Quick look at new Azure Sentinel Incident API

I got some questions from people who worked with Microsoft product team about the new incident API they were introduced. I took a glance at it and thought I would need to write something about it, especially wrote a new script to work with the new Azure Sentinel Incident API.

This article is going to give some notes, as well as a new script to extract all Azure Sentinel incidents. The API used in this article (http://azsec.azurewebsites.net/2019/12/16/extract-all-azure-sentinel-incidents/) is still working by the way.

The API used in this article is unofficial API and is still in preview. Use at your own risk.

TL;DR: You can skip this article and use the script from here (https://github.com/azsec/azure-sentinel-tools/blob/master/scripts/Get-AzSentinelIncidentListV2.ps1)

The new incident that Microsoft is in progress of developing has the following URI:

https://management.azure.com" + $workspaceId + "/providers/Microsoft.SecurityInsights/incidents?api-version=2019-01-01-preview"
  • WorkspaceId is the Id of the Log Analytics workspace that Azure Sentinel connects to.

There are many changes in data response from the new API compared with the old one (/cases?api-version=2019-01-01-preview).

This API accepts GET method. Below is the sample converted  response’s value  of the Invoke-RestMethod function against the Uri in format of JSON:

        "id":  "/subscriptions/xxxxxxxxxxx/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Incidents/143d1e24-430c-40b5-93
        "name": "143d1e24-430c-40b5-934e-d5662f7a621a",
        "etag": "\"0800795f-0000-0100-0000-5e7285530000\"",
        "type": "Microsoft.SecurityInsights/Incidents",
        "properties": {
            "title": "Suspicious authentication activity",
            "description":  "Although none of them succeeded, some of them used accounts were recognized by the host.\r\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a d
ictionary of predefined account names and passwords in order to find valid credentials to access the host.\r\nThis indicates that some of your host account names might exist in a well-known account name dictionary.",
                           "severity": "Medium",

            "status": "New",
            "owner": "@{objectId=f84a055f-2958-4186-bdc7-7e49bfec8cfa; email=linda@azsec.net; assignedTo=Linda Chung; userPrincipalName=}",
            "labels": "",
            "firstActivityTimeUtc": "2020-03-18T19:08:34.0353777Z",
            "lastActivityTimeUtc": "2020-03-18T19:08:34.0353777Z",
            "lastModifiedTimeUtc": "2020-03-18T20:32:19Z",
            "createdTimeUtc": "2020-03-18T20:32:19.0222938Z",
            "incidentNumber": 156,
            "additionalData": "@{alertsCount=1; bookmarksCount=0; commentsCount=0; alertProductNames=System.Object[]; tactics=System.Object[]}",
            "firstActivityTimeGenerated": "2020-03-18T20:32:06.5796289Z",
            "lastActivityTimeGenerated": "2020-03-18T20:32:06.5796289Z",
            "relatedAnalyticRuleIds":  "/subscriptions/xxxxxxxxxxx/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityI
            "incidentUrl":  "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/xxxxxxxxxxx/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/

You can test both APIs and compare what are changed and what are deprecated.

This entry was posted in Security Automation and tagged , . Bookmark the permalink.

8 Responses to Quick look at new Azure Sentinel Incident API

  1. Pingback: Extract all Azure Sentinel incidents

  2. Anurag Srivastava says:


    I have tried using the script in my environment, however I have found out that the count of incidents exported via script doesn’t match with that present in Azure Sentinel.

    To be specific, if I run the report today (say: 28th May), I will not be getting the most recent data i.e. I will get the incident count till 26th May. Data for 27th and 28th May will not be present in the extracted report.

  3. Pingback: Transform Azure Sentinel incident to Log Analytics Workspace with Logic App

  4. Pingback: Azure Incident Relation API

  5. Pingback: Get Alert Relation from an Incident using Azure Sentinel Incident Relation API

  6. Pingback: Extending Azure Sentinel: APIs, Integration and management automation – Azure Sentinel News

Leave a Reply

Your email address will not be published. Required fields are marked *