Forum Discussion
Fetch Events of Sentinel incidents via API
madmvx, you can use the IncidentRelation API to get the entities associated with an incident (this is the closest thing to getting evidence).
Note that this API is currently in preview. That's why we don't have documentation for it. However, you can view the API specs here: https://github.com/Azure/azure-rest-api-specs/blob/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/incidents/entities/GetAllIncidentEntities.json
If you want to get the evidence table, then use Log Analytics, as shoando mentioned above. API: https://dev.loganalytics.io/documentation/Using-the-API
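As an added example (not code from the thread or from Microsoft), this is how a SOC script would call the GetAllIncidentEntities endpoint that the linked spec describes and group the returned entities by kind. The subscription, resource group, workspace and incident ids are placeholders, the bearer token for `https://management.azure.com/` is assumed to be acquired elsewhere, and the sample response is constructed to mirror the spec's shape.

```python
import json
import urllib.request
from typing import Dict, List

# Preview API version, taken from the spec path quoted in the reply above.
API_VERSION = "2019-01-01-preview"


def incident_entities_url(subscription_id: str, resource_group: str,
                          workspace: str, incident_id: str) -> str:
    """Build the URL for the (preview) incident entities endpoint; all ids are caller-supplied."""
    return (
        "https://management.azure.com"
        f"/subscriptions/{subscription_id}"
        f"/resourceGroups/{resource_group}"
        "/providers/Microsoft.OperationalInsights"
        f"/workspaces/{workspace}"
        "/providers/Microsoft.SecurityInsights"
        f"/incidents/{incident_id}/entities?api-version={API_VERSION}"
    )


def fetch_incident_entities(url: str, bearer_token: str) -> dict:
    """POST (empty body) with an ARM bearer token; token acquisition is assumed to happen elsewhere."""
    req = urllib.request.Request(
        url, method="POST",
        headers={"Authorization": f"Bearer {bearer_token}", "Content-Length": "0"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def group_entities_by_kind(payload: dict) -> Dict[str, List[str]]:
    """Map entity kind -> list of display names, skipping entries with no kind."""
    grouped: Dict[str, List[str]] = {}
    for ent in payload.get("entities", []):
        kind = ent.get("kind")
        if not kind:
            continue
        props = ent.get("properties") or {}
        label = props.get("friendlyName") or ent.get("name") or ent.get("id", "<unnamed>")
        grouped.setdefault(kind, []).append(label)
    return grouped


# Constructed sample response in the shape of the spec's example (not real data).
SAMPLE_RESPONSE = {
    "entities": [
        {"id": "/ent/1", "name": "1", "kind": "Account", "properties": {"friendlyName": "alice"}},
        {"id": "/ent/2", "name": "2", "kind": "Host", "properties": {"friendlyName": "ws01"}},
        {"id": "/ent/3", "name": "3", "kind": "Ip", "properties": {"address": "10.0.0.5"}},
    ],
    "metaData": [{"entityKind": "Account", "count": 1}],
}

if __name__ == "__main__":
    print(json.dumps(group_entities_by_kind(SAMPLE_RESPONSE), indent=2))
```

The Ip entry shows the fallback path: with no `friendlyName`, the entity's `name` is used, so check which property each kind exposes before relying on it for correlation.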
- madmvx, May 14, 2021, Copper Contributor
Yes, I used the entities API, but I don't need that information; I need to get the evidence of the table, but how can I get a relation with that?
In the incident API I can't get a query to call the Log Analytics API. Chi_Nguyen