PowerShell Function - Retrieving Microsoft Sentinel Incident data

This example brings together various examples I've used on this site to show how Incidents from Microsoft Sentinel can be queried using PowerShell.  References to pages that demonstrate the utilised code are at the bottom of this article.

A core example of the code is below. It authenticates with a service principal, fetches the workspace shared key, and then calls the Get-SentinelIncidents function from the referenced article:

    # Tenant and workspace details (placeholder values shown)
    $Tenant            = "laurierhodes.info"
    $subscriptionId    = "aaaaaaaa-aaaa-aaaaaaaa-aaaaaaaaaa"

    $resourceGroupName = "sentinel"
    $workspacename     = "asesentinel"
    $workspaceID       = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa"

    # Service principal used for the client-credential token request
    $AppId  = "aa73b052-6cea-4f17-b54b-xxxxxxxxx"
    $secret = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

    # Show Write-Debug output from the helper functions
    $DebugPreference = 'Continue'

    # Get an authorised Azure Header (bearer token for the ARM scope)
    $authHeader = Get-Header -scope "azure" -Tenant $Tenant -AppId $AppId -secret $secret

    # Retrieve the Log Analytics workspace shared key via the ARM API
    $WorkspaceKey = Get-AnalyticsWorkspaceKey -SubscriptionId $subscriptionId -ResourceGroupName $resourceGroupName -WorkspaceName $workspacename -Header $authHeader

    # Query the last 10 days of incidents and write them to the SentinelIncidents custom log
    Get-SentinelIncidents `
        -WorkspaceId $workspaceID `
        -sharedKey $WorkspaceKey `
        -LogType "SentinelIncidents" `
        -Header $authHeader `
        -SentinelSubscriptionID $subscriptionId `
        -SentinelResourcegroupName $resourceGroupName `
        -Sentinelworkspacename $workspacename `
        -DaystoRetrieve 10

Notice that the code returns the IncidentUniqueId property. Using that property we can retrieve the details of every alert that was responsible for creating the incident. This is useful when automation needs to query other systems to enrich the Incident.

    # IncidentUniqueId returned by Get-SentinelIncidents
    $incidentId = '86e46fee-7ba0-493a-93c2-507bfc0ad376'

    # Sentinel REST endpoint that lists the alerts attached to an incident (the list-alerts operation is a POST)
    $uri = "https://management.azure.com/subscriptions/$($subscriptionId)/resourceGroups/$($resourceGroupName)/providers/Microsoft.OperationalInsights/workspaces/$($workspacename)/providers/Microsoft.SecurityInsights/incidents/$($incidentId)/alerts?api-version=2023-07-01-preview"

    # Reuse the authorised header from the token request above
    $response       = Invoke-WebRequest -Uri $uri -Method POST -Headers $authHeader -TimeoutSec 0 -UseBasicParsing
    $responseobject = ConvertFrom-Json $response.Content
    $responseobject.value

The data returned for this alert type is shown below.

By using the Vendor Name, Product Name and Display Name of the alert we can establish automation processes for handling this type of alert.
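As an added example (not code from the original post), the routing step described above: the alerts array returned by the incident alerts call is walked and each alert is dispatched to an automation handler keyed on its Vendor, Product and Display Name. The property names `kind`, `vendorName`, `productName`, `alertDisplayName` and `severity` are assumed from the Microsoft.SecurityInsights alert schema, the handler table is hypothetical, and the JSON is constructed rather than a captured API response.

```powershell
# Added example (not the original post's code): route the alerts returned for an
# incident to automation keyed on Vendor, Product and Display Name.
# Property names (kind, vendorName, productName, alertDisplayName, severity) are
# assumed from the Microsoft.SecurityInsights alert schema; the JSON is constructed.
$sampleAlertsJson = @'
{
  "value": [
    { "kind": "SecurityAlert", "name": "11111111-1111-1111-1111-111111111111",
      "properties": { "alertDisplayName": "Suspicious sign-in from anonymous IP",
                      "vendorName": "Microsoft",
                      "productName": "Azure Active Directory Identity Protection",
                      "severity": "Medium" } },
    { "kind": "SecurityAlert", "name": "22222222-2222-2222-2222-222222222222",
      "properties": { "alertDisplayName": "Unusual KQL query volume",
                      "vendorName": "Microsoft",
                      "productName": "Azure Sentinel",
                      "severity": "Low" } }
  ]
}
'@

# Build the key the automation table is looked up by
function Get-AlertRoutingKey {
    param([Parameter(Mandatory)] $Alert)
    $p = $Alert.properties
    return ('{0}|{1}|{2}' -f $p.vendorName, $p.productName, $p.alertDisplayName)
}

# Hypothetical handler table; each value is a script block that receives the alert
$alertHandlers = @{
    'Microsoft|Azure Active Directory Identity Protection|Suspicious sign-in from anonymous IP' = {
        param($alert) "Enrich alert $($alert.name): query the identity system for the user"
    }
}

# Walk the incident's alerts and dispatch each one, falling back to analyst triage
function Invoke-AlertAutomation {
    param([Parameter(Mandatory)] $AlertsResponse, [hashtable] $Handlers)
    foreach ($alert in ($AlertsResponse.value | Where-Object kind -eq 'SecurityAlert')) {
        $key = Get-AlertRoutingKey -Alert $alert
        if ($Handlers.ContainsKey($key)) {
            & $Handlers[$key] $alert
        } else {
            "No handler for '$key' (severity $($alert.properties.severity)); leave for triage"
        }
    }
}

# In the post, $AlertsResponse would be (ConvertFrom-Json $response.Content)
Invoke-AlertAutomation -AlertsResponse (ConvertFrom-Json $sampleAlertsJson) -Handlers $alertHandlers
```

The unmatched second alert is deliberately left for an analyst, since silently dropping alerts without a handler is the failure mode to avoid in incident automation.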

PowerShell Function - Microsoft Cloud Tokens | Laurie Rhodes' Info

PowerShell Function - Get Microsoft Sentinel Incidents | Laurie Rhodes' Info
