Get all comments in an Azure Sentinel incident programmatically

For any kind of report you may want to get all comments in an Azure Sentinel incident in order to archive them as a forensic or incident artifact before the case is closed. Even though comments in Azure Sentinel are not that helpful, they still play an important role.

In this article, let's explore a way to extract all comments in an Azure Sentinel incident. You will be working with both PowerShell and the Azure CLI (plus curl) to call the Azure Sentinel comment API.

The API used in this article is unofficial and still in preview. Use at your own risk.

TL;DR: You can skip this article and use the script from here to get all comments in an Azure Sentinel incident: https://github.com/azsec/azure-sentinel-tools/blob/master/scripts/Get-AzSentinelIncidentComments.ps1

Use Case

What is the use case for extracting all comments in an Azure Sentinel incident? There are a few. First, if you don't have an integration with a ticket management system or an IM (instant messaging) system, you are likely going to have to use the Comment feature in Azure Sentinel. This feature is not very capable and likely doesn't satisfy all your needs, but it is still useful and necessary when you don't have a better choice. A SecOps analyst would like to leave a comment before investigating a case, for example a first-look comment, or simply a note that this was their own testing and the incident should be marked as a False Positive.

You may need to archive everything stored in an Azure Sentinel incident as an artifact of the incident before it is closed. In this case, getting all comments from the Azure Sentinel incident is likely required.

Azure Sentinel Comment API

To use the Azure Sentinel comment API, you simply need to call the following URI with the GET method:

$uri = "https://management.azure.com" + $workspaceId `
                                      + "/providers/Microsoft.SecurityInsights/cases/" `
                                      + $IncidentId `
                                      + "/comments" `
                                      + "?api-version=2019-01-01-preview"

  • WorkspaceId is the resource ID of the Log Analytics workspace that Azure Sentinel connects to (the /subscriptions/.../workspaces/<name> path), which is why it is appended directly to the management endpoint.
  • IncidentId is the ID of the incident whose comments you want to get.

Below is a sample response from the Azure Sentinel comment API after conversion with ConvertTo-Json. Note that userInfo appears as a PowerShell hashtable string (@{objectId=...; email=; name=...}) rather than as nested JSON; that is what ConvertTo-Json produces at its default -Depth of 2, so pass a larger -Depth (for example -Depth 10) if you want objectId, email and name preserved as separate fields in the archived artifact.

[
    {
        "id":  "/subscriptions/67d6111d-a99d-4aad-8c16-4d3ff2e13349/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Cases/7f04b0e2-969f-4cf2-9360-4292888cc3d6/Comments/8bc3db9f-034b-40df-b2ab-f9b1ea1ea37b",
        "name":  "8bc3db9f-034b-40df-b2ab-f9b1ea1ea37b",
        "type":  "Microsoft.SecurityInsights/Cases/Comments",
        "properties":  {
                           "message":  "Hi Andy. \n\nI looked at the resource and quickly checked log. Yes you were right. The virtual machine has no restriction on port 22 and it was scanned. I\u0027m going to talk to Brian to add a rule and may shutdown the VM temporarily.",
                           "createdTimeUtc":  "2020-01-27T16:32:46.467213Z",
                           "userInfo":  "@{objectId=f84a055f-2958-4116-ttc7-7e49baac8cfa; email=; name=Linda Chung}"
                       }
    },
    {
        "id":  "/subscriptions/67d6111d-a99d-4aad-8c16-4d3ff2e13349/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Cases/7f04b0e2-969f-4cf2-9360-4292888cc3d6/Comments/f976b609-8e2e-4adf-bd6d-e79a9bcef77d",
        "name":  "f976b609-8e2e-4adf-bd6d-e79a9bcef77d",
        "type":  "Microsoft.SecurityInsights/Cases/Comments",
        "properties":  {
                           "message":  "Linda could you help look into this? This seems to be a true positive.",
                           "createdTimeUtc":  "2020-01-27T16:30:16.5526602Z",
                           "userInfo":  "@{objectId=b8c7b934-b11b-2256-a089-fb322add2d6c; email=; name=Andy Nguyen}"
                       }
    }
]
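As an added example (not code from the original post or from the azsec repository), here is a PowerShell version of the same call that follows a paged response and turns the comments into a chronological artifact for archiving. It assumes the Az.Accounts and Az.OperationalInsights modules are installed and Connect-AzAccount has been run; the function names, the assumption that the list is wrapped in "value"/"nextLink", and the output paths are my own.

```powershell
# Added example, not part of the original article. Assumes Az.Accounts and
# Az.OperationalInsights are installed and Connect-AzAccount has already been run.
function Get-AzSentinelIncidentCommentRaw {
    param(
        [Parameter(Mandatory)][string]$WorkspaceResourceId,   # /subscriptions/.../workspaces/<name>
        [Parameter(Mandatory)][string]$IncidentId             # incident (case) GUID
    )
    # Bearer token for Azure Resource Manager from the current Az context
    $token = (Get-AzAccessToken -ResourceUrl 'https://management.azure.com').Token
    # Newer Az.Accounts versions return the token as a SecureString; unwrap it
    if ($token -is [securestring]) { $token = [System.Net.NetworkCredential]::new('', $token).Password }
    $headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }
    $uri     = 'https://management.azure.com' + $WorkspaceResourceId +
               '/providers/Microsoft.SecurityInsights/cases/' + $IncidentId +
               '/comments?api-version=2019-01-01-preview'
    # Assumption: ARM list operations wrap results in "value" and page with "nextLink"
    $comments = @()
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        if ($page.value) { $comments += $page.value }
        $uri = $page.nextLink
    }
    return $comments
}

function ConvertTo-AzSentinelCommentArtifact {
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Comments)
    # The API returns newest first; an incident record is easier to read oldest first
    $Comments | Sort-Object { [datetime]$_.properties.createdTimeUtc } | ForEach-Object {
        [pscustomobject]@{
            CommentId      = $_.name
            CreatedTimeUtc = $_.properties.createdTimeUtc
            AuthorName     = $_.properties.userInfo.name
            AuthorObjectId = $_.properties.userInfo.objectId
            AuthorEmail    = $_.properties.userInfo.email
            Message        = $_.properties.message
        }
    }
}

# Usage: the workspace values match the article, the incident ID is a placeholder
$workspace  = Get-AzOperationalInsightsWorkspace -ResourceGroupName 'azsec-corporate-rg' `
                                                 -Name 'azsec-shared-workspace'
$incidentId = '<incident-guid>'
$raw        = Get-AzSentinelIncidentCommentRaw -WorkspaceResourceId $workspace.ResourceId -IncidentId $incidentId
$artifact   = ConvertTo-AzSentinelCommentArtifact -Comments $raw
$artifact | Export-Csv -Path ".\incident-$incidentId-comments.csv" -NoTypeInformation -Encoding UTF8
# Keep the raw response too; -Depth 10 preserves userInfo as nested JSON instead of "@{...}"
$raw | ConvertTo-Json -Depth 10 | Set-Content -Path ".\incident-$incidentId-comments.json" -Encoding UTF8
```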

For those who are not interested in touching PowerShell, here is a quick-and-dirty script that achieves a similar result with Bash and the Azure CLI:

#!/usr/bin/env bash
set -euo pipefail

# Bearer token for Azure Resource Manager from the current az login context
ACCESS_TOKEN=$(az account get-access-token --query 'accessToken' -o tsv)
AUTH_HEADER="Authorization: Bearer $ACCESS_TOKEN"
RM_ENDPOINT='https://management.azure.com'
CONTENT_TYPE="Content-Type: application/json"

SUBSCRIPTION_ID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
RG_NAME="azsec-corporate-rg"
WORKSPACE_NAME="azsec-shared-workspace"
INCIDENT_ID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"

# Resource ID of the workspace (/subscriptions/.../workspaces/<name>); it becomes the URI path
WORKSPACE_ID=$(az monitor log-analytics workspace show --resource-group "$RG_NAME" \
                                                       --workspace-name "$WORKSPACE_NAME" \
                                                       --subscription "$SUBSCRIPTION_ID" \
                                                       --query 'id' \
                                                       -o tsv)
echo "$WORKSPACE_ID"

# No slash between the endpoint and the resource ID: the ID already starts with /subscriptions
URI="$RM_ENDPOINT$WORKSPACE_ID/providers/Microsoft.SecurityInsights/cases/$INCIDENT_ID/comments?api-version=2019-01-01-preview"

curl -sS -X GET -H "$AUTH_HEADER" -H "$CONTENT_TYPE" "$URI"

You need the latest Azure CLI to use az monitor log-analytics workspace.
