Evidence and entities for a REST API created incident


We are creating incidents using the Sentinel REST API. We have noticed that the evidence and entities fields for these incidents remain in a processing status; they do not complete.

[Screenshot: Screenshot 2020-12-16 115234.png]

Also, the above investigation error message is always displayed.


@baddeacs I see the same thing. It may be due to there not being any alerts associated with the incident.

@Gary Bushey Thanks, good thought. We don't see a way to provide this information via the Sentinel API. Separate question: are product names configurable? Only MSFT products are in the product name list.

[Screenshot: Screenshot 2020-12-16 155301.png]

@baddeacs There is a field for the product name, but it is hidden a bit down (in the IncidentAdditionalData) and is read-only, so you will not be able to set it yourself (which makes sense). I also don't see how to set the alert ID(s) when creating the Incident.

 

Not sure what your use case is but you may be better off creating an entry in a custom table that has the information you need and then creating an analytics rule that looks at that custom table to let Azure Sentinel create the Incident.
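The custom-table approach in the last reply, as an added example that is not from the thread: a Python script that writes a record into a custom table of the Sentinel workspace through the Log Analytics HTTP Data Collector API (request signed with the workspace shared key), so that a scheduled analytics rule with entity mapping can raise the incident and fill in entities itself. The workspace ID, shared key, table name and sample record are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import re
import urllib.request
from datetime import datetime, timezone

API_VERSION = "2016-04-01"   # HTTP Data Collector API version
RESOURCE = "/api/logs"
# Constructed placeholders: substitute the workspace ID and a workspace shared key.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY_B64 = "A" * 43 + "="        # 32 zero bytes, base64 encoded (placeholder)
# Constructed sample record; the analytics rule maps Host/Account columns to entities.
SAMPLE_EVENT = [{"Host": "constructed-host-01", "Account": "constructed-user",
                 "Severity": "High", "Description": "Finding from external tool"}]

def valid_log_type(log_type: str) -> bool:
    # The API accepts only letters, digits and underscores (max 100 chars);
    # the table appears in the workspace as <log_type>_CL.
    return re.fullmatch(r"[A-Za-z0-9_]{1,100}", log_type) is not None

def build_string_to_sign(content_length: int, rfc1123_date: str) -> str:
    # Canonical string the service recomputes and verifies on its side.
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n{RESOURCE}"

def build_signature(workspace_id: str, shared_key_b64: str,
                    content_length: int, rfc1123_date: str) -> str:
    key = base64.b64decode(shared_key_b64)
    mac = hmac.new(key, build_string_to_sign(content_length, rfc1123_date).encode("utf-8"),
                   hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(mac).decode()}"

def build_request(workspace_id, shared_key_b64, log_type, records, rfc1123_date=None):
    if not valid_log_type(log_type):
        raise ValueError(f"invalid Log-Type: {log_type!r}")
    rfc1123_date = rfc1123_date or datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records).encode("utf-8")
    headers = {"Content-Type": "application/json", "Log-Type": log_type,
               "x-ms-date": rfc1123_date,
               "Authorization": build_signature(workspace_id, shared_key_b64, len(body), rfc1123_date)}
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version={API_VERSION}"
    return url, headers, body

def post_custom_log(workspace_id, shared_key_b64, log_type, records) -> int:
    url, headers, body = build_request(workspace_id, shared_key_b64, log_type, records)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status   # 200 means the records were accepted for ingestion
```

Microsoft has since announced the deprecation of the Data Collector API in favour of the Logs Ingestion API; the custom-table plus analytics-rule pattern is the same with either.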