Get Alert Relation from an Incident using Azure Sentinel Incident Relation API

I have had a few questions recently asking whether we can get the associated alert for an incident. The idea is to know which alert caused an incident so that the SecOps team can investigate the issue more effectively.

In this article, let’s explore the Azure Sentinel Incident Relation API, which can help you find the alert associated with your incident.

Problem

The current response when you call the Azure Sentinel Incident API doesn’t provide any associated alert ID. Below is a sample response from the Incident API:

{
    "id": "/subscriptions/XXXXX-XXXXX-XXXXX/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Incidents/eafc996f-45bd-4ac4-9262-a95282a74962",
    "name": "eafc996f-45bd-4ac4-9262-a95282a74962",
    "etag": "\"4900a706-0000-0100-0000-5f0bb77a0000\"",
    "type": "Microsoft.SecurityInsights/Incidents",
    "properties": {
        "title": "PREVIEW - Website is tagged as malicious in threat intelligence feed",
        "description": "Your website as described below is marked as a malicious site by Windows SmartScreen. Contact Windows SmartScreen via the link provided in the remediation steps below.",
        "severity": "Medium",
        "status": "New",
        "relatedAnalyticRuleIds": [
            "/subscriptions/XXXXX-XXXXX-XXXXX/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/alertRules/c6923c04-12ab-4378-b66b-b86101b6a828"
        ],
        "owner": {
            "objectId": null,
            "email": null,
            "assignedTo": null,
            "userPrincipalName": null
        },
        "labels": [],
        "firstActivityTimeUtc": "2020-07-13T01:23:00.0811259Z",
        "lastActivityTimeUtc": "2020-07-13T01:23:00.0811259Z",
        "lastModifiedTimeUtc": "2020-07-13T01:23:06.8899797Z",
        "createdTimeUtc": "2020-07-13T01:23:06.8780987Z",
        "incidentNumber": 566,
        "additionalData": {
            "alertsCount": 1,
            "bookmarksCount": 0,
            "commentsCount": 0,
            "alertProductNames": [
                "Azure Security Center"
            ],
            "tactics": []
        },
        "firstActivityTimeGenerated": "2020-07-13T01:23:00.0811259Z",
        "lastActivityTimeGenerated": "2020-07-13T01:23:00.0811259Z",
        "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/XXXXX-XXXXX-XXXXX/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Incidents/eafc996f-45bd-4ac4-9262-a95282a74962"
    }
}

Use Case

A common use case is a SOAR system in which you feed data to a ticketing system, and that data should describe the incident well enough, especially the associated alert that caused it. Specifically, in an Azure environment where the Azure Security Center connector is enabled in Azure Sentinel, you want to grab the alert ID so you can use it to query the SecurityAlert table as you normally would from the Azure Sentinel Investigation portal.

Incident Relation API

To get the associated alert ID you can use the following API:

"https://management.azure.com" + $workspaceId + "/providers/Microsoft.SecurityInsights/incidents/" + $incidentId + "/relations?api-version=2020-01-01"
  • WorkspaceId is the full resource ID of the Log Analytics workspace that Azure Sentinel connects to (the /subscriptions/…/workspaces/<name> path, as seen in the sample response above).
  • IncidentId is the unique ID of the incident (the "name" field in the Incident API response). Refer to this article to learn about the Incident API.

This API accepts the GET method. Below is a sample item from the response’s value array, as returned by Invoke-RestMethod against that Uri and converted to JSON:

{
    "id": "/subscriptions/67d6179d-a99d-4aad-8c11-4d3ff2e12249/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Incidents/52668a53-85df-4bc2-90fe-c94ed40adc69/relations/52668a53-85af-4cc1-00fe-c94ed40adc69_63ad2c2a-555f-6714-e989-328faa684c1d",
    "name": "52668a53-85af-4cc1-00fe-c94ed40adc69_63ad2c2a-555f-6714-e989-328faa684c1d",
    "type": "Microsoft.SecurityInsights/Incidents/relations",
    "properties": {
        "relatedResourceId": "/subscriptions/67d6179d-a99d-4aad-8c11-4d3ff2e12249/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/entities/63ad2c2a-555f-6714-e989-328faa684c1d",
        "relatedResourceName": "63ad2c2a-555f-6714-e989-328faa684c1d",
        "relatedResourceType": "Microsoft.SecurityInsights/entities",
        "relatedResourceKind": "SecurityAlert"
    }
}

relatedResourceName is the alert ID you need, provided relatedResourceKind is SecurityAlert.

The API is available in both API version 2019-01-01-preview and 2020-01-01.
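The following PowerShell function is an added example, not code from the original post: it calls the Incident Relation API described above, follows paging if the service returns a nextLink (an assumption about ARM list responses), and returns only the relatedResourceName of relations whose relatedResourceKind is SecurityAlert. It assumes the Az.Accounts module is installed and Connect-AzAccount has already been run; $workspaceId and $incidentId are as defined above.

```powershell
# Added example (not from the original post): list the relations of one
# Azure Sentinel incident and return the IDs of the related SecurityAlert
# entities. Assumes Az.Accounts is installed and Connect-AzAccount was run.
function Get-SentinelIncidentAlertIds {
    param(
        [Parameter(Mandatory)] [string] $WorkspaceId,   # /subscriptions/.../workspaces/<name>
        [Parameter(Mandatory)] [string] $IncidentId,    # incident GUID (the "name" field)
        [string] $ApiVersion = '2020-01-01'             # 2019-01-01-preview also works
    )

    # Bearer token for Azure Resource Manager (assumption: Az.Accounts 2.x Get-AzAccessToken)
    $token   = (Get-AzAccessToken -ResourceUrl 'https://management.azure.com').Token
    $headers = @{ Authorization = "Bearer $token" }

    $uri = "https://management.azure.com$WorkspaceId/providers/Microsoft.SecurityInsights/incidents/$IncidentId/relations?api-version=$ApiVersion"

    $alertIds = @()
    while ($uri) {
        $response = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        foreach ($relation in $response.value) {
            # Keep only alert relations; other relatedResourceKind values are skipped.
            if ($relation.properties.relatedResourceKind -eq 'SecurityAlert') {
                $alertIds += $relation.properties.relatedResourceName
            }
        }
        # Follow paging if present (assumption: standard ARM nextLink; null ends the loop)
        $uri = $response.nextLink
    }
    return $alertIds
}

# Usage: each returned ID is the alert you can look up in the SecurityAlert table,
# e.g. SecurityAlert | where SystemAlertId == "<id>"
$alertIds = Get-SentinelIncidentAlertIds -WorkspaceId $workspaceId -IncidentId $incidentId
$alertIds
```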


2 Responses to Get Alert Relation from an Incident using Azure Sentinel Incident Relation API

  1. Rui G. says:

    Hello, great job for this article.

    I have a different problem but in a similar aspect. What happens is that I have the “AlertIds” and from there I get to the Incident Number from the Security Incident table. The problem now is that this Incident has no info related to the problem I am investigating; the real info is in the Security Alert table, but for some reason I cannot find a relation between the Security Alert table ticket and the corresponding Security Incident ticket.

    I know this is kind of confusing, but when you have analyzed multiple events in Sentinel that need to be handled in bulk in a Service Desk where you only have “AlertIds” as info, it is a real pain.

    The only thing I was close to getting, but which didn’t work, was that the field “Incident Name” from the Security Incident table would have the same value as “SystemAlertId” from the Security Alert table.

    If you have a solution for this, please let me know, I need it bad.
    Thanks

    • azsec says:

      Hi Rui,

      Could you share more about the data source if possible? The problem might come from a data source when sending data to Azure Sentinel workspace.
