SOLVED

Problem with the Sentinel API and the value "alertProductNames".

Copper Contributor

Hello,


While investigating the Sentinel API, I noticed that it does not pick up incidents reported by the M365D portal, but it does pick up incidents reported by Microsoft Defender for Endpoint in the field "alertProductNames".
Is there a possibility that the field "alertProductNames" tells me that it comes from the M365D portal? Is this normal? I do not understand why it should bring you the field "M365D" without problems.


Regards.


1 Reply
best response confirmed by Chris_321 (Copper Contributor)
Solution

@Chris_321 

The API still reports the old names, and therefore so do the other parts of the system that use it.

e.g.

SecurityIncident
// alertProductNames is stored as a JSON-encoded array, so it is parsed first; [0] takes the first product
| extend Product = todynamic((parse_json(tostring(AdditionalData.alertProductNames))[0]))
// count incidents per (still legacy) product name
| summarize count() by tostring(Product)


I suspect it will take Microsoft some time to make sure that, if they update the results, it doesn't break anything that relies on the "old names".

The latest preview also doesn't address this (but I think the date was before or around the time of many of the product renames): Incidents - Get - REST API (Azure Sentinel) | Microsoft Docs

1 best response
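As an added example (not code from this thread), the same per-product count done on the incident JSON that the Incidents - Get REST API returns, with legacy product names mapped to their current names before counting. The name mapping table and the exact record shape (properties.additionalData.alertProductNames) are assumptions for this example; the value is handled both as a real array and as a JSON string, which is why the KQL above wraps it in parse_json(tostring(...)).

```python
import json
from collections import Counter

# Assumed mapping from legacy names (as the API still reports them) to current
# names; the exact strings the API returns are not on the page, so extend as needed.
LEGACY_PRODUCT_NAMES = {
    "Microsoft Defender Advanced Threat Protection": "Microsoft Defender for Endpoint",
    "Microsoft Threat Protection": "Microsoft 365 Defender",
    "Azure Advanced Threat Protection": "Microsoft Defender for Identity",
    "Microsoft Cloud App Security": "Microsoft Defender for Cloud Apps",
    "Office 365 Advanced Threat Protection": "Microsoft Defender for Office 365",
    "Azure Security Center": "Microsoft Defender for Cloud",
}


def product_names(incident):
    """Return alertProductNames of one incident record as a list of strings.

    The field may arrive as a JSON array or as a string that holds JSON text."""
    raw = incident.get("properties", {}).get("additionalData", {}).get("alertProductNames", [])
    if isinstance(raw, str):
        raw = json.loads(raw) if raw.strip() else []
    return [str(p) for p in raw]


def normalize(name):
    """Map a legacy product name to its current name; unknown names pass through."""
    return LEGACY_PRODUCT_NAMES.get(name, name)


def count_by_product(incidents):
    """Count incidents by normalized first product name, mirroring the KQL summarize."""
    counts = Counter()
    for inc in incidents:
        names = product_names(inc)
        counts[normalize(names[0]) if names else "(none)"] += 1
    return dict(counts)


# Constructed sample records (subset of the REST response fields), not real data.
SAMPLE_INCIDENTS = [
    {"name": "inc-1", "properties": {"additionalData": {"alertProductNames": ["Microsoft Defender Advanced Threat Protection"]}}},
    {"name": "inc-2", "properties": {"additionalData": {"alertProductNames": '["Microsoft Threat Protection"]'}}},
    {"name": "inc-3", "properties": {"additionalData": {"alertProductNames": ["Microsoft 365 Defender"]}}},
    {"name": "inc-4", "properties": {"additionalData": {"alertProductNames": []}}},
]

if __name__ == "__main__":
    print(count_by_product(SAMPLE_INCIDENTS))
```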