Get entities for a Sentinel Incidient by API

SanderWannet 

currently the only way to achieve this is by:

1. Getting the system alert id by running the relation API call 

get:

https://management.azure.com/subscriptions/xxxxx-5731-4780-8f96-2078ddxxxx/resourceGroups/cxp-azuresecurity/providers/Microsoft.OperationalInsights/workspaces/CXP/providers/Microsoft.SecurityInsights/Incidents/803f3d58-a406-4953-a1df-953143313a74/relations?api-version=2019-01-01-preview

in my example the system alert id value located here 

2.  run a POST request on entities API with the system Alert ID based on the first phase

where the expansionId is constant for get all entities 

Post

https://management.azure.com/subscriptions/xxxxxxx-5731-4780-xxxx-2078dd96fd96/resourceGroups/cxp-azuresecurity/providers/Microsoft.OperationalInsights/workspaces/CxP/providers/Microsoft.SecurityInsights/entities/fc4faf6f-03b7-3c57-6892-100a0f960f9d/expand?api-version=2019-01-01-preview

body 

{
"expansionId": "98b974fd-cc64-48b8-9bd0-3a209f5b944b",
}

This days product team are debating on  how to make this process more user friendly with less calls.

happy to share once we will have final decision.