Open BWC-TomW opened 2 weeks ago
Are you using the API to get the additional alert properties or retrieving them via log analytics query? Can you include the full code of the function?
Maybe we change the parameter to also accept a string like alerts="full" or add another parameter "all_alert_details=True"
Are you using the API to get the additional alert properties or retrieving them via log analytics query? Can you include the full code of the function?
Maybe we change the parameter to also accept a string like alerts="full" or add another parameter "all_alert_details=True"
It's included in the API response, the current behavior is to only return ID, Name when alerts=True
We've made an override like this that dumps all the properties into "OtherProps" as a quick fix
`class MicrosoftSentinelOverides(MicrosoftSentinel): """ Function to overide functionality of MicrosoftSentinel class""" def init(self, kwargs) -> None: super().init(kwargs)
def get_incident_alerts(self, incident: str) -> list:
"""
Get the alerts from an incident.
Parameters
----------
incident : str
Incident GUID or Name.
Returns
-------
list
A list of alerts.
"""
self.check_connected() # type: ignore
incident_id = self._get_incident_id(incident)
alerts_url = self.sent_urls["incidents"] + f"/{incident_id}/alerts" # type: ignore
alerts_parameters = {"api-version": "2021-04-01"}
alerts_resp = httpx.post(
alerts_url,
headers=get_api_headers(self._token), # type: ignore
params=alerts_parameters,
timeout=get_http_timeout(),
)
return (
[
{
"ID": alrts["properties"]["systemAlertId"],
"Name": alrts["properties"]["alertDisplayName"],
"OtherProps": alrts["properties"]
}
for alrts in alerts_resp.json()["value"]
]
if alerts_resp.status_code == 200
else []
)
`
thx I've changed the code slightly - it puts the alert properties into a key called "AlertProperties", which I thought sounded a bit more "official". Hope that doesn't mess you up. I will try to publish a new version when this branch gets merged.
Is your feature request related to a problem? Please describe.
I would like a way to pull more details from the sentinel incident alerts so that I can process the query results.
currently when retrieving incidents you can specify alerts=True however the data returned here is currently heavily limited.
https://github.com/microsoft/msticpy/blob/c0ef238db4ddeaec5b038401c09b28855b88d50b/msticpy/context/azure/sentinel_incidents.py#L116
We have a use case that is currently not using msticpy that retrieves the associated events for a given alert by extracting the query and timeframe from the extended properties. This is currently how it's functioning.
Describe the solution you'd like
Either a new method for retrieval of alert details for a given alert id or expand the param alerts=True on get_incident to return the entire alert object.