Using SOC optimizations programmatically (Preview)

Use the Microsoft Sentinel recommendations API to programmatically interact with SOC optimization recommendations, helping you to close coverage gaps against specific threats and tighten ingestion rates. You can get details about all current recommendations across your workspaces or a specific SOC optimization recommendation, or you can reevaluate a recommendation if you've made changes in your environment.

For example, use the recommendations API to:

  • Build custom reports and dashboards. For example, see Visualize custom SOC optimization data.
  • Integrate with third-party tools, such as for SOAR and ITSM services
  • Get automated, real-time access to SOC optimization data, triggering evaluations and responding promptly to the suggestions

For customers or MSSPs managing multiple environments, the recommendations API provides a scalable way to handle recommendations across multiple workspaces. You can also export data from the API and store it externally for audit, archiving, or tracking trends.

Important

Microsoft Sentinel is now generally available within the Microsoft unified security operations platform in the Microsoft Defender portal. For more information, see Microsoft Sentinel in the Microsoft Defender portal.

The recommendations API is in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Get, update, or reevaluate recommendations

Use the following examples of the recommendations API to interact with SOC optimization recommendations programmatically:

  • Get a list of all current SOC optimization recommendations in your workspace:

    GET /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/recommendations 
    
  • Get a specific recommendation by recommendation ID:

    GET /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/recommendations/{recommendationId} 
    

    Find a recommendation's ID value by first getting a list of all recommendations in your workspace.

  • Update a recommendation's status to Active, In Progress, Completed, Dismissed, or Reactivate:

    PATCH /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/recommendations/{recommendationId} 
    
  • Manually trigger an evaluation for a specific recommendation:

    POST /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/recommendations/{recommendationId} /triggerEvaluation 
    

Visualize custom SOC optimization data

The Microsoft Sentinel Optimization Workbook uses the recommendations API to visualize SOC optimization data. Install and customize the workbook in your workspace to create your own custom SOC optimization dashboard.

In the Microsoft Sentinel Optimization Workbooks, select the SOC Optimization tab and expand the items under Details to drill down into to view SOC optimization data. Edit the workbook to modify the data shown as needed for your organization.

For example:

Screenshot of the Microsoft Sentinel Optimization Workbook.

For more information, see:

For more information, see: