Azure Sentinel (Preview)

Cloud-native SIEM with a built-in AI so you can focus on what matters most
This connector is available in the following products and regions:
Service | Class | Regions |
---|---|---|
Logic Apps | Standard | All Logic Apps regions except Azure China regions |
Contact | |
---|---|
Name | Microsoft |
URL | Microsoft LogicApps Support |
Connector Metadata | |
---|---|
Publisher | Microsoft |
Website | https://azure.microsoft.com/services/azure-sentinel/ |
Azure Sentinel Connector
Authentication
Triggers and actions in the Azure Sentinel connector can operate on behalf of any identity that has the necessary permissions (read and/or write) on the relevant workspace. The connector supports multiple identity types:
- Azure AD user
- Service principal (Azure AD application)
Permissions required
Connector components/roles | Azure Sentinel Responder/Contributor | Azure Sentinel Reader |
---|---|---|
Triggers | ✓ | ✓ |
"Get" actions | ✓ | ✓ |
Update incident, add a comment | ✓ | ✗ |
Learn more about permissions in Azure Sentinel.
Authenticate as an Azure AD user
To make a connection, select Sign in. You will be prompted to provide your account information. Once you have done so, follow the remaining instructions on the screen to create a connection.
Authenticate as a service principal (Azure AD application)
Service principals are created by registering an Azure AD application. Prefer a registered application over a user account as the connector's identity: you can scope its permissions to exactly what the playbook needs, manage and rotate its credentials, and restrict how the connector may be used.
To use your own application with the Azure Sentinel connector, perform the following steps:
Register the application with Azure AD and create a service principal. Learn how.
Get credentials (for future authentication).
In the registered application blade, get the application credentials for later signing in:
- Client ID: under Overview
- Client secret: under Certificates & secrets.
Grant permissions to the Azure Sentinel workspace.
In this step, the application is granted permission to work with the Azure Sentinel workspace.
In the Azure Sentinel workspace, go to Settings -> Workspace Settings -> Access control (IAM)
Select Add role assignment.
Select the role you wish to assign to the application. For example, to allow the application to perform actions that will make changes in the Sentinel workspace, like updating an incident, select the Azure Sentinel Contributor role. For actions which only read data, the Azure Sentinel Reader role is sufficient. Read more about the available roles in Azure Sentinel.
Find the required application and save. By default, Azure AD applications aren't displayed in the available options. To find your application, search for the name and select it.
Authenticate
In this step we use the app credentials to authenticate to the Sentinel connector in Logic Apps.
- Select Connect with Service Principal.
- Fill in the required parameters (can be found in the registered application blade)
- Tenant Id: under Overview
- Client Id: under Overview
- Client Secret: under Certificates & secrets
Manage your API connections
The first time you authenticate, a new Azure resource of type API Connection is created. The same API connection can be reused by all Azure Sentinel actions and triggers in the same resource group.
All the API connections can be found in the API connections blade (search for API connections in the Azure portal).
You can also find them by going to the Resources blade and filtering the display by type API Connection. This way allows you to select multiple connections for bulk operations.
In order to change the authorization of an existing connection, enter the connection resource, and select Edit API connection.
Azure Sentinel actions summary
Component | When to use it |
---|---|
Alert - Get Incident | In playbooks that start with Alert trigger. Useful for getting the incident properties, or retrieving the Incident ARM ID to use with the Update incident or Add comment to incident actions. |
Get Incident | When triggering a playbook from an external source or with a non-Sentinel trigger. Identify with an Incident ARM ID. Retrieves the incident properties and comments. |
Update Incident | To change an incident's Status (for example, when closing the incident), assign an Owner, add or remove a tag, or to change its Severity, Title, or Description. |
Add comments to incident | To enrich the incident with information collected from external sources; to audit the actions taken by the playbook on the entities; to supply additional information valuable for incident investigation. |
Entities - Get <entity type> | In playbooks that work on a specific entity type (IP, Account, Host, URL or FileHash) which is known at playbook creation time, and you need to be able to parse it and work on its unique fields. |
Actions on Incidents - Usage Examples
[!TIP] The actions Update Incident and Add a Comment to Incident require the Incident ARM ID.
Use the Alert - Get Incident action beforehand to get the Incident ARM ID.
Update an incident
Basic playbook to show how to use the action in a playbook that starts with an alert:
Use Incident Information
Basic playbook to send incident details over mail:
Add a comment to the incident
Basic playbook to show how to use the action in a playbook that starts with an alert:
Work with specific Entity type
The Entities dynamic field is an array of JSON objects, each of which represents an entity. Each entity type has its own schema, depending on its unique properties.
The "Entities - Get <entity name>" action allows you to do the following:
- Filter the array of entities by the requested type.
- Parse the specific fields of this type, so they can be used as dynamic fields in further actions.
The input is the Entities dynamic field.
The response is an array of entities, where the special properties are parsed and can be directly used in a For each loop.
Currently supported entity types are Account, FileHash, Host, IP and URL (the Entities - Get Accounts, FileHashes, Hosts, IPs and URLs actions listed below).
For other entity types, the same functionality can be achieved with built-in Logic Apps actions:
- Filter the array of entities by the requested type using Filter Array.
- Parse the specific fields of this type, so they can be used as dynamic fields in further actions using Parse Json.
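The filter-then-parse step described above, as an added example that is not the connector's own code. It does in Python what "Entities - Get <entity type>" does for the five supported types and what Filter Array + Parse JSON do for any other type. It assumes each entity object carries its type in a "Type" property with values such as "account", "ip", "host", "url", "filehash" and "dns" (an assumption about the alert entity format, not stated on this page); the projected field names are the ones in the Account, Host, IP, UrlEntity and FileHash definitions below, and the sample Entities array is constructed.

```python
"""Filter an alert's Entities array by type and project matches onto that type's schema.
Added example, not the Azure Sentinel connector's code. ASSUMPTION: entities carry a
"Type" property (matched case-insensitively); sample data below is constructed."""

# Batch-response key and field list per supported type, taken from the connector's
# BatchResponseAccount/Host/IP/Url/FileHash definitions on this page.
ENTITY_SCHEMAS = {
    "account": ("Accounts", ["Name", "NTDomain", "DnsDomain", "UPNSuffix", "Sid", "AadTenantId",
                             "AadUserId", "PUID", "IsDomainJoined", "ObjectGuid"]),
    "host": ("Hosts", ["DnsDomain", "NTDomain", "HostName", "NetBiosName", "OMSAgentID",
                       "OSFamily", "OSVersion", "IsDomainJoined", "AzureID"]),
    "ip": ("IPs", ["Address"]),
    "url": ("URLs", ["Url"]),
    "filehash": ("FileHashes", ["Value", "Algorithm"]),
}

# Constructed sample: what the trigger's Entities dynamic field might contain.
SAMPLE_ENTITIES = [
    {"$id": "2", "Name": "jdoe", "UPNSuffix": "contoso.example",
     "AadUserId": "00000000-0000-0000-0000-000000000001", "IsDomainJoined": True, "Type": "account"},
    {"$id": "3", "Address": "203.0.113.7", "Type": "ip"},
    {"$id": "4", "HostName": "ws01", "DnsDomain": "corp.contoso.example", "OSFamily": "Windows", "Type": "host"},
    {"$id": "5", "Url": "http://malware.example/payload.bin", "Type": "url"},
    {"$id": "6", "Value": "44d88612fea8a8f36de82e1278abb02f", "Algorithm": "MD5", "Type": "FileHash"},
    {"$id": "7", "DomainName": "malware.example", "Type": "dns"},   # not a connector-supported type
    {"$id": "8", "Address": "198.51.100.9"},                        # malformed: no Type, must be skipped
]


def filter_and_parse(entities, entity_type, fields):
    """Generic equivalent of Filter Array + Parse JSON: keep entities whose Type matches
    (case-insensitively) and project them onto `fields`, filling absent fields with None
    so later actions can reference every field without a null-check failing the run."""
    wanted = entity_type.lower()
    parsed = []
    for entity in entities:
        if not isinstance(entity, dict) or not isinstance(entity.get("Type"), str):
            continue                      # skip malformed entries instead of failing the playbook
        if entity["Type"].lower() != wanted:
            continue
        parsed.append({field: entity.get(field) for field in fields})
    return parsed


def get_entities(entities, entity_type):
    """Equivalent of "Entities - Get <entity type>": returns the batch-response shape
    ({"IPs": [...]}, {"Accounts": [...]}, ...) whose list a For each loop iterates over."""
    key = entity_type.lower()
    if key not in ENTITY_SCHEMAS:
        raise ValueError(f"unsupported entity type {entity_type!r}; use filter_and_parse()")
    container, fields = ENTITY_SCHEMAS[key]
    return {container: filter_and_parse(entities, key, fields)}


if __name__ == "__main__":
    for ip in get_entities(SAMPLE_ENTITIES, "ip")["IPs"]:        # what the For each would see
        print("IP:", ip["Address"])
    print("DNS:", filter_and_parse(SAMPLE_ENTITIES, "dns", ["DomainName"]))
```

The projection onto the schema is what makes the output safe to use as dynamic fields: an entity missing a property yields None rather than a missing key, and an entry without a recognisable Type is dropped rather than aborting the run.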
Known issues and limitations
Cannot trigger a Logic App that starts with an Azure Sentinel trigger using the "Run Trigger" button
This item refers to the button on the overview blade of the Logic Apps resource.
A Logic App is triggered by a POST REST call whose body is the input for the trigger. Logic Apps that start with Azure Sentinel triggers expect an alert or an incident in the body of that call. When triggered from the Logic Apps overview blade the body is empty, so an error is expected. Proper ways to trigger:
- Manual trigger in Azure Sentinel
- Automated response of an analytic rule in Azure Sentinel
- Use the "Resubmit" button in an existing Logic Apps run blade
- Call the Logic Apps endpoint directly (attaching an alert/incident as the body)
Updating the same incident in parallel For each loops
For each loops are set by default to run in parallel, but can be easily set to run sequentially. If a for each loop might update the same Azure Sentinel incident in separate iterations, it should be configured to run sequentially.
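Two of the points above, the role a playbook's identity needs (Reader for triggers and "Get" actions, Responder/Contributor for anything that changes an incident) and the parallel For each caveat, can be checked statically from the playbook's workflow definition. The following is an added example, not code from this page or from Microsoft: it walks a Logic Apps workflow definition (the standard "actions" dictionary, with Foreach, Scope, Until and If containers nesting their own "actions", and If carrying "else": {"actions"}), recognises Sentinel connector calls by their API connection reference, classifies them by HTTP method (GET needs only the Reader role, anything else needs Responder/Contributor; this classification is the example's own heuristic), reports incident-modifying calls that sit inside a parallel For each, and rewrites such loops to run sequentially via runtimeConfiguration.concurrency.repetitions = 1. The sample definition is constructed and its "path" values are illustrative, not the connector's routes.

```python
"""Static check of a Logic Apps playbook definition against the Azure Sentinel connector's
permission table and the parallel For each caveat. Added example, not connector code.
ASSUMPTIONS: standard workflow-definition shape; Sentinel calls identified by the
connection name "azuresentinel"; GET = read, other methods = write."""
import copy
import json

SENTINEL_CONNECTION_KEY = "azuresentinel"   # connection name used in $connections

# Constructed sample: a playbook that starts from the alert trigger, looks up the
# incident, then comments on it once per IP entity inside a For each that has no
# concurrency setting and therefore runs in parallel by default.
SAMPLE_DEFINITION = json.loads('''
{
  "actions": {
    "Alert_-_Get_incident": {
      "type": "ApiConnection",
      "inputs": {
        "host": {"connection": {"name": "@parameters('$connections')['azuresentinel']['connectionId']"}},
        "method": "get",
        "path": "/Incidents/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
      }
    },
    "For_each_IP": {
      "type": "Foreach",
      "foreach": "@body('Entities_-_Get_IPs')?['IPs']",
      "actions": {
        "Add_comment_to_incident_(V3)": {
          "type": "ApiConnection",
          "inputs": {
            "host": {"connection": {"name": "@parameters('$connections')['azuresentinel']['connectionId']"}},
            "method": "post",
            "path": "/Incidents/Comment",
            "body": {"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
                     "message": "<p>Reputation checked for @{items('For_each_IP')?['Address']}</p>"}
          }
        }
      }
    }
  }
}
''')


def _children(action):
    """Nested action dicts of a container (Foreach/Scope/Until/If, plus If's else branch)."""
    for block in (action.get("actions"), action.get("else", {}).get("actions")):
        if block:
            yield block


def _is_sequential(foreach):
    """True only when the loop is explicitly configured to run one iteration at a time."""
    reps = foreach.get("runtimeConfiguration", {}).get("concurrency", {}).get("repetitions")
    return reps == 1 or foreach.get("operationOptions") == "Sequential"


def _iter_actions(actions, in_parallel_loop=False):
    """Depth-first walk yielding (name, action, inside_a_parallel_foreach)."""
    for name, action in actions.items():
        yield name, action, in_parallel_loop
        nested = in_parallel_loop or (action.get("type") == "Foreach" and not _is_sequential(action))
        for block in _children(action):
            yield from _iter_actions(block, nested)


def _sentinel_method(action, key=SENTINEL_CONNECTION_KEY):
    """HTTP method of a Sentinel connector call, or None if the action is not one."""
    if action.get("type") != "ApiConnection":
        return None
    inputs = action.get("inputs", {})
    if key not in json.dumps(inputs.get("host", {}).get("connection", {})):
        return None
    return inputs.get("method", "get").lower()


def analyze(definition, key=SENTINEL_CONNECTION_KEY):
    """Minimum Sentinel role for the playbook's identity, plus incident-modifying calls
    that run inside a parallel For each (the known issue above)."""
    reads, writes, parallel_writes = [], [], []
    for name, action, parallel in _iter_actions(definition.get("actions", {})):
        method = _sentinel_method(action, key)
        if method is None:
            continue
        (reads if method == "get" else writes).append(name)
        if method != "get" and parallel:
            parallel_writes.append(name)
    role = "Azure Sentinel Responder/Contributor" if writes else "Azure Sentinel Reader"
    return {"minimum_role": role, "read_actions": reads,
            "write_actions": writes, "parallel_write_actions": parallel_writes}


def fix_parallel_writes(definition, key=SENTINEL_CONNECTION_KEY):
    """Copy of the definition in which every Foreach containing a Sentinel write is
    forced to run sequentially (runtimeConfiguration.concurrency.repetitions = 1)."""
    fixed = copy.deepcopy(definition)

    def visit(actions):
        for action in actions.values():
            if action.get("type") == "Foreach" and any(
                    _sentinel_method(a, key) not in (None, "get")
                    for _, a, _ in _iter_actions(action.get("actions", {}))):
                action.setdefault("runtimeConfiguration", {}).setdefault("concurrency", {})["repetitions"] = 1
            for block in _children(action):
                visit(block)

    visit(fixed.get("actions", {}))
    return fixed


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_DEFINITION), indent=2))
    print(json.dumps(analyze(fix_parallel_writes(SAMPLE_DEFINITION)), indent=2))
```

Running it against the sample reports that the identity needs Responder/Contributor (because of the comment action) and that the comment runs inside a parallel loop; after fix_parallel_writes the second finding disappears while the role requirement stays, which is the expected outcome: least privilege is decided by the write actions, sequencing by where they sit.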
Restoring an alert's original query is currently not supported via Logic Apps
Using the Azure Monitor Logs connector to retrieve the events captured by a scheduled analytics rule is not consistently reliable:
- Azure Monitor Logs does not support defining a custom time range, and restoring exactly the same query results requires exactly the same time range as the original query.
- Alerts may be delayed in appearing in the Log Analytics workspace after the rule triggers the playbook.
Available resources
Azure Sentinel
- Azure Sentinel Github templates gallery
- Azure Sentinel playbooks documentation
- Azure Sentinel API reference
Azure Logic Apps
Creating a connection
The connector supports the following authentication types:
Type | Description | Applicable |
---|---|---|
Default | Required parameters for creating connection. | All regions |
Default
Applicable: All regions
Required parameters for creating connection.
Throttling Limits
Name | Calls | Renewal Period |
---|---|---|
API calls per connection | 600 | 60 seconds |
Actions
Action | Description |
---|---|
Add comment to incident (V2) | Adds comment to selected incident |
Add comment to incident (V3) | Adds comment to selected incident |
Add comment to incident [DEPRECATED] | This action has been deprecated. Please use Add comment to incident (V3) instead. |
Add labels to incident (to be deprecated) | Adds labels to selected incident |
Alert - Get incident | Returns the incident associated with selected alert |
Alert - Get incident | Returns the incident associated with selected alert |
ASI trigger unsubscribe [DEPRECATED] | Unsubscribe |
Change incident description | Changes the description of the selected incident |
Change incident description (V2) (to be deprecated) | Changes the description of the selected incident |
Change incident severity (to be deprecated) | Changes the severity of the selected incident |
Change incident status (to be deprecated) | Changes the status of the selected incident |
Change incident title | Changes the title of the selected incident |
Change incident title (V2) (to be deprecated) | Changes the title of the selected incident |
Entities - Get Accounts | Returns list of accounts associated with the alert |
Entities - Get FileHashes | Returns list of File Hashes associated with the alert |
Entities - Get Hosts | Returns list of hosts associated with the alert |
Entities - Get IPs | Returns list of IPs associated with the alert |
Entities - Get URLs | Returns list of URLs associated with the alert |
Get incident | Get an incident by ARM ID |
Remove labels from incident (to be deprecated) | Removes labels from selected incident |
Update incident | Update incident with provided fields |
Add comment to incident (V2)
Adds comment to selected incident
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Alert subscription id |
Specify resource group | resourceGroup | True | string | Alert resource group |
Specify workspace id | workspaceId | True | string | Alert workspace id |
Identifier | identifier | True | string | Incident / alert |
Specify alert / incident | id | True | string | Please provide the incident number / alert id |
Specify comment | Value | True | string | Comment value |
Returns
- response
- string
Add comment to incident (V3)
Adds comment to selected incident
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Incident ARM id | incidentArmId | True | string | Incident ARM id |
Incident comment message | message | True | html | Incident comment message |
Returns
Represents an incident comment item
- Incident Comment
- IncidentComment
Add comment to incident [DEPRECATED]
This action has been deprecated. Please use Add comment to incident (V3) instead.
Adds comment to selected incident
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Alert subscription id |
Specify resource group | resourceGroup | True | string | Alert resource group |
Specify workspace id | workspaceId | True | string | Alert workspace id |
Identifier | identifier | True | string | Incident / alert |
Specify alert / incident | id | True | string | Please provide the incident number / alert id |
Specify incident comment | comment | True | string | Incident comment |
Returns
- response
- string
Add labels to incident (to be deprecated)
Adds labels to selected incident
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Alert subscription id |
Specify resource group | resourceGroup | True | string | Alert resource group |
Specify workspace id | workspaceId | True | string | Alert workspace id |
Identifier | identifier | True | string | Incident / alert |
Specify alert / incident | id | True | string | Please provide the incident number / alert id |
label | Label | True | string | label |
Returns
- response
- string
Alert - Get incident
Returns the incident associated with selected alert
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Alert subscription id |
Specify resource group | resourceGroup | True | string | Alert resource group |
Specify workspace id | workspaceId | True | string | Alert workspace id |
Specify alert id | alertId | True | string | System alert id |
Returns
- Body
- OldIncident
Alert - Get incident
Returns the incident associated with selected alert
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Alert subscription id |
Specify resource group | resourceGroup | True | string | Alert resource group |
Specify workspace id | workspaceId | True | string | Alert workspace id |
Specify alert id | alertId | True | string | System Alert Id |
Returns
Represents an incident in Azure Security Insights.
- Body
- Incident
ASI trigger unsubscribe [DEPRECATED]
Change incident description
Changes the description of the selected incident
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Alert subscription id |
Specify resource group | resourceGroup | True | string | Alert resource group |
Specify workspace id | workspaceId | True | string | Alert workspace id |
Identifier | identifier | True | string | Incident / alert |
Specify alert / incident | id | True | string | Please provide the incident number / alert id |
Specify description | fieldValue | True | string | Description value |
Returns
- response
- string
Change incident description (V2) (to be deprecated)
Changes the description of the selected incident
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Alert subscription id |
Specify resource group | resourceGroup | True | string | Alert resource group |
Specify workspace id | workspaceId | True | string | Alert workspace id |
Identifier | identifier | True | string | Incident / alert |
Specify alert / incident | id | True | string | Please provide the incident number / alert id |
Specify description | Value | True | string | Description value |
Returns
- response
- string
Change incident severity (to be deprecated)
Changes the severity of the selected incident
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Alert subscription id |
Specify resource group | resourceGroup | True | string | Alert resource group |
Specify workspace id | workspaceId | True | string | Alert workspace id |
Identifier | identifier | True | string | Incident / alert |
Specify alert / incident | id | True | string | Please provide the incident number / alert id |
Specify severity | severity | True | string | Severity value |
Returns
- response
- string
Change incident status (to be deprecated)
Changes the status of the selected incident
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Alert subscription id |
Specify resource group | resourceGroup | True | string | Alert resource group |
Specify workspace id | workspaceId | True | string | Alert workspace id |
Identifier | identifier | True | string | Incident / alert |
Specify alert / incident | id | True | string | Please provide the incident number / alert id |
Specify status | status | True | string | Status value |
dynamicStatusChangerSchema | dynamicStatusChangerSchema | | dynamic | Dynamic Schema of incident status changer |
Returns
- response
- string
Change incident title
Changes the title of the selected incident
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Alert subscription id |
Specify resource group | resourceGroup | True | string | Alert resource group |
Specify workspace id | workspaceId | True | string | Alert workspace id |
Identifier | identifier | True | string | Incident / alert |
Specify alert / incident | id | True | string | Please provide the incident number / alert id |
Specify title | fieldValue | True | string | Title value |
Returns
- response
- string
Change incident title (V2) (to be deprecated)
Changes the title of the selected incident
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Alert subscription id |
Specify resource group | resourceGroup | True | string | Alert resource group |
Specify workspace id | workspaceId | True | string | Alert workspace id |
Identifier | identifier | True | string | Incident / alert |
Specify alert / incident | id | True | string | Please provide the incident number / alert id |
Specify title | Value | True | string | Title value |
Returns
- response
- string
Entities - Get Accounts
Returns list of accounts associated with the alert
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Entities list | body | True | string | Entities list |
Returns
A list of accounts associated with the alert
- Body
- BatchResponseAccount
Entities - Get FileHashes
Returns list of File Hashes associated with the alert
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Entities list | body | True | string | Entities list |
Returns
A list of File Hashes associated with the alert
- Body
- BatchResponseFileHash
Entities - Get Hosts
Returns list of hosts associated with the alert
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Entities list | body | True | string | Entities list |
Returns
A list of hosts associated with the alert
- Body
- BatchResponseHost
Entities - Get IPs
Returns list of IPs associated with the alert
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Entities list | body | True | string | Entities list |
Returns
A list of IPs associated with the alert
- Body
- BatchResponseIP
Entities - Get URLs
Returns list of URLs associated with the alert
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Entities list | body | True | string | Entities list |
Returns
A list of URLs associated with the alert
- Body
- BatchResponseUrl
Get incident
Get an incident by ARM ID
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Incident ARM id | incidentArmId | True | string | Incident ARM id |
Returns
Represents an incident in Azure Security Insights.
- Body
- Incident
Remove labels from incident (to be deprecated)
Removes labels from selected incident
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify subscription id | subscriptionId | True | string | Alert subscription id |
Specify resource group | resourceGroup | True | string | Alert resource group |
Specify workspace id | workspaceId | True | string | Alert workspace id |
Identifier | identifier | True | string | Incident / alert |
Specify alert / incident | id | True | string | Please provide the incident number / alert id |
label | Label | True | string | label |
Returns
- response
- string
Update incident
Update incident with provided fields
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Specify incident fields to update | body | True | dynamic | Incident fields to update |
Returns
Represents an incident in Azure Security Insights.
- Body
- Incident
Triggers
Trigger | Description |
---|---|
When a response to an Azure Sentinel alert is triggered | When a response to an Azure Sentinel alert is triggered. This playbook is triggered by an analytics rule when a new alert is created or by manual triggering. Playbook receives the alert as its input. |
When a response to an Azure Sentinel alert is triggered [DEPRECATED] | When a response to an Azure Sentinel alert is triggered. This playbook must be triggered using Azure Sentinel Real Time or from Azure |
When Azure Sentinel incident creation rule was triggered (Private Preview only) | When a response to an Azure Sentinel incident is triggered. This playbook is triggered by an automation rule when a new incident is created. Playbook receives the Azure Sentinel incident as its input, including alerts and entities. |
When a response to an Azure Sentinel alert is triggered
When a response to an Azure Sentinel alert is triggered. This playbook is triggered by an analytics rule when a new alert is created or by manual triggering. Playbook receives the alert as its input.
Returns
- Body
- Alert
When a response to an Azure Sentinel alert is triggered [DEPRECATED]
When a response to an Azure Sentinel alert is triggered. This playbook must be triggered using Azure Sentinel Real Time or from Azure
Returns
- Body
- Alert
When Azure Sentinel incident creation rule was triggered (Private Preview only)
When a response to an Azure Sentinel incident is triggered. This playbook is triggered by an automation rule when a new incident is created. Playbook receives the Azure Sentinel incident as its input, including alerts and entities.
Returns
Definitions
BatchResponseAccount
A list of accounts associated with the alert
Name | Path | Type | Description |
---|---|---|---|
Accounts | Accounts | array of Account | A list of accounts associated with the alert |
Account
Name | Path | Type | Description |
---|---|---|---|
Name | Name | string | Account name |
NT domain | NTDomain | string | NETBIOS domain name as it appears in the alert format |
DnsDomain | DnsDomain | string | The fully qualified domain DNS name |
UPN suffix | UPNSuffix | string | User principal name suffix |
SID | Sid | string | Account security identifier, e.g. S-1-5-18 |
AAD tenant ID | AadTenantId | string | AAD tenant id, if known |
AAD user ID | AadUserId | string | AAD user id, if known |
PUID | PUID | string | The AAD Passport User ID, if known |
Is domain joined | IsDomainJoined | boolean | Determines whether this is a domain account |
ObjectGuid | ObjectGuid | string | The objectGUID attribute is a single-value attribute that is the unique identifier for the object, assigned by active directory |
BatchResponseUrl
A list of URLs associated with the alert
Name | Path | Type | Description |
---|---|---|---|
URLs | URLs | array of UrlEntity | A list of URLs associated with the alert |
UrlEntity
Name | Path | Type | Description |
---|---|---|---|
Url | Url | string | |
BatchResponseHost
A list of hosts associated with the alert
Name | Path | Type | Description |
---|---|---|---|
Hosts | Hosts | array of Host | A list of hosts associated with the alert |
Host
Name | Path | Type | Description |
---|---|---|---|
DNS domain | DnsDomain | string | DNS domain that this host belongs to |
NT domain | NTDomain | string | NT domain that this host belongs to |
Hostname | HostName | string | Hostname without the domain suffix |
NetBiosName | NetBiosName | string | The host name (pre-windows2000) |
OMSAgentID | OMSAgentID | string | The OMS agent id, if the host has OMS agent installed |
OSFamily | OSFamily | string | One of the following values: Linux, Windows, Android, IOS |
OSVersion | OSVersion | string | A free text representation of the operating system |
Is domain joined | IsDomainJoined | boolean | Determines whether this host belongs to a domain |
AzureID | AzureID | string | The azure resource id of the VM, if known |
BatchResponseIP
A list of IPs associated with the alert
Name | Path | Type | Description |
---|---|---|---|
IPs | IPs | array of IP | A list of IPs associated with the alert |
IP
Name | Path | Type | Description |
---|---|---|---|
Address | Address | string | IP address |
BatchResponseFileHash
A list of File Hashes associated with the alert
Name | Path | Type | Description |
---|---|---|---|
FileHashes | Filehashes | array of FileHash | A list of File Hashes associated with the alert |
FileHash
Name | Path | Type | Description |
---|---|---|---|
Value | Value | string | File Hash value |
Algorithm | Algorithm | string | The file hash algorithm types |
OldIncident
Name | Path | Type | Description |
---|---|---|---|
properties | properties | OldIncidentProperties | |
OldIncidentProperties
Name | Path | Type | Description |
---|---|---|---|
Status | Status | string | The status of the incident |
Labels | Labels | array of | The labels of the incident |
Title | Title | string | The title of the incident |
Description | Description | string | The description of the incident |
End Time Utc | EndTimeUtc | string | The time the incident ended |
Start Time Utc | StartTimeUtc | string | The start time of the incident |
Last Updated Time Utc | LastUpdatedTimeUtc | string | The update time of the incident |
Number | CaseNumber | string | The number of the incident |
Created Time Utc | CreatedTimeUtc | string | The time the incident was created |
Severity | Severity | string | The severity of the incident |
Related Alert Ids | RelatedAlertIds | array of | The related alert ids of the incident |
IncidentAdditionalData
Incident additional data property bag.
Name | Path | Type | Description |
---|---|---|---|
Incident Alerts Count | alertsCount | integer | The number of alerts in the incident |
Incident Bookmarks Count | bookmarksCount | integer | The number of bookmarks in the incident |
Incident Comments Count | commentsCount | integer | The number of comments in the incident |
Incident Alert product names | alertProductNames | array of string | List of product names of alerts in the incident |
Incident Tactics | tactics | array of AttackTactic | The tactics associated with incident |
IncidentLabel
Represents an incident tag
Name | Path | Type | Description |
---|---|---|---|
Name | labelName | string | The name of the tag |
Type | labelType | string | The type of the tag |
IncidentOwnerInfo
Information on the user an incident is assigned to
Name | Path | Type | Description |
---|---|---|---|
Email | | string | The email of the user the incident is assigned to. |
Assigned To | assignedTo | string | The name of the user the incident is assigned to. (assignedTo field) |
ObjectId | objectId | uuid | The object id of the user the incident is assigned to. |
User Principal Name | userPrincipalName | string | The user principal name of the user the incident is assigned to. |
AttackTactic
Represents a tactic item which is associated with the incident
AlertSeverity
HuntingBookmark
Represents a hunting bookmark item
Name | Path | Type | Description |
---|---|---|---|
ARM ID | id | string | The full qualified ARM ID of the bookmark. |
ARM Name | name | string | The ARM name of the bookmark (GUID) |
properties | properties | HuntingBookmarkProperties | Represents HuntingBookmark Properties JSON. |
SecurityAlert
Represents a security alert item
Name | Path | Type | Description |
---|---|---|---|
ARM ID | id | string | The full qualified ARM ID of the alert. |
ARM Name | name | string | The ARM name of the alert (GUID) |
properties | properties | SecurityAlertProperties | Represents Alert Properties JSON. |
HuntingBookmarkProperties
Represents HuntingBookmark Properties JSON.
Name | Path | Type | Description |
---|---|---|---|
Display Name | displayName | string | The display name of the bookmark |
Created | created | date-time | The created time of the bookmark |
Updated | updated | date-time | The updated time of the bookmark |
Created By User Info | createdBy | CreatedByUserInfo | Represents UserInfo Properties JSON. |
Updated By User Info | updatedBy | UpdatedByUserInfo | Represents UserInfo Properties JSON. |
Event Time | eventTime | date-time | The event time of the bookmark |
Notes | notes | string | The notes of the bookmark |
Labels | labels | array of string | The labels of the bookmark |
Query | query | string | The query of the bookmark |
Query Result | queryResult | string | The query result of the bookmark |
SecurityAlertProperties
Represents Alert Properties JSON.
Name | Path | Type | Description |
---|---|---|---|
Friendly Name | friendlyName | string | The graph item display name, a short human-readable description of the graph item instance. This property is optional and might be system generated. |
Display Name | alertDisplayName | string | The display name of the alert |
Type | alertType | string | In schedule alert, this is the analytics rule id. |
URI | alertLink | string | This is the link to the alert in the original vendor. |
Compromised Entity | compromisedEntity | string | Display name of the main entity being reported on. |
Confidence Level | confidenceLevel | string | The confidence level of this alert. |
Description | description | string | The description of the alert. |
End Time UTC | endTimeUtc | date-time | The impact end time of the alert (the time of the last event contributing to the alert). |
Provider ID | providerAlertId | string | The identifier of the alert inside the product which generated the alert. |
Product Name | productName | string | The name of the product which published this alert. |
Remediation Steps | remediationSteps | array of string | List of manual action items to take to remediate the alert. |
Severity | severity | AlertSeverity | The severity of the alert |
Start Time | startTimeUtc | date-time | The impact start time of the alert (the time of the first event contributing to the alert). |
Status | status | string | The lifecycle status of the alert. |
System ID | systemAlertId | string | Holds the product identifier of the alert for the product. |
Tactics | tactics | array of AttackTactic | List of the alert tactics. |
Time Generated | timeGenerated | date-time | The time the alert was generated. |
Query | additionalData.Query | string | The query used to decide if the alert should be triggered (Schedule Alert Only). |
Query Start Time | additionalData.Query Start Time UTC | string | The start time of the query used to decide if the alert should be triggered (Schedule Alert Only). |
Query End Time | additionalData.Query End Time UTC | string | The end time of the query used to decide if the alert should be triggered (Schedule Alert Only). |
Query Operator | additionalData.Trigger Operator | string | The operator used to decide if the alert should be triggered (Schedule Alert Only). |
Query Threshold | additionalData.Trigger Threshold | string | The threshold used to decide if the alert should be triggered (Schedule Alert Only). |
Resource Identifiers | resourceIdentifiers | array of object | The resource identifiers of the alert |
items | resourceIdentifiers | object | Represents an alert resource identifier. |
Incident
Represents an incident in Azure Security Insights.
Name | Path | Type | Description |
---|---|---|---|
Incident ARM ID | id | string | The full qualified ARM ID of the incident. |
Incident ARM Name | name | string | The ARM name of the incident (GUID) |
properties | properties | IncidentProperties | Represents the Incident Properties JSON. |
FullIncident
Get an incident by ARM ID
Name | Path | Type | Description |
---|---|---|---|
Incident ARM ID | id | string | The full qualified ARM ID of the incident. |
Incident ARM Name | name | string | The ARM name of the incident (GUID) |
properties | properties | FullIncidentProperties | Represents the Incident Properties JSON. |
IncidentProperties
Represents the Incident Properties JSON.
Name | Path | Type | Description |
---|---|---|---|
additionalData | additionalData | IncidentAdditionalData | Incident additional data property bag. |
Incident Classification | classification | string | The reason the incident was closed |
Incident Classification Comment | classificationComment | string | Describes the reason the incident was closed |
Incident Classification Reason | classificationReason | string | The classification reason the incident was closed with |
Incident Created Time Utc | createdTimeUtc | date-time | The time the incident was created |
Incident Description | description | string | The description of the incident |
Incident First Activity Time UTC | firstActivityTimeUtc | date-time | The time of the first activity in the incident |
Incident URL | incidentUrl | string | The deep-link url to the incident in Azure portal |
Incident Sentinel ID | incidentNumber | integer | A sequential number used to identify the incident in Azure Sentinel. |
Incident Last Activity Time UTC | lastActivityTimeUtc | date-time | The time of the last activity in the incident |
Incident Severity | severity | string | The severity of the incident |
Incident Status | status | string | The status of the incident |
Incident Title | title | string | The title of the incident |
Incident Tags | labels | array of IncidentLabel | List of tags associated with this incident |
Incident Last Modified Time UTC | lastModifiedTimeUtc | date-time | The last time the incident was updated |
Incident Owner | owner | IncidentOwnerInfo | Information on the user an incident is assigned to |
Incident Related Analytic Rule Ids | relatedAnalyticRuleIds | array of string | List of resource ids of Analytic rules related to the incident |
Comments | Comments | array of IncidentComment | List of comments on this incident. |
FullIncidentProperties
Represents the Incident Properties JSON.
Name | Path | Type | Description |
---|---|---|---|
additionalData | additionalData | IncidentAdditionalData | Incident additional data property bag. |
Incident Classification | classification | string | The reason the incident was closed. |
Incident Classification Comment | classificationComment | string | Describes the reason the incident was closed. |
Incident Classification Reason | classificationReason | string | The classification reason the incident was closed with. |
Incident Created Time Utc | createdTimeUtc | date-time | The time the incident was created. |
Incident Description | description | string | The description of the incident. |
Incident First Activity Time UTC | firstActivityTimeUtc | date-time | The time of the first activity in the incident. |
Incident URL | incidentUrl | string | The deep-link URL to the incident in the Azure portal. |
Incident Sentinel ID | incidentNumber | integer | A sequential number used to identify the incident in Azure Sentinel. |
Incident Last Activity Time UTC | lastActivityTimeUtc | date-time | The time of the last activity in the incident. |
Incident Severity | severity | string | The severity of the incident. |
Incident Status | status | string | The status of the incident. |
Incident Title | title | string | The title of the incident. |
Incident Tags | labels | array of IncidentLabel | List of tags associated with this incident. |
Incident Last Modified Time UTC | lastModifiedTimeUtc | date-time | The last time the incident was updated. |
Incident Owner | owner | IncidentOwnerInfo | Information on the user the incident is assigned to. |
Incident Related Analytic Rule Ids | relatedAnalyticRuleIds | array of string | List of resource IDs of analytic rules related to the incident. |
Comments | Comments | array of IncidentComment | List of comments on this incident. |
Alerts | Alerts | array of SecurityAlert | List of alerts related to this incident. |
Bookmarks | Bookmarks | array of HuntingBookmark | List of bookmarks related to this incident. |
Entities | relatedEntities | string | List of entities related to the incident; can contain entities of different types. |
IncidentEventNotification
Name | Path | Type | Description |
---|---|---|---|
Subscription ID | workspaceInfo.SubscriptionId | string | The subscription ID of the Azure Sentinel workspace. |
Resource Group Name | workspaceInfo.ResourceGroupName | string | The resource group of the Azure Sentinel workspace. |
Workspace Name | workspaceInfo.WorkspaceName | string | The Azure Sentinel workspace name. |
Workspace ID | workspaceId | string | The workspace ID of the incident. |
object | object | FullIncident | Get an incident by ARM ID. |
CreatedByUserInfo
UpdatedByUserInfo
Alert
Name | Path | Type | Description |
---|---|---|---|
Product name | ProductName | string | Name of the product which published this alert. |
Alert type | AlertType | string | Type name of the alert. |
Start time (UTC) | StartTimeUtc | date-time | Start time of the alert, when the first contributing event was detected. |
End time (UTC) | EndTimeUtc | date-time | End time of the alert, when the last contributing event was detected. |
Time generated (UTC) | TimeGenerated | date-time | The time the alert was generated. |
Severity | Severity | string | The severity of the alert as it is reported by the provider. |
Provider alert ID | ProviderAlertId | string | Unique ID for the specific alert instance, set by the provider. |
System alert ID | SystemAlertId | string | Unique ID for the specific alert instance. |
Alert display name | AlertDisplayName | string | Display name of the alert. |
Description | Description | string | Alert description. |
Entities | Entities | string | A list of entities related to the alert; can include multiple entity types. |
Extended properties | ExtendedProperties | string | A list of fields which will be presented to the user. |
Workspace ID | WorkspaceId | string | The ID of the workspace of the alert. |
Resource group | WorkspaceResourceGroup | string | The resource group of the alert. |
Subscription ID | WorkspaceSubscriptionId | string | The ID of the subscription of the alert. |
Extended links | ExtendedLinks | array of object | A list of links related to the alert; can include multiple types. |
IncidentComment
Represents an incident comment item.
Name | Path | Type | Description |
---|---|---|---|
ID | id | string | The fully qualified ARM ID of the comment. |
Name | name | string | The ARM name of the comment (GUID). |
properties | properties | IncidentCommentProperties | Represents the Incident Comment Properties JSON. |
IncidentCommentProperties
string
This is the basic data type 'string'.