List Incident Entities

5 min

description retrieve all entities related to a specific incident in microsoft azure sentinel, requiring subscriptionid, resourcegroupname, workspacename, and incidentid endpoint url /subscriptions/{{subscriptionid}}/resourcegroups/{{resourcegroupname}}/providers/microsoft operationalinsights/workspaces/{{workspacename}}/providers/microsoft securityinsights/incidents/{{incidentid}}/entities method post inputs path parameters (object) – required path parameters subscriptionid (string) – required the id of the target subscription resourcegroupname (string) – required the name of the resource group the name is case insensitive workspacename (string) – required the name of the workspace regex pattern ^\[a za z0 9]\[a za z0 9 ]+\[a za z0 9]$ incidentid (string) – required incident id parameters (object) – required url query parameters api version (string) – required the api version to use for this action output example \[ { "status code" 200, "response headers" { "cache control" "no cache", "pragma" "no cache", "transfer encoding" "chunked", "content type" "application/json; charset=utf 8", "content encoding" "gzip", "expires" " 1", "vary" "accept encoding", "server" "kestrel", "x ms ratelimit remaining subscription resource requests" "499", "x ms request id" "48c22610 cfa7 4ba0 9315 fd8bbd2aadba", "x ms correlation request id" "48c22610 cfa7 4ba0 9315 fd8bbd2aadba", "x ms routing request id" "southindia 20230729t122235z 48c22610 cfa7 4ba0 9315 fd8bbd2aadba", "strict transport security" "max age=31536000; includesubdomains", "x content type options" "nosniff", "date" "sat, 29 jul 2023 12 22 34 gmt" }, "reason" "ok", "json body" { "entities" \[ { "id" "/subscriptions/d0cfe6b2 9ac0 4464 9919 dccaee2e48c0/resourcegroups/myrg/providers/microsoft operationalinsights/workspaces/myworkspace/providers/microsoft securityinsights/entities/e1d3d618 e11f 478b 98e3 bb381539a8e1", "name" "e1d3d618 e11f 478b 98e3 bb381539a8e1", "type" "microsoft securityinsights/entities", "kind" "account", "properties" { "friendlyname" "administrator", "accountname" "administrator", "ntdomain" "domain" } } ], "metadata" \[ { "entitykind" "account", "count" 1 } ] } } ] output parameters status code (number) reason (string) json body (object) entities (array) id (string) name (string) type (string) kind (string) properties (object) friendlyname (string) accountname (string) ntdomain (string) metadata (array) entitykind (string) count (number) response headers header type cache control string pragma string transfer encoding string content type string content encoding string expires string vary string server string x ms ratelimit remaining subscription resource requests string x ms request id string x ms correlation request id string x ms routing request id string strict transport security string x content type options string date string

List Incident Comments

List Incidents