Microsoft Tech Community

API for Sentinel Alerts and Cases


Where can I find docs to query new alerts and cases and interact with them in Azure Sentinel?

22 Replies

Hello,

We have a GitHub repo with sample queries and detections: https://github.com/Azure/Azure-Sentinel

General documentation is here: https://docs.microsoft.com/en-us/azure/sentinel/

Let me know if that doesn't give you what you need.

What would be great to include with a deployment of Sentinel would be default alerts based on the Data Collections that you add.

Because then they almost have a story to try to use the data with and set up playbooks for. @Ryan Heffernan

Great feedback, thanks Lachlan! (CC: @Koby Koren and @Shalini Pasupneti)

Thank you for your feedback.

The team is currently working on adding them as part of the experience.

Hello Ryan,

I see documentation for how to create KQL queries within the Azure Sentinel panel. Is there a way to query via an API, by using a cURL request, for example?

@Ryan Heffernan-

Are there any plans to add externally-exposed APIs - for example, being able to query Sentinel for alerts, change alert statuses, etc.?

I looked through the GitHub repo and didn't see anything really referencing that (primarily related to Notebooks and Hunting Queries).

Is there perhaps any documentation around any externally-exposed APIs like that that you can pass along?

Thanks!

@Marticus2425 Azure Sentinel alerts are available for query via Graph Security API. Here's the link to that documentation.

https://docs.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-beta 

Hi,

Azure Sentinel API is coming soon so you can query cases, manage them and update rules as well.

Thanks,

Koby

Hi,

Any updates here? No API for now, and even Microsoft.Graph still cannot manipulate Sentinel incidents (cases).

@kastromatos have you looked at https://github.com/wortell/AZSentinel to understand the API? There is no official documentation, but they built a PowerShell module in order to create/get rules, incidents, etc. Maybe it can help :)

Hi,

Is there any update on when this might be available?

Thanks,
Steven

Hi,

The new incidents API should be published by the end of the month

@kobiga Is there any update yet? I can't find the Incidents API.

Sentinel incidents API is available in preview version and included in Sentinel's API swagger spec - https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-ma...

The stable version of the API will be released in about 2-3 weeks and should basically be the same as the preview version.

@SanderWannet the Azure Sentinel API is in preview and examples can be found here: https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-ma...

To query for incidents you can make a GET request to:

https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/microsoft.operationalinsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/?api-version=2019-01-01-preview
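A worked client for the endpoint above, added here as an illustration and not code from this thread, from Microsoft or from the AZSentinel module. It builds the list-incidents URL with percent-encoded path segments, follows ARM's `nextLink` pagination, filters open incidents by severity, and prepares the body for closing one. The response field names (`value`, `nextLink`, `properties.incidentNumber`, `title`, `severity`, `status`, `classification`, `classificationComment`, `etag`) are assumed from the securityinsights swagger linked in the thread; the two response pages are constructed sample data so the script runs offline.

```python
"""Minimal Azure Sentinel incidents client (added example; field names assumed from the swagger)."""
import json
import urllib.request
from urllib.parse import quote, urlencode

ARM_BASE = "https://management.azure.com"
API_VERSION = "2019-01-01-preview"   # the preview api-version quoted in the thread
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def incidents_url(subscription_id, resource_group, workspace,
                  api_version=API_VERSION, odata_filter=None, top=None):
    """Build the list-incidents URL. Path segments are percent-encoded so a
    workspace or group name can never inject extra path components."""
    path = (
        f"/subscriptions/{quote(subscription_id, safe='')}"
        f"/resourceGroups/{quote(resource_group, safe='')}"
        f"/providers/Microsoft.OperationalInsights/workspaces/{quote(workspace, safe='')}"
        "/providers/Microsoft.SecurityInsights/incidents"
    )
    params = {"api-version": api_version}
    if odata_filter:                # OData options assumed from the swagger ($filter/$top)
        params["$filter"] = odata_filter
    if top:
        params["$top"] = str(top)
    return ARM_BASE + path + "?" + urlencode(params)


def arm_get(url, bearer_token):
    """One authenticated GET against ARM (not called in the offline demo).
    Obtain the token however you already do, e.g.
    `az account get-access-token --resource https://management.azure.com/`."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {bearer_token}",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def iter_incidents(first_url, fetch):
    """Yield every incident, following nextLink until the last page."""
    url = first_url
    while url:
        page = fetch(url)
        for item in page.get("value", []):
            yield item
        url = page.get("nextLink")


def summarize(incident):
    p = incident.get("properties", {})
    return {"name": incident.get("name"),      # ARM resource name, the incident GUID
            "number": p.get("incidentNumber"), "title": p.get("title"),
            "severity": p.get("severity"), "status": p.get("status")}


def open_incidents_at_or_above(incidents, min_severity):
    """Open (not Closed) incidents whose severity is at least min_severity."""
    floor = SEVERITY_RANK[min_severity]
    return [i for i in incidents
            if i["properties"].get("status") != "Closed"
            and SEVERITY_RANK.get(i["properties"].get("severity"), -1) >= floor]


def close_incident_body(incident, classification, comment):
    """Body for PUT .../incidents/{name}: PUT replaces the resource, so carry the
    existing properties over and add the closure fields. Send the returned etag
    as If-Match so a concurrent analyst edit is rejected instead of overwritten."""
    props = dict(incident.get("properties", {}))
    props.update({"status": "Closed", "classification": classification,
                  "classificationComment": comment})
    body = {"properties": props}
    if "etag" in incident:
        body["etag"] = incident["etag"]
    return body


# Constructed sample data: two pages as ARM would return them (not real incidents).
FIRST_URL = incidents_url("00000000-0000-0000-0000-000000000000", "soc-rg", "soc-workspace")
NEXT_URL = FIRST_URL + "&%24skipToken=page2"
SAMPLE_PAGES = {
    FIRST_URL: {"value": [
        {"name": "aaaa-1", "etag": "\"e1\"", "properties": {"incidentNumber": 101,
         "title": "Suspicious sign-in", "severity": "High", "status": "New"}},
        {"name": "aaaa-2", "etag": "\"e2\"", "properties": {"incidentNumber": 102,
         "title": "Port scan", "severity": "Low", "status": "Active"}},
    ], "nextLink": NEXT_URL},
    NEXT_URL: {"value": [
        {"name": "aaaa-3", "etag": "\"e3\"", "properties": {"incidentNumber": 103,
         "title": "Malware alert", "severity": "Medium", "status": "Closed"}},
    ]},
}


def fake_fetch(url):
    return SAMPLE_PAGES[url]


def demo():
    return [summarize(i) for i in iter_incidents(FIRST_URL, fake_fetch)]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

To run it against a real workspace, replace `fake_fetch` with `lambda u: arm_get(u, token)` and pass your own subscription, resource group and workspace names; the body from `close_incident_body` goes in a PUT to `.../incidents/{name}?api-version=...` with the same token.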

@kobiga Thanks for your fast reply. I did indeed find the /incidents/* actions in the preview version, but didn't see them in the stable version (2020-01-01) right now. Can you confirm they will be added in the following 2-3 weeks?

@wadstromdev: Thanks for your example. Did some successful testing with it! I hope the /incidents/* actions will be added to the stable version (2020-01-01), because they are now only available in the preview version.

@SanderWannet I have a series of blog posts on using the Azure Sentinel REST API, including how to get Incidents into a Log Analytics workspace, at https://www.garybushey.com. To start off I would suggest this one: https://www.garybushey.com/2020/01/11/your-first-azure-sentinel-rest-api-call/

@SanderWannet, yes you can expect them to be included in a stable version in the next 2-3 weeks

Would it be possible to expose an API method to POST alerts from an external source? For example, I'd like to import all alerts from an Event Hub via a Logic App into Security Center or Sentinel. Neither of those currently seem to support Event Hub as a source or provide an API method to create alerts (but only to get/update/list them). Thanks!