Forum Discussion
Fetch Azure Sentinel Incidents Via API
- Mar 17, 2020
Hi jojo_the_coder, current available APIs to fetch incidents can be found here.
To fetch alerts related to an incident without using Log Analytics API, you can do that via the Microsoft Graph Security API. Please refer to the documentation here. Below is an example query to get all alerts provided by Azure Sentinel via the Graph Security API. A list of curated sample queries can be found here.
https://graph.microsoft.com/v1.0/security/alerts?$filter=vendorInformation/provider eq 'Azure Sentinel'
- jojo_the_coder, Mar 25, 2020, Copper Contributor
- PrashTechTalk, Aug 04, 2020, Brass Contributor
Hi,
I would like to filter the cases API results to get the latest 30 days of data by setting a filter that is not based on from and to dates but instead just mentions 30 days. How do I achieve this? I do not want to hard-code the from and to date here.
$filter = properties/createdTimeUtc le <30days>
I still wonder why Microsoft has not given access to incident data to effectively use KQL queries instead of going through the API.
Thanks.
- Chi_Nguyen, Aug 04, 2020, Microsoft
PrashTechTalk We recently released Azure Sentinel Management API that you can leverage to directly get all incidents and filter them based on a time range. This article has an overview of different Azure Sentinel APIs including this one.
In terms of using KQL, you can now query your incidents directly using the KQL via the SecurityIncident table in your Azure Sentinel workspace.
Hope that helps!
- PrashTechTalk, Aug 04, 2020, Brass Contributor
Chi_Nguyen - Awesome - Good to see the SentinelIncidents table is now available. That solves most of the problem :-). Cheers
- SocInABox, Aug 28, 2020, Iron Contributor
Hi Chi_Nguyen
I'm not sure your query examples are the ideal solution.
The Graph API fields don't include details such as source, destination, username, or event ID.
How can we get those details from the graph api query?
Those details do exist in the 'Entities' field, but that's not pulled down in the json, is it?
- Chi_Nguyen, Aug 28, 2020, Microsoft
SocInABox, those fields are not populated by the Graph Security API because they aren't part of the alert schema. The team is still working on enriching the alerts with more fields.
If you'd like to get incidents with all the details, I suggest you try the Azure Sentinel API.
You'll need to make a few calls to get to the level of details you need, but here is a post about it.
- SocInABox, Aug 30, 2020, Iron Contributor
Hi Chi_Nguyen
I greatly appreciate your feedback; however, you may be assuming I'm DevOps, which I'm not :). If you had a wget example of how to pull Sentinel Incidents with the additional fields, that would be super helpful. Then I could present a query example to our DevOps team and they could run with it, knowing I wasn't suggesting they chase something up a tree.
I suspect @Yaniv Shasha is on the right track with this:
"98b974fd-cc64-48b8-9bd0-3a209f5b944b", // Alert related entities
But I don't know how I can translate that knowledge into a wget example for Sentinel, or use the Graph Explorer to query the same results.
Your help is greatly appreciated.
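Two questions in this thread map onto the same small script: PrashTechTalk wants a "last 30 days" filter without hard-coding from/to dates, and SocInABox wants an example of pulling an incident's related entities (source, destination, user) through the Sentinel API rather than the Graph Security alert schema. The Python below is an added example, not code from Microsoft or from anyone in the thread. It assumes the Azure Sentinel (Microsoft.SecurityInsights) REST paths and `api-version` shown, in particular that "list entities" for an incident is a `POST` to `.../incidents/{id}/entities` returning an `entities` array; the subscription, resource group and workspace names are placeholders, and the entity JSON in the demo is constructed here, not captured from a tenant.

```python
"""Added example (not from the thread): rolling-window incident filter plus
entity flattening for the Azure Sentinel (SecurityInsights) REST API.

Assumptions (labelled): REST paths and api-version follow the published
"Incidents" operations; sub/rg/ws values are placeholders; the entity JSON
in demo() is constructed, not a real tenant response.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

API_VERSION = "2021-10-01"  # assumption: a GA SecurityInsights api-version
MGMT = "https://management.azure.com"


def created_time_filter(days: int, now: Optional[datetime] = None) -> str:
    """OData filter for incidents created in the last `days` days.

    The API only understands absolute timestamps, so compute the cut-off at
    call time rather than hard-coding a from/to date in the query.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = (now - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"properties/createdTimeUtc ge {cutoff}"


def workspace_base(sub: str, rg: str, ws: str) -> str:
    """Resource path of the Sentinel-enabled Log Analytics workspace."""
    return (f"{MGMT}/subscriptions/{sub}/resourceGroups/{rg}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{ws}"
            f"/providers/Microsoft.SecurityInsights")


def incidents_url(sub: str, rg: str, ws: str, days: int,
                  now: Optional[datetime] = None) -> str:
    """List-incidents URL with a percent-encoded rolling $filter."""
    flt = urllib.parse.quote(created_time_filter(days, now))  # keeps '/'
    return f"{workspace_base(sub, rg, ws)}/incidents?api-version={API_VERSION}&$filter={flt}"


def arm_request(url: str, token: str, method: str = "GET") -> dict:
    """Call Azure Resource Manager with a bearer token; POST sends an empty body."""
    req = urllib.request.Request(
        url, method=method, data=b"" if method == "POST" else None,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def incident_entities(sub: str, rg: str, ws: str, incident_id: str, token: str) -> dict:
    """Fetch related entities for one incident (assumed POST action, see lead-in)."""
    url = (f"{workspace_base(sub, rg, ws)}/incidents/{incident_id}"
           f"/entities?api-version={API_VERSION}")
    return arm_request(url, token, method="POST")


def flatten_entities(entities_response: dict) -> List[Tuple[str, str]]:
    """Reduce an entities response to (kind, value) pairs an analyst can read."""
    rows = []
    for ent in entities_response.get("entities", []):
        kind = ent.get("kind", "")
        props = ent.get("properties", {})
        if kind == "Account":
            value = props.get("accountName", "")
            if props.get("upnSuffix"):
                value += "@" + props["upnSuffix"]
        elif kind == "Host":
            value = props.get("hostName", "")
        elif kind == "Ip":
            value = props.get("address", "")
        else:
            value = props.get("friendlyName", "")
        rows.append((kind, value))
    return rows


# Constructed sample in the shape of an entities response (not real tenant data).
SAMPLE_ENTITIES = {
    "entities": [
        {"kind": "Account", "properties": {"accountName": "alice", "upnSuffix": "contoso.example"}},
        {"kind": "Host", "properties": {"hostName": "web01"}},
        {"kind": "Ip", "properties": {"address": "203.0.113.5"}},
    ]
}


def demo() -> List[Tuple[str, str]]:
    """Offline walkthrough: build the URL, then flatten the constructed entities."""
    print(incidents_url("<sub>", "<rg>", "<ws>", 30))
    rows = flatten_entities(SAMPLE_ENTITIES)
    for kind, value in rows:
        print(f"{kind:8} {value}")
    return rows


if __name__ == "__main__":
    demo()
```

Run it without a token to see the URL and the flattened sample; with an access token for `https://management.azure.com/`, call `arm_request(incidents_url(...), token)` for the incident list and `incident_entities(...)` per incident ID. The filter uses `ge` against `createdTimeUtc` so the window moves with each run, which is what a scheduled pull into a SIEM or ticketing system needs.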
- jeromeasenthorus, Dec 01, 2023, Copper Contributor
This solution doesn't seem to work anymore, any ideas?