Quick look at new Azure Sentinel Incident API

I got some questions from people who worked with the Microsoft product team about the new incident API they were introduced to. I took a glance at it and thought I would need to write something about it, and in particular wrote a new script to work with the new Azure Sentinel Incident API.

This article gives some notes on the new API, as well as a new script to extract all Azure Sentinel incidents. By the way, the API used in the earlier article (http://azsec.azurewebsites.net/2019/12/16/extract-all-azure-sentinel-incidents/) is still working.

The API covered in this article is an unofficial API and is still in preview. Use it at your own risk.

TL;DR: You can skip this article and use the script from here (https://github.com/azsec/azure-sentinel-tools/blob/master/scripts/Get-AzSentinelIncidentListV2.ps1).

The new incident API that Microsoft is developing has the following URI:

"https://management.azure.com" + $workspaceId + "/providers/Microsoft.SecurityInsights/incidents?api-version=2019-01-01-preview"
  • $workspaceId is the full resource Id of the Log Analytics workspace that Azure Sentinel connects to (the /subscriptions/.../workspaces/<name> path that also appears in the sample response below).

There are many changes in the data response from the new API compared with the old one (/cases?api-version=2019-01-01-preview).

This API accepts the GET method. Below is a sample of one element of the value array returned by Invoke-RestMethod against that URI, converted to JSON:

    {
        "id": "/subscriptions/xxxxxxxxxxx/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Incidents/143d1e24-430c-40b5-934e-d5662f7a621a",
        "name": "143d1e24-430c-40b5-934e-d5662f7a621a",
        "etag": "\"0800795f-0000-0100-0000-5e7285530000\"",
        "type": "Microsoft.SecurityInsights/Incidents",
        "properties": {
            "title": "Suspicious authentication activity",
            "description": "Although none of them succeeded, some of them used accounts were recognized by the host.\r\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\r\nThis indicates that some of your host account names might exist in a well-known account name dictionary.",
            "severity": "Medium",
            "status": "New",
            "owner": "@{objectId=f84a055f-2958-4186-bdc7-7e49bfec8cfa; email=linda@azsec.net; assignedTo=Linda Chung; userPrincipalName=}",
            "labels": "",
            "firstActivityTimeUtc": "2020-03-18T19:08:34.0353777Z",
            "lastActivityTimeUtc": "2020-03-18T19:08:34.0353777Z",
            "lastModifiedTimeUtc": "2020-03-18T20:32:19Z",
            "createdTimeUtc": "2020-03-18T20:32:19.0222938Z",
            "incidentNumber": 156,
            "additionalData": "@{alertsCount=1; bookmarksCount=0; commentsCount=0; alertProductNames=System.Object[]; tactics=System.Object[]}",
            "firstActivityTimeGenerated": "2020-03-18T20:32:06.5796289Z",
            "lastActivityTimeGenerated": "2020-03-18T20:32:06.5796289Z",
            "relatedAnalyticRuleIds": "/subscriptions/xxxxxxxxxxx/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/alertRules/c6923c04-12ab-4378-b66b-b86101b6a828",
            "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/xxxxxxxxxxx/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Incidents/143d1e24-430c-40b5-934e-d5662f7a621a"
        }
    }
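One thing to notice in the sample above: owner and additionalData appear as flattened "@{...}" strings rather than nested objects. That is not what the API returns; it is what ConvertTo-Json does to anything below its default -Depth of 2. The following is an added example (not the blog's own Get-AzSentinelIncidentListV2.ps1 script) that calls the new incidents URI, follows ARM-style paging, and turns each incident into a flat summary row. It assumes $WorkspaceResourceId is the full workspace resource Id described above and that $AccessToken is a bearer token for https://management.azure.com/ obtained elsewhere (for example with Get-AzAccessToken from Az.Accounts, which in recent versions returns the token as a SecureString); the paging via nextLink is an assumption based on how other ARM list operations behave, and the sample object at the end is constructed so the summary step can run offline.

```powershell
# Added example, not the blog's script. Assumes $WorkspaceResourceId is the full
# Log Analytics workspace resource Id (/subscriptions/.../workspaces/<name>) and
# $AccessToken is a plain-text bearer token for https://management.azure.com/.
function Get-SentinelIncidentV2 {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $WorkspaceResourceId,
        [Parameter(Mandatory)] [string] $AccessToken,
        [string] $ApiVersion = '2019-01-01-preview'
    )

    $headers = @{ Authorization = "Bearer $AccessToken" }
    $uri = "https://management.azure.com$WorkspaceResourceId/providers/Microsoft.SecurityInsights/incidents?api-version=$ApiVersion"

    # Assumption: like other ARM list operations, the response carries a nextLink
    # when more pages exist. Keep requesting until it is absent.
    while ($uri) {
        $response = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers -ErrorAction Stop
        foreach ($incident in $response.value) { $incident }
        $uri = $response.nextLink
    }
}

# Flatten one incident into the fields an analyst usually wants in a report.
function ConvertTo-IncidentSummary {
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject] $Incident)
    process {
        $p = $Incident.properties
        [pscustomobject]@{
            IncidentNumber = $p.incidentNumber
            Title          = $p.title
            Severity       = $p.severity
            Status         = $p.status
            AssignedTo     = $p.owner.assignedTo
            AlertsCount    = $p.additionalData.alertsCount
            Created        = $p.createdTimeUtc
            Url            = $p.incidentUrl
        }
    }
}

# Constructed sample mirroring the response shape above (owner and additionalData
# are nested objects here, as the API actually returns them), so this runs offline.
$sample = [pscustomobject]@{
    name       = '143d1e24-430c-40b5-934e-d5662f7a621a'
    properties = [pscustomobject]@{
        title          = 'Suspicious authentication activity'
        severity       = 'Medium'
        status         = 'New'
        owner          = [pscustomobject]@{ assignedTo = 'Linda Chung'; email = 'linda@azsec.net' }
        incidentNumber = 156
        additionalData = [pscustomobject]@{ alertsCount = 1; bookmarksCount = 0; commentsCount = 0 }
        createdTimeUtc = '2020-03-18T20:32:19.0222938Z'
    }
}
$sample | ConvertTo-IncidentSummary | Format-Table -AutoSize

# Live usage (needs a real token). -Depth 10 keeps owner and additionalData as
# nested JSON objects instead of the "@{...}" strings the default depth produces.
# Get-SentinelIncidentV2 -WorkspaceResourceId $WorkspaceResourceId -AccessToken $AccessToken |
#     ConvertTo-Json -Depth 10 | Set-Content -Path .\incidents.json
```

When you export the raw incidents to JSON for diffing against the old /cases response, always pass an explicit -Depth, otherwise the owner object (and with it the assignee) is lost in the output.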

You can test both APIs and compare which fields have changed and which have been deprecated.
