User Profile
Chi_Nguyen
Iron Contributor
Joined 6 years ago
Recent Discussions
Re: Fetch Events of Sentinel incidents via Api
madmvx You can use the IncidentRelation API to get entities associated with an incident (this is the closest to getting evidence). Note this API is currently in preview. That's why we don't have documentation about it. However, you can view the API specs here: https://github.com/Azure/azure-rest-api-specs/blob/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/incidents/entities/GetAllIncidentEntities.json If you want to get the evidence table, then use Log Analytics, as shoando mentioned above. API: https://dev.loganalytics.io/documentation/Using-the-API

Re: Fetch Azure Sentinel Incidents Via API
SocInABox I don't think we can query the extended Properties for Sentinel incidents using the Graph Security API, as it's dependent on the alert schema the API currently relies on. So the only way I'm aware of is calling the Azure Sentinel API. If you are interested in using some sample code (no developer/devops skills needed to run this) we've built to get these details from Sentinel incidents, the code should be available soon in the Azure Sentinel/Tools/Sample Code repo. Or if you'd like to be an early tester, then please reach out to asigtp_at_microsoft_com with a request, and I can provide more instructions on how to use and run the code.

Re: Fetch Azure Sentinel Incidents Via API
SocInABox, the fields that are not populated by the Graph Security API are missing because they aren't part of the alert schema. The team is still working on enriching the alerts with more fields. If you'd like to get incidents with all the details, I suggest you try the Azure Sentinel API. You'll need to make a few calls to get to the level of detail you need, but here is a post about it: https://techcommunity.microsoft.com/t5/azure-sentinel/get-entities-for-a-sentinel-incidient-by-api/m-p/1422643

Re: Fetch Azure Sentinel Incidents Via API
PrashTechTalk We recently released the Azure Sentinel Management API, which you can leverage to directly get all incidents and filter them based on a time range. This article has an overview of the different Azure Sentinel APIs, including this one. In terms of using KQL, you can now query your incidents directly with KQL via the SecurityIncident table in your Azure Sentinel workspace. Hope that helps!

Re: ID of the Resource that generated the Secure Score Control
igventurelli Currently there is no ResourceId property mapped to the secureScoreControlProfile entity yet, and we are continuing to look into enriching the entity. Meanwhile, you can leverage the actionURL and other fields returned from the Get one SecureScoreControlProfile action to view all related information about the control profile.

Re: Graph Security API sandbox (subscription)
Hi isaacroitman, we currently don't have a developer sandbox for the Graph Security API, but there's an alternative way. On our alerts documentation page, there is a list of alert providers. You can click on the relevant providers to get trials and simulate alerts to set this up in your own environment. Let us know if you need any further help with that.

Re: 403 Forbidden response when requesting Microsoft Security Graph API
anotherrohit The repo has been archived, and it is for the Graph API, which may be different from the Graph Security API. You can also check out our Graph Security API Quickstart samples, which have authentication examples in C#, Python and Node.js. Let us know if you still run into the issue.

Re: Graph Explorer API to list all service principals in App registration is not working correctly
Hi Sagar_Lad, this techcommunity forum handles questions related to the Graph Security API only. Please post your question on StackOverflow with the tag Microsoft-Graph, or in the related techcommunity forum for Applications, for better assistance. Thanks!

Re: Subscriptions for Bookings
Hi timparsons, this techcommunity forum handles questions related only to the Microsoft Graph Security API. Please post your question on StackOverflow with the tag Microsoft-Graph, or in the related techcommunity forum for Bookings, for better assistance. Thanks.

Re: Unable to fetch profile photo
Hi SnehalJ1509, this techcommunity forum handles questions related to the Microsoft Graph Security API. If you are experiencing an issue related to MSAL or Azure Active Directory authentication, please post a question on StackOverflow with the tag MSAL or Azure-Active-Directory, or in the related techcommunity forums, for better assistance. Thanks.

Re: Microsoft.SecurityInsights Api Documentation
Hi jojo_the_coder, by Security Insights API, are you referring to the Graph Security API? If so, please refer to this documentation. Please note, the Graph Security API returns alerts, and the alerts are provided by onboarded Microsoft security providers such as MCAS, Azure Sentinel, Microsoft Defender ATP, etc. The alerts can be from an incident provided by Azure Sentinel. However, it doesn't surface the incident itself.

Re: Getting members of local admin group
Hi neilcarden, this techcommunity forum handles responses to Microsoft Graph Security API related questions. For questions related to other Graph workloads, please submit the question on Stack Overflow and tag it with Microsoft-Graph, or post in the related techcommunity forum for your Graph workload. Thanks!

Re: Retrieve MIP labels that have been assigned to O365 mail messages?
Hi Storexltd, the Microsoft Graph Security API uses a unified alert schema from onboarded security providers such as AIP (AIP is part of MIP) and aggregates responses from the multiple providers. Because of this, certain fields, such as label from AIP, won't appear via the Graph Security API exactly as they do in the provider's portal. If you are using the Graph API and not the Graph Security API, please submit your question to StackOverflow and tag it with Microsoft-Graph, or post in the related techcommunity forum for the Microsoft Graph API. Thanks.

Re: Switching users in the Power BI service does not work
Hi lvillara, can you please verify whether you are using the Power BI connector for the Graph API or for the Graph Security API? This forum handles responses to Microsoft Graph Security API related questions. If you are trying to update user information, I think you are using the Graph API connector. Please submit your question to StackOverflow and tag it with Microsoft-Graph, or post in the related techcommunity forum for the Microsoft Graph API. Thanks.

Re: Fetch Azure Sentinel Incidents Via API
Hi jojo_the_coder, the currently available APIs to fetch incidents can be found here. To fetch alerts related to an incident without using the Log Analytics API, you can do that via the Microsoft Graph Security API. Please refer to the documentation here. Below is an example query to get all alerts provided by Azure Sentinel via the Graph Security API. A list of curated sample queries can be found here.
https://graph.microsoft.com/v1.0/security/alerts?$filter=vendorInformation/provider eq 'Azure Sentinel'
Recent Blog Articles
Configure a continuous data pipeline in Microsoft Sentinel for big data analytics!
To work with Microsoft Sentinel datasets for big data analytics, you will need a continuous data pipeline to export logs from your Sentinel workspace to a data lake or blob storage. We are happy to a...

Security big data analytics with Azure Synapse and Microsoft Sentinel Notebooks!
To power your own big data analytics, Azure Synapse is now built-in to Microsoft Sentinel, enabling you to build and run custom advanced analytics and machine learning models on data in Azure Sentine...