I got some questions from people who have worked with the Microsoft product team about the new incident API they were introduced to. I took a glance at it and thought I should write something about it, and in particular write a new script to work with the new Azure Sentinel Incident API.
This article gives some notes on the new API, as well as a new script to extract all Azure Sentinel incidents. By the way, the API used in the earlier article (http://azsec.azurewebsites.net/2019/12/16/extract-all-azure-sentinel-incidents/) still works.
The API used in this article is an unofficial API and is still in preview. Use it at your own risk.
TL;DR: You can skip this article and use the script from here (https://github.com/azsec/azure-sentinel-tools/blob/master/scripts/Get-AzSentinelIncidentListV2.ps1)
The new incident API that Microsoft is developing has the following URI (built here as a PowerShell string, the missing opening quote restored):

```powershell
$uri = "https://management.azure.com" + $workspaceId + "/providers/Microsoft.SecurityInsights/incidents?api-version=2019-01-01-preview"
```

- WorkspaceId is the resource Id of the Log Analytics workspace that Azure Sentinel connects to, i.e. the /subscriptions/.../resourceGroups/.../providers/Microsoft.OperationalInsights/workspaces/... path that also prefixes the incident Id in the sample response.
The data returned by the new API differs in many ways from the old one (/cases?api-version=2019-01-01-preview).
This API accepts the GET method. Below is a sample element of the value property returned by Invoke-RestMethod against that Uri, converted to JSON:
```json
{
  "id": "/subscriptions/xxxxxxxxxxx/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Incidents/143d1e24-430c-40b5-934e-d5662f7a621a",
  "name": "143d1e24-430c-40b5-934e-d5662f7a621a",
  "etag": "\"0800795f-0000-0100-0000-5e7285530000\"",
  "type": "Microsoft.SecurityInsights/Incidents",
  "properties": {
    "title": "Suspicious authentication activity",
    "description": "Although none of them succeeded, some of them used accounts were recognized by the host.\r\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a dictionary of predefined account names and passwords in order to find valid credentials to access the host.\r\nThis indicates that some of your host account names might exist in a well-known account name dictionary.",
    "severity": "Medium",
    "status": "New",
    "owner": "@{objectId=f84a055f-2958-4186-bdc7-7e49bfec8cfa; email=linda@azsec.net; assignedTo=Linda Chung; userPrincipalName=}",
    "labels": "",
    "firstActivityTimeUtc": "2020-03-18T19:08:34.0353777Z",
    "lastActivityTimeUtc": "2020-03-18T19:08:34.0353777Z",
    "lastModifiedTimeUtc": "2020-03-18T20:32:19Z",
    "createdTimeUtc": "2020-03-18T20:32:19.0222938Z",
    "incidentNumber": 156,
    "additionalData": "@{alertsCount=1; bookmarksCount=0; commentsCount=0; alertProductNames=System.Object[]; tactics=System.Object[]}",
    "firstActivityTimeGenerated": "2020-03-18T20:32:06.5796289Z",
    "lastActivityTimeGenerated": "2020-03-18T20:32:06.5796289Z",
    "relatedAnalyticRuleIds": "/subscriptions/xxxxxxxxxxx/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/alertRules/c6923c04-12ab-4378-b66b-b86101b6a828",
    "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/xxxxxxxxxxx/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Incidents/143d1e24-430c-40b5-934e-d5662f7a621a"
  }
}
```
You can test both APIs and compare what has changed and what is deprecated.
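The following script is an added example of how you might drive both endpoints from PowerShell and compare their payloads; it is not the blog's Get-AzSentinelIncidentListV2.ps1 script. It assumes the Az.Accounts module is installed, Connect-AzAccount has already been run, $WorkspaceId is the workspace resource Id path shown in the sample response, and that a paged response carries an ARM-style nextLink (an assumption; the loop simply stops if the property is absent).

```powershell
# Added example, not the blog's script. Requires Az.Accounts (Get-AzAccessToken) and an
# existing Connect-AzAccount session; on Az.Accounts 2.x-4.x .Token is a plain string.
param(
    [Parameter(Mandatory = $true)]
    [string]$WorkspaceId   # /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<name>
)

$apiVersion = "2019-01-01-preview"
$baseUri    = "https://management.azure.com" + $WorkspaceId + "/providers/Microsoft.SecurityInsights"

# Bearer token scoped to Azure Resource Manager; the API is read with a plain GET.
$token   = (Get-AzAccessToken -ResourceUrl "https://management.azure.com/").Token
$headers = @{ Authorization = "Bearer $token"; "Content-Type" = "application/json" }

function Get-AllPages {
    # Follows nextLink (assumed ARM paging) until the last page; returns every element of .value
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $response = Invoke-RestMethod -Uri $Uri -Method Get -Headers $headers -ErrorAction Stop
        $items   += $response.value
        $Uri      = $response.nextLink   # $null on the final page (or when the API does not page)
    }
    return $items
}

$incidents = Get-AllPages -Uri "$baseUri/incidents?api-version=$apiVersion"   # new API
$cases     = Get-AllPages -Uri "$baseUri/cases?api-version=$apiVersion"       # old API, still served

# Flatten the triage-relevant fields from the live objects (owner and additionalData are nested).
$incidents | ForEach-Object {
    [PSCustomObject]@{
        IncidentNumber = $_.properties.incidentNumber
        Title          = $_.properties.title
        Severity       = $_.properties.severity
        Status         = $_.properties.status
        Owner          = $_.properties.owner.assignedTo
        AlertsCount    = $_.properties.additionalData.alertsCount
        CreatedUtc     = $_.properties.createdTimeUtc
        Url            = $_.properties.incidentUrl
    }
} | Export-Csv -Path ".\sentinel-incidents.csv" -NoTypeInformation

# Which property names exist only in the old payload ("<=") or only in the new one ("=>")
$oldProps = ($cases     | Select-Object -First 1).properties.PSObject.Properties.Name
$newProps = ($incidents | Select-Object -First 1).properties.PSObject.Properties.Name
Compare-Object -ReferenceObject $oldProps -DifferenceObject $newProps
```

The `@{objectId=...}` and `System.Object[]` strings in the sample above are what ConvertTo-Json produces for nested objects beyond its default depth of 2; if you want to serialise owner or additionalData intact, pass `-Depth 10` to ConvertTo-Json. The script reads those nested fields directly from the deserialised objects instead, so no depth setting is needed for the CSV.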