Forum Discussion

Kristof
Copper Contributor
Dec 02, 2024

Pending actions notification via KQL / Graph API

Hello,

I'm looking for a way to get notifications when an investigation is in Pending Approval state. I have tried searching the logs in Defender and Sentinel and have tried finding a graph request that could get this information, but no luck.

Is this something that exists? 

Thank you for any help regarding this topic.

Kristof

  • DylanInfosec
    Iron Contributor

    Hey Kristof,

    I believe I know what you're talking about and it seems like the API endpoint you'd want to hit is here: https://learn.microsoft.com/en-us/defender-endpoint/api/investigation


    Have a script that retrieves a list of investigations, filters for "PendingApproval", and pipes those investigation IDs into a loop or something to Start investigation. I don't see a built-in function for alerting on this state for an investigation, but we can quickly create a Logic App to do this for us.

    Or, as seen in this thread ( https://www.reddit.com/r/DefenderATP/comments/192zinv/notifications_for_pending_actions/ ), we can create an alert in Sentinel and then trigger an automation rule. There's already a Playbook Template for you to use, "Send basic email", which can be installed via the Content Hub in the resource "SentinelSOARessentials".

    1. Create a Sentinel analytic rule that alerts on PendingApproval with the query provided by the good folks on Reddit
    2. Create a playbook from the template to send an email
    3. Create an automation rule to run the playbook when that particular Analytics rule is triggered

    Hopefully this helps. If you need any help building any of this out or exploring other ideas I'd be happy to provide some guidance. Let me know.


    Best regards,

    Dylan
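Added example (my own, not Dylan's script and not Microsoft's code) of the "list investigations, filter for PendingApproval, notify" step in Python. It assumes the List investigations endpoint from the docs Dylan linked (`GET https://api.securitycenter.microsoft.com/api/investigations`, OData `$filter` on `state` and `startTime`, records carrying `id`, `state`, `computerDnsName`, `triggeringAlertId`, `startTime`), and that a bearer token for the Defender API is obtained elsewhere. The sample records are constructed so the filtering and message formatting run offline; only `fetch_investigations` touches the network.

```python
"""Poll Defender for Endpoint investigations and report the ones pending approval.

Added example, not code from the thread or from Microsoft. Assumptions:
  * List investigations endpoint and field names as documented at
    https://learn.microsoft.com/en-us/defender-endpoint/api/investigation
  * a valid bearer token is acquired elsewhere (passed in as `token`)
  * SAMPLE_RECORDS below are constructed test data, not real investigations
"""
import json
import urllib.parse
import urllib.request
from typing import Dict, Iterable, List, Optional

API_BASE = "https://api.securitycenter.microsoft.com/api"
PENDING_STATE = "PendingApproval"


def pending_filter_url(since_iso: Optional[str] = None) -> str:
    """Build the List-investigations URL with a server-side OData filter.

    Filtering on the server keeps the response small; `since_iso` (an ISO-8601
    UTC timestamp) optionally restricts to investigations started after it.
    """
    clauses = [f"state eq '{PENDING_STATE}'"]
    if since_iso:
        clauses.append(f"startTime gt {since_iso}")
    query = urllib.parse.urlencode({"$filter": " and ".join(clauses)})
    return f"{API_BASE}/investigations?{query}"


def fetch_investigations(token: str, url: str) -> List[Dict]:
    """Call the API with a bearer token and return the `value` array.

    Network call; not exercised by the offline sample run below.
    """
    req = urllib.request.Request(
        url,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("value", [])


def pending_investigations(records: Iterable[Dict]) -> List[Dict]:
    """Client-side filter: keep only records whose state is PendingApproval.

    Useful when the caller already holds the full list (e.g. inside a Logic App
    run) or wants to double-check the server-side filter.
    """
    return [r for r in records if r.get("state") == PENDING_STATE]


def format_notification(pending: List[Dict]) -> str:
    """Render a short summary suitable for an email body or Teams message."""
    if not pending:
        return "No investigations are pending approval."
    lines = [f"{len(pending)} investigation(s) pending approval:"]
    for r in pending:
        lines.append(
            f"- id={r.get('id')} host={r.get('computerDnsName')} "
            f"alert={r.get('triggeringAlertId')} started={r.get('startTime')}"
        )
    return "\n".join(lines)


# Constructed sample records mimicking the API result shape (not real data).
SAMPLE_RECORDS = [
    {"id": "1001", "state": "PendingApproval", "computerDnsName": "ws01.example.test",
     "triggeringAlertId": "da-alert-0001", "startTime": "2024-12-01T10:00:00Z"},
    {"id": "1002", "state": "Running", "computerDnsName": "ws02.example.test",
     "triggeringAlertId": "da-alert-0002", "startTime": "2024-12-01T11:00:00Z"},
    {"id": "1003", "state": "PendingApproval", "computerDnsName": "srv01.example.test",
     "triggeringAlertId": "da-alert-0003", "startTime": "2024-12-02T08:30:00Z"},
]


if __name__ == "__main__":
    # Live use: records = fetch_investigations(token, pending_filter_url(last_run))
    print(pending_filter_url("2024-12-01T00:00:00Z"))
    print(format_notification(pending_investigations(SAMPLE_RECORDS)))
```

Run it on a schedule (Logic App recurrence, Automation Account, cron) and keep the timestamp of the last run as `since_iso` so each run only reports investigations that entered the queue since then; the client-side filter is there so a record that changed state between the server query and the notification is not reported twice.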

    • Kristof
      Copper Contributor

      Hi DylanInfosec,

      Thank you for taking the time to respond! 

      I'll have a look at the investigation API.

      I also saw the Reddit post, but when I ran the query, or variations of it, it didn't produce results.

      I had a check and there isn't a Status property in my ExtendedProperties in my SecurityAlert table, so no luck there. Also no other property indicating something similar. So no luck there.

      I can move on with the API.

      Thx!


      Br,

      Kristof