Forum Discussion
What's New: Tags column is now available in Azure Sentinel incidents page!
Hi Cristhofer Munoz, is it possible to search for these tags via KQL?
Specifically I am running a search of security incidents this year, and I would like to 'not' include any tickets with an 'auto close' tag. This would provide me with a list and number of tickets by 'humans' in my team rather than including ones closed by playbooks and automation etc.
Cheers.
Labels == Tags
SecurityIncident
| extend Tags = parse_json(Labels)
| extend labelName_ = tostring(Tags[0].labelName)
| where isnotempty(labelName_)
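The KQL above only reads `Tags[0]`, the first label, so an incident whose "auto close" tag sits in the second position would slip through. Here is an added Python example (not code from the thread or from Microsoft) that parses the same `Labels` JSON shape, checks every element, and also de-duplicates the rows first, because the `SecurityIncident` table stores one row per incident update. The sample rows are constructed for the example; the column names `IncidentNumber`, `Labels`, `Status` and `LastModifiedTime` match the table, but the values are made up.

```python
import json

# Constructed sample rows in the shape of the SecurityIncident table.
# Labels is a JSON array of {"labelName": ..., "labelType": ...} objects.
# Incident 1003 appears twice: the later row is the one that should count.
SAMPLE_INCIDENTS = [
    {"IncidentNumber": 1001, "Status": "Closed", "LastModifiedTime": "2024-01-03T10:00:00Z",
     "Labels": '[{"labelName":"auto close","labelType":"User"}]'},
    {"IncidentNumber": 1002, "Status": "Closed", "LastModifiedTime": "2024-01-04T11:00:00Z",
     "Labels": '[{"labelName":"phishing","labelType":"User"},'
               '{"labelName":"Auto Close","labelType":"AutoAssigned"}]'},
    {"IncidentNumber": 1003, "Status": "New", "LastModifiedTime": "2024-01-05T08:00:00Z",
     "Labels": '[]'},
    {"IncidentNumber": 1003, "Status": "Closed", "LastModifiedTime": "2024-01-06T09:30:00Z",
     "Labels": '[{"labelName":"phishing","labelType":"User"}]'},
    {"IncidentNumber": 1004, "Status": "Closed", "LastModifiedTime": "2024-01-07T12:00:00Z",
     "Labels": '[]'},
]


def label_names(labels_json):
    """Equivalent of parse_json(Labels), returning every labelName, not just index 0."""
    if not labels_json:
        return []
    try:
        parsed = json.loads(labels_json)
    except json.JSONDecodeError:
        return []  # malformed JSON yields no labels rather than an exception
    return [str(item.get("labelName", "")) for item in parsed if isinstance(item, dict)]


def has_label(row, name):
    """Case-insensitive match against any label on the row."""
    wanted = name.casefold()
    return any(n.casefold() == wanted for n in label_names(row["Labels"]))


def latest_per_incident(rows):
    """Keep only the most recent row per IncidentNumber (KQL: arg_max(LastModifiedTime, *))."""
    latest = {}
    for row in rows:
        key = row["IncidentNumber"]
        if key not in latest or row["LastModifiedTime"] > latest[key]["LastModifiedTime"]:
            latest[key] = row
    return sorted(latest.values(), key=lambda r: r["IncidentNumber"])


def human_handled(rows, excluded_label="auto close"):
    """Incidents that were never tagged with the excluded label (e.g. by a playbook)."""
    return [r for r in latest_per_incident(rows) if not has_label(r, excluded_label)]


if __name__ == "__main__":
    for r in human_handled(SAMPLE_INCIDENTS):
        print(r["IncidentNumber"], r["Status"], label_names(r["Labels"]))
```

Run against the sample, the result keeps 1003 and 1004 and drops both 1001 and 1002, the latter because its tag is in the second array slot and differs only in case. In KQL the same intent is expressed by expanding the array (`mv-expand`) or by de-duplicating with `summarize arg_max(LastModifiedTime, *) by IncidentNumber` before filtering.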
- Patclementine, Jan 17, 2024, Copper Contributor
Hi Clive
I was reading through the documentation on how to create a Sentinel incident with the API, but unfortunately I am not able to add labels/tags while creating a Sentinel incident manually with an API payload.
Any suggestions I could try?
- GBushey, Jan 17, 2024, Former Employee
They are referred to as "labels" in the REST API documentation. I have an example with them in my Sentinel development EBook: https://garybushey.com/2023/11/27/programming-book-version-1-0-finally-ready/
- Patclementine, Jan 17, 2024, Copper Contributor
Hello
Thank you for the link. I tried that and I am receiving an error like the one below:
Bad Request: Error converting value [] to type Microsoft.Azure.Sentinel.CasesArmApi.Controllers.Stable.Version_2020_01_01.IncidentLabelArmModel
P.S. I am using the 2023 API version.
Not sure what the reason is, as my code is in Python.
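The error quotes the value `[]` being converted to `IncidentLabelArmModel`, which is the shape you get when an element of `labels` is itself an empty list rather than a `{"labelName": ...}` object. The following added Python example (not from the thread, the EBook, or Microsoft's SDK) builds the body for the Incidents Create Or Update request with labels as a list of objects and checks that shape before anything is sent. The subscription, resource group, workspace and incident id are placeholders, and `api-version=2023-02-01` is the GA version I am assuming here; use whichever 2023 version your tenant accepts.

```python
import json
import uuid

API_VERSION = "2023-02-01"  # assumed GA version of the Microsoft.SecurityInsights incidents API


def label_shape_errors(labels):
    """Return a list of problems with a labels value; empty list means it is well-formed.
    The REST API expects a JSON array of objects, each with a string labelName."""
    problems = []
    if not isinstance(labels, list):
        return ["labels must be a list of objects"]
    for i, item in enumerate(labels):
        if not isinstance(item, dict):
            problems.append(f"labels[{i}] is {type(item).__name__}, expected an object with labelName")
        elif not isinstance(item.get("labelName"), str) or not item["labelName"].strip():
            problems.append(f"labels[{i}] is missing a non-empty string labelName")
    return problems


def build_incident_body(title, severity, status, label_names):
    """Build the PUT body. Only labelName is sent; labelType is set by the service."""
    labels = [{"labelName": name} for name in label_names]
    problems = label_shape_errors(labels)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "properties": {
            "title": title,
            "severity": severity,   # Informational | Low | Medium | High
            "status": status,       # New | Active | Closed
            "labels": labels,
        }
    }


def incident_url(subscription_id, resource_group, workspace, incident_id):
    """ARM URL for Incidents - Create Or Update (PUT). All ids are caller-supplied placeholders."""
    return (
        f"https://management.azure.com/subscriptions/{subscription_id}"
        f"/resourceGroups/{resource_group}"
        f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
        f"/providers/Microsoft.SecurityInsights/incidents/{incident_id}"
        f"?api-version={API_VERSION}"
    )


def prepare_request(title, label_names, subscription_id="<sub-id>", resource_group="<rg>",
                    workspace="<workspace>", incident_id=None):
    """Return (url, json_text) ready for requests.put(url, data=json_text, headers=...)."""
    incident_id = incident_id or str(uuid.uuid4())
    body = build_incident_body(title, "Medium", "New", label_names)
    return incident_url(subscription_id, resource_group, workspace, incident_id), json.dumps(body)


if __name__ == "__main__":
    url, payload = prepare_request("Suspicious sign-in", ["auto close", "phishing"])
    print(url)
    print(payload)
    # The shape the service rejects: an empty list where a label object belongs.
    print(label_shape_errors([[]]))
```

Send the result with `requests.put(url, data=payload, headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})`, where the token comes from `az account get-access-token --resource https://management.azure.com/`. Running `label_shape_errors` on the body before the PUT turns the server-side conversion error into a local message that names the offending index.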