Microsoft Sentinel (Preview)
Cloud-native SIEM with a built-in AI so you can focus on what matters most
This connector is available in the following products and regions:
Service | Class | Regions |
---|---|---|
Logic Apps | Standard | All Logic Apps regions |
Contact | |
---|---|
Name | Microsoft |
URL | Microsoft LogicApps Support |
Connector Metadata | |
---|---|
Publisher | Microsoft |
Website | https://azure.microsoft.com/services/azure-sentinel/ |
Microsoft Sentinel Connector
Connector in depth
Learn more about how to use this connector:
- Authenticate playbooks to Azure Sentinel
- Use triggers and actions in playbooks
- Tutorial: Use playbooks with automation rules in Microsoft Sentinel
Authentication
Triggers and actions in the Microsoft Sentinel connector can operate on behalf of any identity that has the necessary permissions (read and/or write) on the relevant workspace. The connector supports multiple identity types:
- Managed identity (preview)
- Microsoft Entra ID user
- Service principal (Microsoft Entra ID application)
Permissions required
Roles / Connector components | Triggers | "Get" actions | Update incident, add a comment |
---|---|---|---|
Microsoft Sentinel Reader | ✓ | ✓ | ✗ |
Microsoft Sentinel Responder/Contributor | ✓ | ✓ | ✓ |
Learn more about permissions in Microsoft Sentinel.
Learn how to use the different authentication options.
Known issues and limitations
Cannot trigger a Logic App called by a Microsoft Sentinel trigger using the "Run Trigger" button
A user cannot use the Run trigger button on the Overview blade of the Logic Apps service to trigger a Microsoft Sentinel playbook.
Azure Logic Apps are triggered by a POST REST call, whose body is the input for the trigger. Logic Apps that start with Microsoft Sentinel triggers expect to see the content of a Microsoft Sentinel alert or incident in the body of the call. When the call comes from the Logic Apps Overview blade, the body of the call is empty, and therefore an error is generated.
These are the only proper ways to trigger Microsoft Sentinel playbooks:
- Manual trigger in Microsoft Sentinel
- Automated response of an analytics rule (directly or through an automation rule) in Microsoft Sentinel
- Use "Resubmit" button in an existing Logic Apps run blade
- Call the Logic Apps endpoint directly (attaching an alert/incident as the body)
Updating the same incident in parallel For each loops
For each loops are set by default to run in parallel, but can be easily set to run sequentially. If a for each loop might update the same Microsoft Sentinel incident in separate iterations, it should be configured to run sequentially.
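As an added illustration of the sequential For each rule above (example code, not from the connector documentation): a small Python lint that walks a Logic Apps workflow definition and flags Foreach loops that contain an incident-writing connector action but still run with the default parallel concurrency, plus the one-line fix. The workflow JSON is constructed; the action keys assume the designer's naming of the connector actions, and sequential execution is expressed with the Foreach action's runtimeConfiguration.concurrency.repetitions setting.

```python
"""Lint a Logic Apps workflow definition for For each loops that can update
the same Microsoft Sentinel incident from parallel iterations.

Added example, not part of the connector documentation. The workflow JSON is
constructed for illustration: action keys mirror how the designer names the
connector's "Update incident" / "Add comment to incident (V3)" actions, and
sequential execution is expressed with the Foreach action's standard
runtimeConfiguration.concurrency.repetitions = 1 setting.
"""
import copy
import re
from typing import Iterator

# Action keys (designer display names with spaces replaced by underscores) of
# the connector actions that write to an incident.
MUTATING_ACTION = re.compile(
    r"^(Update_incident|Add_comment_to_incident|Add_task_to_incident|"
    r"Add_alert_to_incident|Remove_alert_from_incident|Change_incident)",
    re.IGNORECASE,
)

# Constructed sample: one loop writes to the incident in parallel (the problem
# the docs warn about), one is already sequential, one only sends email.
SAMPLE_WORKFLOW = {
    "definition": {
        "triggers": {"Microsoft_Sentinel_incident": {"type": "ApiConnectionWebhook"}},
        "actions": {
            "For_each_alert": {
                "type": "Foreach",
                # Illustrative expression; the property path is an assumption.
                "foreach": "@triggerBody()?['object']?['properties']?['Alerts']",
                "actions": {
                    "Add_comment_to_incident_(V3)": {
                        "type": "ApiConnection",
                        "inputs": {"method": "post", "body": {
                            "incidentArmId": "@triggerBody()?['object']?['id']",
                            "message": "Alert @{items('For_each_alert')?['name']} reviewed"}},
                    }
                },
                "runAfter": {},
            },
            "For_each_entity": {
                "type": "Foreach",
                "foreach": "@triggerBody()?['object']?['properties']?['relatedEntities']",
                "actions": {"Update_incident": {"type": "ApiConnection"}},
                "runAfter": {},
                "runtimeConfiguration": {"concurrency": {"repetitions": 1}},
            },
            "For_each_owner": {
                "type": "Foreach",
                "foreach": "@variables('owners')",
                "actions": {"Send_an_email": {"type": "ApiConnection"}},
                "runAfter": {},
            },
        },
    }
}


def is_sequential(foreach_action: dict) -> bool:
    """True when the loop's degree of parallelism is 1 (or the legacy
    operationOptions flag is 'Sequential'); Foreach defaults to parallel."""
    concurrency = foreach_action.get("runtimeConfiguration", {}).get("concurrency", {})
    if concurrency.get("repetitions") == 1:
        return True
    return str(foreach_action.get("operationOptions", "")).lower() == "sequential"


def iter_actions(actions: dict, prefix: str = "") -> Iterator[tuple[str, dict]]:
    """Yield (path, action) for every action, descending into Foreach, Scope,
    Until and both branches of If."""
    for name, action in actions.items():
        path = f"{prefix}/{name}" if prefix else name
        yield path, action
        yield from iter_actions(action.get("actions", {}), path)
        yield from iter_actions(action.get("else", {}).get("actions", {}), path)


def find_parallel_incident_updates(workflow: dict) -> list[str]:
    """Paths of Foreach loops that contain an incident-mutating action but are
    not configured to run sequentially."""
    definition = workflow.get("definition", workflow)
    findings = []
    for path, action in iter_actions(definition.get("actions", {})):
        if action.get("type") != "Foreach" or is_sequential(action):
            continue
        if any(MUTATING_ACTION.match(p.rsplit("/", 1)[-1])
               for p, _ in iter_actions(action.get("actions", {}))):
            findings.append(path)
    return findings


def make_sequential(foreach_action: dict) -> dict:
    """Return a copy of the loop with concurrency fixed at one iteration at a
    time, which is what the connector docs ask for."""
    fixed = copy.deepcopy(foreach_action)
    fixed.setdefault("runtimeConfiguration", {})["concurrency"] = {"repetitions": 1}
    return fixed


if __name__ == "__main__":
    for loop in find_parallel_incident_updates(SAMPLE_WORKFLOW):
        print(f"{loop}: writes to an incident from parallel iterations; set repetitions=1")
```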
Restoring an alert's original query is currently not supported via Logic Apps
Usage of the Azure Monitor Logs connector to retrieve the events captured by the scheduled alert analytics rule is not consistently reliable.
- Azure Monitor Logs do not support the definition of a custom time range. Restoring the exact same query results requires defining the exact same time range as in the original query.
- Alerts may be delayed in appearing in the Log Analytics workspace after the rule triggers the playbook.
Available resources
Microsoft Sentinel docs
- Advance automation with playbooks
- Tutorial: Use playbooks with automation rules in Microsoft Sentinel
- Authenticate playbooks to Microsoft Sentinel
- Use triggers and actions in playbooks
Microsoft Sentinel References
Azure Logic Apps
Creating a connection
The connector supports the following authentication types:
Default | Parameters for creating connection. | All regions | Not shareable |
Default
Applicable: All regions
Parameters for creating connection.
This is not a shareable connection. If the power app is shared with another user, that user will be prompted to create a new connection explicitly.
Throttling Limits
Name | Calls | Renewal Period |
---|---|---|
API calls per connection | 600 | 60 seconds |
Actions
Action | Description |
---|---|
Add alert to incident | Add an alert to an existing incident. The alert joins the incident as any other alert and will be shown in portal. |
Add comment to incident (V2) | Adds comment to selected incident |
Add comment to incident (V3) | Adds comment to selected incident |
Add comment to incident [DEPRECATED] | This action has been deprecated. Please use Add comment to incident (V3) instead. |
Add labels to incident (deprecated) [DEPRECATED] | Adds labels to selected incident |
Add task to incident | Adds a task to an existing incident |
Alert - Get incident | Returns the incident associated with selected alert |
Alert - Get incident | Returns the incident associated with selected alert |
ASI trigger unsubscribe [DEPRECATED] | Unsubscribe |
Bookmarks (V2) - Create a new bookmark (json input) (Preview) | Bookmarks (V2) - Create a valid new bookmark (json). |
Bookmarks (V3) - Creates new bookmark with separate fields (Preview) | Bookmarks (V3) - Create a new bookmark. |
Bookmarks - Creates new bookmark (Preview) | Bookmarks - Creates a new bookmark. |
Bookmarks - Delete a bookmark | Bookmarks - Delete a bookmark |
Bookmarks - Get a bookmark | Bookmarks - Get a bookmark by Id |
Bookmarks - Get all bookmarks | Bookmarks - Get all bookmarks for a given workspace |
Change incident description (V2) (deprecated) [DEPRECATED] | Changes description of selected incident |
Change incident description [DEPRECATED] | Changes description of selected incident |
Change incident severity (deprecated) [DEPRECATED] | Changes severity of selected incident |
Change incident status (deprecated) [DEPRECATED] | Changes status of selected incident |
Change incident title (V2) (deprecated) [DEPRECATED] | Changes title of selected incident |
Change incident title [DEPRECATED] | Changes title of selected incident |
Create incident | Create incident with provided fields |
Entities - Get Accounts | Returns list of accounts associated with the alert |
Entities - Get DNS | Returns list of DNS records associated with the alert |
Entities - Get File | Returns list of File Hashes associated with the alert |
Entities - Get Hosts | Returns list of hosts associated with the alert |
Entities - Get IPs | Returns list of IPs associated with the alert |
Entities - Get URLs | Returns list of URLs associated with the alert |
Get incident | Get an incident by ARM ID |
Mark a task as completed | Mark a task as completed |
Remove alert from incident | Remove an alert from an existing incident. |
Remove labels from incident (deprecated) [DEPRECATED] | Removes labels from selected incident |
Threat Intelligence - Upload Indicators of Compromise (Deprecated) | Threat Intelligence - Upload Indicators of Compromise |
Threat Intelligence - Upload Indicators of Compromise (V2) (Preview) | Upload indicators in bulk using the Threat Intelligence Upload Indicators API. |
Threat Intelligence - Upload STIX Objects (Preview) | Upload STIX Objects in bulk using the Threat Intelligence Upload API. |
Update incident | Update incident with provided fields |
Watchlists - Add a new Watchlist Item | Watchlists - Add a new Watchlist Item |
Watchlists - Create a large Watchlist using a SAS Uri | Watchlists - Create a large Watchlist using a SAS Uri |
Watchlists - Create a new Watchlist with data (Raw Content) | Watchlists - Create a new Watchlist with data (Raw Content) |
Watchlists - Delete a Watchlist | Watchlists - Delete a Watchlist |
Watchlists - Delete a Watchlist Item | Watchlists - Delete a Watchlist Item |
Watchlists - Get a Watchlist by alias | Watchlists - Get a Watchlist by alias |
Watchlists - Get a Watchlist Item by ID (guid) | Watchlists - Get a Watchlist Item |
Watchlists - Get all Watchlist Items for a given watchlist | Watchlists - Get all Watchlist Items for a given watchlist |
Watchlists - Get all Watchlist Items for a given Watchlist (V2) | Watchlists - Get all Watchlist Items for a given Watchlist (V2) |
Watchlists - Update an existing Watchlist Item | Watchlists - Update an existing Watchlist Item |
Add alert to incident
Add an alert to an existing incident. The alert joins the incident as any other alert and will be shown in portal.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Incident ARM Id | incidentArmId | True | string | Incident ARM ID. Retrieve from Incident trigger, Alert - Get incident action or Azure Monitor Logs query. |
System Alert Id | relatedResourceId | True | string | System alert ID which will be added / removed to / from the incident. Retrieve from Azure Monitor Logs query or Alert Trigger. For example: dfc09ba0-c218-038d-2ad8-b198a0033bdb. |
Returns
Represents an incident relation
- Body
- IncidentRelation
Add comment to incident (V2)
Adds comment to selected incident
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Identifier | identifier | True | string | Incident / alert |
Specify alert / incident | id | True | string | Please provide the incident number / alert id |
Specify comment | Value | True | string | Comment value |
Returns
- response
- string
Add comment to incident (V3)
Adds comment to selected incident
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Incident ARM id | incidentArmId | True | string | Incident ARM id |
Incident comment message | message | True | html | Incident comment message |
Returns
Represents an incident comment item
- Incident Comment
- IncidentComment
Add comment to incident [DEPRECATED]
This action has been deprecated. Please use Add comment to incident (V3) instead.
Adds comment to selected incident
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Identifier | identifier | True | string | Incident / alert |
Specify alert / incident | id | True | string | Please provide the incident number / alert id |
Specify incident comment | comment | True | string | Incident comment |
Returns
- response
- string
Add labels to incident (deprecated) [DEPRECATED]
Adds labels to selected incident
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Identifier | identifier | True | string | Incident / alert |
Specify alert / incident | id | True | string | Please provide the incident number / alert id |
label | Label | True | string | label |
Returns
- response
- string
Add task to incident
Adds a task to an existing incident
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Incident ARM id | incidentArmId | True | string | Incident ARM id |
Title | taskTitle | True | string | Task title |
Description | taskDescription | | html | Task description |
Returns
Represents an incident task item
- Incident task
- IncidentTask
Alert - Get incident
Returns the incident associated with selected alert
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Specify alert id | alertId | True | string | System Alert Id |
Returns
Represents an incident in Azure Security Insights.
- Body
- Incident
Alert - Get incident
Returns the incident associated with selected alert
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Specify alert id | alertId | True | string | System alert id |
Returns
- Body
- OldIncident
ASI trigger unsubscribe [DEPRECATED]
Bookmarks (V2) - Create a new bookmark (json input) (Preview)
Bookmarks (V2) - Create a valid new bookmark (json).
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Bookmark Display Name | displayName | True | string | The display name of the bookmark |
Bookmark query | bookmarkQuery | True | string | Bookmark query (Ex. 'SecurityEvent \| where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)') |
Bookmark query result | bookmarkQueryResult | True | string | Bookmark query result (Ex. 'Security Event query result') |
Bookmark notes | bookmarkNotes | | string | Bookmark notes (Ex. 'My Bookmark notes') |
Returns
Represents a bookmark in Azure Security Insights.
- Body
- Bookmark
Bookmarks (V3) - Creates new bookmark with separate fields (Preview)
Bookmarks (V3) - Create a new bookmark.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Specify bookmark display name | bookmarkName | True | string | Bookmark Display Name (Ex. 'My Bookmark') |
Specify bookmark query | bookmarkQuery | True | string | Bookmark query (Ex. 'SecurityEvent \| where TimeGenerated > ago(1d) and TimeGenerated < ago(2d)') |
Specify bookmark query result | bookmarkQueryResult | True | string | Bookmark query result (Ex. 'Security Event query result') |
Specify bookmark notes | bookmarkNotes | True | string | Bookmark notes (Ex. 'My Bookmark notes') |
Returns
Represents a bookmark in Azure Security Insights.
- Body
- Bookmark
Bookmarks - Creates new bookmark (Preview)
Bookmarks - Creates a new bookmark.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Specify Bookmark Id | bookmarkId | True | string | Id of Bookmark |
created | created | | date-time | The time the bookmark was created |
email | | | string | The email of the user. |
name | name | | string | The name of the user. |
objectId | objectId | | uuid | The object id of the user. |
displayName | displayName | True | string | The display name of the bookmark |
labels | labels | | string | Label that will be used to tag and filter on. |
notes | notes | | string | The notes of the bookmark |
query | query | True | string | The query of the bookmark. |
queryResult | queryResult | | string | The query result of the bookmark. |
updated | updated | | date-time | The last time the bookmark was updated |
eventTime | eventTime | | date-time | The bookmark event time |
queryStartTime | queryStartTime | | date-time | The start time for the query |
queryEndTime | queryEndTime | | date-time | The end time for the query |
Incident ARM ID | id | | string | The full qualified ARM ID of the incident. |
Incident ARM Name | name | | string | The ARM name of the incident (GUID) |
Incident Alerts Count | alertsCount | | integer | The number of alerts in the incident |
Incident Bookmarks Count | bookmarksCount | | integer | The number of bookmarks in the incident |
Incident Comments Count | commentsCount | | integer | The number of comments in the incident |
Incident Alert product names | alertProductNames | | array of string | List of product names of alerts in the incident |
Provider Incident Url | providerIncidentUrl | | string | The provider incident url to the incident in Microsoft 365 Defender portal |
Incident Tactics | Incident Tactics | | string | Represents a tactic item which is associated with the incident |
Incident Techniques | techniques | | array of string | The techniques associated with the incident's tactics |
Incident Classification | classification | | string | The reason the incident was closed |
Incident Classification Comment | classificationComment | | string | Describes the reason the incident was closed |
Incident Classification Reason | classificationReason | | string | The classification reason the incident was closed with |
Incident Created Time Utc | createdTimeUtc | | date-time | The time the incident was created |
Incident Description | description | | string | The description of the incident |
Incident First Activity Time UTC | firstActivityTimeUtc | | date-time | The time of the first activity in the incident |
Incident URL | incidentUrl | | string | The deep-link url to the incident in Azure portal |
Incident Sentinel ID | incidentNumber | | integer | A sequential number used to identify the incident in Microsoft Sentinel. |
Incident Last Activity Time UTC | lastActivityTimeUtc | | date-time | The time of the last activity in the incident |
Incident Severity | severity | | string | The severity of the incident |
Incident Status | status | | string | The status of the incident |
Incident Title | title | | string | The title of the incident |
Name | labelName | True | string | The name of the tag |
Type | labelType | | string | The type of the tag |
Incident Last Modified Time UTC | lastModifiedTimeUtc | | date-time | The last time the incident was updated |
Email | | | string | The email of the user the incident is assigned to. |
Assigned To | assignedTo | | string | The name of the user the incident is assigned to. (assignedTo field) |
ObjectId | objectId | | uuid | The object id of the user the incident is assigned to. |
User Principal Name | userPrincipalName | | string | The user principal name of the user the incident is assigned to. |
Incident Related Analytic Rule Ids | relatedAnalyticRuleIds | | array of string | List of resource ids of Analytic rules related to the incident |
ID | id | | string | The full qualified ARM ID of the comment. |
Name | name | | string | The ARM name of the comment (GUID) |
properties | properties | | | Represents Incident Comment Properties JSON. |
Returns
Represents a bookmark in Azure Security Insights.
- Body
- Bookmark
Bookmarks - Delete a bookmark
Bookmarks - Delete a bookmark
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Specify Bookmark Id | bookmarkId | True | string | Id of Bookmark |
Returns
- response
- string
Bookmarks - Get a bookmark
Bookmarks - Get a bookmarks by Id
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Specify Bookmark Id | bookmarkId | True | string | Id of Bookmark |
Returns
Represents a bookmark in Azure Security Insights.
- Body
- Bookmark
Bookmarks - Get all bookmarks
Bookmarks - Get all bookmarks for a given workspace
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Specify number of bookmarks | numberOfBookmarks | True | integer | Number of Bookmarks to return. 0 or negative to return all bookmarks |
Returns
List all the bookmarks.
- Body
- BookmarkList
Change incident description (V2) (deprecated) [DEPRECATED]
changes description to selected incident
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Identifier | identifier | True | string | Incident / alert |
Specify alert / incident | id | True | string | Please provide the incident number / alert id |
Specify description | Value | True | string | Description value |
Returns
- response
- string
Change incident description [DEPRECATED]
changes description to selected incident
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Identifier | identifier | True | string | Incident / alert |
Specify alert / incident | id | True | string | Please provide the incident number / alert id |
Specify description | fieldValue | True | string | Description value |
Returns
- response
- string
Change incident severity (deprecated) [DEPRECATED]
changes severity to selected incident
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Identifier | identifier | True | string | Incident / alert |
Specify alert / incident | id | True | string | Please provide the incident number / alert id |
Specify severity | severity | True | string | Severity value |
Returns
- response
- string
Change incident status (deprecated) [DEPRECATED]
changes status to selected incident
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Identifier | identifier | True | string | Incident / alert |
Specify alert / incident | id | True | string | Please provide the incident number / alert id |
Specify status | status | True | string | Status value |
dynamicStatusChangerSchema | dynamicStatusChangerSchema | | dynamic | Dynamic Schema of incident status changer |
Returns
- response
- string
Change incident title (V2) (deprecated) [DEPRECATED]
changes title to selected incident
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Identifier | identifier | True | string | Incident / alert |
Specify alert / incident | id | True | string | Please provide the incident number / alert id |
Specify title | Value | True | string | Title value |
Returns
- response
- string
Change incident title [DEPRECATED]
changes title to selected incident
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Identifier | identifier | True | string | Incident / alert |
Specify alert / incident | id | True | string | Please provide the incident number / alert id |
Specify title | fieldValue | True | string | Title value |
Returns
- response
- string
Create incident
Create incident with provided fields
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Subscription | subscriptionId | True | string | Select subscription |
Resource Group | resourceGroup | True | string | Select resource group |
Workspace Name | workspaceName | True | string | Select Workspace |
Specify incident fields | body | True | dynamic | Incident fields |
Returns
Represents an incident in Azure Security Insights.
- Body
- Incident
Entities - Get Accounts
Returns list of accounts associated with the alert
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Entities list | body | True | string | Entities list |
Returns
A list of accounts associated with the alert
- Body
- BatchResponseAccount
Entities - Get DNS
Returns list of DNS records associated with the alert
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Entities list | body | True | string | Entities list |
Returns
A list of DNS domains associated with the alert
- Body
- BatchResponseDNS
Entities - Get FileHashes
Returns list of File Hashes associated with the alert
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Entities list | body | True | string | Entities list |
Returns
A list of File Hashes associated with the alert
Entities - Get Hosts
Returns list of hosts associated with the alert
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Entities list | body | True | string | Entities list |
Returns
A list of hosts associated with the alert
- Body
- BatchResponseHost
Entities - Get IPs
Returns list of IPs associated with the alert
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Entities list | body | True | string | Entities list |
Returns
A list of IPs associated with the alert
- Body
- BatchResponseIP
Entities - Get URLs
Returns list of URLs associated with the alert
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Entities list | body | True | string | Entities list |
Returns
A list of URLs associated with the alert
- Body
- BatchResponseUrl
Get incident
Get an incident by ARM ID
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Incident ARM id | incidentArmId | True | string | Incident ARM id |
Returns
Represents an incident in Azure Security Insights.
- Body
- Incident
Mark a task as completed
Mark a task as completed
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Task ARM id | taskArmId | True | string | Task ARM id |
Returns
Represents an incident task item
- Incident task
- IncidentTask
Remove alert from incident
Remove an alert from an existing incident.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Incident ARM Id | incidentArmId | True | string | Incident ARM ID. Retrieve from Incident trigger, Alert - Get incident action or Azure Monitor Logs query. |
System Alert Id | relatedResourceId | True | string | System alert ID which will be added / removed to / from the incident. Retrieve from Azure Monitor Logs query or Alert Trigger. For example: dfc09ba0-c218-038d-2ad8-b198a0033bdb. |
Returns
- response
- string
Remove labels from incident (deprecated) [DEPRECATED]
Removes labels from selected incident
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Identifier | identifier | True | string | Incident / alert |
Specify alert / incident | id | True | string | Please provide the incident number / alert id |
label | Label | True | string | label |
Returns
- response
- string
Threat Intelligence - Upload Indicators of Compromise (Deprecated)
Threat Intelligence - Upload Indicators of Compromise
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify workspace Id | workspaceId | True | string | Workspace id |
Returns
Response from Threat Intelligence Upload Indicators.
Threat Intelligence - Upload Indicators of Compromise (V2) (Preview)
Upload indicators in bulk using the Threat Intelligence Upload Indicators API.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify workspace Id | workspaceId | True | string | Workspace id |
Returns
Response from Threat Intelligence Upload API. These are errors for invalid objects in the request body.
Threat Intelligence - Upload STIX Objects (Preview)
Upload STIX Objects in bulk using the Threat Intelligence Upload API.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify workspace Id | workspaceId | True | string | Workspace id |
Returns
Response from Threat Intelligence Upload API. These are errors for invalid objects in the request body.
Update incident
Update incident with provided fields
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify incident fields to update | body | True | dynamic | Incident fields to update |
Returns
Represents an incident in Azure Security Insights.
- Body
- Incident
Watchlists - Add a new Watchlist Item
Watchlists - Add a new Watchlist Item
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Specify watchlist alias | watchlistAlias | True | string | Watchlist alias |
Returns
Represents a WatchlistItem in Azure Security Insights.
- Body
- WatchlistItem
Watchlists - Create a large Watchlist using a SAS Uri
Watchlists - Create a large Watchlist using a SAS Uri
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Specify watchlist alias | watchlistAlias | True | string | Watchlist alias |
Returns
Represents a Watchlist in Azure Security Insights.
- Body
- Watchlist
Watchlists - Create a new Watchlist with data (Raw Content)
Watchlists - Create a new Watchlist with data (Raw Content)
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Specify watchlist alias | watchlistAlias | True | string | Watchlist alias |
Returns
Represents a Watchlist in Azure Security Insights.
- Body
- Watchlist
Watchlists - Delete a Watchlist
Watchlists - Delete a Watchlist
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Specify watchlist alias | watchlistAlias | True | string | Watchlist alias |
Returns
- response
- string
Watchlists - Delete a Watchlist Item
Watchlists - Delete a Watchlist Item
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Specify watchlist alias | watchlistAlias | True | string | Watchlist alias |
Specify Watchlist Item Id | watchlistItemId | True | string | Unique identifier for a watchlist item (GUID) |
Returns
- response
- string
Watchlists - Get a Watchlist by alias
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Specify watchlist alias | watchlistAlias | True | string | Watchlist alias |
Returns
Represents a Watchlist in Azure Security Insights.
- Body
- Watchlist
Watchlists - Get a Watchlist Item by ID (guid)
Watchlists - Get a Watchlist Item
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Specify watchlist alias | watchlistAlias | True | string | Watchlist alias |
Specify Watchlist Item Id | watchlistItemId | True | string | Unique identifier for a watchlist item (GUID) |
Returns
Represents a WatchlistItem in Azure Security Insights.
- Body
- WatchlistItem
Watchlists - Get all Watchlist Items for a given watchlist
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Specify watchlist alias | watchlistAlias | True | string | Watchlist alias |
Returns
List all the watchlist items.
- response
- WatchlistItemList
Watchlists - Get all Watchlist Items for a given Watchlist (V2)
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Specify watchlist alias | watchlistAlias | True | string | Watchlist alias |
Skip Token | skipToken | | string | Skip token for the next set of 100 items to return |
Returns
List all the watchlist items.
- response
- WatchlistItemList
Watchlists - Update an existing Watchlist Item
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Subscription id |
Specify resource group | resourceGroup | True | string | Resource group |
Specify workspace Id | workspaceId | True | string | Workspace id |
Specify watchlist alias | watchlistAlias | True | string | Watchlist alias |
Specify Watchlist Item Id | watchlistItemId | True | string | Unique identifier for a watchlist item (GUID) |
Returns
Represents a WatchlistItem in Azure Security Insights.
- Body
- WatchlistItem
Triggers
Trigger | Description |
---|---|
Microsoft Sentinel alert | When a response to a Microsoft Sentinel alert is triggered. This playbook is triggered by an analytics rule when a new alert is created or by manual triggering. The playbook receives the alert as its input. |
Microsoft Sentinel entity | Run playbook on Microsoft Sentinel entity |
Microsoft Sentinel incident | When a response to a Microsoft Sentinel incident is triggered. This playbook is triggered by an automation rule when a new incident is created or updated. The playbook receives the Microsoft Sentinel incident as its input, including alerts and entities. |
When a response to a Microsoft Sentinel alert is triggered [DEPRECATED] | When a response to a Microsoft Sentinel alert is triggered. This playbook must be triggered using Microsoft Sentinel Real Time or from Azure |
Microsoft Sentinel alert
When a response to a Microsoft Sentinel alert is triggered. This playbook is triggered by an analytics rule when a new alert is created or by manual triggering. The playbook receives the alert as its input.
Returns
- Body
- Alert
Microsoft Sentinel entity
Run playbook on Microsoft Sentinel entity
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Entity type | entityType | True | string | Entity type |
Returns
Microsoft Sentinel incident
When a response to a Microsoft Sentinel incident is triggered. This playbook is triggered by an automation rule when a new incident is created or updated. The playbook receives the Microsoft Sentinel incident as its input, including alerts and entities.
Returns
When a response to a Microsoft Sentinel alert is triggered [DEPRECATED]
When a response to a Microsoft Sentinel alert is triggered. This playbook must be triggered using Microsoft Sentinel Real Time or from Azure
Returns
- Body
- Alert
Definitions
UploadApiValidationErrors
Response from the Threat Intelligence Upload API. These are errors for invalid objects in the request body.
Name | Path | Type | Description |
---|---|---|---|
recordIndex | recordIndex | integer | |
validationErrorMessages | validationErrorMessages | array of string | |
IndicatorValidationErrors
Response from Threat Intelligence Upload Indicators.
Name | Path | Type | Description |
---|---|---|---|
recordIndex | recordIndex | integer | |
errorMessages | errorMessages | array of string | |
BatchResponseAccount
A list of accounts associated with the alert
Name | Path | Type | Description |
---|---|---|---|
Accounts | Accounts | array of Account | A list of accounts associated with the alert |
Account
Name | Path | Type | Description |
---|---|---|---|
Name | Name | string | Account name |
NT domain | NTDomain | string | NETBIOS domain name as it appears in the alert format |
DnsDomain | DnsDomain | string | The fully qualified domain DNS name |
UPN suffix | UPNSuffix | string | User principal name suffix |
SID | Sid | string | Account security identifier, e.g. S-1-5-18 |
Microsoft Entra ID tenant ID | AadTenantId | string | Microsoft Entra ID tenant id, if known |
Microsoft Entra ID user ID | AadUserId | string | Microsoft Entra ID user id, if known |
PUID | PUID | string | The Microsoft Entra ID Passport User ID, if known |
Is domain joined | IsDomainJoined | boolean | Determines whether this is a domain account |
ObjectGuid | ObjectGuid | string | The objectGUID attribute is a single-value attribute that is the unique identifier for the object, assigned by Microsoft Entra ID |
BatchResponseUrl
A list of URLs associated with the alert
Name | Path | Type | Description |
---|---|---|---|
URLs | URLs | array of UrlEntity | A list of URLs associated with the alert |
UrlEntity
Name | Path | Type | Description |
---|---|---|---|
Url | Url | string | |
BatchResponseHost
A list of hosts associated with the alert
Name | Path | Type | Description |
---|---|---|---|
Hosts | Hosts | array of Host | A list of hosts associated with the alert |
Host
Name | Path | Type | Description |
---|---|---|---|
DNS domain | DnsDomain | string | DNS domain that this host belongs to |
NT domain | NTDomain | string | NT domain that this host belongs to |
Hostname | HostName | string | Hostname without the domain suffix |
NetBiosName | NetBiosName | string | The host name (pre-Windows 2000) |
OMSAgentID | OMSAgentID | string | The OMS agent id, if the host has the OMS agent installed |
OSFamily | OSFamily | string | One of the following values: Linux, Windows, Android, IOS |
OSVersion | OSVersion | string | A free text representation of the operating system |
Is domain joined | IsDomainJoined | boolean | Determines whether this host belongs to a domain |
AzureID | AzureID | string | The Azure resource id of the VM, if known |
BatchResponseIP
A list of IPs associated with the alert
Name | Path | Type | Description |
---|---|---|---|
IPs | IPs | array of IP | A list of IPs associated with the alert |
IP
Name | Path | Type | Description |
---|---|---|---|
Address | Address | string | IP address |
BatchResponseDNS
A list of DNS domains associated with the alert
Name | Path | Type | Description |
---|---|---|---|
DNS domains | Dnsresolutions | array of DNS | A list of DNS domains associated with the alert |
DNS
Name | Path | Type | Description |
---|---|---|---|
Domain Name | DomainName | string | The name of the DNS record associated with the alert |
BatchResponseFileHash
A list of File Hashes associated with the alert
Name | Path | Type | Description |
---|---|---|---|
FileHashes | Filehashes | array of FileHash | A list of File Hashes associated with the alert |
FileHash
Name | Path | Type | Description |
---|---|---|---|
Value | Value | string | File Hash value |
Algorithm | Algorithm | string | The file hash algorithm types |
OldIncident
Name | Path | Type | Description |
---|---|---|---|
properties | properties | OldIncidentProperties | |
OldIncidentProperties
Name | Path | Type | Description |
---|---|---|---|
Status | Status | string | The status of the incident |
Labels | Labels | array of | The labels of the incident |
Title | Title | string | The title of the incident |
Description | Description | string | The description of the incident |
End Time Utc | EndTimeUtc | string | The time the incident ended |
Start Time Utc | StartTimeUtc | string | The start time of the incident |
Last Updated Time Utc | LastUpdatedTimeUtc | string | The update time of the incident |
Number | CaseNumber | string | The number of the incident |
Created Time Utc | CreatedTimeUtc | string | The time the incident was created |
Severity | Severity | string | The severity of the incident |
Related Alert Ids | RelatedAlertIds | array of | The related alert ids of the incident |
IncidentAdditionalData
Incident additional data property bag.
Name | Path | Type | Description |
---|---|---|---|
Incident Alerts Count | alertsCount | integer | The number of alerts in the incident |
Incident Bookmarks Count | bookmarksCount | integer | The number of bookmarks in the incident |
Incident Comments Count | commentsCount | integer | The number of comments in the incident |
Incident Alert product names | alertProductNames | array of string | List of product names of alerts in the incident |
Provider Incident Url | providerIncidentUrl | string | The provider incident url to the incident in the Microsoft 365 Defender portal |
Incident Tactics | tactics | array of AttackTactic | The tactics associated with the incident |
Incident Techniques | techniques | array of string | The techniques associated with the incident's tactics |
IncidentLabel
Represents an incident tag
Name | Path | Type | Description |
---|---|---|---|
Name | labelName | string | The name of the tag |
Type | labelType | string | The type of the tag |
IncidentOwnerInfo
Information on the user an incident is assigned to
Name | Path | Type | Description |
---|---|---|---|
Email | | string | The email of the user the incident is assigned to. |
Assigned To | assignedTo | string | The name of the user the incident is assigned to. (assignedTo field) |
ObjectId | objectId | uuid | The object id of the user the incident is assigned to. |
User Principal Name | userPrincipalName | string | The user principal name of the user the incident is assigned to. |
AttackTactic
Represents a tactic item which is associated with the incident
AlertSeverity
HuntingBookmark
Represents a hunting bookmark item
Name | Path | Type | Description |
---|---|---|---|
ARM ID | id | string | The fully qualified ARM ID of the bookmark. |
ARM Name | name | string | The ARM name of the bookmark (GUID) |
properties | properties | HuntingBookmarkProperties | Represents HuntingBookmark Properties JSON. |
SecurityAlert
Represents a security alert item
Name | Path | Type | Description |
---|---|---|---|
ARM ID | id | string | The fully qualified ARM ID of the alert. |
ARM Name | name | string | The ARM name of the alert (GUID) |
properties | properties | SecurityAlertProperties | Represents Alert Properties JSON. |
HuntingBookmarkProperties
Represents HuntingBookmark Properties JSON.
Name | Path | Type | Description |
---|---|---|---|
Display Name | displayName | string | The display name of the bookmark |
Created | created | date-time | The created time of the bookmark |
Updated | updated | date-time | The updated time of the bookmark |
Created By User Info | createdBy | CreatedByUserInfo | Represents UserInfo Properties JSON. |
Updated By User Info | updatedBy | UpdatedByUserInfo | Represents UserInfo Properties JSON. |
Event Time | eventTime | date-time | The event time of the bookmark |
Notes | notes | string | The notes of the bookmark |
Labels | labels | array of string | The labels of the bookmark |
Query | query | string | The query of the bookmark |
Query Result | queryResult | string | The query result of the bookmark |
SecurityAlertProperties
Represents Alert Properties JSON.
Name | Path | Type | Description |
---|---|---|---|
Friendly Name | friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated. |
Display Name | alertDisplayName | string | The display name of the alert |
Type | alertType | string | For a scheduled alert, this is the analytics rule id. |
URI | alertLink | string | This is the link to the alert in the original vendor. |
Compromised Entity | compromisedEntity | string | Display name of the main entity being reported on. |
Confidence Level | confidenceLevel | string | The confidence level of this alert. |
Description | description | string | The description of the alert. |
End Time UTC | endTimeUtc | date-time | The impact end time of the alert (the time of the last event contributing to the alert). |
Provider ID | providerAlertId | string | The identifier of the alert inside the product which generated the alert. |
Product Name | productName | string | The name of the product which published this alert. |
Remediation Steps | remediationSteps | array of string | List of manual action items to take to remediate the alert. |
Severity | severity | AlertSeverity | The severity of the alert |
Start Time | startTimeUtc | date-time | The impact start time of the alert (the time of the first event contributing to the alert). |
Status | status | string | The lifecycle status of the alert. |
System ID | systemAlertId | string | Holds the product identifier of the alert for the product. |
Tactics | tactics | array of AttackTactic | List of the alert tactics. |
Time Generated | timeGenerated | date-time | The time the alert was generated. |
Query | additionalData.Query | string | The query used to decide if the alert should be triggered (scheduled alerts only). |
Query Start Time | additionalData.Query Start Time UTC | string | The start time of the query used to decide if the alert should be triggered (scheduled alerts only). |
Query End Time | additionalData.Query End Time UTC | string | The end time of the query used to decide if the alert should be triggered (scheduled alerts only). |
Query Operator | additionalData.Trigger Operator | string | The operator used to decide if the alert should be triggered (scheduled alerts only). |
Query Threshold | additionalData.Trigger Threshold | string | The threshold used to decide if the alert should be triggered (scheduled alerts only). |
Custom Details | additionalData.Custom Details | string | Custom event details added to the alert by the analytics rules (scheduled alerts only). To use this field, follow it with a "Parse JSON" action, and use a sample payload from an existing alert to simulate the schema. |
Resource Identifiers | resourceIdentifiers | array of object | The resource identifiers of the alert |
items | resourceIdentifiers | object | Represents an alert resource identifier. |
Incident
Represents an incident in Azure Security Insights.
Name | Path | Type | Description |
---|---|---|---|
Incident ARM ID | id | string | The fully qualified ARM ID of the incident. |
Incident ARM Name | name | string | The ARM name of the incident (GUID) |
properties | properties | IncidentProperties | Represents the Incident Properties JSON. |
FullIncident
Get an incident by ARM ID
Name | Path | Type | Description |
---|---|---|---|
Incident ARM ID | id | string | The fully qualified ARM ID of the incident. |
Incident ARM Name | name | string | The ARM name of the incident (GUID) |
properties | properties | FullIncidentProperties | Represents the Incident Properties JSON. |
IncidentProperties
Represents the Incident Properties JSON.
Name | Path | Type | Description |
---|---|---|---|
additionalData | additionalData | IncidentAdditionalData | Incident additional data property bag. |
Incident Classification | classification | string | The reason the incident was closed |
Incident Classification Comment | classificationComment | string | Describes the reason the incident was closed |
Incident Classification Reason | classificationReason | string | The classification reason the incident was closed with |
Incident Created Time Utc | createdTimeUtc | date-time | The time the incident was created |
Incident Description | description | string | The description of the incident |
Incident First Activity Time UTC | firstActivityTimeUtc | date-time | The time of the first activity in the incident |
Incident URL | incidentUrl | string | The deep-link url to the incident in the Azure portal |
Incident Sentinel ID | incidentNumber | integer | A sequential number used to identify the incident in Microsoft Sentinel. |
Incident Last Activity Time UTC | lastActivityTimeUtc | date-time | The time of the last activity in the incident |
Incident Severity | severity | string | The severity of the incident |
Incident Status | status | string | The status of the incident |
Incident Title | title | string | The title of the incident |
Incident Tags | labels | array of IncidentLabel | List of tags associated with this incident |
Incident Last Modified Time UTC | lastModifiedTimeUtc | date-time | The last time the incident was updated |
Incident Owner | owner | IncidentOwnerInfo | Information on the user an incident is assigned to |
Incident Related Analytic Rule Ids | relatedAnalyticRuleIds | array of string | List of resource ids of Analytic rules related to the incident |
Comments | Comments | array of IncidentComment | List of comments on this incident. |
FullIncidentProperties
Represents the Incident Properties JSON.
Name | Path | Type | Description |
---|---|---|---|
additionalData | additionalData | IncidentAdditionalData | Incident additional data property bag. |
Incident Classification | classification | string | The reason the incident was closed |
Incident Classification Comment | classificationComment | string | Describes the reason the incident was closed |
Incident Classification Reason | classificationReason | string | The classification reason the incident was closed with |
Incident Created Time Utc | createdTimeUtc | date-time | The time the incident was created |
Incident Description | description | string | The description of the incident |
Incident First Activity Time UTC | firstActivityTimeUtc | date-time | The time of the first activity in the incident |
Incident URL | incidentUrl | string | The deep-link url to the incident in the Azure portal |
Incident Sentinel ID | incidentNumber | integer | A sequential number used to identify the incident in Microsoft Sentinel. |
Incident Last Activity Time UTC | lastActivityTimeUtc | date-time | The time of the last activity in the incident |
Incident Severity | severity | string | The severity of the incident |
Incident Status | status | string | The status of the incident |
Incident Title | title | string | The title of the incident |
Incident Tags | labels | array of IncidentLabel | List of tags associated with this incident |
Incident Last Modified Time UTC | lastModifiedTimeUtc | date-time | The last time the incident was updated |
Incident Owner | owner | IncidentOwnerInfo | Information on the user an incident is assigned to |
Incident Related Analytic Rule Ids | relatedAnalyticRuleIds | array of string | List of resource ids of Analytic rules related to the incident |
Comments | Comments | array of IncidentComment | List of comments on this incident. |
Alerts | Alerts | array of SecurityAlert | List of alerts related to this incident. |
Bookmarks | Bookmarks | array of HuntingBookmark | List of bookmarks related to this incident. |
Entities | relatedEntities | string | List of entities related to the incident; can contain entities of different types |
IncidentEventNotification
Name | Path | Type | Description |
---|---|---|---|
Updated Field Names | incidentUpdates.updatedFields | array of string | The names of the fields updated in the incident |
Update Time | incidentUpdates.updatedTime | date-time | The time of the incident update event |
Source | incidentUpdates.updatedBy.source | string | The actor which updated the incident: User, External application, Playbook, Automation rule, Microsoft 365 Defender or Alert Grouping |
Name | incidentUpdates.updatedBy.name | string | The name of the user, application, automation rule or playbook which updated the incident |
Incident Alerts | incidentUpdates.alerts | array of SecurityAlert | List of alerts added to this incident. |
Incident Tags | incidentUpdates.labels | array of IncidentLabel | List of tags added to this incident |
Incident Comments | incidentUpdates.comments | array of IncidentComment | List of comments added to this incident. |
Incident Tactics | incidentUpdates.tactics | array of AttackTactic | The tactics associated with the incident |
Subscription ID | workspaceInfo.SubscriptionId | string | The subscription ID of the Microsoft Sentinel workspace |
Resource Group Name | workspaceInfo.ResourceGroupName | string | The resource group of the Microsoft Sentinel workspace |
Workspace Name | workspaceInfo.WorkspaceName | string | The Microsoft Sentinel workspace name |
Workspace ID | workspaceId | string | The workspace ID of the incident. |
object | object | FullIncident | Get an incident by ARM ID |
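As an added example (not part of the connector documentation), here is a small Python triage function for a payload shaped like IncidentEventNotification: it reads incidentUpdates.updatedBy.source to skip updates made by a Playbook or Automation rule, so a playbook that itself edits incidents does not re-trigger on its own changes, and runs only when a watched field changed. The sample payload, its GUIDs and the field names used in updatedFields are constructed, and it is assumed that the incident trigger delivers this shape.

```python
import json
from dataclasses import dataclass

# Actor sources the page lists for incidentUpdates.updatedBy.source.
# Updates from these two are treated as automation so that a playbook which
# itself edits incidents cannot keep re-triggering on its own changes.
AUTOMATED_SOURCES = {"Playbook", "Automation rule"}

# Constructed placeholder identifiers (not values from any real workspace).
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
WORKSPACE_ID = "11111111-1111-1111-1111-111111111111"
INCIDENT_GUID = "22222222-2222-2222-2222-222222222222"


def build_notification(source, actor_name, updated_fields):
    """Return a constructed IncidentEventNotification document as JSON text.

    Only the parts of the schema this example reads are filled in; the ARM id
    follows the incident resource path layout with placeholder names.
    """
    incident_id = (
        f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-placeholder"
        "/providers/Microsoft.OperationalInsights/workspaces/ws-placeholder"
        f"/providers/Microsoft.SecurityInsights/incidents/{INCIDENT_GUID}"
    )
    return json.dumps({
        "incidentUpdates": {
            "updatedFields": list(updated_fields),
            "updatedTime": "2024-01-01T00:00:00Z",
            "updatedBy": {"source": source, "name": actor_name},
            "alerts": [], "labels": [], "comments": [], "tactics": [],
        },
        "workspaceInfo": {
            "SubscriptionId": SUBSCRIPTION_ID,
            "ResourceGroupName": "rg-placeholder",
            "WorkspaceName": "ws-placeholder",
        },
        "workspaceId": WORKSPACE_ID,
        "object": {
            "id": incident_id,
            "name": INCIDENT_GUID,
            "properties": {
                "incidentNumber": 42,
                "title": "Constructed sample incident",
                "severity": "High",
                "status": "Active",
            },
        },
    })


@dataclass(frozen=True)
class UpdateDecision:
    incident_number: int
    changed_fields: tuple
    actor_source: str
    actor_name: str
    should_run: bool
    reason: str


def triage_update(notification_json, watched_fields=("Severity", "Status", "Owner"),
                  ignore_automated=True):
    """Decide whether a playbook should act on an incident-update notification.

    watched_fields uses assumed field names; compare them against the
    incidentUpdates.updatedFields values observed in your own workspace.
    """
    doc = json.loads(notification_json)
    updates = doc.get("incidentUpdates") or {}
    actor = updates.get("updatedBy") or {}
    source = actor.get("source", "")
    name = actor.get("name", "")
    changed = tuple(updates.get("updatedFields") or ())
    number = doc["object"]["properties"]["incidentNumber"]

    if ignore_automated and source in AUTOMATED_SOURCES:
        return UpdateDecision(number, changed, source, name, False,
                              f"update made by {source}; skipped to avoid an automation loop")
    relevant = tuple(f for f in changed if f in watched_fields)
    if not relevant:
        return UpdateDecision(number, changed, source, name, False,
                              "no watched field changed")
    return UpdateDecision(number, changed, source, name, True,
                          "watched fields changed: " + ", ".join(relevant))


# Constructed samples: one edit made by a playbook, one made by an analyst.
SAMPLE_PLAYBOOK_UPDATE = build_notification("Playbook", "Enrich-Incident", ["Labels"])
SAMPLE_USER_UPDATE = build_notification("User", "analyst@example.com", ["Severity", "Owner"])

if __name__ == "__main__":
    for sample in (SAMPLE_PLAYBOOK_UPDATE, SAMPLE_USER_UPDATE):
        print(triage_update(sample))
```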
CreatedByUserInfo
UpdatedByUserInfo
Alert
Name | Path | Type | Description |
---|---|---|---|
Product name | ProductName | string | Name of the product which published this alert |
Alert type | AlertType | string | Type name of the alert |
Start time (UTC) | StartTimeUtc | date-time | Start time of the alert, when the first contributing event was detected |
End time (UTC) | EndTimeUtc | date-time | End time of the alert, when the last contributing event was detected |
Time generated (UTC) | TimeGenerated | date-time | The time the alert was generated |
Severity | Severity | string | The severity of the alert as it is reported by the provider |
Provider alert ID | ProviderAlertId | string | Unique id for the specific alert instance set by the provider |
System alert ID | SystemAlertId | string | Unique ID for the specific alert instance |
Alert display name | AlertDisplayName | string | Display name of the alert |
Description | Description | string | Alert description |
Entities | Entities | string | A list of entities related to the alert; can include multiple entity types |
Extended properties | ExtendedProperties | string | A list of fields which will be presented to the user |
Workspace ID | WorkspaceId | string | The ID of the workspace of the alert |
Resource group | WorkspaceResourceGroup | string | The resource group of the alert |
Subscription ID | WorkspaceSubscriptionId | string | The ID of the subscription of the alert |
Extended links | ExtendedLinks | array of object | A list of links related to the alert; can include multiple types |
IncidentComment
Represents an incident comment item
Name | Path | Type | Description |
---|---|---|---|
ID | id | string | The fully qualified ARM ID of the comment. |
Name | name | string | The ARM name of the comment (GUID) |
properties | properties | IncidentCommentProperties | Represents Incident Comment Properties JSON. |
IncidentCommentProperties
IncidentTask
Represents an incident task item
Name | Path | Type | Description |
---|---|---|---|
ID | id | string | The fully qualified ARM ID of the task. |
Name | name | string | The ARM name of the task |
properties | properties | IncidentTaskProperties | Represents incident task properties. |
IncidentTaskProperties
IncidentRelation
Represents an incident relation
Name | Path | Type | Description |
---|---|---|---|
ID | id | string | The fully qualified ARM ID of the incident relation. |
Name | name | string | The ARM name of the incident relation |
properties | properties | IncidentRelationProperties | Represents an incident relation properties JSON. |
IncidentRelationProperties
Watchlist
Represents a Watchlist in Azure Security Insights.
Name | Path | Type | Description |
---|---|---|---|
properties | properties | WatchlistProperties | Describes watchlist properties |
WatchlistProperties
Describes watchlist properties
Name | Path | Type | Description |
---|---|---|---|
watchlistId | watchlistId | string | The id (a Guid) of the watchlist |
displayName | displayName | string | The display name of the watchlist |
provider | provider | string | The provider of the watchlist |
source | source | string | The source of the watchlist |
created | created | date-time | The time the watchlist was created |
updated | updated | date-time | The last time the watchlist was updated |
createdBy | createdBy | UserInfo | User information that made some action |
updatedBy | updatedBy | UserInfo | User information that made some action |
description | description | string | A description of the watchlist |
watchlistType | watchlistType | string | The type of the watchlist |
watchlistAlias | watchlistAlias | string | The alias of the watchlist |
isDeleted | isDeleted | boolean | A flag that indicates if the watchlist is deleted or not |
labels | labels | array of Label | List of labels relevant to this watchlist |
defaultDuration | defaultDuration | duration | The default duration of a watchlist (in ISO 8601 duration format) |
tenantId | tenantId | string | The tenantId the watchlist belongs to |
numberOfLinesToSkip | numberOfLinesToSkip | integer | The number of lines in a csv/tsv content to skip before the header |
rawContent | rawContent | string | The raw content that represents the watchlist items to create. In the case of csv/tsv content type, it is the content of the file that will be parsed by the endpoint |
itemsSearchKey | itemsSearchKey | string | The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. |
contentType | contentType | string | The content type of the raw content. Example: text/csv or text/tsv |
uploadStatus | uploadStatus | string | The status of the Watchlist upload: New, InProgress or Complete. Please note: when a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted |
watchlistItemsCount | watchlistItemsCount | integer | The number of Watchlist Items in the Watchlist |
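As an added example (not the connector's own code), a Python helper that assembles the WatchlistProperties body for the "Create a new Watchlist with data (Raw Content)" action from CSV or TSV text, honouring numberOfLinesToSkip and contentType as described above, and checking before anything is sent that itemsSearchKey names a header column that is populated on every row. The sample CSV and the provider/source defaults are constructed.

```python
import csv
import io

# Delimiters for the two contentType values the page gives as examples.
DELIMITERS = {"text/csv": ",", "text/tsv": "\t"}


def parse_raw_content(raw_content, content_type="text/csv", number_of_lines_to_skip=0):
    """Interpret rawContent the way the page describes it.

    numberOfLinesToSkip lines are dropped, the next line is the header, and each
    remaining line becomes one watchlist item keyed by the header columns.
    Returns (header_columns, items).
    """
    if content_type not in DELIMITERS:
        raise ValueError(f"unsupported contentType {content_type!r}")
    lines = raw_content.splitlines()
    if len(lines) <= number_of_lines_to_skip:
        raise ValueError("numberOfLinesToSkip leaves no header row")
    body = "\n".join(lines[number_of_lines_to_skip:])
    reader = csv.DictReader(io.StringIO(body), delimiter=DELIMITERS[content_type])
    items = list(reader)
    return list(reader.fieldnames or []), items


def build_watchlist_properties(display_name, alias, raw_content, items_search_key,
                               content_type="text/csv", number_of_lines_to_skip=0,
                               description="", provider="Custom", source="Local file"):
    """Build the WatchlistProperties body for 'Create a new Watchlist with data (Raw Content)'.

    Validates locally what would otherwise fail or mis-key at upload time: the
    search key must be a header column and must be populated on every row.
    The provider/source defaults are placeholders, not values mandated by the page.
    """
    header, items = parse_raw_content(raw_content, content_type, number_of_lines_to_skip)
    if items_search_key not in header:
        raise ValueError(
            f"itemsSearchKey {items_search_key!r} is not one of the header columns {header}")
    missing = [i + 1 for i, row in enumerate(items)
               if not (row.get(items_search_key) or "").strip()]
    if missing:
        raise ValueError(f"itemsSearchKey {items_search_key!r} is empty on row(s) {missing}")
    properties = {
        "displayName": display_name,
        "watchlistAlias": alias,
        "provider": provider,
        "source": source,
        "description": description,
        "contentType": content_type,
        "numberOfLinesToSkip": number_of_lines_to_skip,
        "itemsSearchKey": items_search_key,
        "rawContent": raw_content,
    }
    return {"properties": properties}, items


# Constructed sample: two comment lines precede the header, so numberOfLinesToSkip=2.
SAMPLE_CSV = "\n".join([
    "# constructed asset inventory export (sample data, not real hosts)",
    "# generated 2024-01-01",
    "IpAddress,HostName,Owner",
    "10.0.0.5,db-01,platform-team",
    "10.0.0.9,web-03,web-team",
])

if __name__ == "__main__":
    body, items = build_watchlist_properties(
        "Constructed servers", "servers", SAMPLE_CSV, "IpAddress", number_of_lines_to_skip=2)
    print(body["properties"]["itemsSearchKey"], len(items), "items")
```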
WatchlistItemList
WatchlistItem
Represents a WatchlistItem in Azure Security Insights.
Name | Path | Type | Description |
---|---|---|---|
WatchlistItem Full ARM ID | id | string | The fully qualified ID of the watchlist item. |
WatchlistItem Unique ID | name | string | Corresponds to WatchlistItem ID (GUID) |
WatchlistItem etag | etag | string | Corresponds to etag (GUID) |
WatchlistItem type | type | string | Corresponds to WatchlistItem type |
value | value | object | Watchlist item entity details. |
Bookmark
Represents a bookmark in Azure Security Insights.
Name | Path | Type | Description |
---|---|---|---|
properties | properties | BookmarkProperties | Describes bookmark properties |
BookmarkList
List all the bookmarks.
Name | Path | Type | Description |
---|---|---|---|
nextLink | nextLink | string | URL to fetch the next set of cases. |
value | value | array of Bookmark | Array of bookmarks. |
BookmarkProperties
Describes bookmark properties
Name | Path | Type | Description |
---|---|---|---|
created | created | date-time | The time the bookmark was created |
createdBy | createdBy | UserInfo | User information that made some action |
displayName | displayName | string | The display name of the bookmark |
labels | labels | array of Label | List of labels relevant to this bookmark |
notes | notes | string | The notes of the bookmark |
query | query | string | The query of the bookmark. |
queryResult | queryResult | string | The query result of the bookmark. |
updated | updated | date-time | The last time the bookmark was updated |
updatedBy | updatedBy | UserInfo | User information that made some action |
eventTime | eventTime | date-time | The bookmark event time |
queryStartTime | queryStartTime | date-time | The start time for the query |
queryEndTime | queryEndTime | date-time | The end time for the query |
incidentInfo | incidentInfo | Incident | Represents an incident in Azure Security Insights. |
UserInfo
User information that made some action
Name | Path | Type | Description |
---|---|---|---|
email | | string | The email of the user. |
name | name | string | The name of the user. |
objectId | objectId | uuid | The object id of the user. |
Label
string
This is the basic data type 'string'.