Forum Discussion
Fetch Azure Sentinel Incidents Via API
- Mar 17, 2020
Hi jojo_the_coder, the currently available APIs to fetch incidents can be found here.
To fetch alerts related to an incident without using the Log Analytics API, you can do that via the Microsoft Graph Security API. Please refer to the documentation: https://docs.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0#alerts
Below is an example query to get all alerts provided by Azure Sentinel via the Graph Security API. A list of curated sample queries can be found at https://github.com/microsoftgraph/security-api-solutions/tree/master/Queries
https://graph.microsoft.com/v1.0/security/alerts?$filter=vendorInformation/provider eq 'Azure Sentinel'
Hi,
I would like to filter the cases API results to get the latest 30 days of data by setting a filter that is not based on from and to dates, instead just mentioning 30 days. How do I achieve this? I do not want to hard-code the from and to date here.
$filter = properties/createdTimeUtc le <30days>
I still wonder why Microsoft has not given access to incident data to effectively use KQL queries instead of going through the API.
Thanks.
PrashTechTalk, we recently released the Azure Sentinel Management API that you can leverage to directly get all incidents and filter them based on a time range. This https://attack.mitre.org/ has an overview of the different Azure Sentinel APIs, including this one.
In terms of using KQL, you can now query your incidents directly using the KQL via the SecurityIncident table in your Azure Sentinel workspace.
Hope that helps!
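As an added illustration (not code from this thread or from Microsoft) of the relative-window filter asked about above, the snippet below computes the `properties/createdTimeUtc` bound at call time instead of hard-coding from/to dates, and walks server paging with an injected fetcher so authentication stays with the caller. The incidents endpoint path, the api-version and the subscription/workspace placeholders are assumptions for illustration, and the sample pages are constructed.

```python
import datetime as dt
import urllib.parse

# Assumed endpoint shape for illustration; <SUB_ID>, <RG> and <WORKSPACE> are placeholders.
INCIDENTS_URL = ("https://management.azure.com/subscriptions/<SUB_ID>/resourceGroups/<RG>"
                 "/providers/Microsoft.OperationalInsights/workspaces/<WORKSPACE>"
                 "/providers/Microsoft.SecurityInsights/incidents")

# Constructed fixed clock so the output is reproducible; real callers pass now=None.
FIXED_NOW = dt.datetime(2020, 8, 4, 12, 0, 0, tzinfo=dt.timezone.utc)

def relative_filter(days, field="properties/createdTimeUtc", now=None):
    """OData $filter selecting records newer than `days` days, evaluated at call time."""
    now = now or dt.datetime.now(dt.timezone.utc)
    since = (now - dt.timedelta(days=days)).replace(microsecond=0)
    stamp = since.strftime("%Y-%m-%dT%H:%M:%SZ")  # OData DateTimeOffset literal in UTC
    return f"{field} ge {stamp}"

def build_url(base, days, api_version="2020-01-01", now=None):
    """Attach api-version (assumed here) and the computed $filter, percent-encoded."""
    params = {"api-version": api_version, "$filter": relative_filter(days, now=now)}
    return base + "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)

def fetch_all(url, get_json):
    """Follow continuation links until exhausted. `get_json(url)` is supplied by the
    caller (e.g. requests with a bearer token); nothing here touches the network."""
    items = []
    while url:
        page = get_json(url)
        items.extend(page.get("value", []))
        # ARM responses use "nextLink"; Graph responses use "@odata.nextLink".
        url = page.get("nextLink") or page.get("@odata.nextLink")
    return items

# Constructed two-page response to exercise the paging loop offline.
SAMPLE_PAGES = {
    "page1": {"value": [{"name": "inc-1"}, {"name": "inc-2"}], "nextLink": "page2"},
    "page2": {"value": [{"name": "inc-3"}]},
}

def demo():
    return [i["name"] for i in fetch_all("page1", lambda u: SAMPLE_PAGES[u])]

if __name__ == "__main__":
    print(build_url(INCIDENTS_URL, 30, now=FIXED_NOW))
    print(demo())
```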
- PrashTechTalk, Aug 04, 2020, Brass Contributor
Chi_Nguyen - Awesome - Good to see the SentinelIncidents table is now available. That solves most of the problem :-). Cheers