Getting Azure Sentinel Entities by Rest API (an undocumented feature)

Jeroen Niesen
Published in Wortell
2 min read · Nov 12, 2020

This week I had the great opportunity to work with the REST API of Azure Sentinel. For the SOAR platform my team and I are building, we had to integrate the Azure Sentinel API so that we could both read data out of Azure Sentinel and update data that resides in it.

At first this didn’t look challenging, as Microsoft has decent documentation for this API. While working with the documented API, however, I came to the conclusion that the “entities” (the alert indicators in Azure Sentinel) are not part of the incident object whose REST API documentation is described here.

Unfortunately, an incident without any data on which resource, user or computer it involves doesn’t make much sense. Looking further through the Azure Sentinel REST API documentation, I found that no separate API endpoint is described that fulfils this need.

Luckily, after some research and investigation I found that it is possible to get the incident entities through the Azure Sentinel REST API. To get the entities through the REST API you have to execute two REST calls:

GET https://management.azure.com/subscriptions/##SUBSCRIPTIONID##/resourceGroups/##RESOURCEGROUP##/providers/Microsoft.OperationalInsights/workspaces/##WORKSPACENAME##/providers/Microsoft.SecurityInsights/incidents/##INCIDENTID##/relations?api-version=2019-01-01-preview

The above API call returns the following JSON response:

In the above API response the “relatedResourceName” (which is actually an ID) is important. This value is required in the next API call:

POST https://management.azure.com/subscriptions/##SUBSCRIPTIONID##/resourceGroups/##RESOURCEGROUP##/providers/Microsoft.OperationalInsights/workspaces/##WORKSPACENAME##/providers/Microsoft.SecurityInsights/entities/##RelatedResourceName##/expand?api-version=2019-01-01-preview

The following HTTP body should be used (note: no trailing comma after the last property, or the JSON is invalid):

{
  "expansionId": "98b974fd-cc64-48b8-9bd0-3a209f5b944b"
}
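The two-call sequence above, written out as a small Python client. This is an added example, not code from the original post or from Microsoft: it builds the relations URL and the expand URL from the same placeholders the post uses (the workspace-name segment of the URL is the Log Analytics workspace name), pulls every relatedResourceName out of the GET response, and POSTs the expansionId from the post for each one. It assumes an Azure Resource Manager bearer token is already in hand (ARM calls require an Authorization header; how you obtain the token is out of scope here), and that the relations list has the usual ARM shape of a "value" array with relatedResourceName (and, optionally, relatedResourceType) under "properties"; if your response differs, adjust related_resource_names accordingly. The transport function is injectable so the flow can be exercised offline against a constructed fake response.

```python
"""Fetch Azure Sentinel incident entities with the two REST calls described in the post.

Added example; assumptions are marked in comments.
"""
import json
import urllib.request

MGMT = "https://management.azure.com"
API_VERSION = "2019-01-01-preview"
# expansionId taken from the post.
ENTITY_EXPANSION_ID = "98b974fd-cc64-48b8-9bd0-3a209f5b944b"


def workspace_base(subscription_id, resource_group, workspace_name):
    """Common URL prefix for the SecurityInsights provider of one workspace."""
    return (f"{MGMT}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace_name}"
            f"/providers/Microsoft.SecurityInsights")


def relations_url(base, incident_id):
    """Call 1: list the relations (entity links) of an incident."""
    return f"{base}/incidents/{incident_id}/relations?api-version={API_VERSION}"


def expand_url(base, related_resource_name):
    """Call 2: expand one entity, keyed by the relatedResourceName from call 1."""
    return f"{base}/entities/{related_resource_name}/expand?api-version={API_VERSION}"


def related_resource_names(relations_response):
    """Extract relatedResourceName from each relation.

    Assumption: ARM list shape {"value": [{"properties": {...}}]}. Relations that
    carry a relatedResourceType which is not an entity (e.g. a bookmark) are skipped.
    """
    names = []
    for rel in relations_response.get("value", []):
        props = rel.get("properties", {})
        rtype = props.get("relatedResourceType", "")
        if rtype and not rtype.lower().endswith("entities"):
            continue
        name = props.get("relatedResourceName")
        if name:
            names.append(name)
    return names


def http_json(method, url, token, body=None):
    """Minimal JSON-over-HTTPS transport using only the standard library."""
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")  # ARM bearer token (assumed obtained elsewhere)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def get_incident_entities(base, incident_id, token, transport=http_json):
    """Run both calls and return the list of expanded entity responses."""
    relations = transport("GET", relations_url(base, incident_id), token)
    entities = []
    for name in related_resource_names(relations):
        expanded = transport("POST", expand_url(base, name), token,
                             {"expansionId": ENTITY_EXPANSION_ID})
        entities.append(expanded)
    return entities


def demo_transport(method, url, token, body=None):
    """Constructed offline stand-in for the real API; the payloads are made up."""
    if method == "GET":
        return {"value": [
            {"properties": {"relatedResourceName": "constructed-entity-id-1",
                            "relatedResourceType": "Microsoft.SecurityInsights/entities"}},
            {"properties": {"relatedResourceName": "constructed-bookmark-id",
                            "relatedResourceType": "Microsoft.SecurityInsights/bookmarks"}},
        ]}
    return {"entities": [{"kind": "Account", "properties": {"accountName": "constructed-user"}}]}


if __name__ == "__main__":
    base = workspace_base("##SUBSCRIPTIONID##", "##RESOURCEGROUP##", "##WORKSPACENAME##")
    for entity in get_incident_entities(base, "##INCIDENTID##", "##TOKEN##", transport=demo_transport):
        print(json.dumps(entity, indent=2))
```

To run it against a live workspace, replace the ## placeholders with your identifiers, obtain an ARM token for the management.azure.com audience, and drop the transport argument so the default urllib transport is used.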

The return of this API call will be:

Conclusion

It is possible to get Azure Sentinel incident entities out of the REST API: with two HTTP calls you can retrieve the entities of an incident.

Microsoft hasn’t documented this API, and there may well be a reason for that; for example, there may be plans to change the API in the future. Therefore, use this API with caution.

Enjoy working with entities!
— Jeroen Niesen
