Microsoft has stated that they will be releasing the official version of the Azure
Sentinel APIs “soon”. While they may not be official, the APIs
are publishing on GitHub and, as far as I can tell, seem to be working
perfectly well. This post will introduce you to the APIs and how to use
them using PowerShell.
Why PowerShell you ask? Well, it is quite easy to use and is easily
translatable into other languages. Also, it is built upon .NET
technologies so it can use .NET based objects and you don’t need to
compile it so it is easy to make changes. Also, IMHO, it is quite cool
but that is another story
First, you need to get the APIs. To get them, go to
A couple of things to note about this link.
- It has “preview” in it a couple of times so things may change before the official release.
- It has “Microsoft.SecurityInsights” in the path. Azure Sentinel used to be called Security Insights and, like a lot of other things Microsoft related, the name has stuck with the URL. I don’t expect that to change even with the official release since there is a lot of code that uses these APIs already.
When you go to the site, there will be two entries. At least
there were two entries when this post was written. There could be more
The “examples” folder has a lot of example outputs from calling the various
parts of the API. This is quite useful for figuring out how to make the
calls and what data to expect back.
The “SecurityInsights.json” file contains all the API call
information. There is a lot of information in it so I suggest using
something like VSCode to look at it so you can show and hide various parts.
It is worth mentioning that the people at Wortell have used these APIs to create a
number of excellent PowerShell commands that you can already use as is or as a
basis for your own code. These can be found at https://github.com/wortell/AZSentinel
In the next posts I will look at how to use the various entries in the API to
add/edit/delete/list information from Azure Sentine