@Yaniv Shasha 

Thank you so much for your help! I've got it working :)

Is there any documentation about the expand action and the id's you can send to the API, so I can explore more of the possibilities of the API? Of is the expansionId you put in your example currently the only one?

@SanderWannet 

please:

 "98b974fd-cc64-48b8-9bd0-3a209f5b944b", // Alert related entities

    "27f76e63-c41b-480f-bb18-12ad2e011d49", // Bookmark related entities

    "a77992f3-25e9-4d01-99a4-5ff606cc410a", // Account related alerts

    "4a014a1b-c5a1-499f-9f54-3f7b99b0a675", // AzureResource related alerts

    "f74ad13a-ae93-47b9-8782-b1142b95d046", // CloudApplication related alerts

    "80218599-45b4-4402-95cc-86f9929dd43d", // DNS related alerts

    "0f0bccef-4512-4530-a866-27056a39dcd6", // File related alerts

    "b6eaa3ad-e69b-437e-9c13-bb5273dd34ab", // FileHash related alerts

    "055a5692-555f-42bd-ac17-923a5a9994ed", // Host related alerts

    "58c1516f-b78a-4d78-9e71-77c40849c27b", // IP related alerts

    "b8407195-b9a3-4565-bf08-7b23e5c57e3a", // Malware related alerts

    "63a4fa2f-f89d-4cf5-96a2-cb2479e49731", // Process related alerts

    "d788cd65-a7ef-448e-aa34-81185ac0e611", // RegistryKey related alerts

    "3a45a7e3-80e0-4e05-84db-b97bd1ae452b", // RegistryValue related alerts

    "7b61d5e2-4b66-40a7-bb0f-9145b445104e", // URL related alerts

    "4daeed0e-0e74-4f2d-990c-a958210e9dd7", // IoTDevice related alerts

    "504ea455-3bf7-47ef-8555-dc747b465f99", // Account related bookmarks

    "e36c2ceb-4caf-4919-8433-d61dbc3e294a", // Host related bookmarks

    "6a6a5dcb-605c-4dad-8bb6-c8c439db4f0a", // IP related bookmarks

    "855ea9fe-2fdd-4890-8daa-c895c136eef3", // URL related bookmarks

@Yaniv Shasha 

I tried the post request you listed with the body of:

body

{

"expansionId": "98b974fd-cc64-48b8-9bd0-3a209f5b944b",

}

..and variations of this.

I keep getting an UnsupportedMediaType (Status 415). Can you assist? I am desperate to try and extract IP's from an incident using the API and keep hitting a brick wall.

@stevebennett500 

I see a comma and the end of the GUID... Did you try to remove it? Also make sure you've set the 'Content-Type' header of your post request to 'application/json'

Can you check if that's works for you?

@SanderWannet you are a legend! Thankyou so so much this worked perfectly.

@Yaniv Shasha is there also a way to write alert entities?

According to this documentation it is possible to create incidents trough the REST API: https://docs.microsoft.com/en-us/rest/api/securityinsights/incidents/createorupdate 

It would be nice if I could add entities to my incident as well.

Thanks!

@Yaniv Shasha Could you possibly share the JSON entity kind names for each of those related entity types?

e.g. I know about `Ip`, `Host`, `Address`, I have not seen incidents yet with the others.

To successfully parse these entity kinds from the JSON API response, I need to know the correct kind string (including capitalization) of each of those

I found the entity kind names in https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-ma...

Account

AzureResource

CloudApplication

DnsResolution

File

FileHash

Host

Insight

IoTDevice

Ip

MailCluster

MailMessage

Mailbox

Malware

Process

RegistryKey

RegistryValue

SecurityAlert

SecurityGroup

SubmissionMail

Url

Hi,

Does anyone know where I can get a reference of the output JSON schema for all entity types?

I'm aware of this page: https://docs.microsoft.com/en-us/azure/sentinel/entities-reference

But that's good as a reference for entity mappings in analytics rules, it doesn't really tell me which field set is output for each type.

Thanks