03-05-2019 08:53 AM
I see documentation for how to create KQL queries within the Azure Sentinel panel. Is there a way to query via an API, by using a a cURL request, for example?
03-11-2019 05:27 PM
Are there any plans to add externally-exposed APIs - for example, being able to query Sentinel for alerts, change alert statuses, etc?
I looked through the GitHub repo and didn't see anything really referencing that (primarily related to Notebooks and Hunting Queries).
Is there perhaps any documentation around any externally-exposed APIs like that that you can pass along?
03-11-2019 05:38 PM
@Marticus2425 Azure Sentinel alerts are available for query via Graph Security API. Here's the link to that documentation.
03-12-2019 01:02 PM
Azure Sentinel API is coming soon so you can query cases, manage them and update rules as well.
11-13-2019 05:43 AM
05-15-2020 04:48 AM
Sentinel incidents API is available in preview version and included in Sentinel's API swagger spec - https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-ma...
The stable version of the API will be released in about 2-3 weeks and should basically be the same as the preview version
05-15-2020 04:53 AM
@SanderWannet the Azure Sentinel API is in preview and examples can be found here: https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-ma...
To query for incidents you can make a get request to:
05-15-2020 11:34 PM
@kobiga Thanks for you fast reply. I found indeed the /incidents/* actions in the preview version but didn't see them n the stable version (2020-01-01) right now. Can you conform they will be added in the following 2-3 weeks?
@wadstromdev: Thanks for you example. Did some successful testing with it! I hope the /incidents/* actions will be added in the stable (2020-01-01) because they are now only available inn the preview version..
05-16-2020 03:41 PM
@SanderWannet I have a series of blog posts on using the Azure Sentinel REST API including how to get Incidents into a Log Analytics workspace at https://www.garybushey.com To start off I would suggest this one: https://www.garybushey.com/2020/01/11/your-first-azure-sentinel-rest-api-call/