Forum Discussion

SanderWannet
Copper Contributor
May 28, 2020

Get entities for a Sentinel Incident by API

Hi,

I'm trying to get some information about incidents in Sentinel via the API (https://github.com/Azure/azure-rest-api-specs/blob/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json)

I can successfully query incidents via ".../providers/Microsoft.SecurityInsights/incidents".

And when I query the relations of the incident via ".../providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations", I get a SecurityAlert, where I can see there is 1 account and 1 IP involved with the SecurityAlert:

{
  "Total Account Entities": "1",
  "Total IP Entities": "1"
}


I was hoping to get the Entity information by getting the relations of the SecurityAlert Entity, but then I only get the Incident as relation.


However, when I query the entities via ".../providers/Microsoft.SecurityInsights/entities", I see the Account Entity and the IP Entity and their information, but I can't see the SecurityAlert event.


Is there a way to get the related entities of the Incident / SecurityAlert(s) via the API?
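As an added example (not code from the post or from the Azure REST spec), the walk described above can be scripted against the two endpoints the post names, resolving each relation of an incident against the workspace entities listing; the relation field names (`value`, `properties.relatedResourceId`, `properties.relatedResourceKind`) are assumed from the 2019-01-01-preview Relation schema, `workspace_id` is assumed to be the full ARM path of the Log Analytics workspace, and `fetch` is injected so the logic runs offline with constructed responses.

```python
# Added example, not code from the post or from the Azure REST spec: walk a
# Sentinel incident's relations and resolve each related entity against the
# workspace entities listing (api-version 2019-01-01-preview). Field names
# value, properties.relatedResourceId and properties.relatedResourceKind are
# assumed from the preview Relation schema; fetch(url) is injected by the
# caller (authenticated GET returning parsed JSON) so the logic runs offline.
from typing import Callable, Dict, List

API_VERSION = "2019-01-01-preview"
PROVIDER = "/providers/Microsoft.SecurityInsights"


def relation_targets(relations_page: dict) -> List[dict]:
    """Flatten one relations response page into [{'kind': ..., 'id': ...}]."""
    targets = []
    for rel in relations_page.get("value", []):
        props = rel.get("properties", {})
        targets.append({"kind": props.get("relatedResourceKind", ""),
                        "id": props.get("relatedResourceId", "")})
    return targets


def resolve_incident_entities(fetch: Callable[[str], dict],
                              workspace_id: str, incident_id: str) -> dict:
    """Return {'alerts': [ids], 'entities': [entity objects], 'unresolved': [ids]}.

    workspace_id is the ARM path of the workspace (assumed, e.g.
    /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.OperationalInsights/workspaces/{ws}).
    Relations of kind SecurityAlert are reported by id only (the post found
    that the alert is absent from the entities listing); every other relation
    is looked up in the entities listing by ARM id. Ids that match nothing go
    to 'unresolved' instead of raising, since the preview API exposes no
    direct alert-to-entity link to fall back on.
    """
    base = f"https://management.azure.com{workspace_id}{PROVIDER}"
    rels = relation_targets(
        fetch(f"{base}/incidents/{incident_id}/relations?api-version={API_VERSION}"))
    listing = fetch(f"{base}/entities?api-version={API_VERSION}")
    by_id: Dict[str, dict] = {e.get("id", ""): e for e in listing.get("value", [])}
    result: Dict[str, list] = {"alerts": [], "entities": [], "unresolved": []}
    for t in rels:
        if t["kind"] == "SecurityAlert":
            result["alerts"].append(t["id"])
        elif t["id"] in by_id:
            result["entities"].append(by_id[t["id"]])
        else:
            result["unresolved"].append(t["id"])
    return result
```

The `unresolved` list is the useful output for the situation in the post: it shows which related resources the relations endpoint names but the entities listing does not return.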
