How to export Incident list from Azure Sentinel?


Hi Team,

We have a requirement to export all incidents generated in Azure Sentinel and update the customer on which incidents were false positives, true positives, etc.

How can we achieve this? I didn't find any option to export incidents in the console.

Please help.

Regards,

Mitesh Agrawal

@MiteshAgrawal You are correct that you cannot do this via the console.  You can however make some PowerShell calls to get this information.

I have a blog post that tells you how to do this: https://www.garybushey.com/2020/01/11/your-first-azure-sentinel-rest-api-call/

I also have one that shows you how to export the same data into PowerBI to make some nice charts and graphs: https://www.garybushey.com/2020/01/20/azure-sentinel-incidents-in-powerbi/
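An added example (not from this thread or the linked blog posts) of the PowerShell REST approach described above: it pulls every incident from the Sentinel incidents endpoint, follows paging, and writes the list out with each incident's true/false positive classification so the customer report can be built from it. The subscription, resource group and workspace values are placeholders, and it assumes the Az.Accounts module with an existing Connect-AzAccount session.

```powershell
# Added example (not from the thread or the linked blog): list every Azure Sentinel
# incident through the Azure REST API and write them to CSV with their classification.
# Assumes the Az.Accounts module is installed and Connect-AzAccount has already run.
# The three identifiers below are placeholders; replace them with your own values.
$subscriptionId = '<subscription-id>'
$resourceGroup  = '<resource-group>'
$workspaceName  = '<log-analytics-workspace>'

# Bearer token for Azure Resource Manager. Newer Az.Accounts versions return a
# SecureString here, so convert it back to plain text when needed.
$token = (Get-AzAccessToken -ResourceUrl 'https://management.azure.com').Token
if ($token -is [securestring]) {
    $token = [System.Net.NetworkCredential]::new('', $token).Password
}
$headers = @{ Authorization = "Bearer $token" }

# SecurityInsights (Sentinel) incidents endpoint scoped to the workspace.
$uri = "https://management.azure.com/subscriptions/$subscriptionId" +
       "/resourceGroups/$resourceGroup/providers/Microsoft.OperationalInsights" +
       "/workspaces/$workspaceName/providers/Microsoft.SecurityInsights/incidents" +
       '?api-version=2020-01-01'

# The API pages its results; keep following nextLink until it is absent.
$incidents = @()
while ($uri) {
    $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $incidents += $page.value
    $uri = $page.nextLink
}

# Flatten the fields a customer report needs. Classification stays empty until an
# analyst closes the incident; possible values are TruePositive, FalsePositive,
# BenignPositive and Undetermined.
$report = $incidents | ForEach-Object {
    [pscustomobject]@{
        IncidentNumber       = $_.properties.incidentNumber
        Title                = $_.properties.title
        Severity             = $_.properties.severity
        Status               = $_.properties.status
        Classification       = $_.properties.classification
        ClassificationReason = $_.properties.classificationReason
        CreatedTimeUtc       = $_.properties.createdTimeUtc
        LastModifiedTimeUtc  = $_.properties.lastModifiedTimeUtc
        Owner                = $_.properties.owner.assignedTo
    }
}

$report | Export-Csv -Path '.\sentinel-incidents.csv' -NoTypeInformation
# Quick tally of true/false positives for the status update.
$report | Group-Object Classification | Select-Object Name, Count
```

The account running this needs at least the Azure Sentinel Reader role on the workspace; open incidents show a blank Classification column, which is expected.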

Hi @Gary Bushey,

The links aren't accessible. Please help.

Regards,

Mitesh Agrawal

@MiteshAgrawal Looks like my server is down. I'll see about getting it back up. Thanks for letting me know.