SanderWannet
Copper Contributor
May 28, 2020
Get entities for a Sentinel Incident by API
Hi, I'm trying to get some information about incidents in Sentinel via the API (https://github.com/Azure/azure-rest-api-specs/blob/master/specification/securityinsights/resource-manager/Microsoft....
YanivSh
Microsoft
Jun 01, 2020
Currently the only way to achieve this is by:
1. Getting the system alert id by running the relation API call
GET:
in my example the system alert id value is located here
2. Running a POST request on the entities API with the system alert ID from the first phase,
where the expansionId is the constant for "get all entities"
POST
body
{
"expansionId": "98b974fd-cc64-48b8-9bd0-3a209f5b944b"
}
These days the product team is debating how to make this process more user friendly with fewer calls.
Happy to share once we have a final decision.
- Dmitry2115
Copper Contributor
Jun 18, 2023
Hello YanivSh,
thank you so much for providing this!
Please advise, were there any updates regarding this since?
How safe is it to still use the expansion ids? Alert's entities in particular? (are there any plans to deprecate them?)
Thank you!
- Jeroen Niesen
Copper Contributor
Nov 12, 2020
YanivSh is there also a way to write alert entities?
According to this documentation it is possible to create incidents through the REST API: https://docs.microsoft.com/en-us/rest/api/securityinsights/incidents/createorupdate
It would be nice if I could add entities to my incident as well.
Thanks!
- Ely_Abramovitch
Microsoft
Mar 08, 2021
Hi Jeroen,
Adding entities to incidents is indeed planned. Stay tuned for updates on our blog for this.
In the meantime, another route you can take is adding bookmarks to entities. In a bookmark you can map an entity and add it to the incident. Once you do, the entity will be added as well.
Thanks,
Ely
- SanderWannet
Copper Contributor
Jun 04, 2020
Thank you so much for your help! I've got it working 🙂
Is there any documentation about the expand action and the id's you can send to the API, so I can explore more of the possibilities of the API? Or is the expansionId you put in your example currently the only one?
- YanivSh
Microsoft
Jun 04, 2020
Please:
"98b974fd-cc64-48b8-9bd0-3a209f5b944b", // Alert related entities
"27f76e63-c41b-480f-bb18-12ad2e011d49", // Bookmark related entities
"a77992f3-25e9-4d01-99a4-5ff606cc410a", // Account related alerts
"4a014a1b-c5a1-499f-9f54-3f7b99b0a675", // AzureResource related alerts
"f74ad13a-ae93-47b9-8782-b1142b95d046", // CloudApplication related alerts
"80218599-45b4-4402-95cc-86f9929dd43d", // DNS related alerts
"0f0bccef-4512-4530-a866-27056a39dcd6", // File related alerts
"b6eaa3ad-e69b-437e-9c13-bb5273dd34ab", // FileHash related alerts
"055a5692-555f-42bd-ac17-923a5a9994ed", // Host related alerts
"58c1516f-b78a-4d78-9e71-77c40849c27b", // IP related alerts
"b8407195-b9a3-4565-bf08-7b23e5c57e3a", // Malware related alerts
"63a4fa2f-f89d-4cf5-96a2-cb2479e49731", // Process related alerts
"d788cd65-a7ef-448e-aa34-81185ac0e611", // RegistryKey related alerts
"3a45a7e3-80e0-4e05-84db-b97bd1ae452b", // RegistryValue related alerts
"7b61d5e2-4b66-40a7-bb0f-9145b445104e", // URL related alerts
"4daeed0e-0e74-4f2d-990c-a958210e9dd7", // IoTDevice related alerts
"504ea455-3bf7-47ef-8555-dc747b465f99", // Account related bookmarks
"e36c2ceb-4caf-4919-8433-d61dbc3e294a", // Host related bookmarks
"6a6a5dcb-605c-4dad-8bb6-c8c439db4f0a", // IP related bookmarks
"855ea9fe-2fdd-4890-8daa-c895c136eef3", // URL related bookmarks
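The two-call pattern from YanivSh's Jun 01 answer (list the incident's relations to find the system alert id, then POST that id to the entity expand endpoint with the "Alert related entities" expansionId from the list above), written out as an added example that is not code from the thread or from Microsoft. The expansion ids are quoted from YanivSh's posts; the ARM resource path layout, the api-version, and the JSON shapes of the relations and expand responses (relatedResourceId / relatedResourceKind, value.entities[].kind / properties.friendlyName) are assumptions to confirm against the azure-rest-api-specs repo linked in the question. The HTTP layer is injected so the chain runs offline against constructed sample responses; arm_client() builds real callables for use with a bearer token.

```python
"""Two-call pattern: incident relations (GET) -> entity expand (POST) per alert.

Runs offline against constructed samples; arm_client() provides real callables.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Expansion ids quoted from YanivSh's posts in this thread.
ALERT_RELATED_ENTITIES = "98b974fd-cc64-48b8-9bd0-3a209f5b944b"
BOOKMARK_RELATED_ENTITIES = "27f76e63-c41b-480f-bb18-12ad2e011d49"

# ASSUMPTION: path layout and api-version of the Microsoft.SecurityInsights provider;
# confirm both against the REST API spec before use.
ARM = "https://management.azure.com"
API_VERSION = "2021-10-01-preview"


def workspace_prefix(subscription_id: str, resource_group: str, workspace: str) -> str:
    """ARM path of the Sentinel (SecurityInsights) provider on a Log Analytics workspace."""
    return (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights")


def related_alert_ids(relations_response: dict) -> List[str]:
    """Step 1: extract system alert ids from an incident's relations list.

    ASSUMPTION about the shape: each relation's properties carry relatedResourceId and
    relatedResourceKind; for an alert, the last path segment of relatedResourceId is the
    system alert id. Bookmarks and other relation kinds are skipped.
    """
    ids: List[str] = []
    for relation in relations_response.get("value", []):
        props = relation.get("properties", {})
        if props.get("relatedResourceKind") != "SecurityAlert":
            continue
        ids.append(props["relatedResourceId"].rstrip("/").rsplit("/", 1)[-1])
    return ids


def entities_by_kind(expand_response: dict) -> Dict[str, List[str]]:
    """Step 2 result: group expanded entities by their exact 'kind' string.

    The kind is matched verbatim (case-sensitive, e.g. 'Ip' rather than 'IP');
    friendlyName is used as the display value when present.
    """
    grouped: Dict[str, List[str]] = {}
    for entity in expand_response.get("value", {}).get("entities", []):
        label = entity.get("properties", {}).get("friendlyName", entity.get("name", ""))
        grouped.setdefault(entity["kind"], []).append(label)
    return grouped


def fetch_incident_entities(prefix: str, incident_id: str,
                            http_get: Callable[[str], dict],
                            http_post: Callable[[str, dict], dict],
                            expansion_id: str = ALERT_RELATED_ENTITIES) -> Dict[str, List[str]]:
    """Chain the two calls: relations (GET), then expand (POST) for every related alert."""
    relations = http_get(f"{prefix}/incidents/{incident_id}/relations?api-version={API_VERSION}")
    merged: Dict[str, List[str]] = {}
    for alert_id in related_alert_ids(relations):
        expanded = http_post(f"{prefix}/entities/{alert_id}/expand?api-version={API_VERSION}",
                             {"expansionId": expansion_id})  # body is plain JSON, no trailing comma
        for kind, labels in entities_by_kind(expanded).items():
            merged.setdefault(kind, []).extend(labels)
    return merged


def arm_client(bearer_token: str) -> Tuple[Callable, Callable]:
    """Minimal urllib get/post pair sending an Azure AD bearer token (not exercised offline)."""
    def call(method: str, url: str, body: Optional[dict] = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return (lambda url: call("GET", url)), (lambda url, body: call("POST", url, body))


# Constructed sample responses (not captured from a real tenant).
_ENTITY_PATH = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
                "/providers/Microsoft.OperationalInsights/workspaces/ws"
                "/providers/Microsoft.SecurityInsights/entities/")
SAMPLE_RELATIONS = {"value": [
    {"name": "rel-1", "properties": {
        "relatedResourceId": _ENTITY_PATH + "11111111-aaaa-4bbb-8ccc-222222222222",
        "relatedResourceType": "Microsoft.SecurityInsights/entities",
        "relatedResourceKind": "SecurityAlert"}},
    {"name": "rel-2", "properties": {
        "relatedResourceId": _ENTITY_PATH.replace("/entities/", "/bookmarks/")
        + "33333333-bbbb-4ccc-8ddd-444444444444",
        "relatedResourceType": "Microsoft.SecurityInsights/bookmarks"}},
]}
SAMPLE_EXPAND = {
    "metaData": {"expansionId": ALERT_RELATED_ENTITIES},
    "value": {"edges": [], "entities": [
        {"kind": "Ip", "name": "e1", "properties": {"friendlyName": "203.0.113.7"}},
        {"kind": "Host", "name": "e2", "properties": {"friendlyName": "web01"}},
        {"kind": "Account", "name": "e3", "properties": {"friendlyName": "svc-backup"}},
    ]}}


def demo() -> Tuple[Dict[str, List[str]], List[str]]:
    """Run the chain against the samples; returns (entities by kind, URLs called in order)."""
    calls: List[str] = []

    def fake_get(url: str) -> dict:
        calls.append("GET " + url)
        return SAMPLE_RELATIONS

    def fake_post(url: str, body: dict) -> dict:
        calls.append("POST " + url)
        return SAMPLE_EXPAND

    prefix = workspace_prefix("00000000-0000-0000-0000-000000000000", "rg", "ws")
    return fetch_incident_entities(prefix, "incident-guid", fake_get, fake_post), calls


if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

To run it against a workspace, obtain a token for https://management.azure.com from a principal holding Microsoft Sentinel Reader and pass `*arm_client(token)` in place of the fake callables; swap `expansion_id` for one of the other ids listed above (for example BOOKMARK_RELATED_ENTITIES) to pivot differently. Because `kind` is matched verbatim, a parser that compares against "IP" or "ip" silently drops entities, which is the point of the case-sensitivity question later in the thread.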
- EwanChalmers
Copper Contributor
Mar 04, 2021
YanivSh Could you possibly share the JSON entity kind names for each of those related entity types?
e.g. I know about `Ip`, `Host`, `Address`, I have not seen incidents yet with the others.
To successfully parse these entity kinds from the JSON API response, I need to know the correct kind string (including capitalization) of each of those