baddeacs
Dec 05, 2020
Solved

Azure Sentinel REST API create incident

Trying to create a new incident using https://docs.microsoft.com/en-us/rest/api/securityinsights/incidents/createorupdate

 

'Tryit' from the above page does not work for Create Incident.  The List Incidents API works using 'Tryit'.

 

Request:

 

PUT https://management.azure.com/subscriptions/<tenant id>/resourceGroups/<groupname>/providers/Microsoft.OperationalInsights/workspaces/<workspacename>/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5?api-version=2020-01-01
Authorization: Bearer ey.....
Content-type: application/json

Body:

 

{
     properties.severity: "High",
     properties.status: "New",
     properties.title: "Example Title"
}

 

Response: 400 for bad request

 

{
  "": [
    "Invalid JavaScript property identifier character: .. Path '', line 2, position 11."
  ]
}

Also, what is recommended way to create an incident ID for a new incident? 

 

Thank You

 

3 Replies

  • GaryBushey

    baddeacs In addition to what Sarah_Young wrote about the ID (which should actually be a GUID), the default body listed is not correct.  I had to modify it to look like:

     

    {
      "properties": {
        "severity": "High",
        "status": "New",
        "title": "Example Title"
      }
    }
  • baddeacs you can put any incident number you like, as long as it hasn't been used in the workspace previously. You do need to input an incident number, otherwise the PUT will fail.
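
The fix from the replies as an added example (not code from the thread or from Microsoft's documentation): it turns the dotted field names from the question into the nested `properties` object, generates a GUID for a new incident, and builds the PUT without sending it. The helper names and the placeholder values are assumptions; the URL path and `api-version` are the ones in the question.

```python
import json
import uuid

# Resource path and api-version copied from the PUT request in the question.
URL = ("https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}"
       "/providers/Microsoft.OperationalInsights/workspaces/{ws}"
       "/providers/Microsoft.SecurityInsights/incidents/{incident_id}"
       "?api-version=2020-01-01")


def nest_dotted_keys(flat):
    """{"properties.severity": "High"} -> {"properties": {"severity": "High"}}"""
    nested = {}
    for dotted, value in flat.items():
        *parents, leaf = dotted.split(".")
        node = nested
        for part in parents:
            node = node.setdefault(part, {})
            if not isinstance(node, dict):
                raise ValueError(f"{dotted!r} collides with a non-object value")
        node[leaf] = value
    return nested


def build_incident_put(sub, rg, ws, fields, incident_id=None):
    """Return (url, headers, body) for the PUT; nothing is sent (hypothetical helper)."""
    # New incident: fresh GUID. Supplied id: must parse as a GUID (ValueError if not).
    incident_id = str(uuid.UUID(incident_id)) if incident_id else str(uuid.uuid4())
    body = nest_dotted_keys(fields)
    # The three fields the thread's body sets; reject a body that lost them.
    missing = {"severity", "status", "title"} - set(body.get("properties", {}))
    if missing:
        raise ValueError(f"missing properties: {sorted(missing)}")
    url = URL.format(sub=sub, rg=rg, ws=ws, incident_id=incident_id)
    headers = {"Authorization": "Bearer <token>",  # placeholder, not a real token
               "Content-Type": "application/json"}
    return url, headers, json.dumps(body, indent=2)


if __name__ == "__main__":
    # Constructed input: the dotted field names as typed in the question.
    flat = {"properties.severity": "High", "properties.status": "New",
            "properties.title": "Example Title"}
    url, headers, body = build_incident_put("<subscription-id>", "<groupname>",
                                            "<workspacename>", flat)
    print("PUT", url)
    print(body)
```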
