
I am trying to pull the base events related to an alert in Sentinel via API, however the Graph Security API really doesn't return much. I am unable to see mapped entities or the extended properties.

I've tried using the "expand" option in the URL to expand the properties, but no luck. Honestly, I really don't see a lot of the info in the Graph API that I would normally see in a search.

Also, is there a way for me to find the base events of a search from the alert id?

https://graph.microsoft.com/v1.0/security/alerts/{alert id}?$expand=extendedproperties

https://graph.microsoft.com/v1.0/security/alerts/{alert id}?$expand=extended

https://graph.microsoft.com/v1.0/security/alerts/{alert id}?$expand=properties

https://graph.microsoft.com/v1.0/security/alerts/{alert id}?$expand=extensions


Jay
  • May I know what extended properties you are looking for? – Nishant Jun 04 '20 at 16:20
  • The extended properties field in the screenshot (from running a native search in the Log Analytics GUI) has the Analytic rule id and the query related to the security alert. I mostly want that Query field to be returned by the API. – Jay Jun 06 '20 at 04:22

1 Answer


The alert properties, including extended properties, from multiple security providers (Azure Sentinel is one of them) are mapped to a common schema in the Graph Security API. The details of the Query field in Azure Sentinel may appear under different fields in the Graph Security alert. If any of the fields aren't there, they will be added in the product roadmap as we continue enriching the alert contextual information.

Chi
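An added example (not from either poster) for checking where, if anywhere, Sentinel's extended properties landed in the mapped Graph alert, since the answer says the Query field may appear under a different field or not at all. It assumes the Graph alert uses the v1.0 alert schema field names, that the SecurityAlert ExtendedProperties column is read from Log Analytics as a JSON string, and every value below is constructed.

```python
import json

# Constructed Graph Security API alert using v1.0 alert schema field names
# (id, title, vendorInformation, sourceMaterials, userStates, description).
# All values are made up for this example.
GRAPH_ALERT = {
    "id": "EXAMPLE-GRAPH-ALERT-ID",
    "title": "Suspicious sign-in from unfamiliar location",
    "vendorInformation": {"provider": "Azure Sentinel", "vendor": "Microsoft"},
    "sourceMaterials": ["https://portal.azure.com/#EXAMPLE-LINK"],
    "userStates": [{"accountName": "alice", "userPrincipalName": "alice@example.com"}],
    "description": "Triggered by analytics rule EXAMPLE-RULE-ID",
}

# Constructed SecurityAlert.ExtendedProperties value; assumed to be a JSON string
# as returned by a Log Analytics search (values made up).
SENTINEL_EXTENDED_PROPERTIES = json.dumps({
    "Analytic Rule Ids": ["EXAMPLE-RULE-ID"],
    "Query": "SigninLogs | where ResultType == 0 | where Location !in (KnownLocations)",
    "Query Period": "PT1H",
})

def walk(node, path=""):
    """Yield (json_path, leaf_value) for every scalar in a nested JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node

def find_fields(alert, needle):
    """Paths in the Graph alert whose key name or string value contains needle."""
    needle = needle.lower()
    return [path for path, value in walk(alert)
            if needle in path.lower() or (isinstance(value, str) and needle in value.lower())]

def unmapped_properties(extended_properties_json, alert):
    """Sentinel extended property keys whose values appear nowhere in the Graph alert."""
    props = json.loads(extended_properties_json)
    graph_leaves = [str(v) for _, v in walk(alert)]
    def found(value):
        return any(str(value) in leaf for leaf in graph_leaves)
    return sorted(key for key, value in props.items()
                  if not any(found(v) for _, v in walk(value)))

if __name__ == "__main__":
    print("fields mentioning 'query':", find_fields(GRAPH_ALERT, "query"))
    print("not mapped:", unmapped_properties(SENTINEL_EXTENDED_PROPERTIES, GRAPH_ALERT))
```

Run the same two checks against a real alert pulled from `/v1.0/security/alerts/{alert id}` and the matching SecurityAlert row to see which of your extended properties survived the mapping.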