Forum Discussion
Fetch Events of Sentinel incidents via Api
Hello, I need to get the data of the events related to an incident in Sentinel, but I can't find any info in the docs about that.
Specifically, I need the 2 events of that incident.
@Chi_Nguyen
- atiya_sarwar (Copper Contributor)
Can someone please guide: is there any API introduced now, or any other method, to fetch the events' data of incidents in Sentinel?
- Chi_Nguyen (Microsoft)
madmvx, you can use the IncidentRelation API to get the entities associated with an incident (this is the closest to getting evidence).
Note that this API is currently in preview; that's why we don't have documentation about it. However, you can view the API specs here: https://github.com/Azure/azure-rest-api-specs/blob/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/incidents/entities/GetAllIncidentEntities.json
If you want to get the evidence table, then use Log Analytics, as shoando mentioned above. API: https://dev.loganalytics.io/documentation/Using-the-API
- madmvx (Copper Contributor)
Yes, I used the entities API, but I don't need that information; I need to get the evidence from the table, but how can I get a relation to that?
In the incident API I can't get a query to call the Log Analytics API. @Chi_Nguyen
- shoando (Brass Contributor)
I understand that events can be retrieved using the Log Analytics API, but currently they cannot be retrieved using the Sentinel API.
https://dev.loganalytics.io/documentation/Using-the-API
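The two-step approach the replies describe (list the incident's entities through the preview Sentinel API, then pull the matching events from Log Analytics) as an added example, not code from any poster or from Microsoft. It assumes the ARM path from the linked preview spec, the `kind`/`properties` layout of the entities response, the `query`/`timespan` request body and `tables`/`columns`/`rows` response layout of the Log Analytics query API; the subscription, workspace and incident ids are caller-supplied and both HTTP bodies are constructed samples, so it runs offline.

```python
"""Added example: relate Sentinel incident entities to Log Analytics events (not code from the thread)."""
import json

API_VERSION = "2019-01-01-preview"  # preview version named in the spec link in the thread


def incident_entities_url(subscription_id, resource_group, workspace, incident_id):
    """ARM URL for the preview 'list incident entities' call (POST); all ids are caller-supplied."""
    return (
        "https://management.azure.com"
        f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
        f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
        f"/providers/Microsoft.SecurityInsights/incidents/{incident_id}/entities"
        f"?api-version={API_VERSION}"
    )


def host_names(entities_response):
    """Pull host names out of an incident-entities body (assumed kind/properties layout)."""
    return sorted(
        e["properties"]["hostName"]
        for e in entities_response.get("entities", [])
        if e.get("kind") == "Host" and "hostName" in e.get("properties", {})
    )


def events_query(hosts, lookback="P1D"):
    """Request body for the Log Analytics query API, scoped to the incident's hosts only."""
    host_list = ", ".join(json.dumps(h) for h in hosts)  # quoted, comma-separated KQL string literals
    kql = f"SecurityEvent | where Computer in ({host_list}) | project TimeGenerated, Computer, EventID, Account"
    return {"query": kql, "timespan": lookback}


def rows_to_records(query_response):
    """Flatten the query API's tables/columns/rows layout into one dict per row."""
    records = []
    for table in query_response.get("tables", []):
        names = [c["name"] for c in table["columns"]]
        records.extend(dict(zip(names, row)) for row in table["rows"])
    return records


# Constructed sample bodies standing in for the two HTTP responses.
SAMPLE_ENTITIES = {"entities": [
    {"kind": "Host", "properties": {"hostName": "srv01"}},
    {"kind": "Account", "properties": {"accountName": "jdoe"}},
]}
SAMPLE_QUERY_RESPONSE = {"tables": [{"name": "PrimaryResult",
    "columns": [{"name": "TimeGenerated", "type": "datetime"}, {"name": "Computer", "type": "string"},
                {"name": "EventID", "type": "int"}, {"name": "Account", "type": "string"}],
    "rows": [["2021-01-01T00:00:00Z", "srv01", 4625, "jdoe"], ["2021-01-01T00:01:00Z", "srv01", 4624, "jdoe"]]}]}

if __name__ == "__main__":
    print(json.dumps(events_query(host_names(SAMPLE_ENTITIES))))
    for rec in rows_to_records(SAMPLE_QUERY_RESPONSE):
        print(rec["TimeGenerated"], rec["Computer"], rec["EventID"], rec["Account"])
```

In practice both calls need an Azure AD bearer token (ARM scope for the entities call, Log Analytics scope for the query), and the host filter only narrows the search; the incident's alert time window is what ties the rows to the incident.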