Get Alert Relation from an Incident using Azure Sentinel Incident Relation API

I have received a few questions recently asking whether we can get the associated alert for an incident. The idea is to know which alert caused an incident so the SecOps team can investigate the issue more effectively.

In this article, let's explore the Azure Sentinel Incident Relation API, which can help you find the alert associated with your incident.

Problem

The current response from the Azure Sentinel Incident API doesn't include any associated alert ID. Below is a sample response from the Incident API:

{
    "id": "/subscriptions/XXXXX-XXXXX-XXXXX/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Incidents/eafc996f-45bd-4ac4-9262-a95282a74962",
    "name": "eafc996f-45bd-4ac4-9262-a95282a74962",
    "etag": "\"4900a706-0000-0100-0000-5f0bb77a0000\"",
    "type": "Microsoft.SecurityInsights/Incidents",
    "properties": {
        "title": "PREVIEW - Website is tagged as malicious in threat intelligence feed",
        "description": "Your website as described below is marked as a malicious site by Windows SmartScreen. Contact Windows SmartScreen via the link provided in the remediation steps below.",
        "severity": "Medium",
        "status": "New",
        "relatedAnalyticRuleIds": [
            "/subscriptions/XXXXX-XXXXX-XXXXX/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/alertRules/c6923c04-12ab-4378-b66b-b86101b6a828"
        ],
        "owner": {
            "objectId": null,
            "email": null,
            "assignedTo": null,
            "userPrincipalName": null
        },
        "labels": [],
        "firstActivityTimeUtc": "2020-07-13T01:23:00.0811259Z",
        "lastActivityTimeUtc": "2020-07-13T01:23:00.0811259Z",
        "lastModifiedTimeUtc": "2020-07-13T01:23:06.8899797Z",
        "createdTimeUtc": "2020-07-13T01:23:06.8780987Z",
        "incidentNumber": 566,
        "additionalData": {
            "alertsCount": 1,
            "bookmarksCount": 0,
            "commentsCount": 0,
            "alertProductNames": [
                "Azure Security Center"
            ],
            "tactics": []
        },
        "firstActivityTimeGenerated": "2020-07-13T01:23:00.0811259Z",
        "lastActivityTimeGenerated": "2020-07-13T01:23:00.0811259Z",
        "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/XXXXX-XXXXX-XXXXX/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Incidents/eafc996f-45bd-4ac4-9262-a95282a74962"
    }
}

Use Case

A common use case is a SOAR system in which you want to feed a ticketing system with enough information about an incident, especially the associated alert that caused it. In an Azure environment where the Azure Security Center connector is enabled in Azure Sentinel, you would like to grab the alert ID so you can use it to query the SecurityAlert table, just as you normally do from the Azure Sentinel Investigation portal.

Incident Relation API

To get the associated alert ID you can use the following API (shown here as the PowerShell URI string):

$uri = "https://management.azure.com" + $workspaceId + "/providers/Microsoft.SecurityInsights/incidents/" + $incidentId + "/relations?api-version=2020-01-01"
  • $workspaceId is the full resource ID of the Log Analytics workspace that Azure Sentinel connects to, i.e. the /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName} path that appears at the start of the id field above.
  • $incidentId is the unique ID of the incident (the name field of the incident resource). Refer to this article to learn about the Incident API.

This API accepts the GET method. Below is a sample entry from the value array of the response, as returned by Invoke-RestMethod against that URI and converted to JSON:

{
    "id": "/subscriptions/67d6179d-a99d-4aad-8c11-4d3ff2e12249/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/Incidents/52668a53-85df-4bc2-90fe-c94ed40adc69/relations/52668a53-85af-4cc1-00fe-c94ed40adc69_63ad2c2a-555f-6714-e989-328faa684c1d",
    "name": "52668a53-85af-4cc1-00fe-c94ed40adc69_63ad2c2a-555f-6714-e989-328faa684c1d",
    "type": "Microsoft.SecurityInsights/Incidents/relations",
    "properties": {
        "relatedResourceId": "/subscriptions/67d6179d-a99d-4aad-8c11-4d3ff2e12249/resourceGroups/azsec-corporate-rg/providers/Microsoft.OperationalInsights/workspaces/azsec-shared-workspace/providers/Microsoft.SecurityInsights/entities/63ad2c2a-555f-6714-e989-328faa684c1d",
        "relatedResourceName": "63ad2c2a-555f-6714-e989-328faa684c1d",
        "relatedResourceType": "Microsoft.SecurityInsights/entities",
        "relatedResourceKind": "SecurityAlert"
    }
}

relatedResourceName is the alert ID you need. Check relatedResourceKind as well: an incident can carry more than one relation, and only entries whose relatedResourceKind is SecurityAlert are alerts.

The API is available in both API version 2019-01-01-preview and 2020-01-01.
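The following is an added example, not code from the original post: it builds the relations URI from the workspace resource ID and incident ID, walks the paged relations list, and keeps only the SecurityAlert relations so the alert IDs can be handed to a ticketing system or used in a SecurityAlert query. Assumptions not stated on the page: the bearer token is obtained elsewhere (for example from the Azure CLI or a managed identity), the list response follows the standard Azure value/nextLink shape, the kind string for bookmark relations is Bookmark, and the SecurityAlert column matching relatedResourceName is SystemAlertId. The sample relations in SAMPLE_RELATIONS are constructed for the example.

```python
"""Added example (not from the original post): resolve the alert IDs behind
an Azure Sentinel incident via the Incident Relation API."""
import json
import urllib.request
import uuid
from typing import Iterator

API_VERSION = "2020-01-01"
MANAGEMENT_ENDPOINT = "https://management.azure.com"

# Constructed sample: one alert relation plus one bookmark relation, so the
# filter below has something to discard. Shape follows the page's sample.
SAMPLE_RELATIONS = [
    {
        "name": "52668a53-85af-4cc1-00fe-c94ed40adc69_63ad2c2a-555f-6714-e989-328faa684c1d",
        "type": "Microsoft.SecurityInsights/Incidents/relations",
        "properties": {
            "relatedResourceName": "63ad2c2a-555f-6714-e989-328faa684c1d",
            "relatedResourceType": "Microsoft.SecurityInsights/entities",
            "relatedResourceKind": "SecurityAlert",
        },
    },
    {
        "name": "52668a53-85af-4cc1-00fe-c94ed40adc69_11111111-2222-3333-4444-555555555555",
        "type": "Microsoft.SecurityInsights/Incidents/relations",
        "properties": {
            "relatedResourceName": "11111111-2222-3333-4444-555555555555",
            "relatedResourceType": "Microsoft.SecurityInsights/bookmarks",
            "relatedResourceKind": "Bookmark",  # assumed kind string for bookmarks
        },
    },
]


def build_relations_uri(workspace_id: str, incident_id: str) -> str:
    """Build the Incident Relations list URI for one incident.

    workspace_id must be the workspace's ARM resource ID path, because the
    URI is formed by concatenation exactly as in the post's PowerShell string.
    """
    if not workspace_id.startswith("/subscriptions/"):
        raise ValueError("workspace_id must be the full workspace resource ID path")
    uuid.UUID(incident_id)  # incident IDs are GUIDs; reject anything else
    return (
        f"{MANAGEMENT_ENDPOINT}{workspace_id}"
        f"/providers/Microsoft.SecurityInsights/incidents/{incident_id}"
        f"/relations?api-version={API_VERSION}"
    )


def extract_alert_ids(relations: list[dict]) -> list[str]:
    """Return relatedResourceName for relations whose kind is SecurityAlert.

    Bookmarks and other relation kinds are dropped, so the result is exactly
    the list of alert IDs that contributed to the incident.
    """
    return [
        rel["properties"]["relatedResourceName"]
        for rel in relations
        if rel.get("properties", {}).get("relatedResourceKind") == "SecurityAlert"
    ]


def fetch_relations(uri: str, bearer_token: str) -> Iterator[dict]:
    """GET every page of the relations list, following nextLink (assumed
    standard Azure list paging) until it is absent."""
    while uri:
        request = urllib.request.Request(
            uri, headers={"Authorization": f"Bearer {bearer_token}"}
        )
        with urllib.request.urlopen(request) as response:
            body = json.load(response)
        yield from body.get("value", [])
        uri = body.get("nextLink")


def alert_lookup_query(alert_id: str) -> str:
    """KQL to pull the alert row from the SecurityAlert table.

    Assumes SystemAlertId holds the relation's relatedResourceName. The GUID
    check keeps untrusted text from being spliced into the query string.
    """
    uuid.UUID(alert_id)
    return f'SecurityAlert | where SystemAlertId == "{alert_id}"'


if __name__ == "__main__":
    # Offline walk-through on the constructed sample (no API call made).
    for alert_id in extract_alert_ids(SAMPLE_RELATIONS):
        print(alert_id, "->", alert_lookup_query(alert_id))
```

To run it against a live workspace, pass the output of build_relations_uri and a bearer token for https://management.azure.com to fetch_relations, then feed the collected relations to extract_alert_ids.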
