged
$response.name = $IncidentId
$response.properties.labels = @("brute-force", "detection", "asc")
$response.properties.owner.objectId = "f84a055f-2958-4186-bdc7-7e49bfec8cfa"   # AAD object ID of the new owner

$requestBody = $response | ConvertTo-Json -Depth 10

$updateUri = "https://management.azure.com" + $workspaceId + "/providers/Microsoft.SecurityInsights/cases/" + $IncidentId + "?api-version=2019-01-01-preview"

$r = Invoke-RestMethod -Uri $updateUri `
                       -Method PUT `
                       -Headers $authHeader `
                       -ContentType "application/json" `
                       -Body $requestBody
$r

Note that the resource name of the incident (the name property, which is also the last segment of the URI) has to be its GUID so that the incident is referenceable. If you set it to an arbitrary string, the API will not accept the update.

Notes

The given script is only a PoC and may not be well organized. You can build your own in any language you like.

A few notes:

  • objectId cannot be null. That is, you either specify the owner’s AAD object ID directly or convert a user principal name given as input into an object ID. You can also update the email of the incident owner.
  • The script was tested with incidents generated both by Azure Security Center and by scheduled analytics rules.
  • Technically you can perform a mass update of Azure Sentinel incidents based on alert display name.
  • You can update the incident description, even for incidents generated by Azure Security Center.
  • You can update startTimeUtc.
  • You can update the status from New to Closed when you know the incidents are false positives.
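The following is an added, complete example written for this page; it is not the post’s own script. It wraps the get-then-PUT flow from the previous section in a function and uses it for the mass update by alert display name mentioned above. It assumes the Az.Accounts module (Get-AzAccessToken) for the bearer token and Get-AzADUser from Az.Resources for the UPN-to-objectId conversion; $workspaceId is the workspace resource ID as in the snippets above, the owner UPN is a placeholder, and the alert display name is the title from the sample output. The retry handles the etag conflict (“Newer version of resource … exists”) by re-reading the case before trying again.

```powershell
# Added example, not part of the original post. Assumes:
#   - Az.Accounts (and Az.Resources for Get-AzADUser) installed and Connect-AzAccount done
#   - $workspaceId = full Log Analytics workspace resource ID
#     (/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<name>)
#   - the caller has a role that may write cases in the workspace
$ErrorActionPreference = 'Stop'
$apiVersion = '2019-01-01-preview'
$armBase    = 'https://management.azure.com'

# Bearer token for ARM
$token      = (Get-AzAccessToken -ResourceUrl "$armBase/").Token
$authHeader = @{ Authorization = "Bearer $token" }

function Get-SentinelCases {
    # Lists every case in the workspace, following nextLink for paging
    param([string]$WorkspaceId)
    $uri = "$armBase$WorkspaceId/providers/Microsoft.SecurityInsights/cases?api-version=$apiVersion"
    while ($uri) {
        $page = Invoke-RestMethod -Uri $uri -Method GET -Headers $authHeader
        $page.value
        $uri = $page.nextLink
    }
}

function Resolve-OwnerObjectId {
    # Converts a user principal name into the AAD object ID the owner.objectId field needs
    param([string]$UserPrincipalName)
    $user = Get-AzADUser -UserPrincipalName $UserPrincipalName
    if (-not $user) { throw "No AAD user found for $UserPrincipalName" }
    $user.Id
}

function Update-SentinelCase {
    # Re-reads the case, applies the requested changes and PUTs it back unchanged otherwise.
    # The body carries the etag from the GET; if the case was modified in between, ARM
    # answers "Newer version of resource ... exists", so we re-read and try again.
    param(
        [string]$WorkspaceId,
        [string]$CaseId,              # must be the case GUID (the "name" property)
        [string[]]$Labels,
        [string]$OwnerObjectId,       # AAD object ID; may not be null when setting an owner
        [string]$OwnerEmail,
        [string]$Status,              # e.g. 'Closed' for confirmed false positives
        [int]$MaxAttempts = 3
    )
    $uri = "$armBase$WorkspaceId/providers/Microsoft.SecurityInsights/cases/${CaseId}?api-version=$apiVersion"
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        $case = Invoke-RestMethod -Uri $uri -Method GET -Headers $authHeader
        if ($Labels)        { $case.properties.labels         = $Labels }
        if ($OwnerObjectId) { $case.properties.owner.objectId = $OwnerObjectId }
        if ($OwnerEmail)    { $case.properties.owner.email    = $OwnerEmail }
        if ($Status)        { $case.properties.status         = $Status }
        $body = $case | ConvertTo-Json -Depth 10
        try {
            return Invoke-RestMethod -Uri $uri -Method PUT -Headers $authHeader `
                                     -ContentType 'application/json' -Body $body
        } catch {
            $detail = "$($_.ErrorDetails.Message)"
            if ($detail -notmatch 'Newer version' -or $attempt -eq $MaxAttempts) { throw }
            Write-Warning "Case $CaseId changed underneath us (etag mismatch), retrying ($attempt/$MaxAttempts)"
        }
    }
}

# Mass update: every open case whose title (the alert display name) matches gets the
# brute-force labels and is assigned to the analyst given by UPN.
$alertDisplayName = 'Failed SSH brute force attack'   # title from the sample output above
$ownerUpn         = 'analyst@contoso.com'             # placeholder, not from the post
$ownerObjectId    = Resolve-OwnerObjectId -UserPrincipalName $ownerUpn

Get-SentinelCases -WorkspaceId $workspaceId |
    Where-Object { $_.properties.title -eq $alertDisplayName -and $_.properties.status -ne 'Closed' } |
    ForEach-Object {
        $r = Update-SentinelCase -WorkspaceId $workspaceId -CaseId $_.name `
                                 -Labels @('brute-force', 'detection', 'asc') `
                                 -OwnerObjectId $ownerObjectId -OwnerEmail $ownerUpn
        '{0} (#{1}) -> owner {2}, labels {3}' -f $r.name, $r.properties.caseNumber,
            $r.properties.owner.objectId, ($r.properties.labels -join ',')
    }
```

The filter on title assumes, as the sample output suggests, that the case title equals the alert display name; if your rules set a custom incident title, filter on relatedAlertIds or on the rule name instead. Keeping the retry bounded matters: an unbounded loop against a case that another automation keeps rewriting would never finish.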

Modified incident title generated from ASC.


6 Responses to Update Azure Sentinel incident programmatically

  1. oliver85 says:

    Great article. Thank you very much. Do you have script to do mass update like you described?

  2. rogierg says:

    Hi, many thanks for this. I’ve attempted to extrapolate what you do in Python. However, when I perform the PUT changing the status I get: "message": "Newer version of resource '.....' exists. Data was not saved"

    Similar result by doing this manually with Postman.

    Any idea what could be wrong?

  3. Pingback: Extract all Azure Sentinel incidents