Forum Discussion
Fetch Azure Sentinel Incidents Via API
- Mar 17, 2020
Hi jojo_the_coder, current available APIs to fetch incidents can be found here.
To fetch alerts related to an incident without using the Log Analytics API, you can do that via the Microsoft Graph Security API. Please refer to the documentation at https://docs.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0#alerts. Below is an example query to get all alerts provided by Azure Sentinel via the Graph Security API. A list of curated sample queries can be found at https://github.com/microsoftgraph/security-api-solutions/tree/master/Queries
https://graph.microsoft.com/v1.0/security/alerts?$filter=vendorInformation/provider eq 'Azure Sentinel'.
Hi Chi_Nguyen
I'm not sure your query examples are the ideal solution.
The Graph API fields don't include details such as source,destination, username, eventid.
How can we get those details from the graph api query?
Those details do exist in the 'Entities' field, but that's not pulled down in the json, is it?
- Chi_Nguyen, Aug 28, 2020, Former Employee
SocInABox, those fields are not populated by the Graph Security API because they aren't part of the alert schema. The team is still working on enriching the alerts with more fields.
If you'd like to get incidents with all the details, I suggest you try the https://github.com/Azure/azure-rest-api-specs/blob/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/stable/2020-01-01/SecurityInsights.json
You'll need to make a few calls to get to the level of details you need, but here is a post about it.
- SocInABox, Aug 30, 2020, Iron Contributor
Hi Chi_Nguyen
I greatly appreciate your feedback, however you may be assuming I'm DevOps, which I'm not :). If you had a wget example of how to pull Sentinel Incidents with the additional fields, that would be super helpful; then I could present a query example to our DevOps team and they could run with it, knowing I wasn't suggesting they chase something up a tree.
I suspect @Yaniv Shasha is on the right track with this:
"98b974fd-cc64-48b8-9bd0-3a209f5b944b", // Alert related entities
But I don't know how I can translate that knowledge into a wget example for Sentinel, or use the Graph Explorer to query the same results.
Your help is greatly appreciated.
- SocInABox, Sep 01, 2020, Iron Contributor
Chi_Nguyen, @Yaniv Shasha, I believe the easiest way for me to test this is using az rest.
e.g.: az rest --method get --uri https://graph.microsoft.com/v1.0/users?$select=displayName
So knowing that, could you please provide me a url example that would query the extended Sentinel details?
Thanks VERY much.
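An added example (not from any poster in this thread) that ties the two suggestions together: it calls the Incidents list endpoint of the SecurityInsights REST API (the stable 2020-01-01 spec Chi_Nguyen linked) through `az rest`, as SocInABox proposed, follows ARM's nextLink paging, and flattens the nested incident properties into the fields an analyst wants. The subscription, resource group and workspace names are placeholders, and the embedded two-page response is a constructed sample so the paging logic can be exercised offline.

```python
import json
import subprocess

ARM, API_VERSION = "https://management.azure.com", "2020-01-01"  # spec version linked above

def incidents_uri(subscription_id, resource_group, workspace, top=50):
    """Build the Incidents - List URI for one Sentinel workspace (names are placeholders)."""
    return (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/incidents"
            f"?api-version={API_VERSION}&$top={top}")

def fetch_page(uri):
    """Call the ARM endpoint through `az rest`, which reuses the CLI's cached login."""
    out = subprocess.run(["az", "rest", "--method", "get", "--uri", uri],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)

def flatten_incident(inc):
    """Lift the analyst-relevant fields out of the nested ARM incident object."""
    p = inc.get("properties", {})
    extra = p.get("additionalData", {})
    return {"incidentNumber": p.get("incidentNumber"), "title": p.get("title"),
            "severity": p.get("severity"), "status": p.get("status"),
            "createdTimeUtc": p.get("createdTimeUtc"), "alertsCount": extra.get("alertsCount"),
            "alertProductNames": extra.get("alertProductNames", []),
            "relatedAnalyticRuleIds": p.get("relatedAnalyticRuleIds", [])}

def list_incidents(first_uri, fetch=fetch_page):
    """Follow ARM's nextLink paging and return every incident, flattened."""
    uri, rows = first_uri, []
    while uri:
        page = fetch(uri)
        rows.extend(flatten_incident(i) for i in page.get("value", []))
        uri = page.get("nextLink")
    return rows

# Constructed two-page response so the paging and flattening logic run offline.
SAMPLE_PAGES = {
    "page1": {"value": [{"properties": {"incidentNumber": 1, "title": "Suspicious sign-in",
        "severity": "Medium", "status": "New", "createdTimeUtc": "2020-08-30T10:00:00Z",
        "additionalData": {"alertsCount": 2, "alertProductNames": ["Azure Sentinel"]},
        "relatedAnalyticRuleIds": ["/rule/a"]}}], "nextLink": "page2"},
    "page2": {"value": [{"properties": {"incidentNumber": 2, "title": "Malware detected",
        "severity": "High", "status": "Active", "additionalData": {"alertsCount": 1}}}]},
}

def demo():
    """Run the pager against the constructed sample instead of the live API."""
    return list_incidents("page1", fetch=SAMPLE_PAGES.__getitem__)
```

Because the URI is handed to `az` as an argument list rather than through a shell, the `$top` query parameter needs no quoting; typed on a bash command line (as with the `$select` example above) it must be single-quoted or the shell expands it as a variable.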