I got some questions from people who worked with Microsoft product team about the new incident API they were introduced. I took a glance at it and thought I would need to write something about it, especially wrote a new script to work with the new Azure Sentinel Incident API.
This article is going to give some notes, as well as a new script to extract all Azure Sentinel incidents. The API used in this article (http://azsec.azurewebsites.net/2019/12/16/extract-all-azure-sentinel-incidents/) is still working by the way.
The API used in this article is unofficial API and is still in preview. Use at your own risk.
TL;DR: You can skip this article and use the script from here (https://github.com/azsec/azure-sentinel-tools/blob/master/scripts/Get-AzSentinelIncidentListV2.ps1)
The new incident that Microsoft is in progress of developing has the following URI:
https://management.azure.com" + $workspaceId + "/providers/Microsoft.SecurityInsights/incidents?api-version=2019-01-01-preview"
- WorkspaceId is the Id of the Log Analytics workspace that Azure Sentinel connects to.
There are many changes in data response from the new API compared with the old one (/cases?api-version=2019-01-01-preview).
This API accepts GET method. Below is the sample converted response’s value of the Invoke-RestMethod function against the Uri in format of JSON:
{
"id": "/subscriptions/xxxxxxxxxxx/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Incidents/143d1e24-430c-40b5-93
4e-d5662f7a621a",
"name": "143d1e24-430c-40b5-934e-d5662f7a621a",
"etag": "\"0800795f-0000-0100-0000-5e7285530000\"",
"type": "Microsoft.SecurityInsights/Incidents",
"properties": {
"title": "Suspicious authentication activity",
"description": "Although none of them succeeded, some of them used accounts were recognized by the host.\r\nThis resembles a dictionary attack, in which an attacker performs numerous authentication attempts using a d
ictionary of predefined account names and passwords in order to find valid credentials to access the host.\r\nThis indicates that some of your host account names might exist in a well-known account name dictionary.",
"severity": "Medium",
"status": "New",
"owner": "@{objectId=f84a055f-2958-4186-bdc7-7e49bfec8cfa; email=linda@azsec.net; assignedTo=Linda Chung; userPrincipalName=}",
"labels": "",
"firstActivityTimeUtc": "2020-03-18T19:08:34.0353777Z",
"lastActivityTimeUtc": "2020-03-18T19:08:34.0353777Z",
"lastModifiedTimeUtc": "2020-03-18T20:32:19Z",
"createdTimeUtc": "2020-03-18T20:32:19.0222938Z",
"incidentNumber": 156,
"additionalData": "@{alertsCount=1; bookmarksCount=0; commentsCount=0; alertProductNames=System.Object[]; tactics=System.Object[]}",
"firstActivityTimeGenerated": "2020-03-18T20:32:06.5796289Z",
"lastActivityTimeGenerated": "2020-03-18T20:32:06.5796289Z",
"relatedAnalyticRuleIds": "/subscriptions/xxxxxxxxxxx/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityI
nsights/alertRules/c6923c04-12ab-4378-b66b-b86101b6a828",
"incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/xxxxxxxxxxx/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/
workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Incidents/143d1e24-430c-40b5-934e-d5662f7a621a"
}
}
You can test both APIs and compare what are changed and what are deprecated.
Pingback: Extract all Azure Sentinel incidents