This code snippet retrieves a set period of Incidents from Microsoft Sentinel.
It's useful for trying to automate enrichment activities related to that particular alert / incident.
<#
Function: Get-SentinelIncidents
Purpose: To write data (JSON format) to a Log Analytics Workspace.
Parameters: -WorkspaceId = Log Analytics Workspace GUID
-sharedKey = Log Analytics shared key (either primary or secondary)
-Header = A hashtable (header) with valid authentication for Graph
-logType = The name of the Log within a workspace to write to.
-DaystoRetrieve = Number of days of alerts to retrieve (future use - not functional)
-SentinelSubscriptionID = The Subscription ID of the Sentinel Service
-SentinelResourcegroupName = The Resource Group containing Sentinel
-Sentinelworkspacename = The Sentinel Workspace name
Example:
Get-SentinelIncidents `
-WorkspaceId "aaaaaaaa-1111-2222-3333-555555555555" `
-sharedKey $SharedKey `
-LogType "SentinelIncidents" `
-Header $header (hashtable) `
-SentinelSubscriptionID "aaaaaaaa-1111-2222-3333-555555555555" `
-SentinelResourcegroupName "azureautomation" `
-Sentinelworkspacename "security-workspace-vms" `
-DaystoRetrieve 60
#>
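function Get-SentinelIncidents {
    <#
    .SYNOPSIS
    Retrieves Microsoft Sentinel incidents created within the last -DaystoRetrieve days.

    .DESCRIPTION
    Calls the Azure Resource Manager SecurityInsights "Incidents" list endpoint for the given
    subscription / resource group / workspace, follows nextLink pagination until every page has
    been read, and returns one [azSentinelIncidentCsv] object per incident.

    The write-back to Log Analytics (Write-LogAnalyticsData) that this function originally
    contained is disabled; -WorkspaceId, -SharedKey and -LogType are still accepted so existing
    callers keep working, but they are not used by this function.

    .PARAMETER WorkspaceId
    Log Analytics workspace GUID (accepted for compatibility; unused).

    .PARAMETER SharedKey
    Log Analytics shared key (accepted for compatibility; unused). This is a secret: keep it out
    of transcripts, -Verbose output and script tracing.

    .PARAMETER LogType
    Custom log name (accepted for compatibility; unused). Default "SentinelIncidents".

    .PARAMETER Header
    Hashtable of HTTP headers carrying a valid Azure Resource Manager bearer token
    (e.g. @{ Authorization = "Bearer <token>" }).

    .PARAMETER SentinelSubscriptionID
    Subscription ID hosting the Sentinel workspace.

    .PARAMETER SentinelResourcegroupName
    Resource group containing the Sentinel workspace.

    .PARAMETER Sentinelworkspacename
    Name of the Log Analytics workspace that Sentinel is enabled on.

    .PARAMETER DaystoRetrieve
    Number of days back from now to include (filter: CreatedTimeUTC gt now - N days).
    Defaults to 0, which returns no incidents; pass a positive value.

    .PARAMETER TimeoutSec
    Per-request timeout passed to Invoke-WebRequest. 0 (the default, kept for compatibility)
    means no timeout; set a bound in unattended automation.

    .OUTPUTS
    azSentinelIncidentCsv. Nothing is emitted when no incident matches (a verbose message is
    written instead of a status string so the output stream stays clean for callers).

    .NOTES
    HTTP 4xx/5xx responses surface as terminating errors from Invoke-WebRequest; callers
    should wrap the call in try/catch if they need to continue.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)] [string] $WorkspaceId,
        [Parameter(Mandatory = $true)] [string] $SharedKey,
        [Parameter(Mandatory = $false)] [string] $LogType = "SentinelIncidents",
        [Parameter(Mandatory = $true)] [Hashtable] $Header,
        [Parameter(Mandatory = $true)] [string] $SentinelSubscriptionID,
        [Parameter(Mandatory = $true)] [string] $SentinelResourcegroupName,
        [Parameter(Mandatory = $true)] [string] $Sentinelworkspacename,
        [Parameter(Mandatory = $false)] [ValidateRange(0, [int]::MaxValue)] [int] $DaystoRetrieve,
        [Parameter(Mandatory = $false)] [ValidateRange(0, [int]::MaxValue)] [int] $TimeoutSec = 0
    )

    # Flattened, CSV-friendly projection of one Sentinel incident.
    # Property names (including "IncidentTile") are kept as-is because callers bind to them.
    class azSentinelIncidentCsv {
        [Object]$IncidentUniqueId
        [Object]$IncidentTile
        [Object]$IncidentNumber
        [Object]$incidentUrl
        [Object]$Severity
        [Object]$Status
        [Object]$Label
        [Object]$CloseReason
        [Object]$EndTimeUTC
        [Object]$StartTimeUTC
        [Object]$Owner
        [Object]$OwnerEmail
        [Object]$LastUpdatedTimeUTC
        [Object]$CreatedTimeUTC
        [Object]$RelatedAlertIds
        [Object]$AlertProductName
        [Object]$TotalComments
        [Object]$FirstAlertTimeGenerated
        [Object]$LastAlertTimeGenerated
    }

    # Lower bound of the CreatedTimeUTC filter, as a round-trip ("o") UTC timestamp.
    $since = Get-Date -Date (Get-Date).AddDays(-$DaystoRetrieve).ToUniversalTime() -Format o
    $filter = "properties/CreatedTimeUTC gt $since"

    # Every caller-supplied segment is URL-encoded so names containing reserved characters
    # cannot alter the request path or query. The single-quoted template keeps "$filter"
    # literal (it is the OData query parameter name, not a PowerShell variable here).
    $uriParts = @(
        [uri]::EscapeDataString($SentinelSubscriptionID),
        [uri]::EscapeDataString($SentinelResourcegroupName),
        [uri]::EscapeDataString($Sentinelworkspacename),
        [uri]::EscapeDataString($filter)
    )
    $uri = 'https://management.azure.com/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.OperationalInsights/workspaces/{2}/providers/Microsoft.SecurityInsights/Incidents?api-version=2021-09-01-preview&$filter={3}' -f $uriParts

    # List is used instead of "+=" on an array so large workspaces do not go quadratic.
    $incidents = [System.Collections.Generic.List[object]]::new()

    # ARM list operations page their results; keep requesting until nextLink is absent.
    $pageUri = $uri
    do {
        $response = Invoke-WebRequest -Uri $pageUri -Method GET -Headers $Header `
            -TimeoutSec $TimeoutSec -UseBasicParsing -ErrorAction Stop
        $page = $response.Content | ConvertFrom-Json

        foreach ($incidentobj in $page.value) {
            $icdObj = [azSentinelIncidentCsv]::new()
            # The incident GUID is the last segment of the ARM resource id; using [-1]
            # rather than a hard-coded index survives changes elsewhere in the path.
            $icdObj.IncidentUniqueId = $incidentobj.id.Split('/')[-1]
            $icdObj.IncidentTile = $incidentobj.properties.title
            $icdObj.IncidentNumber = $incidentobj.properties.caseNumber
            $icdObj.incidentUrl = $incidentobj.properties.incidentUrl
            $icdObj.Severity = $incidentobj.properties.severity
            $icdObj.Status = $incidentobj.properties.status
            $icdObj.Label = $incidentobj.properties.label
            $icdObj.CloseReason = $incidentobj.properties.closeReason
            $icdObj.EndTimeUTC = $incidentobj.properties.endTimeUtc
            $icdObj.StartTimeUTC = $incidentobj.properties.startTimeUtc
            $icdObj.Owner = $incidentobj.properties.owner.name
            $icdObj.OwnerEmail = $incidentobj.properties.owner.email
            $icdObj.LastUpdatedTimeUTC = $incidentobj.properties.lastUpdatedTimeUtc
            $icdObj.CreatedTimeUTC = $incidentobj.properties.createdTimeUtc
            # Multi-valued fields are flattened to text, as in the original projection.
            $icdObj.RelatedAlertIds = $incidentobj.properties.relatedAlertIds | Out-String
            $icdObj.AlertProductName = $incidentobj.properties.relatedAlertProductNames | Out-String
            $icdObj.TotalComments = $incidentobj.properties.TotalComments
            $icdObj.FirstAlertTimeGenerated = $incidentobj.properties.firstAlertTimeGenerated
            $icdObj.LastAlertTimeGenerated = $incidentobj.properties.lastAlertTimeGenerated
            $incidents.Add($icdObj)
        }

        $pageUri = $page.nextLink
    } while (-not [string]::IsNullOrEmpty($pageUri))

    <#
    # Write-back to Log Analytics, intentionally disabled (retained for reference):
    $data = ConvertTo-Json -Depth 10 -InputObject $incidents.ToArray()
    Write-LogAnalyticsData -WorkspaceId $WorkspaceId -sharedKey $SharedKey -body $data -logType $LogType
    #>

    if ($incidents.Count -eq 0) {
        # Status goes to the verbose stream, not the output stream, so callers that
        # pipe the result never receive a stray string in place of incident objects.
        Write-Verbose "No events detected"
        return
    }
    $incidents.ToArray()
}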