Forum Discussion
graph api query sentinel CEF log
haimmag, to answer your questions:
1) The Azure Security Graph only allows queries of data in the Security Graph itself. From what I have seen in the documentation, you cannot add a new security alert, only update an existing one.
2) Not quite sure what you are asking for here. You can create an analytics rule to create an alert when a new row is added to the CommonSecurityLog table, which is where a CEF feed would place the data. You would use KQL to search CommonSecurityLog and filter to find only those rows you care about:
CommonSecurityLog
| where <filter term>
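As an added example (not code from the thread), here is what a filled-in version of that skeleton could look like as a scheduled analytics rule query: it selects CEF firewall deny events from CommonSecurityLog over the rule's lookback window and collapses exact duplicates so that each output row is one distinct source/destination/port event. The vendor and product strings, the action values and the one-hour window are assumptions to adjust to your own feed.

```kql
// Added example, not from the original thread. CommonSecurityLog is the table
// the CEF connector writes to; column names below are the standard ones.
// DeviceVendor / DeviceProduct / action strings are assumed placeholder values.
let lookback = 1h;   // keep equal to the rule's "lookup data from the last" setting
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DeviceVendor == "ExampleVendor" and DeviceProduct == "ExampleFirewall"
| where DeviceAction in~ ("deny", "drop", "block")      // case-insensitive match
| where isnotempty(SourceIP) and isnotempty(DestinationIP)
// One row per distinct (source, destination, port) in the window; repeated
// identical denies are counted instead of producing duplicate rows.
| summarize
    Occurrences = count(),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated),
    Actions     = make_set(DeviceAction, 5),
    Protocols   = make_set(Protocol, 5)
    by SourceIP, DestinationIP, DestinationPort, DeviceVendor, DeviceProduct
| order by LastSeen desc
```

Each row this returns is a candidate alert; map SourceIP and DestinationIP to IP entities in the rule's entity mapping. Whether the rule emits one alert for the whole result set or one per row is controlled by the rule's event grouping setting, not by the query, so the query's job is only to make every row a self-contained, deduplicated event.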
- haimmag, Jun 20, 2020, Copper Contributor
Thanks for your answer.
Can alerts created by analytics rules be queried in https://graph.microsoft.com/v1.0/security/alerts ?
Where can I find samples of analytics rules that create an alert per row?
Analytics rules run at scheduled times; they are not triggered per row insert. When creating an alert, how can I iterate over each row?
- GaryBushey, Jun 21, 2020, Bronze Contributor
haimmag, while you cannot guarantee that each new row will generate its own alert at this time, that functionality should be available very soon (disclaimer: I don't work for MS, so I am just going off of rumors).