Forum Discussion
SanderWannet
May 28, 2020, Copper Contributor
Get entities for a Sentinel Incident by API
Hi, I'm trying to get some information about incidents in Sentinel via the API (https://github.com/Azure/azure-rest-api-specs/blob/master/specification/securityinsights/resource-manager/Microsoft....
- Jun 01, 2020
Currently the only way to achieve this is by:
1. Getting the system alert id by running the relation API call
get:
in my example the system alert id value is located here
2. Running a POST request on the entities API with the system alert ID from the first phase,
where the expansionId is constant for getting all entities
Post
body
{
"expansionId": "98b974fd-cc64-48b8-9bd0-3a209f5b944b"
}
These days the product team is debating how to make this process more user friendly with fewer calls.
Happy to share once we have a final decision.
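The two-step procedure above, written out as an added example (this is my code, not the poster's and not part of any Microsoft sample). It assumes the ARM resource paths under Microsoft.SecurityInsights (`.../incidents/{id}/relations` and `.../entities/{id}/expand`), the `2021-10-01` api-version, and the shape of the relations and expand responses; only the expansionId constant comes from the post. No request is sent: the relations and expand responses are constructed inline so the parsing can be exercised offline, and `send()` is the one place a bearer token would be used.

```python
import json
import urllib.request

ARM = "https://management.azure.com"
# expansionId quoted in the thread for "get all entities" of a SecurityAlert.
ALL_ENTITIES_EXPANSION_ID = "98b974fd-cc64-48b8-9bd0-3a209f5b944b"
API_VERSION = "2021-10-01"  # assumed stable SecurityInsights api-version


def workspace_scope(subscription_id, resource_group, workspace):
    """ARM scope of the Sentinel workspace (assumed path layout)."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            "/providers/Microsoft.SecurityInsights")


def relations_url(scope, incident_id):
    """Step 1: GET the incident's relations."""
    return f"{ARM}{scope}/incidents/{incident_id}/relations?api-version={API_VERSION}"


def system_alert_ids(relations_response):
    """Pull the SecurityAlert entity ids ("system alert id") out of a relations response.

    Relations also point at bookmarks and other resources, so filter on type and kind
    before taking the last path segment of relatedResourceId.
    """
    ids = []
    for rel in relations_response.get("value", []):
        props = rel.get("properties", {})
        if props.get("relatedResourceType") != "Microsoft.SecurityInsights/entities":
            continue
        if props.get("relatedResourceKind") != "SecurityAlert":
            continue
        ids.append(props["relatedResourceId"].rsplit("/", 1)[-1])
    return ids


def expand_request(scope, system_alert_id):
    """Step 2: POST .../entities/{systemAlertId}/expand with the constant expansionId."""
    url = f"{ARM}{scope}/entities/{system_alert_id}/expand?api-version={API_VERSION}"
    body = {"expansionId": ALL_ENTITIES_EXPANSION_ID}
    return url, body


def entities_by_kind(expand_response):
    """Group entities from an expand response by kind, listing the property names each carries."""
    out = {}
    for ent in expand_response.get("value", {}).get("entities", []):
        out.setdefault(ent.get("kind", "Unknown"), set()).update(ent.get("properties", {}))
    return {kind: sorted(fields) for kind, fields in out.items()}


def send(url, token, body=None):
    """Minimal ARM call with a bearer token (not exercised offline)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample data (placeholder ids, not real resources).
SCOPE = workspace_scope("00000000-0000-0000-0000-000000000000", "rg-sentinel", "ws-sentinel")
SAMPLE_RELATIONS = {"value": [
    {"name": "rel1", "properties": {
        "relatedResourceId": f"{SCOPE}/entities/11111111-1111-1111-1111-111111111111",
        "relatedResourceType": "Microsoft.SecurityInsights/entities",
        "relatedResourceKind": "SecurityAlert"}},
    {"name": "rel2", "properties": {
        "relatedResourceId": f"{SCOPE}/bookmarks/22222222-2222-2222-2222-222222222222",
        "relatedResourceType": "Microsoft.SecurityInsights/bookmarks"}},
]}
SAMPLE_EXPAND = {"value": {"entities": [
    {"kind": "Account", "properties": {"accountName": "jdoe", "upnSuffix": "example.invalid"}},
    {"kind": "Ip", "properties": {"address": "203.0.113.7"}},
    {"kind": "Account", "properties": {"accountName": "svc", "sid": "S-1-5-21-0-0-0-1001"}},
], "edges": []}}


def walk_incident(relations_response, expand_response):
    """Run the whole flow on captured responses and return (alert ids, expand url, entities by kind)."""
    ids = system_alert_ids(relations_response)
    url, body = expand_request(SCOPE, ids[0])
    return ids, url, body, entities_by_kind(expand_response)


if __name__ == "__main__":
    print(json.dumps(walk_incident(SAMPLE_RELATIONS, SAMPLE_EXPAND), indent=2))
```

Grouping the expanded entities by `kind` is also the quickest way to see, per entity type, which property names actually come back, since the expand response is the authoritative output rather than the analytics-rule mapping reference.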
SanderWannet
Mar 16, 2021, Copper Contributor
I wrote a blog post about how to get Sentinel Incidents including Entities (based on the information in this thread). It is how-to based; you can find it here:
https://blogs.infosupport.com/how-to-get-azure-sentinel-incidents-via-api/
- Rodrigo_Pereira
Jul 23, 2021, Copper Contributor
Hi,
Does anyone know where I can get a reference of the output JSON schema for all entity types?
I'm aware of this page: https://docs.microsoft.com/en-us/azure/sentinel/entities-reference
But that's good as a reference for entity mappings in analytics rules; it doesn't really tell me which field set is output for each type.
Thanks
- GaryBushey
Jul 23, 2021, Bronze Contributor
Probably the best place to look is at the REST API definitions: https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights
- Rodrigo_Pereira
Aug 13, 2022, Copper Contributor
Hey, thanks, it was helpful at the time.