Forum Discussion
Get entities for a Sentinel Incidient by API
currently the only way to achieve this is by:
1. Getting the system alert id by running the relation API call
get:
in my example the system alert id value located here
2. run a POST request on entities API with the system Alert ID based on the first phase
where the expansionId is constant for get all entities
Post
body
{
"expansionId": "98b974fd-cc64-48b8-9bd0-3a209f5b944b",
}This days product team are debating on how to make this process more user friendly with less calls.
happy to share once we will have final decision.
Thank you so much for your help! I've got it working 🙂
Is there any documentation about the expand action and the id's you can send to the API, so I can explore more of the possibilities of the API? Of is the expansionId you put in your example currently the only one?
Microsoftplease:
"98b974fd-cc64-48b8-9bd0-3a209f5b944b", // Alert related entities
"27f76e63-c41b-480f-bb18-12ad2e011d49", // Bookmark related entities
"a77992f3-25e9-4d01-99a4-5ff606cc410a", // Account related alerts
"4a014a1b-c5a1-499f-9f54-3f7b99b0a675", // AzureResource related alerts
"f74ad13a-ae93-47b9-8782-b1142b95d046", // CloudApplication related alerts
"80218599-45b4-4402-95cc-86f9929dd43d", // DNS related alerts
"0f0bccef-4512-4530-a866-27056a39dcd6", // File related alerts
"b6eaa3ad-e69b-437e-9c13-bb5273dd34ab", // FileHash related alerts
"055a5692-555f-42bd-ac17-923a5a9994ed", // Host related alerts
"58c1516f-b78a-4d78-9e71-77c40849c27b", // IP related alerts
"b8407195-b9a3-4565-bf08-7b23e5c57e3a", // Malware related alerts
"63a4fa2f-f89d-4cf5-96a2-cb2479e49731", // Process related alerts
"d788cd65-a7ef-448e-aa34-81185ac0e611", // RegistryKey related alerts
"3a45a7e3-80e0-4e05-84db-b97bd1ae452b", // RegistryValue related alerts
"7b61d5e2-4b66-40a7-bb0f-9145b445104e", // URL related alerts
"4daeed0e-0e74-4f2d-990c-a958210e9dd7", // IoTDevice related alerts
"504ea455-3bf7-47ef-8555-dc747b465f99", // Account related bookmarks
"e36c2ceb-4caf-4919-8433-d61dbc3e294a", // Host related bookmarks
"6a6a5dcb-605c-4dad-8bb6-c8c439db4f0a", // IP related bookmarks
"855ea9fe-2fdd-4890-8daa-c895c136eef3", // URL related bookmarks
YanivSh Could you possibly share the JSON entity kind names for each of those related entity types?
e.g. I know about `Ip`, `Host`, `Address`, I have not seen incidents yet with the others.
To successfully parse these entity kinds from the JSON API response, I need to know the correct kind string (including capitalization) of each of those
I found the entity kind names in https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/entities
Account
AzureResource
CloudApplication
DnsResolution
File
FileHash
Host
Insight
IoTDevice
Ip
MailCluster
MailMessage
Mailbox
Malware
Process
RegistryKey
RegistryValue
SecurityAlert
SecurityGroup
SubmissionMail
Url
I tried the post request you listed with the body of:
body
{
"expansionId": "98b974fd-cc64-48b8-9bd0-3a209f5b944b",
}
..and variations of this.
I keep getting an UnsupportedMediaType (Status 415). Can you assist? I am desperate to try and extract IP's from an incident using the API and keep hitting a brick wall.
I see a comma and the end of the GUID... Did you try to remove it? Also make sure you've set the 'Content-Type' header of your post request to 'application/json'
Can you check if that's works for you?
SanderWannet you are a legend! Thankyou so so much this worked perfectly.
