SOLVED

Get entities for a Sentinel Incident by API


Hi,

I'm trying to get some information about incidents in Sentinel via the API (https://github.com/Azure/azure-rest-api-specs/blob/master/specification/securityinsights/resource-ma...)

I can successfully query incidents via ".../providers/Microsoft.SecurityInsights/incidents".

And when I query the relations of the incident via "..../providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations" I get a SecurityAlert, where I can see there is 1 account and 1 IP involved with the SecurityAlert:

{
  "Total Account Entities": "1",
  "Total IP Entities": "1"
}


I was hoping to get the Entity information by getting the relations of the SecurityAlert Entity, but then I only get the Incident as relation.


However, when I query the entities via "..../providers/Microsoft.SecurityInsights/entities" I see the Account Entity and the IP Entity and their information, but I can't see the SecurityAlert event.


Is there a way so I can get the related entities of the Incident / SecurityAlert(s) via the API?

6 Replies
Best Response confirmed by SanderWannet (Occasional Contributor)

@SanderWannet 

Currently the only way to achieve this is by:

1. Getting the system alert id by running the relations API call

GET:

https://management.azure.com/subscriptions/xxxxx-5731-4780-8f96-2078ddxxxx/resourceGroups/cxp-azures...

In my example the system alert id value is located here:

[image 1.png: the system alert id value in the relations response]

2. Running a POST request on the entities API with the system alert ID from the first phase,

where the expansionId is a constant for getting all entities.

POST

https://management.azure.com/subscriptions/xxxxxxx-5731-4780-xxxx-2078dd96fd96/resourceGroups/cxp-az...

 

body:

{
  "expansionId": "98b974fd-cc64-48b8-9bd0-3a209f5b944b"
}

[image 2.png]

These days the product team is debating how to make this process more user friendly with fewer calls.

Happy to share once we have a final decision.


@Yaniv Shasha

Thank you so much for your help! I've got it working :)

Is there any documentation about the expand action and the IDs you can send to the API, so I can explore more of the possibilities of the API? Or is the expansionId you put in your example currently the only one?


@SanderWannet 

please:

    "98b974fd-cc64-48b8-9bd0-3a209f5b944b", // Alert related entities
    "27f76e63-c41b-480f-bb18-12ad2e011d49", // Bookmark related entities
    "a77992f3-25e9-4d01-99a4-5ff606cc410a", // Account related alerts
    "4a014a1b-c5a1-499f-9f54-3f7b99b0a675", // AzureResource related alerts
    "f74ad13a-ae93-47b9-8782-b1142b95d046", // CloudApplication related alerts
    "80218599-45b4-4402-95cc-86f9929dd43d", // DNS related alerts
    "0f0bccef-4512-4530-a866-27056a39dcd6", // File related alerts
    "b6eaa3ad-e69b-437e-9c13-bb5273dd34ab", // FileHash related alerts
    "055a5692-555f-42bd-ac17-923a5a9994ed", // Host related alerts
    "58c1516f-b78a-4d78-9e71-77c40849c27b", // IP related alerts
    "b8407195-b9a3-4565-bf08-7b23e5c57e3a", // Malware related alerts
    "63a4fa2f-f89d-4cf5-96a2-cb2479e49731", // Process related alerts
    "d788cd65-a7ef-448e-aa34-81185ac0e611", // RegistryKey related alerts
    "3a45a7e3-80e0-4e05-84db-b97bd1ae452b", // RegistryValue related alerts
    "7b61d5e2-4b66-40a7-bb0f-9145b445104e", // URL related alerts
    "4daeed0e-0e74-4f2d-990c-a958210e9dd7", // IoTDevice related alerts
    "504ea455-3bf7-47ef-8555-dc747b465f99", // Account related bookmarks
    "e36c2ceb-4caf-4919-8433-d61dbc3e294a", // Host related bookmarks
    "6a6a5dcb-605c-4dad-8bb6-c8c439db4f0a", // IP related bookmarks
    "855ea9fe-2fdd-4890-8daa-c895c136eef3", // URL related bookmarks


@Yaniv Shasha 

I tried the post request you listed with the body of:

body

{
"expansionId": "98b974fd-cc64-48b8-9bd0-3a209f5b944b",
}

...and variations of this.

I keep getting an UnsupportedMediaType (Status 415). Can you assist? I am desperate to try and extract IPs from an incident using the API and keep hitting a brick wall.


@stevebennett500

I see a comma at the end of the GUID... Did you try to remove it? Also make sure you've set the 'Content-Type' header of your POST request to 'application/json'.

Can you check if that works for you?
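Putting the thread together as an added example (not code from the thread, from Microsoft or from any Sentinel SDK): the two-step lookup from the accepted answer, taking the expansionId from the list Yaniv posted, and sending the POST with a 'Content-Type: application/json' header and a body that cannot carry the trailing comma behind the 415. It assumes the 2019-01-01-preview routes quoted above; the relatedResourceKind filter, the shape of the expand response and the sample responses are constructed assumptions, and a bearer token for management.azure.com is obtained separately.

```python
import json
from urllib.request import Request, urlopen

API_VERSION = "2019-01-01-preview"
# A few of the expansion IDs listed in the thread (constant across workspaces).
EXPANSIONS = {
    "alert_entities": "98b974fd-cc64-48b8-9bd0-3a209f5b944b",
    "account_alerts": "a77992f3-25e9-4d01-99a4-5ff606cc410a",
    "host_alerts": "055a5692-555f-42bd-ac17-923a5a9994ed",
    "ip_alerts": "58c1516f-b78a-4d78-9e71-77c40849c27b",
}

def workspace_base(subscription, resource_group, workspace):
    """ARM prefix for the Microsoft.SecurityInsights resources of one workspace."""
    return ("https://management.azure.com/subscriptions/%s/resourceGroups/%s"
            "/providers/Microsoft.OperationalInsights/workspaces/%s"
            "/providers/Microsoft.SecurityInsights" % (subscription, resource_group, workspace))

def relations_url(base, incident_id):
    return "%s/incidents/%s/relations?api-version=%s" % (base, incident_id, API_VERSION)

def expand_url(base, entity_id):
    return "%s/entities/%s/expand?api-version=%s" % (base, entity_id, API_VERSION)

def alert_ids_from_relations(relations):
    """Step 1: relatedResourceName of every SecurityAlert relation.
    (Using relatedResourceKind as the discriminator is an assumption about the response.)"""
    return [r["properties"]["relatedResourceName"] for r in relations.get("value", [])
            if r.get("properties", {}).get("relatedResourceKind") == "SecurityAlert"]

def expand_body(expansion_id):
    """Step 2 body; json.dumps cannot emit the trailing comma that caused the 415."""
    return json.dumps({"expansionId": expansion_id})

def arm_call(url, token, method="GET", body=None):
    """Real transport: bearer token, and an explicit JSON Content-Type on POST."""
    headers, data = {"Authorization": "Bearer " + token}, None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = body.encode("utf-8")
    with urlopen(Request(url, data=data, headers=headers, method=method)) as resp:
        return json.loads(resp.read())

def incident_entities(base, incident_id, token, expansion="alert_entities", transport=arm_call):
    """Run both steps and return the expanded entities; transport is injectable."""
    entities = []
    for alert_id in alert_ids_from_relations(transport(relations_url(base, incident_id), token)):
        expanded = transport(expand_url(base, alert_id), token, "POST",
                             expand_body(EXPANSIONS[expansion]))
        # Assumed expand shape: {"value": {"entities": [{"kind": ..., "properties": {...}}]}}
        entities.extend(expanded.get("value", {}).get("entities", []))
    return entities

# Constructed sample responses (not real data) so the flow can be exercised offline.
SAMPLE_RELATIONS = {"value": [{"properties": {
    "relatedResourceName": "11111111-2222-3333-4444-555555555555",
    "relatedResourceType": "Microsoft.SecurityInsights/entities",
    "relatedResourceKind": "SecurityAlert"}}]}
SAMPLE_EXPAND = {"value": {"entities": [
    {"kind": "Account", "properties": {"accountName": "jdoe"}},
    {"kind": "Ip", "properties": {"address": "203.0.113.7"}}]}}

def fake_transport(url, token, method="GET", body=None):
    """Stand-in for arm_call that answers from the constructed samples."""
    if "/relations?" in url:
        return SAMPLE_RELATIONS
    assert method == "POST" and json.loads(body) == {"expansionId": EXPANSIONS["alert_entities"]}
    return SAMPLE_EXPAND
```

Against a real workspace, call incident_entities(workspace_base(sub, rg, ws), incident_id, token) and leave the default transport; fake_transport only exists to run the flow offline.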


@SanderWannet you are a legend! Thank you so so much, this worked perfectly.