Skip to content

Commit 942f66a

Browse files
batamigbatamig
committed
adding ed's comments
1 parent a10f6a5 commit 942f66a

File tree

1 file changed

+10
-26
lines changed

1 file changed

+10
-26
lines changed

articles/sentinel/move-to-defender.md

Lines changed: 10 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -150,35 +150,19 @@ For more information, see [Automation in the Microsoft Defender portal](/azure/s
150150

151151
The unified experience in the Defender portal introduces notable changes to incidents and alerts from APIs. It supports API calls based on the [Microsoft Graph REST API v1.0](/graph/api/resources/security-api-overview?view=graph-rest-1.0), which can be used for automation related to alerts, incidents, advanced hunting, and more.
152152

153-
The [Microsoft Sentinel `SecurityInsights` API](/rest/api/securityinsights/api-versions) continues to support actions against Microsoft Sentinel resources, like analytics rules, automation rules and more. For interacting with unified incidents and alerts, we recommend that you use the Microsoft Graph REST API.
154-
155-
For example, when using an HTTP GET command for a specific unified incident with the Microsoft Graph REST API, the body response has the following differences:
156-
157-
- The `incidentWebUrl` field provides the direct link to the incident, which can be used to synchronize this information with a third-party ticketing system like ServiceNow.
158-
159-
- If the response doesn't contain the `alertProductNames` array, retrieve it by updating the initial HTTP GET command to add `?$expand=alerts` after the GET command. For example: `https://graph.microsoft.com/v1.0/security/incidents/368?$expand=alerts`
160-
161-
If you're using the Microsoft Sentinel `SecurityInsights` API to interact with Microsoft Sentinel incidents, you may need to update your automation conditions and trigger criteria due to changes in the response body.
153+
The [Microsoft Sentinel API](/rest/api/securityinsights/api-versions) continues to support actions against Microsoft Sentinel resources, like analytics rules, automation rules and more. For interacting with unified incidents and alerts, we recommend that you use the Microsoft Graph REST API.
154+
If you're using the Microsoft Sentinel `SecurityInsights` API to interact with Microsoft Sentinel incidents, you may need to update your automation conditions and trigger criteria due to changes in the response body. The following fields are important in the response snippets:
162155

163156
The following table lists fields that are important in the response snippets, and compares them across the Azure and Defender portals:
164157

165-
|Functionality | Azure portal |Defender portal |
166-
|---------|---------|---------|
167-
|The source that triggered the detection and published the alert | `alertProductNames` | `productName` |
168-
|Link to the incident | `incidentUrl`, links to the incident in Microsoft Sentinel in the Azure portal | `providerIncidentUrl`, links to the incident in the Defender portal |
169-
|The name of the alert provider | `providerName` | `providerName` always shows as `Microsoft XDR` |
170-
171-
<!--is this microsoft xdr or microsoft defender xdr? check with ed-->
172-
173-
The following table lists all elements that are added or changed in the Microsoft Sentinel `SecurityInsights` API after onboarding your workspace to the Defender portal:
174-
175-
| Field | Change Description |
176-
|----------------------|----------|
177-
| `detectionSource` | Added. The detection technology or sensor that identified the notable component or activity. |
178-
| `productName` | Added. The name of the product that published this alert. |
179-
| `providerIncidentUrl`| Added. Provides the direct URL to the incident in the unified portal. |
180-
| `providerName` | Updated. The providerName field value has been changed from *"Azure Sentinel"* to *"Microsoft XDR"*. |
181-
| `serviceSource` | Added. The service or product that created the alert. |
158+
| Functionality | Azure portal | Defender portal |
159+
|----------------|--------------|----------------|
160+
| Link to the incident| `incidentUrl`: The direct URL to the incident in the Microsoft Sentinel portal | `providerIncidentUrl` : This additional field provides a direct link to the incident, which can be used to synchronize this information with a third-party ticketing system like ServiceNow. `incidentUrl` is still available, but it points to the Microsoft Sentinel portal. |
161+
| The sources that triggered the detection and published the alert | `alertProductNames` | `alertProductNames`: Requires adding `?$expand=alerts` to the GET. For example, `https://graph.microsoft.com/v1.0/security/incidents/368?$expand=alerts`|
162+
| The name of the alert provider| `providerName` = "Azure Sentinel" | `providerName` = "Microsoft XDR" |
163+
| The service or product that created the alert | |`serviceSource` For example, "microsoftDefenderForCloudApps" |
164+
| The detection technology or sensor that identified the notable component or activity | | `detectionSource` For example, "cloudAppSecurity"|
165+
| The name of the product which published this alert. | |`productName` For example, "Microsoft Defender for Cloud Apps" |
182166

183167
## Run operations in the Defender portal
184168

0 commit comments

Comments
 (0)