SanderWannet
May 28, 2020, Copper Contributor
Get entities for a Sentinel Incident by API
Hi, I'm trying to get some information about incidents in Sentinel via the API (https://github.com/Azure/azure-rest-api-specs/blob/master/specification/securityinsights/resource-manager/Microsoft....
YanivSh
Microsoft
Jun 01, 2020
Currently the only way to achieve this is by:
1. Getting the system alert ID by running the relation API call
get:
in my example the system alert ID value is located here
2. Running a POST request on the entities API with the system alert ID from the first phase,
where the expansionId is a constant for getting all entities
Post
body
{
  "expansionId": "98b974fd-cc64-48b8-9bd0-3a209f5b944b"
}
These days the product team is debating how to make this process more user-friendly with fewer calls.
Happy to share once we have a final decision.
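The two calls described in the answer above, as an added Python example that is not part of the original thread and is not Microsoft's own code. The URL paths, the response field names (`relatedResourceKind`, `relatedResourceName`, `value.entities`) and all helper names are assumptions about the API shape that the thread does not show; `api_version` is passed in by the caller because the thread does not state one.

```python
import json
import urllib.request
from urllib.parse import quote

# expansionId quoted in the answer above ("constant for get all entities").
ALL_ENTITIES_EXPANSION_ID = "98b974fd-cc64-48b8-9bd0-3a209f5b944b"


def workspace_base(sub, rg, ws):
    # Assumed ARM path layout for a Sentinel workspace (not shown on the page).
    return (f"https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{ws}"
            "/providers/Microsoft.SecurityInsights")


def make_sender(token):
    """Return send(method, url, body) -> parsed JSON, using a caller-supplied bearer token."""
    def send(method, url, body):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send


def incident_entities(send, base, incident_id, api_version):
    """Two-step lookup from the answer: incident relations, then entity expansion."""
    q = f"?api-version={quote(api_version)}"
    # Step 1: relation call; keep only relations that point at a system alert.
    rel = send("GET", f"{base}/incidents/{quote(incident_id, safe='')}/relations{q}", None)
    alert_ids = [r["properties"]["relatedResourceName"]
                 for r in rel.get("value", [])
                 if r.get("properties", {}).get("relatedResourceKind") == "SecurityAlert"]
    # Step 2: POST the constant expansionId against each system alert id.
    seen, entities = set(), []
    for alert_id in alert_ids:
        out = send("POST", f"{base}/entities/{quote(alert_id, safe='')}/expand{q}",
                   {"expansionId": ALL_ENTITIES_EXPANSION_ID})
        for ent in out.get("value", {}).get("entities", []):
            if ent.get("id") not in seen:  # alerts in one incident may share entities
                seen.add(ent.get("id"))
                entities.append(ent)
    return alert_ids, entities
```

`incident_entities` takes the sender as a parameter, so it can be exercised against recorded responses before it is pointed at a live workspace with `make_sender(token)`.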
Dmitry2115
Jun 18, 2023, Copper Contributor
Hello YanivSh,
thank you so much for providing this!
Please advise, were there any updates regarding this since?
How safe is it to still use the expansion IDs? Alert entities in particular? (Are there any plans to deprecate them?)
Thank you!