Chris_321
Copper Contributor
Apr 06, 2022
Solved

Problem with Api Sentinel and the value "alertProductNames".

Hello,

While investigating the Sentinel API, I noticed that it does not pick up incidents reported by Portal M365D but it does pick up incidents reported by Microsoft Defender for Endpoint in the...
    Clive_Watson
    Apr 07, 2022

    Chris_321

    The API still reports the old names, and therefore so do other parts of the system that use it.

    e.g.

    SecurityIncident
    | extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0]))
    | summarize count() by tostring(Product)

    I suspect it will take Microsoft some time to make sure if they update the results, it doesn't break anything that relies on the "old names".


    The latest preview also doesn't address this (but I think the date was before or around the time of many of the product renames): Incidents - Get - REST API (Azure Sentinel) | Microsoft Docs
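As an added example (not code from the thread or from Microsoft), here is the same count in Python, run over incidents fetched from the Incidents REST API, folding pre-rename and current product strings together so that counts do not split while the API still reports old names. The rename table is an assumption (the thread does not list which old strings the API returns), the sample incidents are constructed, and the function also handles the empty-list case that the KQL `[0]` would turn into a null.

```python
import json
from collections import Counter
from typing import Any, Dict, Iterable, List

# ASSUMPTION: a few well-known pre-rename -> current product names. The thread
# says the API still returns "old names" but does not list them, so verify this
# table against the alertProductNames values in your own SecurityIncident data.
PRODUCT_RENAMES = {
    "Azure Sentinel": "Microsoft Sentinel",
    "Azure Security Center": "Microsoft Defender for Cloud",
    "Microsoft Defender Advanced Threat Protection": "Microsoft Defender for Endpoint",
    "Azure Advanced Threat Protection": "Microsoft Defender for Identity",
    "Office 365 Advanced Threat Protection": "Microsoft Defender for Office 365",
    "Microsoft Cloud App Security": "Microsoft Defender for Cloud Apps",
}


def product_names(additional_data: Dict[str, Any]) -> List[str]:
    """Return alertProductNames as a list. Accepts a native list (REST API shape)
    or a JSON-encoded string (why the KQL needs tostring/parse_json), and
    returns [] when the field is absent or empty."""
    raw = additional_data.get("alertProductNames", [])
    if isinstance(raw, str):
        raw = json.loads(raw) if raw.strip() else []
    return [str(p) for p in raw]


def first_product(additional_data: Dict[str, Any]) -> str:
    """Normalized first product name, or "(none)" instead of a null-like value."""
    names = product_names(additional_data)
    return PRODUCT_RENAMES.get(names[0], names[0]) if names else "(none)"


def count_by_first_product(incidents: Iterable[Dict[str, Any]]) -> Counter:
    """Mirror of `summarize count() by Product`, with old names folded into new."""
    return Counter(
        first_product(inc.get("properties", {}).get("additionalData", {}))
        for inc in incidents
    )


# Constructed sample incidents shaped like the Incidents - Get response (only the
# fields used here); the values are made up for illustration.
SAMPLE_INCIDENTS = [
    {"name": "inc-1", "properties": {"additionalData": {"alertProductNames": ["Microsoft Defender Advanced Threat Protection"]}}},
    {"name": "inc-2", "properties": {"additionalData": {"alertProductNames": '["Microsoft Defender for Endpoint"]'}}},
    {"name": "inc-3", "properties": {"additionalData": {"alertProductNames": []}}},
    {"name": "inc-4", "properties": {"additionalData": {"alertProductNames": ["Azure Sentinel", "Microsoft Defender for Endpoint"]}}},
]

if __name__ == "__main__":
    for product, n in count_by_first_product(SAMPLE_INCIDENTS).most_common():
        print(f"{n:3d}  {product}")
```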