If you’re trying to move security incidents from one Microsoft Sentinel tenant to another, you might find it challenging because Sentinel doesn’t allow direct CSV imports for incidents. However, there are still ways to recreate these incidents in another tenant using available tools and some scripting.
First, be aware that the CSV file contains incident details such as titles, severity levels, MITRE tactics, timestamps, assigned analysts, and links (which only work in the original tenant), and that you cannot simply upload this file into Sentinel. Instead, you can recreate the incidents programmatically.
One effective method is to use the Sentinel REST API. This API allows you to create, update, and manage incidents. You can write a script in PowerShell or Python that reads your CSV file, then for each incident, makes an API call to create a new incident in Tenant B.
Here’s a simple way to do it:
- Authenticate to the Microsoft Graph / Sentinel API: you’ll need an app registration in Azure AD with permissions to access Sentinel incidents.
- Read your CSV file: use a script to open and process each row, extracting incident details.
- Create incidents via API: for each row, send a POST request to Sentinel’s incident API endpoint with the incident data.
- Handle metadata only: since you only want the incident information, skip logs or evidence; just create the incident metadata.
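As an added example (not code from the original post), here is a Python sketch of the read, create and metadata-only steps against the Azure Resource Manager endpoint for Sentinel incidents (provider Microsoft.SecurityInsights), which creates an incident with a PUT on a freshly generated GUID rather than a POST. The subscription, resource group, workspace, CSV column names and the choice to carry MITRE tactics as incident labels are assumptions; the bearer token is obtained separately from the Tenant B app registration.

```python
import csv, io, json, urllib.request, uuid

# Target workspace in Tenant B: placeholder values constructed for this example.
SUBSCRIPTION, RESOURCE_GROUP, WORKSPACE = "00000000-0000-0000-0000-000000000000", "rg-sentinel-b", "law-sentinel-b"
SEVERITIES, STATUSES = {"informational", "low", "medium", "high"}, {"new", "active", "closed"}

# Constructed sample export; the column names are an assumption about the CSV layout.
SAMPLE_CSV = """IncidentNumber,Title,Severity,Status,Tactics,CreatedTime,Owner,IncidentUrl
1042,Suspicious sign-in from unfamiliar location,High,Active,InitialAccess;CredentialAccess,2024-03-02T08:15:00Z,analyst@tenant-a.example,https://portal.azure.com/#blade/tenant-a/incident/1042
1043,Mass download from SharePoint,medium,closed,Exfiltration,2024-03-02T09:40:00Z,,https://portal.azure.com/#blade/tenant-a/incident/1043
"""

def incident_url(incident_id: str) -> str:
    """ARM endpoint for a Sentinel incident; creation is a PUT on a fresh GUID."""
    return (f"https://management.azure.com/subscriptions/{SUBSCRIPTION}/resourceGroups/{RESOURCE_GROUP}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{WORKSPACE}"
            f"/providers/Microsoft.SecurityInsights/incidents/{incident_id}?api-version=2023-02-01")

def build_incident_body(row: dict) -> dict:
    """Map one CSV row to the incident 'properties' payload: metadata only, no evidence."""
    sev, status = row["Severity"].strip().lower(), row["Status"].strip().lower()
    if sev not in SEVERITIES or status not in STATUSES:
        raise ValueError(f"row {row['IncidentNumber']}: unknown severity/status {sev!r}/{status!r}")
    props = {
        "title": row["Title"].strip(),
        "severity": sev.capitalize(),
        "status": status.capitalize(),
        # The Tenant A portal link is dead in Tenant B: keep it as provenance text, not a live link.
        "description": (f"Migrated from Tenant A incident #{row['IncidentNumber']} "
                        f"(created {row['CreatedTime']}). Original reference: {row['IncidentUrl']}"),
        "labels": [{"labelName": t} for t in row["Tactics"].split(";") if t],  # tactics as labels (assumption)
    }
    if row["Owner"]:
        props["owner"] = {"email": row["Owner"]}  # assigned analyst, matched by email in Tenant B
    if status == "closed":
        props["classification"] = "Undetermined"  # the API requires a classification on Closed
    return {"properties": props}

def plan_incidents(csv_text: str) -> list:
    """Parse the export into (url, body) pairs ready to send; performs no network access."""
    return [(incident_url(str(uuid.uuid4())), build_incident_body(r))
            for r in csv.DictReader(io.StringIO(csv_text))]

def push_incidents(csv_text: str, bearer_token: str) -> list:
    """PUT each incident into Tenant B; bearer_token comes from the app registration."""
    codes = []
    for url, body in plan_incidents(csv_text):
        req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                     headers={"Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"})
        codes.append(urllib.request.urlopen(req).status)
    return codes
```

Run `plan_incidents(SAMPLE_CSV)` first to review the payloads offline; `push_incidents` is the only function that touches the network.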
If scripting isn’t your thing, you could consider Azure Lighthouse for cross-tenant management, but it is suited to oversight rather than to importing incidents directly.
Remember that links to incidents from the original tenant won’t work in the new one. You might want to update those links to point to relevant resources or remove them during recreation.
While the process involves some setup, this is the most reliable way to move your incident data from one tenant to another. Using a scripted approach with the API ensures you can automate the process and keep your incident metadata intact across tenants.