Dec 16 2020 08:54 AM
We are creating incidents using the Sentinel REST API. We have noticed that the evidence and entities fields for these incidents remain at "processing" status; they never complete. Is that expected?
Also, the above investigation error message is always displayed. Why?
Dec 16 2020 10:57 AM
@baddeacs I see the same thing. It may be due to there not being any alerts associated with the incident.
Dec 16 2020 12:53 PM
@Gary Bushey Thanks, good thought. We don't see a way to provide this information via the Sentinel API. Separate question: are product names configurable? Only MSFT products appear in the product name list.
Dec 17 2020 05:00 AM
@baddeacs There is a field for the product name but it is hidden a bit down (in the IncidentAdditionalData) and is read-only so you will not be able to set it yourself (which makes sense). I also don't see how to set the alert ID(s) when creating the Incident.
Not sure what your use case is but you may be better off creating an entry in a custom table that has the information you need and then creating an analytics rule that looks at that custom table to let Azure Sentinel create the Incident.
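To make the two approaches in this thread concrete, here is an added example (not code from any of the posters) contrasting the direct incident PUT the original poster describes with the custom-table route suggested in the last reply. It builds the request for the Log Analytics HTTP Data Collector API, whose `SharedKey` authorization is an HMAC-SHA256 over a fixed canonical string, and shows the skeleton of the scheduled-rule query that would then let Sentinel raise the incident itself. The workspace ID, shared key, table name `ExternalIncident` (stored as `ExternalIncident_CL`) and the column names in `RULE_QUERY` are all constructed placeholders.

```python
import base64
import datetime
import hashlib
import hmac
import json
import urllib.request

# Constructed placeholders, not real values: replace with your workspace's ID and
# primary key from the "Agents management" blade.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"\x00" * 32).decode()
LOG_TYPE = "ExternalIncident"  # Log Analytics appends _CL, so rows land in ExternalIncident_CL

DATA_COLLECTOR_URL = (
    f"https://{WORKSPACE_ID}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
)


def incident_put_request(subscription_id, resource_group, workspace, incident_id,
                         title, severity="Medium", status="New"):
    """Route 1 (what the original poster did): create the incident directly.

    Only title/severity/status (and a few other top-level properties) are settable;
    alerts, evidence and product name are not part of the writable payload.
    """
    url = (
        f"https://management.azure.com/subscriptions/{subscription_id}"
        f"/resourceGroups/{resource_group}"
        f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
        f"/providers/Microsoft.SecurityInsights/incidents/{incident_id}"
        f"?api-version=2020-01-01"
    )
    body = {"properties": {"title": title, "severity": severity, "status": status}}
    return url, body


def rfc1123_now():
    # x-ms-date must be RFC 1123 in GMT; a stale date gets the request rejected.
    return datetime.datetime.now(datetime.timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")


def string_to_sign(content_length, date):
    # Canonical string defined by the HTTP Data Collector API (method, length,
    # content type, x-ms-date header, resource path), joined by newlines.
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{date}\n/api/logs"


def build_signature(workspace_id, shared_key, content_length, date):
    # The shared key is base64; it must be decoded before use as the HMAC key.
    key = base64.b64decode(shared_key)
    digest = hmac.new(key, string_to_sign(content_length, date).encode("utf-8"),
                      hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_custom_log_request(records, date=None):
    """Route 2 (the custom-table suggestion): headers and body for one batch of rows."""
    body = json.dumps(records).encode("utf-8")
    date = date or rfc1123_now()
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(WORKSPACE_ID, SHARED_KEY, len(body), date),
        "Log-Type": LOG_TYPE,
        "x-ms-date": date,
        # Use the record's own timestamp as TimeGenerated instead of ingestion time.
        "time-generated-field": "EventTime",
    }
    return headers, body


def post_custom_log(records):
    """Send the batch; returns the HTTP status (200 on success). Needs network access."""
    headers, body = build_custom_log_request(records)
    req = urllib.request.Request(DATA_COLLECTOR_URL, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Scheduled analytics rule query over the custom table. String columns get an _s
# suffix; the column names are constructed for this example. Entity mapping (e.g.
# SourceIP_s -> IP, AccountName_s -> Account) is configured on the rule, which is
# what populates the incident's entities that the direct PUT route leaves empty.
RULE_QUERY = """ExternalIncident_CL
| where TimeGenerated > ago(5m)
| project EventTime, Title_s, Severity_s, SourceIP_s, AccountName_s"""

if __name__ == "__main__":
    sample = [{"EventTime": "2020-12-16T08:54:00Z", "Title": "Suspicious sign-in",
               "Severity": "High", "SourceIP": "203.0.113.7", "AccountName": "jdoe"}]
    headers, body = build_custom_log_request(sample)
    print(headers["Authorization"][:60] + "...", len(body), "bytes")
```

The rule's entity mapping is the piece that makes Sentinel fill in entities and evidence: because the incident is then created from an alert produced by the rule, the alert link, product name and entity processing the direct PUT route cannot supply are all handled by Sentinel.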