Quick look at new Azure Sentinel Incident API

I got some questions from people who worked with Microsoft product team about the new incident API they were introduced. I took a glance at it and thought I would need to write something about it, especially wrote a new script to work with the new Azure Sentinel Incident API.

This article is going to give some notes, as well as a new script to extract all Azure Sentinel incidents. The API used in this article (http://azsec.azurewebsites.net/2019/12/16/extract-all-azure-sentinel-incidents/) is still working by the way.

TL;DR: You can skip this article and use this script to get all Azure Sentinel incidents.

The new incident that Microsoft is in progress of developing has the following URI:

$uri = "https://management.azure.com" + $workspaceId + "/providers/Microsoft.SecurityInsights/incidents/?api-version=2020-01-01"
  • WorkspaceId is the Id of the Log Analytics workspace that Azure Sentinel connects to.

There are many changes in data response from the new API compared with the old one (/cases?api-version=2019-01-01-preview).

This API accepts GET method. Below is the sample converted  response’s value  of the Invoke-RestMethod function against the Uri in format of JSON:

    "id": "/subscriptions/xxxxxxxxxxx/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Incidents/143d1e24-430c-40b5-93 4e-d5662f7a621a",
    "name": "143d1e24-430c-40b5-934e-d5662f7a621a",
    "etag": "\"0800795f-0000-0100-0000-5e7285530000\"",
    "type": "Microsoft.SecurityInsights/Incidents",
    "properties": {
        "title": "Suspicious authentication activity",
        "description": "Although none of them succeeded, some of them used accounts were recognized by the host.\r\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a d ictionary of predefined account names and passwords in order to find valid credentials to access the host.\r\nThis indicates that some of your host account names might exist in a well-known account name dictionary.",
        "severity": "Medium",
        "status": "New",
        "owner": "@{objectId=f84a055f-2958-4186-bdc7-7e49bfec8cfa; email=linda@azsec.net; assignedTo=Linda Chung; userPrincipalName=}",
        "labels": "",
        "firstActivityTimeUtc": "2020-03-18T19:08:34.0353777Z",
        "lastActivityTimeUtc": "2020-03-18T19:08:34.0353777Z",
        "lastModifiedTimeUtc": "2020-03-18T20:32:19Z",
        "createdTimeUtc": "2020-03-18T20:32:19.0222938Z",
        "incidentNumber": 156,
        "additionalData": "@{alertsCount=1; bookmarksCount=0; commentsCount=0; alertProductNames=System.Object[]; tactics=System.Object[]}",
        "firstActivityTimeGenerated": "2020-03-18T20:32:06.5796289Z",
        "lastActivityTimeGenerated": "2020-03-18T20:32:06.5796289Z",
        "relatedAnalyticRuleIds": "/subscriptions/xxxxxxxxxxx/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityI nsights/alertRules/c6923c04-12ab-4378-b66b-b86101b6a828",
        "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/xxxxxxxxxxx/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/ workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Incidents/143d1e24-430c-40b5-934e-d5662f7a621a"

You can test both APIs and compare what are changed and what are deprecated.

This entry was posted in Security Automation and tagged , . Bookmark the permalink.

9 Responses to Quick look at new Azure Sentinel Incident API

  1. Pingback: Extract all Azure Sentinel incidents

  2. Anurag Srivastava says:


    I have tried using the script in my environment, however I have found out that the count of incidents exported via script doesn’t match with that present in Azure Sentinel.

    To be specific, if I run the report today (say: 28th May), I will not be getting the most recent data i.e. I will get the incident count till 26th May. Data for 27th and 28th May will not be present in the extracted report.

  3. Pingback: Transform Azure Sentinel incident to Log Analytics Workspace with Logic App

  4. Pingback: Azure Incident Relation API

  5. Pingback: Get Alert Relation from an Incident using Azure Sentinel Incident Relation API

  6. Pingback: Extending Azure Sentinel: APIs, Integration and management automation – Azure Sentinel News

  7. Mark says:

    Fantastic script, thanks!
    Wondering if we can pull data from “last x” (week/month/year) instead of all time?

Leave a Reply

Your email address will not be published.