Forum Discussion

Copper Contributor

May 28, 2020

Solved

Get entities for a Sentinel Incidient by API

Hi, I'm trying to get some information about incidents in Sentinel via the API (https://github.com/Azure/azure-rest-api-specs/blob/master/specification/securityinsights/resource-manager/Microsoft....

YanivSh
Jun 01, 2020
SanderWannet

currently the only way to achieve this is by:

1. Getting the system alert id by running the relation API call

get:

https://management.azure.com/subscriptions/xxxxx-5731-4780-8f96-2078ddxxxx/resourceGroups/cxp-azuresecurity/providers/Microsoft.OperationalInsights/workspaces/CXP/providers/Microsoft.SecurityInsights/Incidents/803f3d58-a406-4953-a1df-953143313a74/relations?api-version=2019-01-01-preview

in my example the system alert id value located here

2. run a POST request on entities API with the system Alert ID based on the first phase

where the expansionId is constant for get all entities

Post

https://management.azure.com/subscriptions/xxxxxxx-5731-4780-xxxx-2078dd96fd96/resourceGroups/cxp-azuresecurity/providers/Microsoft.OperationalInsights/workspaces/CxP/providers/Microsoft.SecurityInsights/entities/fc4faf6f-03b7-3c57-6892-100a0f960f9d/expand?api-version=2019-01-01-preview

body

{
"expansionId": "98b974fd-cc64-48b8-9bd0-3a209f5b944b",
}

This days product team are debating on how to make this process more user friendly with less calls.

happy to share once we will have final decision.

SanderWannet

Copper Contributor

Jun 04, 2020

YanivSh

Thank you so much for your help! I've got it working 🙂

Is there any documentation about the expand action and the id's you can send to the API, so I can explore more of the possibilities of the API? Of is the expansionId you put in your example currently the only one?

YanivSh