Mar 01 2019 09:34 AM
Where can I find docs to query new alerts and cases and interact with them in Azure Sentinel?
Mar 01 2019 05:23 PM
Hello,
We have a GitHub repo with sample queries and detections: https://github.com/Azure/Azure-Sentinel
General documentation is here: https://docs.microsoft.com/en-us/azure/sentinel/
Let me know if that doesn't give you what you need.
Mar 02 2019 08:16 PM
What would be great to include with a deployment of Sentinel would be default alerts based on the Data Collections that you add.
Because then they almost have a story to try to use the data with and set up playbooks for. @Ryan Heffernan
Mar 02 2019 09:21 PM
Great feedback, thanks Lachlan! (CC: @Koby Koren and @Shalini Pasupneti)
Mar 03 2019 05:40 AM
Thank you for your feedback.
The team is currently working on adding them as part of the experience.
Mar 05 2019 08:53 AM
Hello Ryan,
I see documentation for how to create KQL queries within the Azure Sentinel panel. Is there a way to query via an API, by using a cURL request, for example?
Mar 11 2019 05:27 PM
Are there any plans to add externally-exposed APIs - for example, being able to query Sentinel for alerts, change alert statuses, etc?
I looked through the GitHub repo and didn't see anything really referencing that (primarily related to Notebooks and Hunting Queries).
Is there perhaps any documentation around any externally-exposed APIs like that that you can pass along?
Thanks!
Mar 11 2019 05:38 PM
@Marticus2425 Azure Sentinel alerts are available for query via Graph Security API. Here's the link to that documentation.
https://docs.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-beta
Mar 12 2019 01:02 PM
Hi,
Azure Sentinel API is coming soon so you can query cases, manage them and update rules as well.
Thanks,
Koby
Nov 13 2019 05:43 AM
Nov 14 2019 12:30 PM
@kastromatos have you looked at https://github.com/wortell/AZSentinel to understand the API? There is no official documentation, but they built a PowerShell module in order to create/get rules, incidents... maybe it can help 🙂
Feb 06 2020 04:35 AM
Feb 09 2020 12:01 AM
May 15 2020 12:02 AM
@kobiga Is there any update yet? I can't find the Incidents API.
May 15 2020 04:48 AM
Sentinel incidents API is available in preview version and included in Sentinel's API swagger spec - https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-ma...
The stable version of the API will be released in about 2-3 weeks and should basically be the same as the preview version
May 15 2020 04:53 AM
@SanderWannet the Azure Sentinel API is in preview and examples can be found here: https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-ma...
To query for incidents you can make a get request to:
https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/microsoft.operationalinsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/?api-version=2019-01-01-preview
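An added example (not code from this thread or from any Microsoft project) of calling the incidents endpoint quoted above from Python: it builds the URL, follows `nextLink` paging, and filters out the incidents still open at High severity. The response envelope (`value`/`nextLink`), the `properties.severity` and `properties.status` field names and values, and the token source are assumptions to check against the swagger spec linked in the thread.

```python
import json
import urllib.request

API_VERSION = "2019-01-01-preview"  # the preview api-version named in the post above


def incidents_url(subscription_id, resource_group, workspace):
    """Build the incidents list URL exactly as given in the post above."""
    return (
        "https://management.azure.com/subscriptions/{subscriptionId}"
        "/resourcegroups/{resourceGroupName}"
        "/providers/microsoft.operationalinsights/workspaces/{workspaceName}"
        "/providers/Microsoft.SecurityInsights/incidents/?api-version=" + API_VERSION
    ).format(subscriptionId=subscription_id, resourceGroupName=resource_group,
             workspaceName=workspace)


def http_get_json(url, bearer_token):
    """Real transport: authenticated GET returning the parsed JSON body.
    Assumption: the token comes from e.g. `az account get-access-token`
    for a principal with Sentinel Reader on the workspace."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + bearer_token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def list_incidents(url, bearer_token, fetch=http_get_json):
    """Follow nextLink until exhausted; returns a flat list of incident records."""
    incidents = []
    while url:
        page = fetch(url, bearer_token)
        incidents.extend(page.get("value", []))
        url = page.get("nextLink")  # absent on the last page, which ends the loop
    return incidents


def open_high_severity(incidents):
    """Triage helper: names of incidents that are High severity and not Closed.
    Assumption: status values are New/Active/Closed, severity High/Medium/Low."""
    return [i["name"] for i in incidents
            if i["properties"].get("severity") == "High"
            and i["properties"].get("status") != "Closed"]


# Constructed two-page response for offline use (not real data); `fetch` is
# injectable so the paging logic can be exercised without network access.
SAMPLE_PAGES = {
    "page1": {"value": [
        {"name": "inc-1", "properties": {"title": "Brute force", "severity": "High", "status": "New"}},
        {"name": "inc-2", "properties": {"title": "Rare process", "severity": "Low", "status": "Closed"}}],
        "nextLink": "page2"},
    "page2": {"value": [
        {"name": "inc-3", "properties": {"title": "Impossible travel", "severity": "High", "status": "Active"}}]},
}


def fake_fetch(url, _token):
    return SAMPLE_PAGES[url]
```

For a live call, replace `fake_fetch` with the default `http_get_json` and pass a real bearer token.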
May 15 2020 11:34 PM
@kobiga Thanks for your fast reply. I found indeed the /incidents/* actions in the preview version but didn't see them in the stable version (2020-01-01) right now. Can you confirm they will be added in the following 2-3 weeks?
@wadstromdev: Thanks for your example. Did some successful testing with it! I hope the /incidents/* actions will be added in the stable (2020-01-01) because they are now only available in the preview version.
May 16 2020 03:41 PM
@SanderWannet I have a series of blog posts on using the Azure Sentinel REST API including how to get Incidents into a Log Analytics workspace at https://www.garybushey.com To start off I would suggest this one: https://www.garybushey.com/2020/01/11/your-first-azure-sentinel-rest-api-call/
May 16 2020 10:24 PM
@SanderWannet, yes you can expect them to be included in a stable version in the next 2-3 weeks
Jul 09 2021 04:38 PM