Forum Discussion
API for Sentinel Alerts and Cases
Sentinel incidents API is available in preview version and included in Sentinel's API swagger spec - https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights
The stable version of the API will be released in about 2-3 weeks and should basically be the same as the preview version
kobiga Thanks for your fast reply. I did indeed find the /incidents/* actions in the preview version but didn't see them in the stable version (2020-01-01) right now. Can you confirm they will be added in the following 2-3 weeks?
wadstromdev: Thanks for your example. Did some successful testing with it! I hope the /incidents/* actions will be added in the stable version (2020-01-01) because they are now only available in the preview version.
- GaryBushey, Jul 12, 2021, Bronze Contributor
dinvlad The only thing that comes to mind is to create a Logic App that reads the Event Hub and uses the Azure Monitor action to write an entry to a custom log in Azure Sentinel.
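The custom-log route GaryBushey describes above, as an added example that is not from this thread: Python that signs and posts a batch of alert records to the Log Analytics HTTP Data Collector API (the same API the Logic App "Send Data" action wraps), so the records land in a custom `*_CL` table that Sentinel can query. The workspace ID, shared key and the sample alert records are constructed placeholders.

```python
import base64, datetime, hashlib, hmac, json
import urllib.request
# Constructed placeholders: use the workspace ID and primary key from the
# Log Analytics workspace (Agents management blade) in a real run.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"placeholder-shared-key").decode()
LOG_TYPE = "ExternalAlerts"  # lands in the ExternalAlerts_CL custom table

def string_to_sign(content_length, rfc1123_date, method="POST",
                   content_type="application/json", resource="/api/logs"):
    # Canonical string the Data Collector API expects to be signed
    return (f"{method}\n{content_length}\n{content_type}\n"
            f"x-ms-date:{rfc1123_date}\n{resource}")

def build_signature(workspace_id, shared_key, content_length, rfc1123_date):
    # SharedKey scheme: HMAC-SHA256 with the base64-decoded workspace key,
    # digest base64-encoded; the key itself never goes on the wire
    key = base64.b64decode(shared_key)
    msg = string_to_sign(content_length, rfc1123_date).encode("utf-8")
    digest = hmac.new(key, msg, digestmod=hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"

def build_request(records, workspace_id=WORKSPACE_ID, shared_key=SHARED_KEY,
                  log_type=LOG_TYPE, now=None):
    # Returns (url, headers, body); the x-ms-date header must match the signed one
    body = json.dumps(records).encode("utf-8")
    now = now or datetime.datetime.now(datetime.timezone.utc)
    rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key,
                                         len(body), rfc1123_date),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
        "time-generated-field": "eventTime",  # use each record's own timestamp
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           "/api/logs?api-version=2016-04-01")
    return url, headers, body

def post_records(records):
    # HTTP 200 means the batch was accepted (rows appear after a short delay)
    url, headers, body = build_request(records)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status

# Constructed sample alerts, shaped like records drained from an Event Hub
SAMPLE_ALERTS = [
    {"eventTime": "2021-07-10T08:15:00Z", "severity": "High", "title": "Suspicious sign-in"},
    {"eventTime": "2021-07-10T08:17:30Z", "severity": "Medium", "title": "Outdated agent"},
]
```

Call `post_records(SAMPLE_ALERTS)` with real workspace values to send the batch; the API rejects the request if the signed content length or date differs from the headers sent.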
- dinvlad, Jul 10, 2021, Copper Contributor
GaryBushey tbh I'm just looking for a way to "import" alerts, recommendations, findings, security score and compliance reports from Event Hub into either Security Center or Sentinel (I don't really care which one). So far there appears to be no way to do it from what I can tell, other than maybe through Sentinel incidents like you noted. Any other ideas here? Thanks
- GaryBushey, Jul 09, 2021, Bronze Contributor
dinvlad I don't see anything about creating alerts, only incidents. Is there a reason you would rather create an alert?
- dinvlad, Jul 09, 2021, Copper Contributor
Would it be possible to expose an API method to POST alerts from an external source? For example, I'd like to import all alerts from an Event Hub via a Logic App into Security Center or Sentinel. Neither of those currently seem to support Event Hub as a source or provide an API method to create alerts (but only to get/update/list them). Thanks!
- kobiga, May 16, 2020, Microsoft
SanderWannet, yes you can expect them to be included in a stable version in the next 2-3 weeks
- GaryBushey, May 16, 2020, Bronze Contributor
SanderWannet I have a series of blog posts on using the Azure Sentinel REST API, including how to get Incidents into a Log Analytics workspace, at https://www.garybushey.com. To start off I would suggest this one: https://www.garybushey.com/2020/01/11/your-first-azure-sentinel-rest-api-call/