Playbook for Sentinel to receive alerts from service, parse response and fill Incidents table

CohesitySiem 1 Reputation point
2022-11-10T19:35:31.57+00:00

Hi!

Can someone point me to an example of a playbook or another automation that does the following?

  • Calls REST API to get the list of incidents in the form of JSON response
  • Parses JSON to remove duplicates (incidents have unique ids), so only new data can go to the next step
  • Adds only new incidents to the Incidents table

I'd love to run this playbook every 5 mins. The standard analytic rule doesn't work for me as I can't really remove dups because it looks back to only 1 day of data (see below)?

"
Run query every 5 minutes
Rule period - last 1 day data
"


1 answer

  1. Givary-MSFT 28,486 Reputation points Microsoft Employee
    2022-11-11T13:15:22.287+00:00

    @CohesitySiem Thank you for reaching out to us. I have never tested this scenario at my end, but this approach should help: the Incidents API can be used to Get, Create or Update Sentinel incidents.

    Logic Apps have an HTTP action that can be used to GET the incidents using the Incidents API. You might need to play around a little to parse (using the Parse JSON action in Logic Apps) and de-dup, but once you do, you should be able to modify or delete the incidents based on incident IDs.

    Reference:
    https://learn.microsoft.com/en-us/rest/api/securityinsights/stable/incidents
    https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-create-api-app

    You can also refer to this GitHub repository, https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks, which will guide you in developing the approach you are looking for.

    Let me know if you have any further questions.

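The three steps the question lists (call the source REST API, parse and de-duplicate by incident id, create only the new incidents) and the HTTP / Parse JSON / de-dup sequence the answer sketches for a Logic App can be expressed in plain Python, which is easier to test than a workflow definition. The block below is an added example and is not code from the question, the answer, Cohesity or the Azure-Sentinel repository. It assumes a constructed source feed shape (`{"incidents": [{"id", "title", "severity", "time"}]}`), placeholder workspace identifiers and api-version, and a hypothetical severity mapping; the Sentinel request URL and body follow the Incidents "Create Or Update" (PUT) operation in the linked reference. The source incident id is turned into a deterministic GUID for the Sentinel incident name, so that a retried or replayed PUT updates the same incident instead of creating a second one, which is what makes the 5-minute overlap harmless even if the seen-id state is lost.

```python
import json
import uuid
from pathlib import Path

# Placeholders for the target workspace; replace with real values (assumptions, not page values).
SUBSCRIPTION_ID = "<subscription-id>"
RESOURCE_GROUP = "<resource-group>"
WORKSPACE = "<workspace-name>"
API_VERSION = "<api-version from the Incidents API reference>"

# Fixed namespace so the same source id always yields the same Sentinel incident GUID.
# Constructed for this example; any fixed UUID works as long as it never changes.
INCIDENT_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_URL, "example.invalid/source-incident-ids")

# Hypothetical mapping from the source product's severities to Sentinel's
# IncidentSeverity values (High, Medium, Low, Informational).
SEVERITY_MAP = {"critical": "High", "high": "High", "medium": "Medium",
                "low": "Low", "info": "Informational"}

# Constructed sample response from the source service. Note the repeated
# id "src-1001": duplicates can appear inside a single page, not just across polls.
SAMPLE_SOURCE_RESPONSE = json.dumps({
    "incidents": [
        {"id": "src-1001", "title": "Ransomware indicators on host A",
         "severity": "critical", "time": "2022-11-10T18:55:00Z"},
        {"id": "src-1002", "title": "Unusual data egress",
         "severity": "medium", "time": "2022-11-10T19:10:00Z"},
        {"id": "src-1001", "title": "Ransomware indicators on host A",
         "severity": "critical", "time": "2022-11-10T18:55:00Z"},
    ]
})


def parse_source_incidents(body: str) -> list:
    """Parse the JSON body and keep only records that carry a non-empty string id."""
    data = json.loads(body)
    items = data.get("incidents", [])
    if not isinstance(items, list):
        raise ValueError("expected 'incidents' to be a list")
    return [i for i in items if isinstance(i, dict) and isinstance(i.get("id"), str) and i["id"]]


def select_new(incidents: list, seen: set) -> tuple:
    """Return (new_incidents, updated_seen); drops ids already seen, including in-page repeats."""
    new, updated = [], set(seen)
    for inc in incidents:
        if inc["id"] in updated:
            continue
        updated.add(inc["id"])
        new.append(inc)
    return new, updated


def sentinel_incident_id(source_id: str) -> str:
    """Deterministic GUID for the Sentinel incident derived from the source id (design choice)."""
    return str(uuid.uuid5(INCIDENT_NAMESPACE, source_id))


def build_put_request(inc: dict) -> tuple:
    """Build the URL and JSON body for the Incidents Create Or Update (PUT) call."""
    incident_id = sentinel_incident_id(inc["id"])
    url = (f"https://management.azure.com/subscriptions/{SUBSCRIPTION_ID}"
           f"/resourceGroups/{RESOURCE_GROUP}/providers/Microsoft.OperationalInsights"
           f"/workspaces/{WORKSPACE}/providers/Microsoft.SecurityInsights"
           f"/incidents/{incident_id}?api-version={API_VERSION}")
    body = {"properties": {
        "title": inc.get("title", f"Source incident {inc['id']}"),
        "severity": SEVERITY_MAP.get(str(inc.get("severity", "")).lower(), "Informational"),
        "status": "New",
        "description": f"Imported from source incident {inc['id']} "
                       f"(observed {inc.get('time', 'unknown')})",
    }}
    return url, body


def run_once(source_body: str, seen: set) -> tuple:
    """One polling cycle: parse, de-dup against state, return (requests, updated_seen)."""
    new, updated = select_new(parse_source_incidents(source_body), seen)
    return [build_put_request(inc) for inc in new], updated


def load_seen(path: Path) -> set:
    """Seen-id state persisted between runs (a JSON list of ids); empty if absent."""
    return set(json.loads(path.read_text())) if path.exists() else set()


def save_seen(path: Path, seen: set) -> None:
    path.write_text(json.dumps(sorted(seen)))


if __name__ == "__main__":
    state = Path("seen_incident_ids.json")  # assumed state location
    requests_to_send, seen_ids = run_once(SAMPLE_SOURCE_RESPONSE, load_seen(state))
    for url, body in requests_to_send:
        print("PUT", url)
        print(json.dumps(body, indent=2))
    save_seen(state, seen_ids)  # in production, persist only after each PUT succeeds
```

In a real playbook the send step would run between `run_once` and `save_seen`, and an id should be recorded as seen only after its PUT returns success; because the incident GUID is derived from the source id, a retry after a crash is an update of the same incident rather than a duplicate. The same state file also answers the original concern about the analytic rule's 1-day lookback: de-duplication is against everything ever imported, not against a fixed window.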