Forum Discussion

jojo_the_coder
Copper Contributor
Mar 17, 2020

Fetch Azure Sentinel Incidents Via API

Hi,

I want to fetch incidents from Azure Sentinel via API. As Sentinel doesn't have an API, I have to use the Graph API. I need a sample or endpoint.

Any advice or document suggestion would be appreciated.

 

Best

Yasemen

 

  • Hi jojo_the_coder, current available APIs to fetch incidents can be found here.

     

    To fetch alerts related to an incident without using the Log Analytics API, you can do that via the Microsoft Graph Security API. Please refer to the documentation here. Below is an example query to get all alerts provided by Azure Sentinel via the Graph Security API. A list of curated sample queries can be found here.

    https://graph.microsoft.com/v1.0/security/alerts?$filter=vendorInformation/provider eq 'Azure Sentinel'
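The query above returns one page at a time. As an added worked example (not code from the reply's author or from Microsoft), the script below builds that filtered URL, walks the `@odata.nextLink` pages the Graph Security API returns, and flattens the user, host and destination-address fields out of each alert. The HTTP call is injected so it runs here against a constructed two-page sample; the sample alerts, URLs and page token are made up for the example, and for live use you would pass a function that performs an authenticated GET with a bearer token and returns the parsed JSON body.

```python
"""Pull Azure Sentinel alerts from the Microsoft Graph Security API and walk
the @odata.nextLink pages. The HTTP call is injected (fetch_json) so the same
code runs here against a constructed offline sample; for live use pass a
function that does an authenticated GET and returns the parsed JSON body."""
from urllib.parse import urlencode

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"


def sentinel_alerts_url(provider="Azure Sentinel", top=100):
    """List URL with the OData filter from the thread on vendorInformation/provider.
    A single quote inside the value is doubled, which is how OData escapes it."""
    escaped = provider.replace("'", "''")
    query = {"$filter": f"vendorInformation/provider eq '{escaped}'",
             "$top": str(top)}
    return f"{GRAPH_ALERTS}?{urlencode(query)}"


def iter_alerts(first_url, fetch_json):
    """Yield every alert across pages. Graph puts the page in 'value' and, while
    more remain, a full URL for the next page in '@odata.nextLink'."""
    url, seen = first_url, set()
    while url:
        if url in seen:          # defensive: a repeated link would loop forever
            raise RuntimeError("nextLink cycle detected")
        seen.add(url)
        body = fetch_json(url)
        for alert in body.get("value", []):
            yield alert
        url = body.get("@odata.nextLink")


def summarize(alert):
    """Flatten the fields an analyst usually wants. Entity-like data in the Graph
    alert schema lives in userStates / hostStates / networkConnections rather
    than in a single 'entities' field."""
    vendor = alert.get("vendorInformation") or {}
    return {
        "id": alert.get("id"),
        "title": alert.get("title"),
        "severity": alert.get("severity"),
        "status": alert.get("status"),
        "created": alert.get("createdDateTime"),
        "provider": vendor.get("provider"),
        "users": [u.get("userPrincipalName") for u in alert.get("userStates") or []],
        "hosts": [h.get("fqdn") for h in alert.get("hostStates") or []],
        "dest_ips": [c.get("destinationAddress") for c in alert.get("networkConnections") or []],
    }


# Constructed two-page sample standing in for live Graph responses (not real data).
FIRST_URL = sentinel_alerts_url()
NEXT_URL = GRAPH_ALERTS + "?$skiptoken=constructed-page-2"
SAMPLE_PAGES = {
    FIRST_URL: {
        "value": [
            {"id": "a1", "title": "Suspicious sign-in", "severity": "medium", "status": "newAlert",
             "createdDateTime": "2020-03-16T10:00:00Z",
             "vendorInformation": {"provider": "Azure Sentinel", "vendor": "Microsoft"},
             "userStates": [{"userPrincipalName": "alice@contoso.example"}],
             "hostStates": [{"fqdn": "ws01.contoso.example"}]},
            {"id": "a2", "title": "Rare process", "severity": "low", "status": "newAlert",
             "createdDateTime": "2020-03-16T11:00:00Z",
             "vendorInformation": {"provider": "Azure Sentinel", "vendor": "Microsoft"},
             "networkConnections": [{"destinationAddress": "203.0.113.9"}]},
        ],
        "@odata.nextLink": NEXT_URL,
    },
    NEXT_URL: {
        "value": [
            {"id": "a3", "title": "Brute force", "severity": "high", "status": "inProgress",
             "createdDateTime": "2020-03-17T01:00:00Z",
             "vendorInformation": {"provider": "Azure Sentinel", "vendor": "Microsoft"}},
        ],
    },
}


def collect_sample():
    """Run the pager over the constructed sample; returns the flattened alerts."""
    return [summarize(a) for a in iter_alerts(FIRST_URL, SAMPLE_PAGES.__getitem__)]


if __name__ == "__main__":
    for row in collect_sample():
        print(row)
```

The cycle check in `iter_alerts` is cheap insurance: a pager that trusts `@odata.nextLink` blindly will spin forever if a proxy or a bug ever hands back the same link twice.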

     


    • SocInABox
      Iron Contributor

      Hi Chi_Nguyen 

      I'm not sure your query examples are the ideal solution.

      The Graph API fields don't include details such as source, destination, username, event ID.

      How can we get those details from the graph api query?

      Those details do exist in the 'Entities' field, but that's not pulled down in the json, is it?

    • PrashTechTalk
      Brass Contributor

      Chi_Nguyen -

      Hi,

       

      I would like to filter the cases API results to get the latest 30 days of data by setting a filter that is not based on from and to dates, but instead just mentions 30 days. How do I achieve this? I do not want to hard-code the from and to dates here.

       

      $filter=properties/createdTimeUtc le <30 days>

       

      I still wonder why Microsoft has not given access to incident data to effectively use KQL queries instead of going through the API.

       

      Thanks.

      • Chi_Nguyen
        Microsoft

        PrashTechTalk We recently released Azure Sentinel Management API that you can leverage to directly get all incidents and filter them based on a time range. This article has an overview of different Azure Sentinel APIs including this one. 

        In terms of using KQL, you can now query your incidents directly using the KQL via the SecurityIncident table in your Azure Sentinel workspace. 

        Hope that helps!
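As an added worked example for the rolling-window question above (not code from Chi_Nguyen, Microsoft or the original poster), the script below computes the cutoff at run time instead of hard-coding from/to dates, emits the OData filter for the Azure Sentinel incidents REST endpoint, and emits the equivalent KQL over the `SecurityIncident` table. The ARM route and `api-version` are assumed from the Microsoft.SecurityInsights reference as I recall it and should be confirmed against the current documentation; the subscription, resource group, workspace and `SecurityIncident` rows are constructed for the example. Two practitioner points it carries: the comparison must be `ge` (newer than the cutoff), not `le`, and `SecurityIncident` holds one row per incident update, so the KQL collapses to the latest row per incident with `arg_max()`.

```python
"""Rolling time-window filter for the Azure Sentinel incidents REST API (no
hard-coded from/to dates) plus the equivalent KQL against SecurityIncident.
The constructed sample rows show why the KQL needs arg_max(): the table keeps
one row per incident update, not one row per incident."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Assumed ARM route for listing incidents; confirm api-version against the
# current Microsoft.SecurityInsights reference before use.
INCIDENTS_ROUTE = ("https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}"
                   "/providers/Microsoft.OperationalInsights/workspaces/{ws}"
                   "/providers/Microsoft.SecurityInsights/incidents")
API_VERSION = "2020-01-01"


def window_start(days, now=None):
    """UTC timestamp 'days' ago, formatted as OData expects (ISO 8601 with Z)."""
    now = now or datetime.now(timezone.utc)
    start = now.astimezone(timezone.utc) - timedelta(days=days)
    return start.strftime("%Y-%m-%dT%H:%M:%SZ")


def incidents_filter(days, now=None):
    """OData filter for incidents created within the last 'days' days.
    'ge' (greater-or-equal), not 'le': we want incidents newer than the cutoff."""
    return f"properties/createdTimeUtc ge {window_start(days, now)}"


def incidents_url(sub, rg, ws, days, now=None, top=50):
    """Full list URL; $orderby/$top are the query options the list API accepts."""
    query = {"api-version": API_VERSION,
             "$filter": incidents_filter(days, now),
             "$orderby": "properties/createdTimeUtc desc",
             "$top": str(top)}
    return INCIDENTS_ROUTE.format(sub=sub, rg=rg, ws=ws) + "?" + urlencode(query)


def incidents_kql(days):
    """Same window in KQL. SecurityIncident logs a row per update, so collapse
    to the newest row per IncidentNumber before counting or triaging."""
    return (f"SecurityIncident\n"
            f"| where CreatedTime >= ago({days}d)\n"
            f"| summarize arg_max(TimeGenerated, *) by IncidentNumber\n"
            f"| project IncidentNumber, Title, Severity, Status, CreatedTime, LastModifiedTime")


def latest_per_incident(rows):
    """Client-side equivalent of the arg_max() step: newest update per incident."""
    latest = {}
    for r in rows:
        n = r["IncidentNumber"]
        if n not in latest or r["TimeGenerated"] > latest[n]["TimeGenerated"]:
            latest[n] = r
    return latest


# Constructed SecurityIncident rows (incident 7 was updated once after creation).
SAMPLE_ROWS = [
    {"IncidentNumber": 7, "TimeGenerated": "2020-03-10T08:00:00Z", "Status": "New", "Severity": "Medium"},
    {"IncidentNumber": 7, "TimeGenerated": "2020-03-11T09:30:00Z", "Status": "Active", "Severity": "High"},
    {"IncidentNumber": 8, "TimeGenerated": "2020-03-12T10:00:00Z", "Status": "New", "Severity": "Low"},
]


if __name__ == "__main__":
    print(incidents_url("sub-1", "rg-1", "ws-1", days=30))
    print(incidents_kql(30))
    for n, row in sorted(latest_per_incident(SAMPLE_ROWS).items()):
        print(n, row["Status"], row["Severity"])
```

Without the `arg_max()` step a count over `SecurityIncident` would report three rows for two incidents and show incident 7 as both New and Active; the client-side `latest_per_incident()` reproduces the same de-duplication for results pulled through the REST API.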
