Still trying to extract IP addressess from an Alert using the API


Ok so I know this was posted -> https://techcommunity.microsoft.com/t5/azure-sentinel/get-entities-for-a-sentinel-incidient-by-api/m-p/1422643


For the life of me I cannot get this working. Has anyone else successfully used the 'expand' function with a POST request to grab IPs and such like? I can't really find any documentation on this.


I need to try and do this via the API, as I essentially want to call this Playbook via a URL since it's being called by another playbook, so I cannot use the normal triggers that would capture all this entity information (like the trigger 'When a response to an Azure Sentinel alert is triggered').


Any ideas?
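For readers with the same goal (pulling IP entities out of a Sentinel incident from a playbook that is invoked by URL rather than by the alert trigger), here is an added example, not code from the thread or from Microsoft. It assumes the Microsoft.SecurityInsights REST operation `POST .../incidents/{incidentId}/entities?api-version=2021-10-01`, which returns an `entities` array in which IP entities have `kind: "Ip"` and `properties.address`; that endpoint path, API version and response shape are assumptions to verify against the current API reference. The sample payload is constructed, and the extraction step runs offline; the HTTP helper needs a real bearer token and workspace identifiers.

```python
"""Extract IP entities from a Sentinel incident's entities response.

Added example, not from the thread. The endpoint path, api-version and
response shape below are assumptions about the Microsoft.SecurityInsights
REST API; confirm them against the current reference before relying on them.
"""
import ipaddress
import json
import urllib.request

# Constructed sample response, shaped like the incident entities payload
# (one IPv4, one IPv6, one malformed address, one duplicate, one non-IP entity).
SAMPLE_RESPONSE = {
    "entities": [
        {"kind": "Ip", "properties": {"address": "203.0.113.45", "friendlyName": "203.0.113.45"}},
        {"kind": "Account", "properties": {"accountName": "jdoe", "friendlyName": "jdoe"}},
        {"kind": "Ip", "properties": {"address": "2001:db8::10"}},
        {"kind": "Ip", "properties": {"address": "not-an-ip"}},    # malformed: skipped
        {"kind": "Ip", "properties": {"address": "203.0.113.45"}},  # duplicate: collapsed
    ],
    "metaData": [{"entityKind": "Ip", "count": 4}, {"entityKind": "Account", "count": 1}],
}


def extract_ips(payload):
    """Return a sorted, de-duplicated list of well-formed IP addresses.

    Only entities of kind "Ip" are considered; anything that does not parse
    as an IPv4/IPv6 address is dropped rather than passed on to the next
    playbook step, so a garbled entity cannot poison a block list or lookup.
    """
    found = set()
    for entity in payload.get("entities", []):
        if entity.get("kind") != "Ip":
            continue
        address = entity.get("properties", {}).get("address")
        if not address:
            continue
        try:
            found.add(str(ipaddress.ip_address(address)))
        except ValueError:
            continue  # not a valid address; skip it
    return sorted(found)


def fetch_incident_entities(subscription_id, resource_group, workspace, incident_id, bearer_token):
    """POST to the (assumed) incident entities endpoint and return the parsed JSON.

    bearer_token must be an Azure Resource Manager token for a principal with
    read access to the Sentinel workspace. Not exercised offline.
    """
    url = (
        f"https://management.azure.com/subscriptions/{subscription_id}"
        f"/resourceGroups/{resource_group}"
        f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
        f"/providers/Microsoft.SecurityInsights/incidents/{incident_id}/entities"
        "?api-version=2021-10-01"
    )
    req = urllib.request.Request(
        url,
        method="POST",
        headers={"Authorization": f"Bearer {bearer_token}", "Content-Length": "0"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration on the constructed payload.
    print(extract_ips(SAMPLE_RESPONSE))
```

In a playbook that is reached by HTTP trigger, the calling playbook only needs to pass the incident's ARM resource id; the callee then performs the entities call above and forwards the validated addresses, rather than trusting whatever the caller put in the request body.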

2 Replies

@stevebennett500 I see that you replied to the other posting leading me to believe that you have solved this issue.  Is that correct?

Yes that’s correct. A rookie error that has been sending me nuts for days!
On the plus side we now have Sentinel talking very nicely back and forth with TheHive.