SOLVED

Azure Sentinel REST API create incident

Occasional Contributor

Trying to create a new incident using https://docs.microsoft.com/en-us/rest/api/securityinsights/incidents/createorupdate

 

'Tryit' from the above page does not work for Create Incident.  The List Incidents API works using 'Tryit'.

 

Request:

 

PUT https://management.azure.com/subscriptions/<tenant id>/resourceGroups/<groupname>/providers/Microsoft.OperationalInsights/workspaces/<workspacename>/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5?api-version=2020-01-01
Authorization: Bearer ey.....
Content-type: application/json

Body:

 

{
     properties.severity: "High",
     properties.status: "New",
     properties.title: "Example Title"
}

 

Response: 400 for bad request

 

{
  "": [
    "Invalid JavaScript property identifier character: .. Path '', line 2, position 11."
  ]
}

Also, what is recommended way to create an incident ID for a new incident? 

 

Thank You

 

3 Replies

@baddeacs you can put any incident number you like, as long as it hasn't been used in the workspace previously. You do need to input an incident number, otherwise the PUT will fail.

best response confirmed by baddeacs (Occasional Contributor)
Solution

@baddeacs In addition to what @Sarah_Young wrote about the ID (which should actually be a GUID), the default body listed is not correct.  I had to modify it to look like:

 

{
  properties: {
    severity: "High",
    status: "New",
    title: "Example Title"
  }
}

@Gary Bushey Thank you, all good.