jojo_the_coder
Copper Contributor
Mar 17, 2020
Solved

Fetch Azure Sentinel Incidents Via API

Hi,

I want to fetch incidents from Azure Sentinel via API. As Sentinel doesn't have an API, I have to use the Graph API. I need a sample or endpoint.

Any advice or document suggestion would be appreciated.

Best

Yasemen

14 Replies

  • Chi_Nguyen
    Former Employee

    Hi jojo_the_coder, currently available APIs to fetch incidents can be found here.

    To fetch alerts related to an incident without using the Log Analytics API, you can do that via the Microsoft Graph Security API. Please refer to the documentation at https://docs.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0#alerts. Below is an example query to get all alerts provided by Azure Sentinel via the Graph Security API. A list of curated sample queries can be found at https://github.com/microsoftgraph/security-api-solutions/tree/master/Queries

    https://graph.microsoft.com/v1.0/security/alerts?$filter=vendorInformation/provider eq 'Azure Sentinel'

    • SocInABox
      Iron Contributor

      Hi Chi_Nguyen,

      I'm not sure your query examples are the ideal solution.

      The Graph API fields don't include details such as source, destination, username, or event ID.

      How can we get those details from the graph api query?

      Those details do exist in the 'Entities' field, but that's not pulled down in the json, is it?

      • Chi_Nguyen
        Former Employee

        SocInABox, those fields are not populated by the Graph Security API because they aren't part of the alert schema. The team is still working on enriching the alerts with more fields.

        If you'd like to get incidents with all the details, I suggest you try the https://github.com/Azure/azure-rest-api-specs/blob/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/SecurityInsights.json

        You'll need to make a few calls to get to the level of details you need, but here is a post about it.

        https://techcommunity.microsoft.com/t5/azure-sentinel/get-entities-for-a-sentinel-incidient-by-api/m-p/1422643

    • PrashTechTalk
      Brass Contributor

      Chi_Nguyen -

      Hi,

      I would like to filter the cases API results to get the latest 30 days of data by setting a filter that is not based on from and to dates, instead just mentioning 30 days. How do I achieve this? I do not want to hard-code the from and to date here.

      $filter = properties/createdTimeUtc  le <30days> 

      I still wonder why Microsoft has not given access to incident data to effectively use KQL queries instead of going through the API.

      Thanks.

      • Chi_Nguyen
        Former Employee

        PrashTechTalk We recently released Azure Sentinel Management API that you can leverage to directly get all incidents and filter them based on a time range. This https://attack.mitre.org/ has an overview of different Azure Sentinel APIs including this one. 

        In terms of using KQL, you can now query your incidents directly using the KQL via the SecurityIncident table in your Azure Sentinel workspace. 

        Hope that helps!
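The two query styles discussed in this thread, Chi_Nguyen's Graph Security API alert filter and PrashTechTalk's "last 30 days without hard-coded dates" filter against the Sentinel Management API, as an added Python example that is not code from any poster or from Microsoft. The Graph URL reproduces the `$filter` given above; the Management API path (`Microsoft.OperationalInsights/workspaces/{ws}/providers/Microsoft.SecurityInsights/incidents`, `api-version=2020-01-01`) matches the SecurityInsights spec linked in the thread but is otherwise an assumption, as is the `properties/createdTimeUtc` property name used in the filter. "Last 30 days" is expressed as `createdTimeUtc ge <now minus 30 days>`, computed at call time. `bearer_fetch` is a hypothetical helper for live use; the `fake_fetch` responses are constructed so the example runs offline and demonstrates continuation-link paging.

```python
"""Build and page Azure Sentinel alert/incident queries.

Added illustration; assumptions (endpoint path, property name, helper names)
are noted inline.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"
ARM = "https://management.azure.com"

# KQL equivalent mentioned in the reply: the SecurityIncident table keeps one
# row per incident update, so arg_max keeps only the latest state per incident.
SECURITY_INCIDENT_KQL = (
    "SecurityIncident | where CreatedTime > ago(30d) "
    "| summarize arg_max(LastModifiedTime, *) by IncidentNumber"
)


def graph_alerts_url(provider="Azure Sentinel"):
    """Graph Security API alert list filtered to one vendor/provider
    (the $filter from the thread, URL-encoded)."""
    return f"{GRAPH_ALERTS}?$filter=" + quote(
        f"vendorInformation/provider eq '{provider}'"
    )


def sentinel_incidents_url(subscription_id, resource_group, workspace,
                           days=30, now=None):
    """Sentinel Management API incident list for the last `days` days.

    The lower bound is derived from the current time, so no from/to date is
    hard-coded. Path and property name are assumptions (see lead-in)."""
    now = now or datetime.now(timezone.utc)
    since = (now - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    path = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/incidents")
    flt = f"properties/createdTimeUtc ge {since}"
    return f"{ARM}{path}?api-version=2020-01-01&$filter={quote(flt)}"


def fetch_all(url, fetch, max_pages=100):
    """Follow Graph (@odata.nextLink) or ARM (nextLink) continuation links.

    max_pages bounds the loop so a misbehaving service cannot spin forever."""
    items, pages = [], 0
    while url and pages < max_pages:
        page = fetch(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink") or page.get("nextLink")
        pages += 1
    return items


def bearer_fetch(token):
    """Hypothetical helper for live use: GET JSON with a bearer token obtained
    separately (e.g. via the OAuth2 client-credentials flow)."""
    def fetch(url):
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}", "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


# Constructed sample responses standing in for the live Graph service.
SAMPLE_PAGES = {
    graph_alerts_url(): {
        "value": [{"id": "alert-1", "title": "Constructed alert A",
                   "vendorInformation": {"provider": "Azure Sentinel"}}],
        "@odata.nextLink": GRAPH_ALERTS + "?$skiptoken=constructed-page-2",
    },
    GRAPH_ALERTS + "?$skiptoken=constructed-page-2": {
        "value": [{"id": "alert-2", "title": "Constructed alert B",
                   "vendorInformation": {"provider": "Azure Sentinel"}}],
    },
}


def fake_fetch(url):
    """Offline stand-in for bearer_fetch, serving the constructed pages."""
    return SAMPLE_PAGES[url]


def list_sentinel_alerts(fetch=fake_fetch):
    """Collect (id, title) across all pages of Sentinel-provided alerts.

    As noted in the thread, Graph alerts expose only the alert schema fields,
    so entity detail (source, destination, user) is not available here."""
    return [(a["id"], a["title"]) for a in fetch_all(graph_alerts_url(), fetch)]


if __name__ == "__main__":
    print(graph_alerts_url())
    print(sentinel_incidents_url("<sub>", "<rg>", "<workspace>"))
    print(list_sentinel_alerts())
```

For live use, swap `fake_fetch` for `bearer_fetch(token)` with a token scoped to `https://graph.microsoft.com` or `https://management.azure.com` respectively; the paging loop is the same for both services.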