Forum Discussion
Pending actions notification via KQL / Graph API
Hey Kristof,
I believe I know what you're talking about and it seems like the API endpoint you'd want to hit is here: https://learn.microsoft.com/en-us/defender-endpoint/api/investigation
Have a script that retrieves a list of investigations, filters for "PendingApproval", and pipes those investigation IDs into a loop or something to Start investigation. I don't see a built-in function for alerting on this state for an investigation, but we can quickly create a logic app to do this for us.
Or, as seen in this thread ( https://www.reddit.com/r/DefenderATP/comments/192zinv/notifications_for_pending_actions/ ), we can create an alert in Sentinel and then trigger an automation rule. There's already a Playbook Template for you to use, "Send basic email", which can be installed via the Content Hub in the resource "SentinelSOARessentials".
- Create a Sentinel analytic rule that alerts on PendingApproval with the query provided by the good folks on Reddit
- Create a playbook from the template to send an email
- Create an automation rule to run the playbook when that particular Analytics rule is triggered
Hopefully this helps. If you need any help building any of this out or exploring other ideas I'd be happy to provide some guidance. Let me know.
Best regards,
Dylan
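The list-then-filter step described above, as an added example that is not code from either poster: it queries the investigations endpoint for the PendingApproval state, and a separate client-side filter turns any investigation list into a notification body. Assumptions: response objects carry `investigationState`, `startTime` and `computerDnsName` (field names as I read the linked API docs), and the caller already holds a bearer token for the Defender API.

```python
"""Find Defender for Endpoint automated investigations waiting for approval.

Added example, not code from the thread. Field names below are an assumption
based on https://learn.microsoft.com/en-us/defender-endpoint/api/investigation
"""
from datetime import datetime, timezone
import json
import urllib.request

API_URL = "https://api.securitycenter.microsoft.com/api/investigations"

def fetch_investigations(token, state="PendingApproval"):
    """Server-side filter on one investigation state (network call, not run here)."""
    url = f"{API_URL}?$filter=investigationState eq '{state}'"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]

def pending_approvals(investigations, now, min_age_hours=0):
    """Client-side filter usable on an unfiltered list as well.

    Returns (id, host, hours_waiting) tuples for investigations in PendingApproval
    that have waited at least min_age_hours, oldest first.
    """
    rows = []
    for inv in investigations:
        if inv.get("investigationState") != "PendingApproval":
            continue
        started = datetime.fromisoformat(inv["startTime"].replace("Z", "+00:00"))
        hours = int((now - started).total_seconds() // 3600)
        if hours >= min_age_hours:
            rows.append((inv["id"], inv.get("computerDnsName", "?"), hours))
    return sorted(rows, key=lambda r: r[2], reverse=True)

def notification_text(rows):
    """Plain-text body for the email/Teams step of the playbook."""
    if not rows:
        return "No investigations pending approval."
    lines = [f"{len(rows)} investigation(s) pending approval:"]
    for inv_id, host, hours in rows:
        lines.append(f"  id={inv_id} host={host} waiting={hours}h")
    return "\n".join(lines)

# Constructed sample response (no real tenant data)
SAMPLE = [
    {"id": 1001, "investigationState": "PendingApproval", "startTime": "2024-12-04T08:00:00Z", "computerDnsName": "ws01.contoso.local"},
    {"id": 1002, "investigationState": "Running", "startTime": "2024-12-05T09:00:00Z", "computerDnsName": "ws02.contoso.local"},
    {"id": 1003, "investigationState": "PendingApproval", "startTime": "2024-12-05T06:00:00Z", "computerDnsName": "srv01.contoso.local"},
]
NOW = datetime(2024, 12, 5, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(notification_text(pending_approvals(SAMPLE, NOW, min_age_hours=1)))
```

Swap `SAMPLE` for `fetch_investigations(token)` in a scheduled job or logic-app step to get the notification the thread asks for.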
Kristof, Dec 05, 2024, Copper Contributor
Hi DylanInfosec,
Thank you for taking the time to respond!
I'll have a look at the investigation api.
I also saw the Reddit post, but when I ran the query, or variations of it, it didn't produce results.
I had a check and there isn't a Status property in my ExtendedProperties in my SecurityAlert table, so no luck there. Also no other property indicating something similar. So no luck there.
I can move on with the api.
Thx!
Br,
Kristof