SOLVED

Get entities for a Sentinel Incidient by API

Copper Contributor

Hi,

I'm trying to get some information about incidents in Sentinel via the API (https://github.com/Azure/azure-rest-api-specs/blob/master/specification/securityinsights/resource-ma...)

I can successfully query incidents via ".../providers/Microsoft.SecurityInsights/incidents

 

And when I query the relations of the incident via "..../providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations" I get SecurityAlert where I can see there is 1 account and 1 IP involved with the SecurityAlert

{
  "Total Account Entities": "1",
  "Total IP Entities": "1"
}


I was hoping to get the Entity information by getting the relations of the SecurityAlert Entity, but then I only get the Incident as relation.


However when I query the entities via "..../providers/Microsoft.SecurityInsights/entities" I see the Account Entity and the IP Enity and the information of them, But I can’t see the SecurityAlert event.


Is there a way so I can get the related entities of the Incident / SecurityAlert(s) via the API?

15 Replies
best response confirmed by SanderWannet (Copper Contributor)
Solution

@SanderWannet 

currently the only way to achieve this is by:

 

1. Getting the system alert id by running the relation API call 

 

get:

https://management.azure.com/subscriptions/xxxxx-5731-4780-8f96-2078ddxxxx/resourceGroups/cxp-azures...

 

in my example the system alert id value located here 

 

1.png

 

2.  run a POST request on entities API with the system Alert ID based on the first phase

where the expansionId is constant for get all entities 

 

Post

https://management.azure.com/subscriptions/xxxxxxx-5731-4780-xxxx-2078dd96fd96/resourceGroups/cxp-az...

 

body 

{
"expansionId": "98b974fd-cc64-48b8-9bd0-3a209f5b944b",
}

 

2.png

 

This days product team are debating on  how to make this process more user friendly with less calls.

happy to share once we will have final decision. 

@YanivSh 

 

Thank you so much for your help! I've got it working 🙂

Is there any documentation about the expand action and the id's you can send to the API, so I can explore more of the possibilities of the API? Of is the expansionId you put in your example currently the only one?

@SanderWannet 

please:

 

 "98b974fd-cc64-48b8-9bd0-3a209f5b944b", // Alert related entities

    "27f76e63-c41b-480f-bb18-12ad2e011d49", // Bookmark related entities

    "a77992f3-25e9-4d01-99a4-5ff606cc410a", // Account related alerts

    "4a014a1b-c5a1-499f-9f54-3f7b99b0a675", // AzureResource related alerts

    "f74ad13a-ae93-47b9-8782-b1142b95d046", // CloudApplication related alerts

    "80218599-45b4-4402-95cc-86f9929dd43d", // DNS related alerts

    "0f0bccef-4512-4530-a866-27056a39dcd6", // File related alerts

    "b6eaa3ad-e69b-437e-9c13-bb5273dd34ab", // FileHash related alerts

    "055a5692-555f-42bd-ac17-923a5a9994ed", // Host related alerts

    "58c1516f-b78a-4d78-9e71-77c40849c27b", // IP related alerts

    "b8407195-b9a3-4565-bf08-7b23e5c57e3a", // Malware related alerts

    "63a4fa2f-f89d-4cf5-96a2-cb2479e49731", // Process related alerts

    "d788cd65-a7ef-448e-aa34-81185ac0e611", // RegistryKey related alerts

    "3a45a7e3-80e0-4e05-84db-b97bd1ae452b", // RegistryValue related alerts

    "7b61d5e2-4b66-40a7-bb0f-9145b445104e", // URL related alerts

    "4daeed0e-0e74-4f2d-990c-a958210e9dd7", // IoTDevice related alerts

    "504ea455-3bf7-47ef-8555-dc747b465f99", // Account related bookmarks

    "e36c2ceb-4caf-4919-8433-d61dbc3e294a", // Host related bookmarks

    "6a6a5dcb-605c-4dad-8bb6-c8c439db4f0a", // IP related bookmarks

    "855ea9fe-2fdd-4890-8daa-c895c136eef3", // URL related bookmarks

@YanivSh 

I tried the post request you listed with the body of:

body

{

"expansionId": "98b974fd-cc64-48b8-9bd0-3a209f5b944b",

}

..and variations of this.

 

I keep getting an UnsupportedMediaType (Status 415). Can you assist? I am desperate to try and extract IP's from an incident using the API and keep hitting a brick wall.

@stevebennett500 

 

I see a comma and the end of the GUID... Did you try to remove it? Also make sure you've set the 'Content-Type' header of your post request to 'application/json'

 

Can you check if that's works for you?

@SanderWannet you are a legend! Thankyou so so much this worked perfectly.

@YanivSh is there also a way to write alert entities?

 

According to this documentation it is possible to create incidents trough the REST API: https://docs.microsoft.com/en-us/rest/api/securityinsights/incidents/createorupdate 

 

It would be nice if I could add entities to my incident as well.

 

Thanks!

 

@YanivSh Could you possibly share the JSON entity kind names for each of those related entity types?

 

e.g. I know about `Ip`, `Host`, `Address`, I have not seen incidents yet with the others.

 

To successfully parse these entity kinds from the JSON API response, I need to know the correct kind string (including capitalization) of each of those

I found the entity kind names in https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-ma...

Account

AzureResource

CloudApplication

DnsResolution

File

FileHash

Host

Insight

IoTDevice

Ip

MailCluster

MailMessage

Mailbox

Malware

Process

RegistryKey

RegistryValue

SecurityAlert

SecurityGroup

SubmissionMail

Url

 

Hi Jeroen,

Adding entities to incidents is indeed planned. Stay tuned for updates on our blog for this.
In the man time, another route you can take is by adding bookmarks to entities. In a bookmark you can map an entity and add it to the incident. Once you do, the entity will be added as well.

Thanks,
Ely

I wrote a blog post about how to get Sentinel Incidents including Entities (based on the information in this thread). It is how-to based, you can find it here:

 

https://blogs.infosupport.com/how-to-get-azure-sentinel-incidents-via-api/

 

 

Hi,

 

Does anyone know where I can get a reference of the output JSON schema for all entity types?

 

I'm aware of this page: https://docs.microsoft.com/en-us/azure/sentinel/entities-reference

But that's good as a reference for entity mappings in analytics rules, it doesn't really tell me which field set is output for each type.

 

Thanks

Hey, thanks, it was helpful at the time.
Hello @YanivSh,
thank you so much for providing this!
Please advise, were there any updates regarding this since?
How safe is to still use the expansion ids? Alert's entities is particular? (are there any plans to deprecate them?)

Thank you!
1 best response

Accepted Solutions
best response confirmed by SanderWannet (Copper Contributor)
Solution

@SanderWannet 

currently the only way to achieve this is by:

 

1. Getting the system alert id by running the relation API call 

 

get:

https://management.azure.com/subscriptions/xxxxx-5731-4780-8f96-2078ddxxxx/resourceGroups/cxp-azures...

 

in my example the system alert id value located here 

 

1.png

 

2.  run a POST request on entities API with the system Alert ID based on the first phase

where the expansionId is constant for get all entities 

 

Post

https://management.azure.com/subscriptions/xxxxxxx-5731-4780-xxxx-2078dd96fd96/resourceGroups/cxp-az...

 

body 

{
"expansionId": "98b974fd-cc64-48b8-9bd0-3a209f5b944b",
}

 

2.png

 

This days product team are debating on  how to make this process more user friendly with less calls.

happy to share once we will have final decision. 

View solution in original post