Use the Microsoft Sentinel recommendations API to programmatically interact with SOC optimization recommendations, helping you to close coverage gaps against specific threats and tighten ingestion rates. You can get details about all current recommendations across your workspaces or about a specific SOC optimization recommendation, or you can reevaluate a recommendation if you've made changes in your environment.
For example, use the recommendations API to:
- Build custom reports and dashboards. For example, see Visualize custom SOC optimization data.
- Integrate with third-party tools, such as for SOAR and ITSM services
- Get automated, real-time access to SOC optimization data, triggering evaluations and responding promptly to the suggestions
For customers or MSSPs managing multiple environments, the recommendations API provides a scalable way to handle recommendations across multiple workspaces. You can also export data from the API and store it externally for audit, archiving, or tracking trends.
Important
Starting in July 2026, all customers using Microsoft Sentinel in the Azure portal will be redirected to the Defender portal and will use Microsoft Sentinel in the Defender portal only. Starting in July 2025, many new users are also automatically onboarded and redirected from the Azure portal to the Defender portal. If you're still using Microsoft Sentinel in the Azure portal, we recommend that you start planning your transition to the Defender portal to ensure a smooth transition and take full advantage of the unified security operations experience offered by Microsoft Defender. For more information, see It’s Time to Move: Retiring Microsoft Sentinel’s Azure portal for greater security.
The recommendations API is in PREVIEW and uses version 2024-01-01-preview or later. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Get, update, or reevaluate recommendations
Use the following examples of the recommendations API to interact with SOC optimization recommendations programmatically:
Get a list of all current SOC optimization recommendations in your workspace:
GET /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/recommendations?api-version=2024-01-01-preview
Get a specific recommendation by recommendation ID:
GET /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/recommendations/{recommendationId}
Find a recommendation's ID value by first getting a list of all recommendations in your workspace.
Update a recommendation's status to Active, In Progress, Completed, Dismissed, or Reactivate:
PATCH /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/recommendations/{recommendationId}
Manually trigger an evaluation for a specific recommendation:
POST /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/recommendations/{recommendationId}/triggerEvaluation
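The following script is an added example, not code from Microsoft or from the Sentinel documentation. It builds the request paths listed above (with the mandatory api-version query string), walks a paged list response, and plans a triggerEvaluation call for every recommendation that is still Active. The HTTP layer is injected so it runs offline against constructed sample pages; the `value`/`nextLink` paging fields follow the usual Azure Resource Manager convention, and the `properties.state` field name and its values are assumptions to check against your own workspace's response.

```python
"""Plan follow-up calls against the Microsoft Sentinel recommendations API.
Added example (not Microsoft's code). Field names under "properties" are assumed."""
from urllib.parse import urlencode

API_VERSION = "2024-01-01-preview"  # preview API version named on the page
BASE = ("/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.OperationalInsights"
        "/workspaces/{ws}/providers/Microsoft.SecurityInsights/recommendations")


def recommendations_url(sub, rg, ws, rec_id=None, action=None):
    """Build the resource path; every ARM call needs api-version in the query string."""
    path = BASE.format(sub=sub, rg=rg, ws=ws)
    if rec_id:
        path += f"/{rec_id}"
    if action:
        path += f"/{action}"  # e.g. triggerEvaluation
    return f"{path}?{urlencode({'api-version': API_VERSION})}"


def list_all(fetch, url):
    """Follow ARM paging: each page carries 'value' and, if more remain, 'nextLink'."""
    items = []
    while url:
        page = fetch(url)
        items.extend(page.get("value", []))
        url = page.get("nextLink")
    return items


def plan_followups(recs, sub, rg, ws):
    """Return (method, url) pairs that re-evaluate recommendations still marked Active."""
    plan = []
    for rec in recs:
        state = rec.get("properties", {}).get("state")  # assumed property name
        if state == "Active":
            plan.append(("POST", recommendations_url(sub, rg, ws, rec["name"], "triggerEvaluation")))
    return plan


# Constructed sample pages standing in for two responses of the GET list call.
SAMPLE_PAGES = {
    "page1": {"value": [{"name": "rec-1", "properties": {"state": "Active", "title": "Coverage gap"}}],
              "nextLink": "page2"},
    "page2": {"value": [{"name": "rec-2", "properties": {"state": "Completed", "title": "Ingestion"}}]},
}


def fake_fetch(url):
    """Offline stand-in for an authenticated GET (replace with a real client plus bearer token)."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    for method, url in plan_followups(list_all(fake_fetch, "page1"), "<sub>", "<rg>", "<ws>"):
        print(method, url)
```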
Visualize custom SOC optimization data
The Microsoft Sentinel Optimization Workbook uses the recommendations API to visualize SOC optimization data. Install and customize the workbook in your workspace to create your own custom SOC optimization dashboard.
In the Microsoft Sentinel Optimization Workbook, select the SOC Optimization tab and expand the items under Details to drill down into the SOC optimization data. Edit the workbook to modify the data shown as needed for your organization.
For more information, see:
- Discover and manage Microsoft Sentinel out-of-the-box content
- Visualize and monitor your data by using workbooks in Microsoft Sentinel.
Related content
For more information, see: