API for Sentinel Alerts and Cases


Where can I find docs to query new alerts and cases and interact with them in Azure Sentinel?

18 Replies

Hello, 

 

We have a GitHub repo with sample queries and detections: https://github.com/Azure/Azure-Sentinel

 

General documentation is here: https://docs.microsoft.com/en-us/azure/sentinel/

 

Let me know if that doesn't give you what you need. 


What would be great to include with a deployment of Sentinel would be default alerts based on the Data Collections that you add.

Because then they almost have a story to try to use the data with and set up playbooks for. @Ryan Heffernan 


Great feedback, thanks Lachlan! (CC: @Koby Koren and @Shalini Pasupneti)


Thank you for your feedback.

The team is currently working on adding them as part of the experience.


Hello Ryan,

 

I see documentation for how to create KQL queries within the Azure Sentinel panel. Is there a way to query via an API, by using a cURL request, for example?


@Ryan Heffernan-

 

Are there any plans to add externally-exposed APIs - for example, being able to query Sentinel for alerts, change alert statuses, etc?

 

I looked through the GitHub repo and didn't see anything really referencing that (primarily related to Notebooks and Hunting Queries).

 

Is there perhaps any documentation around any externally-exposed APIs like that that you can pass along?

 

Thanks!


@Marticus2425 Azure Sentinel alerts are available for query via Graph Security API. Here's the link to that documentation.

https://docs.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-beta 


Hi,

 

Azure Sentinel API is coming soon so you can query cases, manage them and update rules as well.

 

Thanks,

Koby

Hi,

Any updates here? No API for now and even Microsoft.Graph still cannot manipulate with Sentinel incidents(cases).

@kastromatos have you looked at https://github.com/wortell/AZSentinel to understand the API? There is no official documentation, but they built a PowerShell module in order to create / get rules, incidents ... maybe it can help :)

Hi,

Is there any update on when this might be available?

Thanks,
Steven
Hi,

The new incidents API should be published by the end of the month

@kobiga Is there any update yet? I can't find the Incidents API.


Sentinel incidents API is available in preview version and included in Sentinel's API swagger spec - https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-ma...

 

The stable version of the API will be released in about 2-3 weeks and should basically be the same as the preview version


@SanderWannet the Azure Sentinel API is in preview and examples can be found here: https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-ma...

To query for incidents you can make a GET request to:

https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/microsoft.operationalinsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/?api-version=2019-01-01-preview
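An added example (not code from the thread or from Microsoft) that builds the list-incidents URL from the template quoted above and summarises the returned incidents for triage. It assumes the usual ARM list-response shape (a `value` array plus an optional `nextLink` for paging), that each incident's `properties` carry `severity`, `status` and `title`, and that a bearer token for `https://management.azure.com/` can be obtained from an already logged-in Azure CLI; none of those details are stated in the thread. The sample response at the bottom is constructed so the parsing runs offline.

```python
"""Added example: list Azure Sentinel incidents via the REST endpoint quoted
in the thread and count the open ones by severity.

Assumptions (not from the thread): ARM-style `value`/`nextLink` paging,
incident `properties` with `severity`/`status`/`title`, and a token from
`az account get-access-token --resource https://management.azure.com/`.
"""
import json
import subprocess
import urllib.request
from collections import Counter

API_VERSION = "2019-01-01-preview"  # preview API version named in the thread


def incidents_url(subscription_id, resource_group, workspace):
    """Build the list-incidents URL from the template quoted in the thread."""
    return (
        "https://management.azure.com"
        f"/subscriptions/{subscription_id}"
        f"/resourcegroups/{resource_group}"
        "/providers/microsoft.operationalinsights"
        f"/workspaces/{workspace}"
        "/providers/Microsoft.SecurityInsights/incidents/"
        f"?api-version={API_VERSION}"
    )


def get_token():
    """Fetch an ARM bearer token from a logged-in Azure CLI (assumed setup)."""
    out = subprocess.check_output(
        ["az", "account", "get-access-token",
         "--resource", "https://management.azure.com/", "--output", "json"]
    )
    return json.loads(out)["accessToken"]


def fetch_all(url, token):
    """Follow `nextLink` pages until exhausted (assumed ARM paging convention)."""
    incidents = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        incidents.extend(page.get("value", []))
        url = page.get("nextLink")
    return incidents


def summarise(incidents):
    """Count incidents that are not Closed, by severity, so a responder sees
    what needs attention first. Missing severity is reported as 'Unknown'."""
    open_by_sev = Counter()
    for inc in incidents:
        props = inc.get("properties", {})
        if props.get("status") != "Closed":
            open_by_sev[props.get("severity", "Unknown")] += 1
    return dict(open_by_sev)


# Constructed sample page (not real Sentinel data) so the parsing runs offline.
SAMPLE_PAGE = {
    "value": [
        {"name": "inc-1", "properties": {"title": "Suspicious sign-in", "severity": "High", "status": "New"}},
        {"name": "inc-2", "properties": {"title": "Malware detected", "severity": "Medium", "status": "Active"}},
        {"name": "inc-3", "properties": {"title": "Old alert", "severity": "Low", "status": "Closed"}},
        {"name": "inc-4", "properties": {"title": "Brute force", "severity": "High", "status": "New"}},
    ]
}

if __name__ == "__main__":
    # Placeholder identifiers; substitute your own subscription, resource group and workspace.
    url = incidents_url("<subscriptionId>", "<resourceGroupName>", "<workspaceName>")
    print("GET", url)
    # Live run against a real workspace: summarise(fetch_all(url, get_token()))
    print(summarise(SAMPLE_PAGE["value"]))
```

The reader of the incidents list only needs a role that grants read on `Microsoft.SecurityInsights/incidents` (Azure Sentinel Reader suffices); keep the token out of logs and scripts, which is why it is requested from the CLI at run time rather than stored.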

@kobiga Thanks for your fast reply. I found indeed the /incidents/* actions in the preview version but didn't see them in the stable version (2020-01-01) right now. Can you confirm they will be added in the following 2-3 weeks?

 

@wadstromdev: Thanks for your example. Did some successful testing with it! I hope the /incidents/* actions will be added in the stable (2020-01-01) because they are now only available in the preview version.

@SanderWannet I have a series of blog posts on using the Azure Sentinel REST API including how to get Incidents into a Log Analytics workspace at https://www.garybushey.com   To start off I would suggest this one: https://www.garybushey.com/2020/01/11/your-first-azure-sentinel-rest-api-call/


@SanderWannet, yes you can expect them to be included in a stable version in the next 2-3 weeks