Forum Discussion
Get entities for a Sentinel Incident by API
- Jun 01, 2020
Currently the only way to achieve this is by:
1. Getting the system alert id by running the relation API call.
GET:
In my example the system alert id value is located here.
2. Running a POST request on the entities API with the system alert ID obtained in the first phase, where the expansionId is constant for "get all entities".
POST
body:
{
  "expansionId": "98b974fd-cc64-48b8-9bd0-3a209f5b944b"
}
These days the product team is debating how to make this process more user friendly with fewer calls.
Happy to share once we have a final decision.
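As an added example (not code from the thread or from Microsoft), the two-phase flow above as offline helpers: pick the SecurityAlert relations out of a relations response, take the system alert id from the end of each related resource id, and build the expand request with the constant expansionId quoted above. The `relatedResourceId`/`relatedResourceKind` field names, the `/entities/{id}/expand` path and the api-version are assumptions taken from the public securityinsights spec; the sample response is constructed.

```python
"""Helpers for the two Sentinel calls described in the post (example code).

Assumptions (not stated in the thread): the relations response carries
properties.relatedResourceId / relatedResourceKind, and the expand call is
POST .../Microsoft.SecurityInsights/entities/{systemAlertId}/expand.
"""

# expansionId the post quotes as the constant for "get all entities"
ALL_ENTITIES_EXPANSION_ID = "98b974fd-cc64-48b8-9bd0-3a209f5b944b"
API_VERSION = "2019-01-01-preview"  # assumption

# Constructed sample of a relations response: one bookmark, one alert.
SAMPLE_WORKSPACE_SCOPE = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                          "/resourceGroups/rg-example/providers/"
                          "Microsoft.OperationalInsights/workspaces/ws-example")
SAMPLE_RELATIONS = {"value": [
    {"properties": {"relatedResourceKind": "Bookmark",
                    "relatedResourceId": SAMPLE_WORKSPACE_SCOPE +
                    "/providers/Microsoft.SecurityInsights/bookmarks/bm-1"}},
    {"properties": {"relatedResourceKind": "SecurityAlert",
                    "relatedResourceId": SAMPLE_WORKSPACE_SCOPE +
                    "/providers/Microsoft.SecurityInsights/entities/alert-123"}},
]}


def alert_ids_from_relations(relations_response: dict) -> list[str]:
    """Phase 1: return the system alert ids referenced by an incident.

    Relations that are not SecurityAlert entities (bookmarks, comments) are
    skipped; the id is the last path segment of relatedResourceId.
    """
    ids = []
    for rel in relations_response.get("value", []):
        props = rel.get("properties", {})
        if props.get("relatedResourceKind") != "SecurityAlert":
            continue
        resource_id = props.get("relatedResourceId", "").rstrip("/")
        if resource_id:
            ids.append(resource_id.rsplit("/", 1)[-1])
    return ids


def expand_request(workspace_scope: str, system_alert_id: str) -> tuple[str, dict]:
    """Phase 2: URL and body for the entities expand POST (URL is an assumption)."""
    url = (f"https://management.azure.com{workspace_scope}/providers/"
           f"Microsoft.SecurityInsights/entities/{system_alert_id}/expand"
           f"?api-version={API_VERSION}")
    return url, {"expansionId": ALL_ENTITIES_EXPANSION_ID}
```

Feed the real relations response to `alert_ids_from_relations`, then issue one `expand_request` per returned id; an incident with no SecurityAlert relation yields an empty list rather than a malformed POST.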
I wrote a blog post about how to get Sentinel Incidents including Entities (based on the information in this thread). It is how-to based, you can find it here:
https://blogs.infosupport.com/how-to-get-azure-sentinel-incidents-via-api/
Hi,
Does anyone know where I can get a reference of the output JSON schema for all entity types?
I'm aware of this page: https://docs.microsoft.com/en-us/azure/sentinel/entities-reference
But that's good as a reference for entity mappings in analytics rules, it doesn't really tell me which field set is output for each type.
Thanks
- GaryBushey, Jul 23, 2021, Bronze Contributor: Probably the best place to look is at the REST API definitions: https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights
- Rodrigo_Pereira, Aug 13, 2022, Copper Contributor: Hey, thanks, it was helpful at the time.