Get entities for a Sentinel Incident by API



I'm trying to get some information about incidents in Sentinel via the API (

I can successfully query incidents via ".../providers/Microsoft.SecurityInsights/incidents"


And when I query the relations of the incident via "..../providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations" I get SecurityAlert where I can see there is 1 account and 1 IP involved with the SecurityAlert

  "Total Account Entities": "1",
  "Total IP Entities": "1"

I was hoping to get the Entity information by getting the relations of the SecurityAlert Entity, but then I only get the Incident as relation.

However, when I query the entities via "..../providers/Microsoft.SecurityInsights/entities" I see the Account Entity and the IP Entity and the information of them, but I can't see the SecurityAlert event.

Is there a way so I can get the related entities of the Incident / SecurityAlert(s) via the API?

Best Response confirmed by SanderWannet (New Contributor)


Currently the only way to achieve this is by:


1. Getting the system alert id by running the relation API call 




In my example the system alert id value is located here




2. Run a POST request on the entities API with the system alert ID from the first phase,

where the expansionId is a constant for getting all entities





"expansionId": "98b974fd-cc64-48b8-9bd0-3a209f5b944b",




These days the product team is debating how to make this process more user friendly with fewer calls.

Happy to share once we have a final decision.
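The two-step procedure above (relations call, then a POST to the entities expand operation with the expansionId) as an added Python example; this is not code from the thread or from Microsoft. It assumes a valid ARM bearer token, the `/expand` action on the entity resource, and an api-version value that you should set to the preview version your workspace supports; the relations and expand responses embedded below are constructed samples.

```python
import json
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2021-10-01-preview"  # assumption: set to the preview api-version you use
ALERT_RELATED_ENTITIES = "98b974fd-cc64-48b8-9bd0-3a209f5b944b"  # expansionId from the reply above

def alert_entity_ids(relations_response):
    """Step 1: from the GET .../incidents/{incidentId}/relations response, return the
    ARM resource ids of the related SecurityAlert entities (the last path segment is
    the system alert id). Relations of other kinds (e.g. Incident) are skipped."""
    return [r["properties"]["relatedResourceId"]
            for r in relations_response.get("value", [])
            if r.get("properties", {}).get("relatedResourceKind") == "SecurityAlert"]

def expand_request(alert_resource_id, bearer_token):
    """Step 2: build the POST for the entities expand operation. Without the
    Content-Type header the service answers 415 UnsupportedMediaType."""
    url = f"{ARM}{alert_resource_id}/expand?api-version={API_VERSION}"
    body = json.dumps({"expansionId": ALERT_RELATED_ENTITIES}).encode()
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Bearer {bearer_token}",
        "Content-Type": "application/json",
    })

def summarize_entities(expand_response):
    """Reduce the expand response (value.entities) to (kind, indicator) pairs:
    account names, IP addresses and host names are what an analyst pulls out first."""
    picks = {"Account": "accountName", "Ip": "address", "Host": "hostName"}
    return [(e["kind"], e.get("properties", {}).get(picks[e["kind"]]))
            for e in expand_response.get("value", {}).get("entities", [])
            if e.get("kind") in picks]

def related_entities(incident_relations_url, bearer_token):
    """End to end: one GET on the relations endpoint, then one expand POST per alert."""
    hdr = {"Authorization": f"Bearer {bearer_token}"}
    with urllib.request.urlopen(urllib.request.Request(incident_relations_url, headers=hdr)) as r:
        relations = json.load(r)
    found = []
    for alert_id in alert_entity_ids(relations):
        with urllib.request.urlopen(expand_request(alert_id, bearer_token)) as r:
            found.extend(summarize_entities(json.load(r)))
    return found

# Constructed sample responses (shape only), used to exercise the parsers offline.
SAMPLE_RELATIONS = {"value": [
    {"properties": {"relatedResourceKind": "SecurityAlert", "relatedResourceId":
        "/subscriptions/SUB/resourceGroups/RG/providers/Microsoft.OperationalInsights/workspaces/WS"
        "/providers/Microsoft.SecurityInsights/entities/11111111-1111-1111-1111-111111111111"}},
    {"properties": {"relatedResourceKind": "Incident", "relatedResourceId": "/x/incidents/2"}}]}
SAMPLE_EXPAND = {"value": {"entities": [
    {"kind": "Account", "properties": {"accountName": "jdoe"}},
    {"kind": "Ip", "properties": {"address": "203.0.113.5"}},
    {"kind": "SecurityAlert", "properties": {"alertDisplayName": "Suspicious sign-in"}}], "edges": []}}
```

`related_entities()` is the only function that touches the network; `alert_entity_ids()` and `summarize_entities()` can be checked against the constructed samples.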

@Yaniv Shasha 


Thank you so much for your help! I've got it working :)

Is there any documentation about the expand action and the ids you can send to the API, so I can explore more of the possibilities of the API? Or is the expansionId you put in your example currently the only one?




    "98b974fd-cc64-48b8-9bd0-3a209f5b944b", // Alert related entities
    "27f76e63-c41b-480f-bb18-12ad2e011d49", // Bookmark related entities
    "a77992f3-25e9-4d01-99a4-5ff606cc410a", // Account related alerts
    "4a014a1b-c5a1-499f-9f54-3f7b99b0a675", // AzureResource related alerts
    "f74ad13a-ae93-47b9-8782-b1142b95d046", // CloudApplication related alerts
    "80218599-45b4-4402-95cc-86f9929dd43d", // DNS related alerts
    "0f0bccef-4512-4530-a866-27056a39dcd6", // File related alerts
    "b6eaa3ad-e69b-437e-9c13-bb5273dd34ab", // FileHash related alerts
    "055a5692-555f-42bd-ac17-923a5a9994ed", // Host related alerts
    "58c1516f-b78a-4d78-9e71-77c40849c27b", // IP related alerts
    "b8407195-b9a3-4565-bf08-7b23e5c57e3a", // Malware related alerts
    "63a4fa2f-f89d-4cf5-96a2-cb2479e49731", // Process related alerts
    "d788cd65-a7ef-448e-aa34-81185ac0e611", // RegistryKey related alerts
    "3a45a7e3-80e0-4e05-84db-b97bd1ae452b", // RegistryValue related alerts
    "7b61d5e2-4b66-40a7-bb0f-9145b445104e", // URL related alerts
    "4daeed0e-0e74-4f2d-990c-a958210e9dd7", // IoTDevice related alerts
    "504ea455-3bf7-47ef-8555-dc747b465f99", // Account related bookmarks
    "e36c2ceb-4caf-4919-8433-d61dbc3e294a", // Host related bookmarks
    "6a6a5dcb-605c-4dad-8bb6-c8c439db4f0a", // IP related bookmarks
    "855ea9fe-2fdd-4890-8daa-c895c136eef3", // URL related bookmarks

@Yaniv Shasha 

I tried the post request you listed with the body of:



"expansionId": "98b974fd-cc64-48b8-9bd0-3a209f5b944b",


...and variations of this.


I keep getting an UnsupportedMediaType (Status 415). Can you assist? I am desperate to try and extract IPs from an incident using the API and keep hitting a brick wall.



I see a comma at the end of the GUID... Did you try to remove it? Also make sure you've set the 'Content-Type' header of your POST request to 'application/json'.


Can you check if that works for you?

@SanderWannet you are a legend! Thank you so so much, this worked perfectly.

@Yaniv Shasha is there also a way to write alert entities?


According to this documentation it is possible to create incidents through the REST API: 


It would be nice if I could add entities to my incident as well.