Get entities for every alert that a Sentinel Incident has with the REST API
Hi everyone,
I want to try to follow up on this discussion – https://techcommunity.microsoft.com/t5/microsoft-sentinel/get-entities-for-a-sentinel-incidient-by-api/m-p/1422643
We are using the “expansionId” recommended in that post to fetch entities for specific alerts, because, as per the documentation, the Sentinel Incidents API returns a “summed” list of entities for Incidents (all entities from all alerts that are part of the same Incident).
This is the expansion id we use for alert related entities: “98b974fd-cc64-48b8-9bd0-3a209f5b944b”
I wanted to check, are there any updates regarding this “expansionId” option since?
How safe is it to still use the expansion IDs, and the alert’s entities in particular?
Also, maybe there is a better way now to fetch entities for each alert in an Incident via the Sentinel REST API?
Thanks in advance!