Forum Discussion
Fetch Azure Sentinel Incidents Via API
- Mar 17, 2020
Hi jojo_the_coder, current available APIs to fetch incidents can be found here.
To fetch alerts related to an incident without using Log Analytics API, you can do that via the Microsoft Graph Security API. Please refer to the documentation here. Below is an example query to get all alerts provided by Azure Sentinel via the Graph Security API. A list of curated sample queries can be found here.
https://graph.microsoft.com/v1.0/security/alerts?$filter=vendorInformation/provider eq 'Azure Sentinel'
Chi_Nguyen, @Yaniv Shasha, I believe the easiest way for me to test this is using az rest.
eg:
az rest --method get --uri 'https://graph.microsoft.com/v1.0/users?$select=displayName'
So knowing that, could you please provide me a url example that would query the extended Sentinel details?
Thanks VERY much.
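An added example (not code from the thread or from Microsoft): it turns the Graph Security API alerts query quoted in the first reply into a safely encoded URL, pages through the results using @odata.nextLink, and shows how an az rest call like the one above can serve as the HTTP layer. It assumes the Azure CLI is installed and logged in for the az_rest_fetch helper; the sample pages are constructed so the paging and summarizing logic runs offline.

```python
"""Build and page through the Graph Security API alerts query for Azure
Sentinel. Added example; sample data below is constructed, not real alerts."""
import json
import subprocess
from urllib.parse import urlencode, quote

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"


def odata_literal(text):
    """Quote a string for an OData $filter; a literal single quote is doubled,
    so a provider name cannot break out of the filter expression."""
    return "'" + text.replace("'", "''") + "'"


def build_alerts_url(provider="Azure Sentinel", select=None, top=None):
    """Build the alerts query filtered on vendorInformation/provider.
    Percent-encoding the spaces (while keeping $ / ' , unescaped) gives a
    URL that survives a shell command line; pasting the raw query does not."""
    params = {"$filter": "vendorInformation/provider eq " + odata_literal(provider)}
    if select:
        params["$select"] = ",".join(select)
    if top:
        params["$top"] = str(top)
    return GRAPH_ALERTS + "?" + urlencode(params, safe="$/',", quote_via=quote)


def az_rest_fetch(url):
    """HTTP layer using the Azure CLI's signed-in identity (assumption: az is
    installed and `az login` has been run). Not exercised offline."""
    out = subprocess.run(
        ["az", "rest", "--method", "get", "--uri", url],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def iter_alerts(fetch_json, url):
    """Yield every alert across all pages: Graph returns one page at a time
    and points at the next one in @odata.nextLink."""
    while url:
        page = fetch_json(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def summarize(fetch_json, url=None):
    """Collect (id, severity, title) tuples plus a count per severity."""
    rows = []
    by_severity = {}
    for alert in iter_alerts(fetch_json, url or build_alerts_url()):
        sev = alert.get("severity", "unknown")
        rows.append((alert.get("id"), sev, alert.get("title")))
        by_severity[sev] = by_severity.get(sev, 0) + 1
    return rows, by_severity


# Constructed sample pages in the shape Graph returns (not real alerts).
SAMPLE_PAGES = {
    build_alerts_url(): {
        "value": [
            {"id": "a1", "severity": "high", "title": "Suspicious sign-in",
             "vendorInformation": {"provider": "Azure Sentinel"}},
            {"id": "a2", "severity": "medium", "title": "Rare process",
             "vendorInformation": {"provider": "Azure Sentinel"}},
        ],
        "@odata.nextLink": GRAPH_ALERTS + "?$skiptoken=page2",
    },
    GRAPH_ALERTS + "?$skiptoken=page2": {
        "value": [
            {"id": "a3", "severity": "high", "title": "Mass download",
             "vendorInformation": {"provider": "Azure Sentinel"}},
        ],
    },
}


def sample_fetch(url):
    """Offline stand-in for az_rest_fetch that serves the constructed pages."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    rows, counts = summarize(sample_fetch)  # swap in az_rest_fetch for a real tenant
    for row in rows:
        print(row)
    print(counts)
```

Swapping sample_fetch for az_rest_fetch runs the same loop against a real tenant; the only things that change are the page contents and the number of @odata.nextLink hops.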
SocInABox I don't think we can query the extended properties for Sentinel incidents using the Graph Security API, as it's dependent on the alert schema the API currently relies on. So the only way I'm aware of is calling the Azure Sentinel API.
If you are interested in using some sample code (no developer/DevOps skills needed to run it) we've built to get these details from Sentinel incidents, the code should be available soon in the Azure Sentinel/Tools/Sample Code repo. Or if you'd like to be an early tester, please reach out to asigtp_at_microsoft_com with a request, and I can provide more instructions on how to run the code.
- SocInABox, Sep 01, 2020, Iron Contributor
Chi_Nguyen I tried emailing asigtp@microsoft.com and it was rejected.
- Chi_Nguyen, Sep 01, 2020, Iron Contributor
SocInABox It won't allow you to send to our group email then.
You can post your question directly to Azure Sentinel TechCommunity for more assistance and tag my name there.
- SocInABox, Sep 01, 2020, Iron Contributor
Hi Chi_Nguyen,
Yes please!
I've sent out an email but anything you can do to get me started is appreciated.