Microsoft Sentinel (Preview)

Cloud-native SIEM with a built-in AI so you can focus on what matters most

This connector is available in the following products and regions:

Service: Logic Apps
Class: Standard
Regions: All Logic Apps regions

Contact
Name: Microsoft
URL: Microsoft LogicApps Support

Connector Metadata
Publisher: Microsoft
Website: https://azure.microsoft.com/services/azure-sentinel/

Microsoft Sentinel Connector

Connector in depth

Authentication

Triggers and actions in the Microsoft Sentinel connector can operate on behalf of any identity that has the necessary permissions (read and/or write) on the relevant workspace. The connector supports multiple identity types.

Permissions required

Roles / Connector components | Triggers | "Get" actions | Update incident, add a comment
Microsoft Sentinel Reader
Microsoft Sentinel Responder/Contributor

Learn more about permissions in Microsoft Sentinel.

Learn how to use the different authentication options.

Known issues and limitations

Cannot trigger a Logic App that starts with a Microsoft Sentinel trigger using the "Run Trigger" button

A user cannot use the "Run trigger" button on the Overview blade of the Logic Apps service to trigger a Microsoft Sentinel playbook.

Azure Logic Apps are triggered by a POST REST call whose body is the input for the trigger. Logic Apps that start with Microsoft Sentinel triggers expect the body of that call to contain a Microsoft Sentinel alert or incident. When the call comes from the Logic Apps Overview blade, the body is empty, so the trigger fails with an error.

These are the only proper ways to trigger Microsoft Sentinel playbooks:

  • Manual trigger in Microsoft Sentinel
  • Automated response of an analytics rule (directly or through an automation rule) in Microsoft Sentinel
  • Use the "Resubmit" button in an existing Logic Apps run blade
  • Call the Logic Apps endpoint directly (attaching an alert/incident as the body)

Updating the same incident in parallel "For each" loops

"For each" loops run in parallel by default, but can easily be set to run sequentially. If a "For each" loop might update the same Microsoft Sentinel incident in separate iterations, configure it to run sequentially so that the iterations do not overwrite each other's changes.
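As an added illustration (it is not code from the connector page or from Microsoft's playbook templates), the fragment below shows where that setting lives in a Logic Apps workflow definition. The runtimeConfiguration.concurrency.repetitions value of 1 on the "For each" action is what makes the loop sequential; when the block is omitted, iterations run in parallel. The loop body calls the connector's "Add comment to incident (V3)" action once per alert, so every iteration writes to the same incident, which is exactly the case the note above describes. The connection name azuresentinel, the action path /Incidents/Comment, and the trigger-body expressions used to read the incident ARM ID and its alerts are assumptions taken from the shape of exported playbooks, not values documented on this page; the two body keys, incidentArmId and message, are the parameters this page lists for that action.

```json
{
  "For_each_alert": {
    "type": "Foreach",
    "foreach": "@triggerBody()?['object']?['properties']?['alerts']",
    "runAfter": {},
    "runtimeConfiguration": {
      "concurrency": {
        "repetitions": 1
      }
    },
    "actions": {
      "Add_comment_to_incident_(V3)": {
        "type": "ApiConnection",
        "runAfter": {},
        "inputs": {
          "host": {
            "connection": {
              "name": "@parameters('$connections')['azuresentinel']['connectionId']"
            }
          },
          "method": "post",
          "path": "/Incidents/Comment",
          "body": {
            "incidentArmId": "@triggerBody()?['object']?['id']",
            "message": "<p>Alert reviewed by playbook: @{items('For_each_alert')?['properties']?['alertDisplayName']}</p>"
          }
        }
      }
    }
  }
}
```

Removing the runtimeConfiguration block (or setting repetitions above 1) restores the parallel default; two iterations can then read the incident, modify it, and write it back at the same time, with the last writer winning. The same setting is reachable in the designer through the loop's Settings pane (Concurrency Control, degree of parallelism 1).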

Restoring an alert's original query is currently not supported via Logic Apps

Using the Azure Monitor Logs connector to retrieve the events captured by a scheduled analytics rule is not consistently reliable:

  • Azure Monitor Logs does not support defining a custom time range. Restoring exactly the same query results requires the exact same time range as the original query.
  • Alerts may appear in the Log Analytics workspace only after a delay once the rule has triggered the playbook.

Available resources

Microsoft Sentinel docs

Microsoft Sentinel References

Azure Logic Apps

Creating a connection

The connector supports the following authentication types:

Default

Applicable: All regions

Parameters for creating connection.

This is not a shareable connection. If the power app is shared with another user, that user will be prompted to explicitly create a new connection.

Throttling Limits

Name Calls Renewal Period
API calls per connection 600 60 seconds

Actions

Add alert to incident

Add an alert to an existing incident. The alert joins the incident like any other alert and is shown in the portal.

Add comment to incident (V2)

Adds a comment to the selected incident

Add comment to incident (V3)

Adds a comment to the selected incident

Add comment to incident [DEPRECATED]

This action has been deprecated. Please use Add comment to incident (V3) instead.

Adds a comment to the selected incident

Add labels to incident (deprecated) [DEPRECATED]

Adds labels to the selected incident

Add task to incident

Adds a task to an existing incident

Alert - Get incident

Returns the incident associated with selected alert

Alert - Get incident

Returns the incident associated with selected alert

ASI trigger unsubscribe [DEPRECATED]

Unsubscribe

Bookmarks - Creates or updates a bookmark

Bookmarks - Creates or updates a bookmark

Bookmarks - Delete a bookmark

Bookmarks - Delete a bookmark

Bookmarks - Get a bookmark

Bookmarks - Get a bookmark by Id

Bookmarks - Get all bookmarks

Bookmarks - Get all bookmarks for a given workspace

Change incident description (V2) (deprecated) [DEPRECATED]

Changes the description of the selected incident

Change incident description [DEPRECATED]

Changes the description of the selected incident

Change incident severity (deprecated) [DEPRECATED]

Changes the severity of the selected incident

Change incident status (deprecated) [DEPRECATED]

Changes the status of the selected incident

Change incident title (V2) (deprecated) [DEPRECATED]

Changes the title of the selected incident

Change incident title [DEPRECATED]

Changes the title of the selected incident

Create incident

Create incident with provided fields

Entities - Get Accounts

Returns list of accounts associated with the alert

Entities - Get DNS

Returns list of DNS records associated with the alert

Entities - Get FileHashes

Returns list of File Hashes associated with the alert

Entities - Get Hosts

Returns list of hosts associated with the alert

Entities - Get IPs

Returns list of IPs associated with the alert

Entities - Get URLs

Returns list of URLs associated with the alert

Get incident

Get an incident by ARM ID

Mark a task as completed

Mark a task as completed

Remove alert from incident

Remove an alert from an existing incident.

Remove labels from incident (deprecated) [DEPRECATED]

Removes labels from the selected incident

Threat Intelligence - Upload Indicators of Compromise (Deprecated)

Threat Intelligence - Upload Indicators of Compromise

Threat Intelligence - Upload Indicators of Compromise (V2) (Preview)

Threat Intelligence - Upload Indicators of Compromise

Update incident

Update incident with provided fields

Watchlists - Add a new Watchlist Item

Watchlists - Add a new Watchlist Item

Watchlists - Create a large Watchlist using a SAS Uri

Watchlists - Create a large Watchlist using a SAS Uri

Watchlists - Create a new Watchlist with data (Raw Content)

Watchlists - Create a new Watchlist with data (Raw Content)

Watchlists - Delete a Watchlist

Watchlists - Delete a Watchlist

Watchlists - Delete a Watchlist Item

Watchlists - Delete a Watchlist Item

Watchlists - Get a Watchlist by alias

Watchlists - Get a Watchlist by alias

Watchlists - Get a Watchlist Item by ID (guid)

Watchlists - Get a Watchlist Item

Watchlists - Get all Watchlist Items for a given watchlist

Watchlists - Get all Watchlist Items for a given watchlist

Watchlists - Get all Watchlist Items for a given Watchlist (V2)

Watchlists - Get all Watchlist Items for a given Watchlist (V2)

Watchlists - Update an existing Watchlist Item

Watchlists - Update an existing Watchlist Item

Add alert to incident

Add an alert to an existing incident. The alert joins the incident like any other alert and is shown in the portal.

Parameters

Name Key Required Type Description
Incident ARM Id
incidentArmId True string

Incident ARM ID. Retrieve from Incident trigger, Alert - Get incident action or Azure Monitor Logs query.

System Alert Id
relatedResourceId True string

System alert ID to add to, or remove from, the incident. Retrieve it from an Azure Monitor Logs query or the Alert trigger. For example: dfc09ba0-c218-038d-2ad8-b198a0033bdb.

Returns

Represents an incident relation

Add comment to incident (V2)

Adds a comment to the selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

Specify comment
Value True string

Comment value

Returns

response
string

Add comment to incident (V3)

Adds a comment to the selected incident

Parameters

Name Key Required Type Description
Incident ARM id
incidentArmId True string

Incident ARM id

Incident comment message
message True html

Incident comment message

Returns

Represents an incident comment item

Incident Comment
IncidentComment

Add comment to incident [DEPRECATED]

This action has been deprecated. Please use Add comment to incident (V3) instead.

Adds a comment to the selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

Specify incident comment
comment True string

Incident comment

Returns

response
string

Add labels to incident (deprecated) [DEPRECATED]

Adds labels to the selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

label
Label True string

label

Returns

response
string

Add task to incident

Adds a task to an existing incident

Parameters

Name Key Required Type Description
Incident ARM id
incidentArmId True string

Incident ARM id

Title
taskTitle True string

Task title

Description
taskDescription html

Task description

Returns

Represents an incident task item

Incident task
IncidentTask

Alert - Get incident

Returns the incident associated with selected alert

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Specify alert id
alertId True string

System Alert Id

Returns

Represents an incident in Azure Security Insights.

Body
Incident

Alert - Get incident

Returns the incident associated with selected alert

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Specify alert id
alertId True string

System alert id

Returns

ASI trigger unsubscribe [DEPRECATED]

Unsubscribe

Returns

response
string

Bookmarks - Creates or updates a bookmark

Bookmarks - Creates or updates a bookmark

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Specify Bookmark Id
bookmarkId True string

Id of Bookmark

created
created date-time

The time the bookmark was created

email
email string

The email of the user.

name
name string

The name of the user.

objectId
objectId uuid

The object id of the user.

displayName
displayName True string

The display name of the bookmark

labels
labels string

Label that will be used to tag and filter on.

notes
notes string

The notes of the bookmark

query
query True string

The query of the bookmark.

queryResult
queryResult string

The query result of the bookmark.

updated
updated date-time

The last time the bookmark was updated

eventTime
eventTime date-time

The bookmark event time

queryStartTime
queryStartTime date-time

The start time for the query

queryEndTime
queryEndTime date-time

The end time for the query

Incident ARM ID
id string

The full qualified ARM ID of the incident.

Incident ARM Name
name string

The ARM name of the incident (GUID)

Incident Alerts Count
alertsCount integer

The number of alerts in the incident

Incident Bookmarks Count
bookmarksCount integer

The number of bookmarks in the incident

Incident Comments Count
commentsCount integer

The number of comments in the incident

Incident Alert product names
alertProductNames array of string

List of product names of alerts in the incident

Provider Incident Url
providerIncidentUrl string

The provider incident url to the incident in Microsoft 365 Defender portal

Incident Tactics
Incident Tactics string

Represents a tactic item which is associated with the incident

Incident Techniques
techniques array of string

The techniques associated with the incident's tactics

Incident Classification
classification string

The reason the incident was closed

Incident Classification Comment
classificationComment string

Describes the reason the incident was closed

Incident Classification Reason
classificationReason string

The classification reason the incident was closed with

Incident Created Time Utc
createdTimeUtc date-time

The time the incident was created

Incident Description
description string

The description of the incident

Incident First Activity Time UTC
firstActivityTimeUtc date-time

The time of the first activity in the incident

Incident URL
incidentUrl string

The deep-link url to the incident in Azure portal

Incident Sentinel ID
incidentNumber integer

A sequential number used to identify the incident in Microsoft Sentinel.

Incident Last Activity Time UTC
lastActivityTimeUtc date-time

The time of the last activity in the incident

Incident Severity
severity string

The severity of the incident

Incident Status
status string

The status of the incident

Incident Title
title string

The title of the incident

Name
labelName True string

The name of the tag

Type
labelType string

The type of the tag

Incident Last Modified Time UTC
lastModifiedTimeUtc date-time

The last time the incident was updated

Email
email string

The email of the user the incident is assigned to.

Assigned To
assignedTo string

The name of the user the incident is assigned to. (assignedTo field)

ObjectId
objectId uuid

The object id of the user the incident is assigned to.

User Principal Name
userPrincipalName string

The user principal name of the user the incident is assigned to.

Incident Related Analytic Rule Ids
relatedAnalyticRuleIds array of string

List of resource ids of Analytic rules related to the incident

ID
id string

The full qualified ARM ID of the comment.

Name
name string

The ARM name of the comment (GUID)

properties
properties

Represents Incident Comment Properties JSON.

Returns

Represents a bookmark in Azure Security Insights.

Body
Bookmark

Bookmarks - Delete a bookmark

Bookmarks - Delete a bookmark

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Specify Bookmark Id
bookmarkId True string

Id of Bookmark

Returns

response
string

Bookmarks - Get a bookmark

Bookmarks - Get a bookmark by Id

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Specify Bookmark Id
bookmarkId True string

Id of Bookmark

Returns

Represents a bookmark in Azure Security Insights.

Body
Bookmark

Bookmarks - Get all bookmarks

Bookmarks - Get all bookmarks for a given workspace

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Specify number of bookmarks
numberOfBookmarks True integer

Number of Bookmarks to return. 0 or negative to return all bookmarks

Returns

List all the bookmarks.

Change incident description (V2) (deprecated) [DEPRECATED]

Changes the description of the selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

Specify description
Value True string

Description value

Returns

response
string

Change incident description [DEPRECATED]

Changes the description of the selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

Specify description
fieldValue True string

Description value

Returns

response
string

Change incident severity (deprecated) [DEPRECATED]

Changes the severity of the selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

Specify severity
severity True string

Severity value

Returns

response
string

Change incident status (deprecated) [DEPRECATED]

Changes the status of the selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

Specify status
status True string

Status value

dynamicStatusChangerSchema
dynamicStatusChangerSchema dynamic

Dynamic Schema of incident status changer

Returns

response
string

Change incident title (V2) (deprecated) [DEPRECATED]

Changes the title of the selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

Specify title
Value True string

Title value

Returns

response
string

Change incident title [DEPRECATED]

Changes the title of the selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

Specify title
fieldValue True string

Title value

Returns

response
string

Create incident

Create incident with provided fields

Parameters

Name Key Required Type Description
Subscription
subscriptionId True string

Select subscription

Resource Group
resourceGroup True string

Select resource group

Workspace Name
workspaceName True string

Select Workspace

Specify incident fields
body True dynamic

Incident fields

Returns

Represents an incident in Azure Security Insights.

Body
Incident

Entities - Get Accounts

Returns list of accounts associated with the alert

Parameters

Name Key Required Type Description
Entities list
body True string

Entities list

Returns

A list of accounts associated with the alert

Entities - Get DNS

Returns list of DNS records associated with the alert

Parameters

Name Key Required Type Description
Entities list
body True string

Entities list

Returns

A list of DNS domains associated with the alert

Entities - Get FileHashes

Returns list of File Hashes associated with the alert

Parameters

Name Key Required Type Description
Entities list
body True string

Entities list

Returns

A list of File Hashes associated with the alert

Entities - Get Hosts

Returns list of hosts associated with the alert

Parameters

Name Key Required Type Description
Entities list
body True string

Entities list

Returns

A list of hosts associated with the alert

Entities - Get IPs

Returns list of IPs associated with the alert

Parameters

Name Key Required Type Description
Entities list
body True string

Entities list

Returns

A list of IPs associated with the alert

Entities - Get URLs

Returns list of URLs associated with the alert

Parameters

Name Key Required Type Description
Entities list
body True string

Entities list

Returns

A list of URLs associated with the alert

Get incident

Get an incident by ARM ID

Parameters

Name Key Required Type Description
Incident ARM id
incidentArmId True string

Incident ARM id

Returns

Represents an incident in Azure Security Insights.

Body
Incident

Mark a task as completed

Mark a task as completed

Parameters

Name Key Required Type Description
Task ARM id
taskArmId True string

Task ARM id

Returns

Represents an incident task item

Incident task
IncidentTask

Remove alert from incident

Remove an alert from an existing incident.

Parameters

Name Key Required Type Description
Incident ARM Id
incidentArmId True string

Incident ARM ID. Retrieve from Incident trigger, Alert - Get incident action or Azure Monitor Logs query.

System Alert Id
relatedResourceId True string

System alert ID to add to, or remove from, the incident. Retrieve it from an Azure Monitor Logs query or the Alert trigger. For example: dfc09ba0-c218-038d-2ad8-b198a0033bdb.

Returns

response
string

Remove labels from incident (deprecated) [DEPRECATED]

Removes labels from the selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

label
Label True string

label

Returns

response
string

Threat Intelligence - Upload Indicators of Compromise (Deprecated)

Threat Intelligence - Upload Indicators of Compromise

Parameters

Name Key Required Type Description
Specify workspace Id
workspaceId True string

Workspace id

Returns

Response from Threat Intelligence Upload Indicators.

Threat Intelligence - Upload Indicators of Compromise (V2) (Preview)

Threat Intelligence - Upload Indicators of Compromise

Parameters

Name Key Required Type Description
Specify workspace Id
workspaceId True string

Workspace id

Returns

Response from Threat Intelligence Upload Indicators.

Update incident

Update incident with provided fields

Parameters

Name Key Required Type Description
Specify incident fields to update
body True dynamic

Incident fields to update

Returns

Represents an incident in Azure Security Insights.

Body
Incident

Watchlists - Add a new Watchlist Item

Watchlists - Add a new Watchlist Item

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Specify watchlist alias
watchlistAlias True string

Watchlist alias

Returns

Represents a WatchlistItem in Azure Security Insights.

Watchlists - Create a large Watchlist using a SAS Uri

Watchlists - Create a large Watchlist using a SAS Uri

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Specify watchlist alias
watchlistAlias True string

Watchlist alias

Returns

Represents a Watchlist in Azure Security Insights.

Body
Watchlist

Watchlists - Create a new Watchlist with data (Raw Content)

Watchlists - Create a new Watchlist with data (Raw Content)

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Specify watchlist alias
watchlistAlias True string

Watchlist alias

Returns

Represents a Watchlist in Azure Security Insights.

Body
Watchlist

Watchlists - Delete a Watchlist

Watchlists - Delete a Watchlist

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Specify watchlist alias
watchlistAlias True string

Watchlist alias

Returns

response
string

Watchlists - Delete a Watchlist Item

Watchlists - Delete a Watchlist Item

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Specify watchlist alias
watchlistAlias True string

Watchlist alias

Specify Watchlist Item Id
watchlistItemId True string

Unique identifier for a watchlist item (GUID)

Returns

response
string

Watchlists - Get a Watchlist by alias

Watchlists - Get a Watchlist by alias

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Specify watchlist alias
watchlistAlias True string

Watchlist alias

Returns

Represents a Watchlist in Azure Security Insights.

Body
Watchlist

Watchlists - Get a Watchlist Item by ID (guid)

Watchlists - Get a Watchlist Item

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Specify watchlist alias
watchlistAlias True string

Watchlist alias

Specify Watchlist Item Id
watchlistItemId True string

Unique identifier for a watchlist item (GUID)

Returns

Represents a WatchlistItem in Azure Security Insights.

Watchlists - Get all Watchlist Items for a given watchlist

Watchlists - Get all Watchlist Items for a given watchlist

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Specify watchlist alias
watchlistAlias True string

Watchlist alias

Returns

List all the watchlist items.

Watchlists - Get all Watchlist Items for a given Watchlist (V2)

Watchlists - Get all Watchlist Items for a given Watchlist (V2)

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Specify watchlist alias
watchlistAlias True string

Watchlist alias

Skip Token
skipToken string

Skip token for the next set of 100 items to return

Returns

List all the watchlist items.

Watchlists - Update an existing Watchlist Item

Watchlists - Update an existing Watchlist Item

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Specify watchlist alias
watchlistAlias True string

Watchlist alias

Specify Watchlist Item Id
watchlistItemId True string

Unique identifier for a watchlist item (GUID)

Returns

Represents a WatchlistItem in Azure Security Insights.

Triggers

Microsoft Sentinel alert

When a response to a Microsoft Sentinel alert is triggered. This playbook is triggered by an analytics rule when a new alert is created, or by manual triggering. The playbook receives the alert as its input.

Microsoft Sentinel entity

Run playbook on Microsoft Sentinel entity

Microsoft Sentinel incident

When a response to a Microsoft Sentinel incident is triggered. This playbook is triggered by an automation rule when a new incident is created or updated. The playbook receives the Microsoft Sentinel incident as its input, including its alerts and entities.

When a response to a Microsoft Sentinel alert is triggered [DEPRECATED]

When a response to a Microsoft Sentinel alert is triggered. This playbook must be triggered using Microsoft Sentinel Real Time or from Azure

Microsoft Sentinel alert

When a response to a Microsoft Sentinel alert is triggered. This playbook is triggered by an analytics rule when a new alert is created, or by manual triggering. The playbook receives the alert as its input.

Returns

Body
Alert

Microsoft Sentinel entity

Run playbook on Microsoft Sentinel entity

Parameters

Name Key Required Type Description
Entity type
entityType True string

Entity type

Returns

The outputs of this operation are dynamic.

Microsoft Sentinel incident

When a response to a Microsoft Sentinel incident is triggered. This playbook is triggered by an automation rule when a new incident is created or updated. The playbook receives the Microsoft Sentinel incident as its input, including its alerts and entities.

Returns

When a response to a Microsoft Sentinel alert is triggered [DEPRECATED]

When a response to a Microsoft Sentinel alert is triggered. This playbook must be triggered using Microsoft Sentinel Real Time or from Azure

Returns

Body
Alert

Definitions

IndicatorValidationErrorsV2

Response from Threat Intelligence Upload Indicators.

Name Path Type Description
recordIndex
recordIndex integer
validationErrorMessages
validationErrorMessages array of string

IndicatorValidationErrors

Response from Threat Intelligence Upload Indicators.

Name Path Type Description
recordIndex
recordIndex integer
errorMessages
errorMessages array of string

BatchResponseAccount

A list of accounts associated with the alert

Name Path Type Description
Accounts
Accounts array of Account

A list of accounts associated with the alert

Account

Name Path Type Description
Name
Name string

Account name

NT domain
NTDomain string

NETBIOS domain name as it appears in the alert format

DnsDomain
DnsDomain string

The fully qualified domain DNS name

UPN suffix
UPNSuffix string

User principal name suffix

SID
Sid string

Account security identifier, e.g. S-1-5-18

AAD tenant ID
AadTenantId string

AAD tenant id, if known

AAD user ID
AadUserId string

AAD user id, if known

PUID
PUID string

The AAD Passport User ID, if known

Is domain joined
IsDomainJoined boolean

Determines whether this is a domain account

ObjectGuid
ObjectGuid string

The objectGUID attribute is a single-value attribute that is the unique identifier for the object, assigned by Active Directory

BatchResponseUrl

A list of URLs associated with the alert

Name Path Type Description
URLs
URLs array of UrlEntity

A list of URLs associated with the alert

UrlEntity

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| Url | Url | string | |

BatchResponseHost

A list of hosts associated with the alert

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| Hosts | Hosts | array of Host | A list of hosts associated with the alert |

Host

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| DNS domain | DnsDomain | string | DNS domain that this host belongs to |
| NT domain | NTDomain | string | NT domain that this host belongs to |
| Hostname | HostName | string | Hostname without the domain suffix |
| NetBiosName | NetBiosName | string | The host name (pre-Windows 2000) |
| OMSAgentID | OMSAgentID | string | The OMS agent id, if the host has the OMS agent installed |
| OSFamily | OSFamily | string | One of the following values: Linux, Windows, Android, IOS |
| OSVersion | OSVersion | string | A free text representation of the operating system |
| Is domain joined | IsDomainJoined | boolean | Determines whether this host belongs to a domain |
| AzureID | AzureID | string | The Azure resource id of the VM, if known |

BatchResponseIP

A list of IPs associated with the alert

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| IPs | IPs | array of IP | A list of IPs associated with the alert |

IP

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| Address | Address | string | IP address |

BatchResponseDNS

A list of DNS domains associated with the alert

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| DNS domains | Dnsresolutions | array of DNS | A list of DNS domains associated with the alert |

DNS

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| Domain Name | DomainName | string | The name of the DNS record associated with the alert |

BatchResponseFileHash

A list of file hashes associated with the alert

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| FileHashes | Filehashes | array of FileHash | A list of file hashes associated with the alert |

FileHash

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| Value | Value | string | File hash value |
| Algorithm | Algorithm | string | The file hash algorithm type |

OldIncident

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| properties | properties | OldIncidentProperties | |

OldIncidentProperties

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| Status | Status | string | The status of the incident |
| Labels | Labels | array of | The labels of the incident |
| Title | Title | string | The title of the incident |
| Description | Description | string | The description of the incident |
| End Time Utc | EndTimeUtc | string | The time the incident ended |
| Start Time Utc | StartTimeUtc | string | The start time of the incident |
| Last Updated Time Utc | LastUpdatedTimeUtc | string | The last update time of the incident |
| Number | CaseNumber | string | The number of the incident |
| Created Time Utc | CreatedTimeUtc | string | The time the incident was created |
| Severity | Severity | string | The severity of the incident |
| Related Alert Ids | RelatedAlertIds | array of | The related alert ids of the incident |

IncidentAdditionalData

Incident additional data property bag.

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| Incident Alerts Count | alertsCount | integer | The number of alerts in the incident |
| Incident Bookmarks Count | bookmarksCount | integer | The number of bookmarks in the incident |
| Incident Comments Count | commentsCount | integer | The number of comments in the incident |
| Incident Alert product names | alertProductNames | array of string | List of product names of alerts in the incident |
| Provider Incident Url | providerIncidentUrl | string | The provider incident URL to the incident in the Microsoft 365 Defender portal |
| Incident Tactics | tactics | array of AttackTactic | The tactics associated with the incident |
| Incident Techniques | techniques | array of string | The techniques associated with the incident's tactics |

IncidentLabel

Represents an incident tag

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| Name | labelName | string | The name of the tag |
| Type | labelType | string | The type of the tag |

IncidentOwnerInfo

Information on the user an incident is assigned to

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| Email | email | string | The email of the user the incident is assigned to. |
| Assigned To | assignedTo | string | The name of the user the incident is assigned to (assignedTo field). |
| ObjectId | objectId | uuid | The object id of the user the incident is assigned to. |
| User Principal Name | userPrincipalName | string | The user principal name of the user the incident is assigned to. |

AttackTactic

Represents a tactic item which is associated with the incident

AlertSeverity

The severity of the alert

Severity: string

HuntingBookmark

Represents a hunting bookmark item

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| ARM ID | id | string | The fully qualified ARM ID of the bookmark. |
| ARM Name | name | string | The ARM name of the bookmark (GUID) |
| properties | properties | HuntingBookmarkProperties | Represents HuntingBookmark Properties JSON. |

SecurityAlert

Represents a security alert item

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| ARM ID | id | string | The fully qualified ARM ID of the alert. |
| ARM Name | name | string | The ARM name of the alert (GUID) |
| properties | properties | SecurityAlertProperties | Represents Alert Properties JSON. |

HuntingBookmarkProperties

Represents HuntingBookmark Properties JSON.

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| Display Name | displayName | string | The display name of the bookmark |
| Created | created | date-time | The created time of the bookmark |
| Updated | updated | date-time | The updated time of the bookmark |
| Created By User Info | createdBy | CreatedByUserInfo | Represents UserInfo Properties JSON. |
| Updated By User Info | updatedBy | UpdatedByUserInfo | Represents UserInfo Properties JSON. |
| Event Time | eventTime | date-time | The event time of the bookmark |
| Notes | notes | string | The notes of the bookmark |
| Labels | labels | array of string | The labels of the bookmark |
| Query | query | string | The query of the bookmark |
| Query Result | queryResult | string | The query result of the bookmark |

SecurityAlertProperties

Represents Alert Properties JSON.

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| Friendly Name | friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated. |
| Display Name | alertDisplayName | string | The display name of the alert |
| Type | alertType | string | For a scheduled alert, this is the analytics rule id. |
| URI | alertLink | string | The link to the alert in the original vendor. |
| Compromised Entity | compromisedEntity | string | Display name of the main entity being reported on. |
| Confidence Level | confidenceLevel | string | The confidence level of this alert. |
| Description | description | string | The description of the alert. |
| End Time UTC | endTimeUtc | date-time | The impact end time of the alert (the time of the last event contributing to the alert). |
| Provider ID | providerAlertId | string | The identifier of the alert inside the product which generated the alert. |
| Product Name | productName | string | The name of the product which published this alert. |
| Remediation Steps | remediationSteps | array of string | List of manual action items to take to remediate the alert. |
| Severity | severity | AlertSeverity | The severity of the alert |
| Start Time | startTimeUtc | date-time | The impact start time of the alert (the time of the first event contributing to the alert). |
| Status | status | string | The lifecycle status of the alert. |
| System ID | systemAlertId | string | Holds the product identifier of the alert for the product. |
| Tactics | tactics | array of AttackTactic | List of the alert tactics. |
| Time Generated | timeGenerated | date-time | The time the alert was generated. |
| Query | additionalData.Query | string | The query used to decide if the alert should be triggered (scheduled alerts only). |
| Query Start Time | additionalData.Query Start Time UTC | string | The start time of the query used to decide if the alert should be triggered (scheduled alerts only). |
| Query End Time | additionalData.Query End Time UTC | string | The end time of the query used to decide if the alert should be triggered (scheduled alerts only). |
| Query Operator | additionalData.Trigger Operator | string | The operator used to decide if the alert should be triggered (scheduled alerts only). |
| Query Threshold | additionalData.Trigger Threshold | string | The threshold used to decide if the alert should be triggered (scheduled alerts only). |
| Custom Details | additionalData.Custom Details | string | Custom event details added to the alert by the analytics rules (scheduled alerts only). To use this field, follow it with a "Parse JSON" action, and use a sample payload from an existing alert to simulate the schema. |
| Resource Identifiers | resourceIdentifiers | array of object | The resource identifiers of the alert |
| items | resourceIdentifiers | object | Represents an alert resource identifier. |

Incident

Represents an incident in Azure Security Insights.

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| Incident ARM ID | id | string | The fully qualified ARM ID of the incident. |
| Incident ARM Name | name | string | The ARM name of the incident (GUID) |
| properties | properties | IncidentProperties | Represents the Incident Properties JSON. |

FullIncident

Get an incident by ARM ID

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| Incident ARM ID | id | string | The fully qualified ARM ID of the incident. |
| Incident ARM Name | name | string | The ARM name of the incident (GUID) |
| properties | properties | FullIncidentProperties | Represents the Incident Properties JSON. |

IncidentProperties

Represents the Incident Properties JSON.

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| additionalData | additionalData | IncidentAdditionalData | Incident additional data property bag. |
| Incident Classification | classification | string | The reason the incident was closed |
| Incident Classification Comment | classificationComment | string | Describes the reason the incident was closed |
| Incident Classification Reason | classificationReason | string | The classification reason the incident was closed with |
| Incident Created Time Utc | createdTimeUtc | date-time | The time the incident was created |
| Incident Description | description | string | The description of the incident |
| Incident First Activity Time UTC | firstActivityTimeUtc | date-time | The time of the first activity in the incident |
| Incident URL | incidentUrl | string | The deep-link URL to the incident in the Azure portal |
| Incident Sentinel ID | incidentNumber | integer | A sequential number used to identify the incident in Microsoft Sentinel. |
| Incident Last Activity Time UTC | lastActivityTimeUtc | date-time | The time of the last activity in the incident |
| Incident Severity | severity | string | The severity of the incident |
| Incident Status | status | string | The status of the incident |
| Incident Title | title | string | The title of the incident |
| Incident Tags | labels | array of IncidentLabel | List of tags associated with this incident |
| Incident Last Modified Time UTC | lastModifiedTimeUtc | date-time | The last time the incident was updated |
| Incident Owner | owner | IncidentOwnerInfo | Information on the user an incident is assigned to |
| Incident Related Analytic Rule Ids | relatedAnalyticRuleIds | array of string | List of resource ids of analytics rules related to the incident |
| Comments | Comments | array of IncidentComment | List of comments on this incident. |

FullIncidentProperties

Represents the Incident Properties JSON.

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| additionalData | additionalData | IncidentAdditionalData | Incident additional data property bag. |
| Incident Classification | classification | string | The reason the incident was closed |
| Incident Classification Comment | classificationComment | string | Describes the reason the incident was closed |
| Incident Classification Reason | classificationReason | string | The classification reason the incident was closed with |
| Incident Created Time Utc | createdTimeUtc | date-time | The time the incident was created |
| Incident Description | description | string | The description of the incident |
| Incident First Activity Time UTC | firstActivityTimeUtc | date-time | The time of the first activity in the incident |
| Incident URL | incidentUrl | string | The deep-link URL to the incident in the Azure portal |
| Incident Sentinel ID | incidentNumber | integer | A sequential number used to identify the incident in Microsoft Sentinel. |
| Incident Last Activity Time UTC | lastActivityTimeUtc | date-time | The time of the last activity in the incident |
| Incident Severity | severity | string | The severity of the incident |
| Incident Status | status | string | The status of the incident |
| Incident Title | title | string | The title of the incident |
| Incident Tags | labels | array of IncidentLabel | List of tags associated with this incident |
| Incident Last Modified Time UTC | lastModifiedTimeUtc | date-time | The last time the incident was updated |
| Incident Owner | owner | IncidentOwnerInfo | Information on the user an incident is assigned to |
| Incident Related Analytic Rule Ids | relatedAnalyticRuleIds | array of string | List of resource ids of analytics rules related to the incident |
| Comments | Comments | array of IncidentComment | List of comments on this incident. |
| Alerts | Alerts | array of SecurityAlert | List of alerts related to this incident. |
| Bookmarks | Bookmarks | array of HuntingBookmark | List of bookmarks related to this incident. |
| Entities | relatedEntities | string | List of entities related to the incident; can contain entities of different types |

IncidentEventNotification

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| Updated Field Names | incidentUpdates.updatedFields | array of string | The names of the fields updated in the incident |
| Update Time | incidentUpdates.updatedTime | date-time | The time of the incident update event |
| Source | incidentUpdates.updatedBy.source | string | The actor which updated the incident: User, External application, Playbook, Automation rule, Microsoft 365 Defender or Alert Grouping |
| Name | incidentUpdates.updatedBy.name | string | The name of the user, application, automation rule or playbook which updated the incident |
| Incident Alerts | incidentUpdates.alerts | array of SecurityAlert | List of alerts added to this incident. |
| Incident Tags | incidentUpdates.labels | array of IncidentLabel | List of tags added to this incident |
| Incident Comments | incidentUpdates.comments | array of IncidentComment | List of comments added to this incident. |
| Incident Tactics | incidentUpdates.tactics | array of AttackTactic | The tactics associated with the incident |
| Subscription ID | workspaceInfo.SubscriptionId | string | The subscription ID of the Microsoft Sentinel workspace |
| Resource Group Name | workspaceInfo.ResourceGroupName | string | The resource group of the Microsoft Sentinel workspace |
| Workspace Name | workspaceInfo.WorkspaceName | string | The Microsoft Sentinel workspace name |
| Workspace ID | workspaceId | string | The workspace ID of the incident. |
| object | object | FullIncident | Get an incident by ARM ID |

CreatedByUserInfo

Represents UserInfo Properties JSON.

Created By User Info

UpdatedByUserInfo

Represents UserInfo Properties JSON.

Updated By User Info

Alert

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| Product name | ProductName | string | Name of the product which published this alert |
| Alert type | AlertType | string | Type name of the alert |
| Start time (UTC) | StartTimeUtc | date-time | Start time of the alert, when the first contributing event was detected |
| End time (UTC) | EndTimeUtc | date-time | End time of the alert, when the last contributing event was detected |
| Time generated (UTC) | TimeGenerated | date-time | The time the alert was generated |
| Severity | Severity | string | The severity of the alert as it is reported by the provider |
| Provider alert ID | ProviderAlertId | string | Unique id for the specific alert instance, set by the provider |
| System alert ID | SystemAlertId | string | Unique ID for the specific alert instance |
| Alert display name | AlertDisplayName | string | Display name of the alert |
| Description | Description | string | Alert description |
| Entities | Entities | string | A list of entities related to the alert; can include multiple entity types |
| Extended properties | ExtendedProperties | string | A list of fields which will be presented to the user |
| Workspace ID | WorkspaceId | string | The ID of the workspace of the alert |
| Resource group | WorkspaceResourceGroup | string | The resource group of the alert |
| Subscription ID | WorkspaceSubscriptionId | string | The ID of the subscription of the alert |
| Extended links | ExtendedLinks | array of object | A list of links related to the alert; can include multiple types |

IncidentComment

Represents an incident comment item

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| ID | id | string | The fully qualified ARM ID of the comment. |
| Name | name | string | The ARM name of the comment (GUID) |
| properties | properties | IncidentCommentProperties | Represents Incident Comment Properties JSON. |

IncidentCommentProperties

Represents Incident Comment Properties JSON.

IncidentTask

Represents an incident task item

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| ID | id | string | The fully qualified ARM ID of the task. |
| Name | name | string | The ARM name of the task |
| properties | properties | IncidentTaskProperties | Represents incident task properties. |

IncidentTaskProperties

Represents incident task properties.

IncidentRelation

Represents an incident relation

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| ID | id | string | The fully qualified ARM ID of the incident relation. |
| Name | name | string | The ARM name of the incident relation |
| properties | properties | IncidentRelationProperties | Represents an incident relation properties JSON. |

IncidentRelationProperties

Represents an incident relation properties JSON.

Watchlist

Represents a Watchlist in Azure Security Insights.

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| properties | properties | WatchlistProperties | Describes watchlist properties |

WatchlistProperties

Describes watchlist properties

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| watchlistId | watchlistId | string | The id (a GUID) of the watchlist |
| displayName | displayName | string | The display name of the watchlist |
| provider | provider | string | The provider of the watchlist |
| source | source | string | The source of the watchlist |
| created | created | date-time | The time the watchlist was created |
| updated | updated | date-time | The last time the watchlist was updated |
| createdBy | createdBy | UserInfo | User information that made some action |
| updatedBy | updatedBy | UserInfo | User information that made some action |
| description | description | string | A description of the watchlist |
| watchlistType | watchlistType | string | The type of the watchlist |
| watchlistAlias | watchlistAlias | string | The alias of the watchlist |
| isDeleted | isDeleted | boolean | A flag that indicates if the watchlist is deleted or not |
| labels | labels | array of Label | List of labels relevant to this watchlist |
| defaultDuration | defaultDuration | duration | The default duration of a watchlist (in ISO 8601 duration format) |
| tenantId | tenantId | string | The tenant ID the watchlist belongs to |
| numberOfLinesToSkip | numberOfLinesToSkip | integer | The number of lines in csv/tsv content to skip before the header |
| rawContent | rawContent | string | The raw content that represents the watchlist items to create. For csv/tsv content types, it is the content of the file that will be parsed by the endpoint |
| itemsSearchKey | itemsSearchKey | string | The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. |
| contentType | contentType | string | The content type of the raw content. Example: text/csv or text/tsv |
| uploadStatus | uploadStatus | string | The status of the watchlist upload: New, InProgress or Complete. Please note: when a watchlist upload status is equal to InProgress, the watchlist cannot be deleted |
| watchlistItemsCount | watchlistItemsCount | integer | The number of watchlist items in the watchlist |

WatchlistItemList

List all the watchlist items.

WatchlistItem

Represents a WatchlistItem in Azure Security Insights.

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| WatchlistItem Full ARM ID | id | string | The fully qualified ID of the watchlist item. |
| WatchlistItem Unique ID | name | string | Corresponds to the WatchlistItem ID (GUID) |
| WatchlistItem etag | etag | string | Corresponds to the etag (GUID) |
| WatchlistItem type | type | string | Corresponds to the WatchlistItem type |
| value | value | object | Watchlist item entity details. |

Bookmark

Represents a bookmark in Azure Security Insights.

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| properties | properties | BookmarkProperties | Describes bookmark properties |

BookmarkList

List all the bookmarks.

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| nextLink | nextLink | string | URL to fetch the next set of cases. |
| value | value | array of Bookmark | Array of bookmarks. |

BookmarkProperties

Describes bookmark properties

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| created | created | date-time | The time the bookmark was created |
| createdBy | createdBy | UserInfo | User information that made some action |
| displayName | displayName | string | The display name of the bookmark |
| labels | labels | array of Label | List of labels relevant to this bookmark |
| notes | notes | string | The notes of the bookmark |
| query | query | string | The query of the bookmark. |
| queryResult | queryResult | string | The query result of the bookmark. |
| updated | updated | date-time | The last time the bookmark was updated |
| updatedBy | updatedBy | UserInfo | User information that made some action |
| eventTime | eventTime | date-time | The bookmark event time |
| queryStartTime | queryStartTime | date-time | The start time for the query |
| queryEndTime | queryEndTime | date-time | The end time for the query |
| incidentInfo | incidentInfo | Incident | Represents an incident in Azure Security Insights. |

UserInfo

User information that made some action

| Name | Path | Type | Description |
| --- | --- | --- | --- |
| email | email | string | The email of the user. |
| name | name | string | The name of the user. |
| objectId | objectId | uuid | The object id of the user. |

Label

Label that will be used to tag and filter on.

string

This is the basic data type 'string'.