Azure Sentinel (Preview)

Cloud-native SIEM with a built-in AI so you can focus on what matters most

This connector is available in the following products and regions:

Service: Logic Apps
Class: Standard
Regions: All Logic Apps regions except Azure China regions
Contact
Name: Microsoft
URL: Microsoft LogicApps Support
Connector Metadata
Publisher: Microsoft
Website: https://azure.microsoft.com/services/azure-sentinel/

Azure Sentinel Connector

Authentication

Triggers and actions in the Azure Sentinel connector can operate on behalf of any identity that has the necessary permissions (read and/or write) on the relevant workspace. The connector supports multiple identity types:

  • Azure AD user
  • Service principal (Azure AD application)

Permissions required

Connector components/roles Azure Sentinel Responder/Contributor Azure Sentinel Reader
Triggers
"Get" actions
Update incident, add a comment

Learn more about permissions in Azure Sentinel.

Authenticate as an Azure AD user

To make a connection, select Sign in. You will be prompted to provide your account information. Once you have done so, follow the remaining instructions on the screen to create a connection.

Authenticate as a service principal (Azure AD application)

Service principals can be created by registering an Azure AD application. It is preferable to use a registered application as the connector's identity instead of a user account, because you can control its permissions more precisely, manage its credentials, and restrict how the connector is used.

To use your own application with the Azure Sentinel connector, perform the following steps:

  1. Register the application with Azure AD and create a service principal. Learn how.

  2. Get credentials (for future authentication).

    In the registered application blade, collect the application credentials you will need to sign in later:

    • Client ID: under Overview
    • Client secret: under Certificates & secrets.
  3. Grant permissions to the Azure Sentinel workspace.

    In this step, the app is granted permission to work with the Azure Sentinel workspace.

    • In the Azure Sentinel workspace, go to Settings -> Workspace Settings -> Access control (IAM)

    • Select Add role assignment.

    • Select the role you wish to assign to the application. For example, to allow the application to perform actions that will make changes in the Sentinel workspace, like updating an incident, select the Azure Sentinel Contributor role. For actions which only read data, the Azure Sentinel Reader role is sufficient. Read more about the available roles in Azure Sentinel.

    • Find the required application and save. By default, Azure AD applications aren't displayed in the available options. To find your application, search for the name and select it.

  4. Authenticate

    In this step we use the app credentials to authenticate to the Sentinel connector in Logic Apps.

    • Select Connect with Service Principal.
    • Fill in the required parameters (found in the registered application blade):
      • Tenant Id: under Overview
      • Client Id: under Overview
      • Client Secret: under Certificates & secrets

Manage your API connections

Each time a new authentication is created, a new Azure resource of type API Connection is created. The same API connection can be reused by all the Azure Sentinel actions and triggers in the same Resource Group.

All the API connections can be found in the API connections blade (search for API connections in the Azure portal).

You can also find them by going to the Resources blade and filtering the display by type API Connection. This view lets you select multiple connections for bulk operations.

In order to change the authorization of an existing connection, enter the connection resource, and select Edit API connection.

Azure Sentinel actions summary

Component: when to use it

Alert - Get Incident: In playbooks that start with the Alert trigger. Useful for getting the incident properties, or for retrieving the Incident ARM ID to use with the Update incident or Add comment to incident actions.

Get Incident: When triggering a playbook from an external source or with a non-Sentinel trigger. Identify the incident with its Incident ARM ID. Retrieves the incident properties and comments.

Update Incident: To change an incident's Status (for example, when closing the incident), assign an Owner, add or remove a tag, or change its Severity, Title, or Description.

Add comments to incident: To enrich the incident with information collected from external sources; to audit the actions the playbook took on the entities; to supply additional information valuable for incident investigation.

Entities - Get <entity type>: In playbooks that work on a specific entity type (IP, Account, Host, URL or FileHash) which is known at playbook creation time, where you need to parse it and work on its unique fields.

Actions on Incidents - Usage Examples

[!TIP] The actions Update Incident and Add a Comment to Incident require the Incident ARM ID.
Use the Alert - Get Incident action beforehand to get the Incident ARM ID.
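Because the deprecated actions accepted an incident number or alert id while Update incident and Add comment to incident (V3) require the full Incident ARM ID, a pre-flight check on that value is worth having before the action runs. The helper below is an added example and is not part of the connector documentation; it assumes the standard resource-path layout /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.OperationalInsights/workspaces/{workspace}/providers/Microsoft.SecurityInsights/Incidents/{guid} (matched case-insensitively, as ARM resource IDs are), and all IDs in it are constructed sample values.

```python
"""Pre-flight check for the Incident ARM ID that Update incident and
Add comment to incident (V3) require.

Added example, not part of the connector documentation. Assumption: an
incident ARM ID follows the resource-path layout
/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.OperationalInsights/
workspaces/{ws}/providers/Microsoft.SecurityInsights/Incidents/{guid}.
"""
import re
import uuid
from typing import Dict, Optional

_INCIDENT_ARM_ID = re.compile(
    r"^/subscriptions/(?P<subscription_id>[^/]+)"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.OperationalInsights/workspaces/(?P<workspace>[^/]+)"
    r"/providers/Microsoft\.SecurityInsights/incidents/(?P<incident_id>[^/]+)$",
    re.IGNORECASE,  # ARM resource IDs are case-insensitive
)


def _is_guid(value: str) -> bool:
    try:
        uuid.UUID(value)
    except ValueError:
        return False
    return True


def parse_incident_arm_id(arm_id: str) -> Optional[Dict[str, str]]:
    """Return the ID's components, or None when the value is not an incident ARM ID
    (for example a bare incident number or an alert's SystemAlertId)."""
    match = _INCIDENT_ARM_ID.match(arm_id.strip())
    if not match:
        return None
    parts = match.groupdict()
    # The subscription and incident segments are GUIDs; anything else is malformed.
    if not (_is_guid(parts["subscription_id"]) and _is_guid(parts["incident_id"])):
        return None
    return parts


def is_incident_arm_id(value: str) -> bool:
    return parse_incident_arm_id(value) is not None


# Constructed sample values (not real resources).
SAMPLE_INCIDENT_ARM_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000001"
    "/resourceGroups/soc-rg"
    "/providers/Microsoft.OperationalInsights/workspaces/contoso-sentinel"
    "/providers/Microsoft.SecurityInsights/Incidents/11111111-2222-3333-4444-555555555555"
)
SAMPLE_INCIDENT_NUMBER = "1042"
SAMPLE_SYSTEM_ALERT_ID = "22222222-3333-4444-5555-666666666666"

if __name__ == "__main__":
    for candidate in (SAMPLE_INCIDENT_ARM_ID, SAMPLE_INCIDENT_NUMBER, SAMPLE_SYSTEM_ALERT_ID):
        print(candidate, "->", parse_incident_arm_id(candidate))
```

Only the first sample value is accepted; the incident number and the alert id are rejected before they reach the action, which turns a confusing run-time failure into a clear validation error.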

  • Update an incident

    Basic playbook to show how to use the action in a playbook that starts with an alert:

    Alert trigger simple Update Incident flow example

  • Use Incident Information

    Basic playbook to send incident details over mail:

    Alert trigger simple Get Incident flow example

  • Add a comment to the incident

    Basic playbook to show how to use the action in a playbook that starts with an alert:

    Alert trigger simple add comment example

Work with specific Entity type

The Entities dynamic field is an array of JSON objects, each of which represents an entity. Each entity type has its own schema, depending on its unique properties.

The "Entities - Get <entity name>" action allows you to do the following:

  • Filter the array of entities by the requested type.
  • Parse the specific fields of this type, so they can be used as dynamic fields in further actions.

The input is the Entities dynamic field.

The response is an array of entities, where the special properties are parsed and can be directly used in a For each loop.

Currently supported entity types are:

  • Account
  • FileHash
  • Host
  • IP
  • URL

For other entity types, the same functionality can be achieved with built-in Logic Apps actions:

  • Filter the array of entities by the requested type using Filter Array.
  • Parse the specific fields of this type, so they can be used as dynamic fields in further actions using Parse Json.
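The two steps above (filter by type, then parse the type's fields) are easy to get subtly wrong in a playbook, so here is the same logic written out in Python as an added example; it is not code from the connector or from Microsoft. It reproduces what the Entities - Get <entity type> actions do for the five supported types, and the Filter Array path for any other type, over a constructed Entities array. Assumptions: each entity object carries its type name in a "Type" property (lowercase, e.g. "ip", "account"), and the per-type field names are taken from the Account, Host, IP, UrlEntity and FileHash definitions later on this page.

```python
"""Filter and parse Azure Sentinel alert entities by type.

Added example, not part of the connector documentation. Assumption: each
entity carries its type in a "Type" property (lowercase type name); the field
lists below are copied from the page's entity definitions.
"""
import json
from typing import Any, Dict, List, Union

# Fields per entity type, from the Account/Host/IP/UrlEntity/FileHash definitions.
ENTITY_SCHEMAS: Dict[str, List[str]] = {
    "account": ["Name", "NTDomain", "DnsDomain", "UPNSuffix", "Sid", "AadTenantId",
                "AadUserId", "PUID", "IsDomainJoined", "ObjectGuid"],
    "host": ["DnsDomain", "NTDomain", "HostName", "NetBiosName", "OMSAgentID",
             "OSFamily", "OSVersion", "IsDomainJoined", "AzureID"],
    "ip": ["Address"],
    "url": ["Url"],
    "filehash": ["Value", "Algorithm"],
}

Entities = Union[str, List[Dict[str, Any]]]


def load_entities(entities: Entities) -> List[Dict[str, Any]]:
    """The Alert trigger exposes Entities as a string; accept a string or a parsed list."""
    if isinstance(entities, str):
        entities = json.loads(entities)
    if not isinstance(entities, list):
        raise ValueError("Entities must be a JSON array of entity objects")
    return [e for e in entities if isinstance(e, dict)]


def filter_by_type(entities: Entities, entity_type: str) -> List[Dict[str, Any]]:
    """Equivalent of the Filter Array action on the Type property (case-insensitive)."""
    wanted = entity_type.lower()
    return [e for e in load_entities(entities) if str(e.get("Type", "")).lower() == wanted]


def get_entities(entities: Entities, entity_type: str) -> List[Dict[str, Any]]:
    """Equivalent of "Entities - Get <type>": filter, then project onto the type's schema.

    Fields the entity does not carry come back as None, so a later step never
    fails on a missing key."""
    schema = ENTITY_SCHEMAS.get(entity_type.lower())
    if schema is None:
        raise KeyError(f"{entity_type!r} is not one of {sorted(ENTITY_SCHEMAS)}; "
                       "use filter_by_type and your own Parse JSON schema instead")
    return [{field: e.get(field) for field in schema}
            for e in filter_by_type(entities, entity_type)]


# Constructed sample Entities value: one IP, one account, one host, one hash,
# and one entity of a type the connector does not parse.
SAMPLE_ENTITIES = json.dumps([
    {"$id": "3", "Type": "ip", "Address": "203.0.113.45"},
    {"$id": "4", "Type": "account", "Name": "jdoe", "NTDomain": "CONTOSO",
     "UPNSuffix": "contoso.com", "IsDomainJoined": True},
    {"$id": "5", "Type": "host", "HostName": "ws-042",
     "DnsDomain": "corp.contoso.com", "OSFamily": "Windows"},
    {"$id": "6", "Type": "filehash", "Algorithm": "SHA256", "Value": "0" * 64},
    {"$id": "7", "Type": "process", "CommandLine": "example.exe"},
])

if __name__ == "__main__":
    for kind in ENTITY_SCHEMAS:
        print(kind, get_entities(SAMPLE_ENTITIES, kind))
    print("other:", filter_by_type(SAMPLE_ENTITIES, "process"))
```

Projecting onto a fixed schema is the part that matters for a For each loop: every item has the same keys, so a dynamic field such as Address or HostName resolves on every iteration instead of only on the entities that happened to carry it.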

Known issues and limitations

Cannot run a Logic App that starts with an Azure Sentinel trigger using the "Run Trigger" button

This item refers to the button on the overview blade of the Logic Apps resource.

A Logic App is started by a POST REST call whose body is the input for the trigger. Logic Apps that start with Azure Sentinel triggers expect an alert or an incident in the body of that call. When the app is started from the Logic Apps overview blade, the body is empty, so an error is expected.

Proper ways to trigger:

  • Manual trigger in Azure Sentinel
  • Automated response of an analytic rule in Azure Sentinel
  • Use "Resubmit" button in an existing Logic Apps run blade
  • Call directly the Logic Apps endpoint (attaching an alert/incident as the body)

Updating the same incident in parallel For each loops

For each loops run in parallel by default, but can easily be set to run sequentially. If a For each loop might update the same Azure Sentinel incident in separate iterations, configure it to run sequentially.
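A check for this limitation can be automated over the playbook's workflow definition rather than remembered per loop. The script below is an added example, not code from the connector documentation or from Logic Apps: it walks a workflow definition, reports every Foreach action that contains an Azure Sentinel write action but is not set to run sequentially, and produces a fixed copy. Assumptions: the definition uses the standard Workflow Definition Language layout (a Foreach carries nested "actions" and is sequential when "operationOptions" is "Sequential" or runtimeConfiguration.concurrency.repetitions is 1), Azure Sentinel actions are ApiConnection actions whose host.connection.name references the "azuresentinel" connection, and any non-GET method counts as a write. The sample definition is constructed.

```python
"""Flag For each loops that update an Azure Sentinel incident while running in parallel.

Added example, not part of the connector documentation or of Logic Apps.
Assumptions: standard Workflow Definition Language layout; Azure Sentinel
actions reference the "azuresentinel" connection; non-GET methods are writes.
"""
import copy
from typing import Any, Dict, List

WRITE_METHODS = {"post", "put", "patch", "delete"}
Action = Dict[str, Any]


def is_sentinel_write(action: Action) -> bool:
    """True for an Azure Sentinel connector action that changes state (update, comment, ...)."""
    if action.get("type") != "ApiConnection":
        return False
    inputs = action.get("inputs", {})
    conn = str(inputs.get("host", {}).get("connection", {}).get("name", ""))
    return "azuresentinel" in conn.lower() and str(inputs.get("method", "")).lower() in WRITE_METHODS


def nested_actions(action: Action) -> Dict[str, Action]:
    """Child actions of a Foreach/Scope/Until, plus the else branch of a Condition."""
    children = dict(action.get("actions", {}))
    children.update(action.get("else", {}).get("actions", {}))
    return children


def contains_sentinel_write(action: Action) -> bool:
    return is_sentinel_write(action) or any(
        contains_sentinel_write(child) for child in nested_actions(action).values())


def is_sequential(loop: Action) -> bool:
    if loop.get("operationOptions") == "Sequential":
        return True
    return loop.get("runtimeConfiguration", {}).get("concurrency", {}).get("repetitions") == 1


def find_parallel_incident_loops(actions: Dict[str, Action]) -> List[str]:
    """Names of Foreach actions, at any depth, that write to Sentinel without running sequentially."""
    flagged: List[str] = []
    for name, action in actions.items():
        if action.get("type") == "Foreach" and contains_sentinel_write(action) and not is_sequential(action):
            flagged.append(name)
        flagged.extend(find_parallel_incident_loops(nested_actions(action)))
    return flagged


def make_sequential(definition: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the definition in which every such loop runs one iteration at a time."""
    fixed = copy.deepcopy(definition)

    def walk(actions: Dict[str, Action]) -> None:
        for action in actions.values():
            if action.get("type") == "Foreach" and contains_sentinel_write(action):
                action.setdefault("runtimeConfiguration", {}).setdefault("concurrency", {})["repetitions"] = 1
            walk(nested_actions(action))

    walk(fixed.get("actions", {}))
    return fixed


SENTINEL_CONNECTION = "@parameters('$connections')['azuresentinel']['connectionId']"

# Constructed sample: the first loop comments on the incident once per entity with the
# default (parallel) concurrency; the second loop only reads and needs no change.
SAMPLE_DEFINITION: Dict[str, Any] = {
    "actions": {
        "For_each_entity": {
            "type": "Foreach",
            "foreach": "@triggerBody()?['Entities']",
            "actions": {
                "Add_comment_to_incident_(V3)": {
                    "type": "ApiConnection",
                    "inputs": {
                        "host": {"connection": {"name": SENTINEL_CONNECTION}},
                        "method": "post",
                        "body": {"incidentArmId": "@body('Alert_-_Get_incident')?['id']",
                                 "message": "<p>Enriched entity: @{items('For_each_entity')}</p>"},
                    },
                }
            },
        },
        "For_each_ip": {
            "type": "Foreach",
            "foreach": "@body('Entities_-_Get_IPs')?['IPs']",
            "actions": {
                "Get_incident": {
                    "type": "ApiConnection",
                    "inputs": {"host": {"connection": {"name": SENTINEL_CONNECTION}}, "method": "get"},
                }
            },
        },
    }
}

if __name__ == "__main__":
    print("parallel loops that update the incident:", find_parallel_incident_loops(SAMPLE_DEFINITION["actions"]))
    print("after fix:", find_parallel_incident_loops(make_sequential(SAMPLE_DEFINITION)["actions"]))
```

Only For_each_entity is flagged; the read-only loop is left at its default concurrency, which is the right outcome because serialising every loop would slow the playbook for no benefit.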

Restoring alert's original query is currently not supported via Logic Apps

Using the Azure Monitor Logs connector to retrieve the events captured by a scheduled alert analytics rule is not consistently reliable:

  • The Azure Monitor Logs connector does not support defining a custom time range. Restoring exactly the same query results requires the exact same time range as in the original query.
  • Alerts may be delayed in appearing in the Log Analytics workspace after the rule triggers the playbook.

Available resources

Azure Sentinel

Azure Logic Apps

Creating a connection

The connector supports the following authentication types:

Default

Applicable: All regions

Required parameters for creating connection.

Throttling Limits

Name: API calls per connection
Calls: 600
Renewal Period: 60 seconds

Actions

Add comment to incident (V2)

Adds comment to selected incident

Add comment to incident (V3)

Adds comment to selected incident

Add comment to incident [DEPRECATED]

This action has been deprecated. Please use Add comment to incident (V3) instead.

Adds comment to selected incident

Add labels to incident (to be deprecated)

Adds labels to selected incident

Alert - Get incident

Returns the incident associated with selected alert

Alert - Get incident

Returns the incident associated with selected alert

ASI trigger unsubscribe [DEPRECATED]

Unsubscribe

Change incident description

Changes the description of the selected incident

Change incident description (V2) (to be deprecated)

Changes the description of the selected incident

Change incident severity (to be deprecated)

Changes the severity of the selected incident

Change incident status (to be deprecated)

Changes the status of the selected incident

Change incident title

Changes the title of the selected incident

Change incident title (V2) (to be deprecated)

Changes the title of the selected incident

Entities - Get Accounts

Returns list of accounts associated with the alert

Entities - Get FileHashes

Returns list of File Hashes associated with the alert

Entities - Get Hosts

Returns list of hosts associated with the alert

Entities - Get IPs

Returns list of IPs associated with the alert

Entities - Get URLs

Returns list of URLs associated with the alert

Get incident

Get an incident by ARM ID

Remove labels from incident (to be deprecated)

Removes labels from the selected incident

Update incident

Update incident with provided fields

Add comment to incident (V2)

Adds comment to selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Alert subscription id

Specify resource group
resourceGroup True string

Alert resource group

Specify workspace id
workspaceId True string

Alert workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

Specify comment
Value True string

Comment value

Returns

response
string

Add comment to incident (V3)

Adds comment to selected incident

Parameters

Name Key Required Type Description
Incident ARM id
incidentArmId True string

Incident ARM id

Incident comment message
message True html

Incident comment message

Returns

Represents an incident comment item

Incident Comment
IncidentComment

Add comment to incident [DEPRECATED]

This action has been deprecated. Please use Add comment to incident (V3) instead.

Adds comment to selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Alert subscription id

Specify resource group
resourceGroup True string

Alert resource group

Specify workspace id
workspaceId True string

Alert workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

Specify incident comment
comment True string

Incident comment

Returns

response
string

Add labels to incident (to be deprecated)

Adds labels to selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Alert subscription id

Specify resource group
resourceGroup True string

Alert resource group

Specify workspace id
workspaceId True string

Alert workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

label
Label True string

label

Returns

response
string

Alert - Get incident

Returns the incident associated with selected alert

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Alert subscription id

Specify resource group
resourceGroup True string

Alert resource group

Specify workspace id
workspaceId True string

Alert workspace id

Specify alert id
alertId True string

System alert id

Returns

Alert - Get incident

Returns the incident associated with selected alert

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Alert subscription id

Specify resource group
resourceGroup True string

Alert resource group

Specify workspace id
workspaceId True string

Alert workspace id

Specify alert id
alertId True string

System Alert Id

Returns

Represents an incident in Azure Security Insights.

Body
Incident

ASI trigger unsubscribe [DEPRECATED]

Unsubscribe

Returns

response
string

Change incident description

Changes the description of the selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Alert subscription id

Specify resource group
resourceGroup True string

Alert resource group

Specify workspace id
workspaceId True string

Alert workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

Specify description
fieldValue True string

Description value

Returns

response
string

Change incident description (V2) (to be deprecated)

Changes the description of the selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Alert subscription id

Specify resource group
resourceGroup True string

Alert resource group

Specify workspace id
workspaceId True string

Alert workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

Specify description
Value True string

Description value

Returns

response
string

Change incident severity (to be deprecated)

Changes the severity of the selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Alert subscription id

Specify resource group
resourceGroup True string

Alert resource group

Specify workspace id
workspaceId True string

Alert workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

Specify severity
severity True string

Severity value

Returns

response
string

Change incident status (to be deprecated)

Changes the status of the selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Alert subscription id

Specify resource group
resourceGroup True string

Alert resource group

Specify workspace id
workspaceId True string

Alert workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

Specify status
status True string

Status value

dynamicStatusChangerSchema
dynamicStatusChangerSchema dynamic

Dynamic Schema of incident status changer

Returns

response
string

Change incident title

Changes the title of the selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Alert subscription id

Specify resource group
resourceGroup True string

Alert resource group

Specify workspace id
workspaceId True string

Alert workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

Specify title
fieldValue True string

Title value

Returns

response
string

Change incident title (V2) (to be deprecated)

Changes the title of the selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Alert subscription id

Specify resource group
resourceGroup True string

Alert resource group

Specify workspace id
workspaceId True string

Alert workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

Specify title
Value True string

Title value

Returns

response
string

Entities - Get Accounts

Returns list of accounts associated with the alert

Parameters

Name Key Required Type Description
Entities list
body True string

Entities list

Returns

A list of accounts associated with the alert

Entities - Get FileHashes

Returns list of File Hashes associated with the alert

Parameters

Name Key Required Type Description
Entities list
body True string

Entities list

Returns

A list of File Hashes associated with the alert

Entities - Get Hosts

Returns list of hosts associated with the alert

Parameters

Name Key Required Type Description
Entities list
body True string

Entities list

Returns

A list of hosts associated with the alert

Entities - Get IPs

Returns list of IPs associated with the alert

Parameters

Name Key Required Type Description
Entities list
body True string

Entities list

Returns

A list of IPs associated with the alert

Entities - Get URLs

Returns list of URLs associated with the alert

Parameters

Name Key Required Type Description
Entities list
body True string

Entities list

Returns

A list of URLs associated with the alert

Get incident

Get an incident by ARM ID

Parameters

Name Key Required Type Description
Incident ARM id
incidentArmId True string

Incident ARM id

Returns

Represents an incident in Azure Security Insights.

Body
Incident

Remove labels from incident (to be deprecated)

Removes labels from the selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Alert subscription id

Specify resource group
resourceGroup True string

Alert resource group

Specify workspace id
workspaceId True string

Alert workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

label
Label True string

label

Returns

response
string

Update incident

Update incident with provided fields

Parameters

Name Key Required Type Description
Specify incident fields to update
body True dynamic

Incident fields to update

Returns

Represents an incident in Azure Security Insights.

Body
Incident

Triggers

When a response to an Azure Sentinel alert is triggered

When a response to an Azure Sentinel alert is triggered. This playbook is triggered by an analytics rule when a new alert is created or by manual triggering. Playbook receives the alert as its input.

When a response to an Azure Sentinel alert is triggered [DEPRECATED]

When a response to an Azure Sentinel alert is triggered. This playbook must be triggered using Azure Sentinel Real Time or from Azure

When Azure Sentinel incident creation rule was triggered (Private Preview only)

When a response to an Azure Sentinel incident is triggered. This playbook is triggered by an automation rule when a new incident is created. Playbook receives the Azure Sentinel incident as its input, including alerts and entities.

When a response to an Azure Sentinel alert is triggered

When a response to an Azure Sentinel alert is triggered. This playbook is triggered by an analytics rule when a new alert is created or by manual triggering. Playbook receives the alert as its input.

Returns

Body
Alert

When a response to an Azure Sentinel alert is triggered [DEPRECATED]

When a response to an Azure Sentinel alert is triggered. This playbook must be triggered using Azure Sentinel Real Time or from Azure

Returns

Body
Alert

When Azure Sentinel incident creation rule was triggered (Private Preview only)

When a response to an Azure Sentinel incident is triggered. This playbook is triggered by an automation rule when a new incident is created. Playbook receives the Azure Sentinel incident as its input, including alerts and entities.

Returns

Definitions

BatchResponseAccount

A list of accounts associated with the alert

Name Path Type Description
Accounts
Accounts array of Account

A list of accounts associated with the alert

Account

Name Path Type Description
Name
Name string

Account name

NT domain
NTDomain string

NETBIOS domain name as it appears in the alert format

DnsDomain
DnsDomain string

The fully qualified domain DNS name

UPN suffix
UPNSuffix string

User principal name suffix

SID
Sid string

Account security identifier, e.g. S-1-5-18

AAD tenant ID
AadTenantId string

AAD tenant id, if known

AAD user ID
AadUserId string

AAD user id, if known

PUID
PUID string

The AAD Passport User ID, if known

Is domain joined
IsDomainJoined boolean

Determines whether this is a domain account

ObjectGuid
ObjectGuid string

The objectGUID attribute is a single-value attribute that is the unique identifier for the object, assigned by Active Directory

BatchResponseUrl

A list of URLs associated with the alert

Name Path Type Description
URLs
URLs array of UrlEntity

A list of URLs associated with the alert

UrlEntity

Name Path Type Description
Url
Url string

BatchResponseHost

A list of hosts associated with the alert

Name Path Type Description
Hosts
Hosts array of Host

A list of hosts associated with the alert

Host

Name Path Type Description
DNS domain
DnsDomain string

DNS domain that this host belongs to

NT domain
NTDomain string

NT domain that this host belongs to

Hostname
HostName string

Hostname without the domain suffix

NetBiosName
NetBiosName string

The host name (pre-Windows 2000)

OMSAgentID
OMSAgentID string

The OMS agent id, if the host has the OMS agent installed

OSFamily
OSFamily string

One of the following values: Linux, Windows, Android, IOS

OSVersion
OSVersion string

A free text representation of the operating system

Is domain joined
IsDomainJoined boolean

Determines whether this host belongs to a domain

AzureID
AzureID string

The azure resource id of the VM, if known

BatchResponseIP

A list of IPs associated with the alert

Name Path Type Description
IPs
IPs array of IP

A list of IPs associated with the alert

IP

Name Path Type Description
Address
Address string

IP address

BatchResponseFileHash

A list of File Hashes associated with the alert

Name Path Type Description
FileHashes
Filehashes array of FileHash

A list of File Hashes associated with the alert

FileHash

Name Path Type Description
Value
Value string

File Hash value

Algorithm
Algorithm string

The file hash algorithm type

OldIncident

Name Path Type Description
properties
properties OldIncidentProperties

OldIncidentProperties

Name Path Type Description
Status
Status string

The status of the incident

Labels
Labels array of

The labels of the incident

Title
Title string

The title of the incident

Description
Description string

The description of the incident

End Time Utc
EndTimeUtc string

The time the incident ended

Start Time Utc
StartTimeUtc string

The start time of the incident

Last Updated Time Utc
LastUpdatedTimeUtc string

The update time of the incident

Number
CaseNumber string

The number of the incident

Created Time Utc
CreatedTimeUtc string

The time the incident was created

Severity
Severity string

The severity of the incident

Related Alert Ids
RelatedAlertIds array of

The related alert ids of the incident

IncidentAdditionalData

Incident additional data property bag.

Name Path Type Description
Incident Alerts Count
alertsCount integer

The number of alerts in the incident

Incident Bookmarks Count
bookmarksCount integer

The number of bookmarks in the incident

Incident Comments Count
commentsCount integer

The number of comments in the incident

Incident Alert product names
alertProductNames array of string

List of product names of alerts in the incident

Incident Tactics
tactics array of AttackTactic

The tactics associated with incident

IncidentLabel

Represents an incident tag

Name Path Type Description
Name
labelName string

The name of the tag

Type
labelType string

The type of the tag

IncidentOwnerInfo

Information on the user an incident is assigned to

Name Path Type Description
Email
email string

The email of the user the incident is assigned to.

Assigned To
assignedTo string

The name of the user the incident is assigned to. (assignedTo field)

ObjectId
objectId uuid

The object id of the user the incident is assigned to.

User Principal Name
userPrincipalName string

The user principal name of the user the incident is assigned to.

AttackTactic

Represents a tactic item which is associated with the incident

AlertSeverity

The severity of the alert

Severity
string

HuntingBookmark

Represents a hunting bookmark item

Name Path Type Description
ARM ID
id string

The fully qualified ARM ID of the bookmark.

ARM Name
name string

The ARM name of the bookmark (GUID)

properties
properties HuntingBookmarkProperties

Represents HuntingBookmark Properties JSON.

SecurityAlert

Represents a security alert item

Name Path Type Description
ARM ID
id string

The fully qualified ARM ID of the alert.

ARM Name
name string

The ARM name of the alert (GUID)

properties
properties SecurityAlertProperties

Represents Alert Properties JSON.

HuntingBookmarkProperties

Represents HuntingBookmark Properties JSON.

Name Path Type Description
Display Name
displayName string

The display name of the bookmark

Created
created date-time

The created time of the bookmark

Updated
updated date-time

The updated time of the bookmark

Created By User Info
createdBy CreatedByUserInfo

Represents UserInfo Properties JSON.

Updated By User Info
updatedBy UpdatedByUserInfo

Represents UserInfo Properties JSON.

Event Time
eventTime date-time

The event time of the bookmark

Notes
notes string

The notes of the bookmark

Labels
labels array of string

The labels of the bookmark

Query
query string

The query of the bookmark

Query Result
queryResult string

The query result of the bookmark

SecurityAlertProperties

Represents Alert Properties JSON.

Name Path Type Description
Friendly Name
friendlyName string

The graph item display name, a short human-readable description of the graph item instance. This property is optional and might be system generated.

Display Name
alertDisplayName string

The display name of the alert

Type
alertType string

In schedule alert, this is the analytics rule id.

URI
alertLink string

This is the link to the alert in the original vendor.

Compromised Entity
compromisedEntity string

Display name of the main entity being reported on.

Confidence Level
confidenceLevel string

The confidence level of this alert.

Description
description string

The description of the alert.

End Time UTC
endTimeUtc date-time

The impact end time of the alert (the time of the last event contributing to the alert).

Provider ID
providerAlertId string

The identifier of the alert inside the product which generated the alert.

Product Name
productName string

The name of the product which published this alert.

Remediation Steps
remediationSteps array of string

List of manual action items to take to remediate the alert.

Severity
severity AlertSeverity

The severity of the alert

Start Time
startTimeUtc date-time

The impact start time of the alert (the time of the first event contributing to the alert).

Status
status string

The lifecycle status of the alert.

System ID
systemAlertId string

Holds the product identifier of the alert for the product.

Tactics
tactics array of AttackTactic

List of the alert tactics.

Time Generated
timeGenerated date-time

The time the alert was generated.

Query
additionalData.Query string

The query used to decide if the alert should be triggered (Schedule Alert Only).

Query Start Time
additionalData.Query Start Time UTC string

The start time of the query used to decide if the alert should be triggered (Schedule Alert Only).

Query End Time
additionalData.Query End Time UTC string

The end time of the query used to decide if the alert should be triggered (Schedule Alert Only).

Query Operator
additionalData.Trigger Operator string

The operator used to decide if the alert should be triggered (Schedule Alert Only).

Query Threshold
additionalData.Trigger Threshold string

The threshold used to decide if the alert should be triggered (Schedule Alert Only).

Resource Identifiers
resourceIdentifiers array of object

The resource identifiers of the alert

items
resourceIdentifiers object

Represents an alert resource identifier.

Incident

Represents an incident in Azure Security Insights.

Name Path Type Description
Incident ARM ID
id string

The fully qualified ARM ID of the incident.

Incident ARM Name
name string

The ARM name of the incident (GUID)

properties
properties IncidentProperties

Represents the Incident Properties JSON.

FullIncident

Get an incident by ARM ID

Name Path Type Description
Incident ARM ID
id string

The fully qualified ARM ID of the incident.

Incident ARM Name
name string

The ARM name of the incident (GUID)

properties
properties FullIncidentProperties

Represents the Incident Properties JSON.

IncidentProperties

Represents the Incident Properties JSON.

Name Path Type Description
additionalData
additionalData IncidentAdditionalData

Incident additional data property bag.

Incident Classification
classification string

The reason the incident was closed

Incident Classification Comment
classificationComment string

Describes the reason the incident was closed

Incident Classification Reason
classificationReason string

The classification reason the incident was closed with

Incident Created Time Utc
createdTimeUtc date-time

The time the incident was created

Incident Description
description string

The description of the incident

Incident First Activity Time UTC
firstActivityTimeUtc date-time

The time of the first activity in the incident

Incident URL
incidentUrl string

The deep-link url to the incident in Azure portal

Incident Sentinel ID
incidentNumber integer

A sequential number used to identify the incident in Azure Sentinel.

Incident Last Activity Time UTC
lastActivityTimeUtc date-time

The time of the last activity in the incident

Incident Severity
severity string

The severity of the incident

Incident Status
status string

The status of the incident

Incident Title
title string

The title of the incident

Incident Tags
labels array of IncidentLabel

List of tags associated with this incident

Incident Last Modified Time UTC
lastModifiedTimeUtc date-time

The last time the incident was updated

Incident Owner
owner IncidentOwnerInfo

Information on the user an incident is assigned to

Incident Related Analytic Rule Ids
relatedAnalyticRuleIds array of string

List of resource ids of Analytic rules related to the incident

Comments
Comments array of IncidentComment

List of comments on this incident.

FullIncidentProperties

Represents the Incident Properties JSON.

Name Path Type Description
additionalData
additionalData IncidentAdditionalData

Incident additional data property bag.

Incident Classification
classification string

The reason the incident was closed

Incident Classification Comment
classificationComment string

Describes the reason the incident was closed

Incident Classification Reason
classificationReason string

The classification reason the incident was closed with

Incident Created Time Utc
createdTimeUtc date-time

The time the incident was created

Incident Description
description string

The description of the incident

Incident First Activity Time UTC
firstActivityTimeUtc date-time

The time of the first activity in the incident

Incident URL
incidentUrl string

The deep-link url to the incident in Azure portal

Incident Sentinel ID
incidentNumber integer

A sequential number used to identify the incident in Azure Sentinel.

Incident Last Activity Time UTC
lastActivityTimeUtc date-time

The time of the last activity in the incident

Incident Severity
severity string

The severity of the incident

Incident Status
status string

The status of the incident

Incident Title
title string

The title of the incident

Incident Tags
labels array of IncidentLabel

List of tags associated with this incident

Incident Last Modified Time UTC
lastModifiedTimeUtc date-time

The last time the incident was updated

Incident Owner
owner IncidentOwnerInfo

Information on the user an incident is assigned to

Incident Related Analytic Rule Ids
relatedAnalyticRuleIds array of string

List of resource ids of Analytic rules related to the incident

Comments
Comments array of IncidentComment

List of comments on this incident.

Alerts
Alerts array of SecurityAlert

List of alerts related to this incident.

Bookmarks
Bookmarks array of HuntingBookmark

List of bookmarks related to this incident.

Entities
relatedEntities string

List of entities related to the incident, can contain entities of different types

IncidentEventNotification

Name Path Type Description
Subscription ID
workspaceInfo.SubscriptionId string

The subscription ID of the Azure Sentinel workspace

Resource Group Name
workspaceInfo.ResourceGroupName string

The resource group of the Azure Sentinel workspace

Workspace Name
workspaceInfo.WorkspaceName string

The Azure Sentinel workspace name

Workspace ID
workspaceId string

The workspace ID of the incident.

object
object FullIncident

Get an incident by ARM ID

CreatedByUserInfo

Represents UserInfo Properties JSON.

Created By User Info

UpdatedByUserInfo

Represents UserInfo Properties JSON.

Updated By User Info

Alert

Name Path Type Description
Product name
ProductName string

Name of the product which published this alert

Alert type
AlertType string

Type name of the alert

Start time (UTC)
StartTimeUtc date-time

Start time of the alert, when the first contributing event was detected

End time (UTC)
EndTimeUtc date-time

End time of the alert, when the last contributing event was detected

Time generated (UTC)
TimeGenerated date-time

The time the alert was generated

Severity
Severity string

The severity of the alert as it is reported by the provider

Provider alert ID
ProviderAlertId string

Unique id for the specific alert instance set by the provider

System alert ID
SystemAlertId string

Unique ID for the specific alert instance

Alert display name
AlertDisplayName string

Display name of the alert

Description
Description string

Alert description

Entities
Entities string

A list of entities related to the alert; can include multiple entity types

Extended properties
ExtendedProperties string

A list of fields which will be presented to the user

Workspace ID
WorkspaceId string

The ID of the workspace of the alert

Resource group
WorkspaceResourceGroup string

Resource group of the alert

Subscription ID
WorkspaceSubscriptionId string

The ID of the subscription of the alert

Extended links
ExtendedLinks array of object

A list of links related to the alert, can include multiple types

IncidentComment

Represents an incident comment item

Name Path Type Description
ID
id string

The fully qualified ARM ID of the comment.

Name
name string

The ARM name of the comment (GUID)

properties
properties IncidentCommentProperties

Represents Incident Comment Properties JSON.

IncidentCommentProperties

Represents Incident Comment Properties JSON.

string

This is the basic data type 'string'.