Forum Discussion

Copper Contributor

May 28, 2020

Solved

Get entities for a Sentinel Incidient by API

Hi, I'm trying to get some information about incidents in Sentinel via the API (https://github.com/Azure/azure-rest-api-specs/blob/master/specification/securityinsights/resource-manager/Microsoft....

YanivSh
Jun 01, 2020
SanderWannet

currently the only way to achieve this is by:

1. Getting the system alert id by running the relation API call

get:

https://management.azure.com/subscriptions/xxxxx-5731-4780-8f96-2078ddxxxx/resourceGroups/cxp-azuresecurity/providers/Microsoft.OperationalInsights/workspaces/CXP/providers/Microsoft.SecurityInsights/Incidents/803f3d58-a406-4953-a1df-953143313a74/relations?api-version=2019-01-01-preview

in my example the system alert id value located here

2. run a POST request on entities API with the system Alert ID based on the first phase

where the expansionId is constant for get all entities

Post

https://management.azure.com/subscriptions/xxxxxxx-5731-4780-xxxx-2078dd96fd96/resourceGroups/cxp-azuresecurity/providers/Microsoft.OperationalInsights/workspaces/CxP/providers/Microsoft.SecurityInsights/entities/fc4faf6f-03b7-3c57-6892-100a0f960f9d/expand?api-version=2019-01-01-preview

body

{
"expansionId": "98b974fd-cc64-48b8-9bd0-3a209f5b944b",
}

This days product team are debating on how to make this process more user friendly with less calls.

happy to share once we will have final decision.

YanivSh

Microsoft

Jun 01, 2020

SanderWannet

currently the only way to achieve this is by:

1. Getting the system alert id by running the relation API call

get:

https://management.azure.com/subscriptions/xxxxx-5731-4780-8f96-2078ddxxxx/resourceGroups/cxp-azuresecurity/providers/Microsoft.OperationalInsights/workspaces/CXP/providers/Microsoft.SecurityInsights/Incidents/803f3d58-a406-4953-a1df-953143313a74/relations?api-version=2019-01-01-preview

in my example the system alert id value located here

2. run a POST request on entities API with the system Alert ID based on the first phase

where the expansionId is constant for get all entities

Post

https://management.azure.com/subscriptions/xxxxxxx-5731-4780-xxxx-2078dd96fd96/resourceGroups/cxp-azuresecurity/providers/Microsoft.OperationalInsights/workspaces/CxP/providers/Microsoft.SecurityInsights/entities/fc4faf6f-03b7-3c57-6892-100a0f960f9d/expand?api-version=2019-01-01-preview

body

{
"expansionId": "98b974fd-cc64-48b8-9bd0-3a209f5b944b",
}

This days product team are debating on how to make this process more user friendly with less calls.

happy to share once we will have final decision.

Dmitry2115
Copper Contributor
Jun 18, 2023
Hello YanivSh,
thank you so much for providing this!
Please advise, were there any updates regarding this since?
How safe is to still use the expansion ids? Alert's entities is particular? (are there any plans to deprecate them?)

Thank you!
Jeroen Niesen
Copper Contributor
Nov 12, 2020
YanivSh is there also a way to write alert entities?

According to this documentation it is possible to create incidents trough the REST API: https://docs.microsoft.com/en-us/rest/api/securityinsights/incidents/createorupdate

It would be nice if I could add entities to my incident as well.

Thanks!
- Ely_Abramovitch
  Microsoft
  Mar 08, 2021
  Hi Jeroen,
  
  Adding entities to incidents is indeed planned. Stay tuned for updates on our blog for this.
  In the man time, another route you can take is by adding bookmarks to entities. In a bookmark you can map an entity and add it to the incident. Once you do, the entity will be added as well.
  
  Thanks,
  Ely
SanderWannet
Copper Contributor
Jun 04, 2020
YanivSh

Thank you so much for your help! I've got it working 🙂

Is there any documentation about the expand action and the id's you can send to the API, so I can explore more of the possibilities of the API? Of is the expansionId you put in your example currently the only one?
- YanivSh
  Microsoft
  Jun 04, 2020
  SanderWannet
  
  please:
  
  "98b974fd-cc64-48b8-9bd0-3a209f5b944b", // Alert related entities
  
      "27f76e63-c41b-480f-bb18-12ad2e011d49", // Bookmark related entities
  
      "a77992f3-25e9-4d01-99a4-5ff606cc410a", // Account related alerts
  
      "4a014a1b-c5a1-499f-9f54-3f7b99b0a675", // AzureResource related alerts
  
      "f74ad13a-ae93-47b9-8782-b1142b95d046", // CloudApplication related alerts
  
      "80218599-45b4-4402-95cc-86f9929dd43d", // DNS related alerts
  
      "0f0bccef-4512-4530-a866-27056a39dcd6", // File related alerts
  
      "b6eaa3ad-e69b-437e-9c13-bb5273dd34ab", // FileHash related alerts
  
      "055a5692-555f-42bd-ac17-923a5a9994ed", // Host related alerts
  
      "58c1516f-b78a-4d78-9e71-77c40849c27b", // IP related alerts
  
      "b8407195-b9a3-4565-bf08-7b23e5c57e3a", // Malware related alerts
  
      "63a4fa2f-f89d-4cf5-96a2-cb2479e49731", // Process related alerts
  
      "d788cd65-a7ef-448e-aa34-81185ac0e611", // RegistryKey related alerts
  
      "3a45a7e3-80e0-4e05-84db-b97bd1ae452b", // RegistryValue related alerts
  
      "7b61d5e2-4b66-40a7-bb0f-9145b445104e", // URL related alerts
  
      "4daeed0e-0e74-4f2d-990c-a958210e9dd7", // IoTDevice related alerts
  
      "504ea455-3bf7-47ef-8555-dc747b465f99", // Account related bookmarks
  
      "e36c2ceb-4caf-4919-8433-d61dbc3e294a", // Host related bookmarks
  
      "6a6a5dcb-605c-4dad-8bb6-c8c439db4f0a", // IP related bookmarks
  
      "855ea9fe-2fdd-4890-8daa-c895c136eef3", // URL related bookmarks
  - EwanChalmers
    Copper Contributor
    Mar 04, 2021
    YanivSh Could you possibly share the JSON entity kind names for each of those related entity types?
    
    e.g. I know about `Ip`, `Host`, `Address`, I have not seen incidents yet with the others.
    
    To successfully parse these entity kinds from the JSON API response, I need to know the correct kind string (including capitalization) of each of those

Forum Discussion

Get entities for a Sentinel Incidient by API

Share

Resources