Using SOC optimizations programmatically (Preview)

• Gilt für:

  Microsoft Sentinel in the Microsoft Defender portal, Microsoft Sentinel in the Azure portal

Use the Microsoft Sentinel recommendations API to programmatically interact with SOC optimization recommendations, helping you to close coverage gaps against specific threats and tighten ingestion rates. You can get details about all current recommendations across your workspaces or a specific SOC optimization recommendation, or you can reevaluate a recommendation if you've made changes in your environment.

For example, use the recommendations API to:

• Build custom reports and dashboards. For example, see Visualize custom SOC optimization data.
• Integrate with third-party tools, such as for SOAR and ITSM services
• Get automated, real-time access to SOC optimization data, triggering evaluations and responding promptly to the suggestions

For customers or MSSPs managing multiple environments, the recommendations API provides a scalable way to handle recommendations across multiple workspaces. You can also export data from the API and store it externally for audit, archiving, or tracking trends.

Important

Microsoft Sentinel is available as part of the unified security operations platform in the Microsoft Defender portal. Microsoft Sentinel in the Defender portal is now supported for production use. For more information, see Microsoft Sentinel in the Microsoft Defender portal.

The recommendations API is in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Get, update, or reevaluate recommendations

Use the following examples of the recommendations API to interact with SOC optimization recommendations programmatically:

• Get a list of all current SOC optimization recommendations in your workspace:

  GET /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/recommendations 
  

• Get a specific recommendation by recommendation ID:

  GET /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/recommendations/{recommendationId} 
  

  Find a recommendation's ID value by first getting a list of all recommendations in your workspace.

• Update a recommendation's status to Active, In Progress, Completed, Dismissed, or Reactivate:

  PATCH /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/recommendations/{recommendationId} 
  

• Manually trigger an evaluation for a specific recommendation:

  POST /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/recommendations/{recommendationId} /triggerEvaluation 
  

Visualize custom SOC optimization data

The Microsoft Sentinel Optimization Workbook uses the recommendations API to visualize SOC optimization data. Install and customize the workbook in your workspace to create your own custom SOC optimization dashboard.

In the Microsoft Sentinel Optimization Workbooks, select the SOC Optimization tab and expand the items under Details to drill down into to view SOC optimization data. Edit the workbook to modify the data shown as needed for your organization.

For example:

For more information, see:

• Discover and manage Microsoft Sentinel out-of-the-box content
• Visualize and monitor your data by using workbooks in Microsoft Sentinel.

Related content

For more information, see:

• Optimize your security operations
• SOC optimization reference of recommendations
• Blogs: Introducing the SOC Optimization API | Unlock the power of precision-driven security management