Get-AzSentinelIncident
Gets an incident.
Syntax
Get-AzSentinelIncident
-ResourceGroupName <String>
-WorkspaceName <String>
[-SubscriptionId <String[]>]
[-Filter <String>]
[-Orderby <String>]
[-SkipToken <String>]
[-Top <Int32>]
[-DefaultProfile <PSObject>]
[<CommonParameters>]
Get-AzSentinelIncident
-Id <String>
-ResourceGroupName <String>
-WorkspaceName <String>
[-SubscriptionId <String[]>]
[-DefaultProfile <PSObject>]
[<CommonParameters>]
Get-AzSentinelIncident
-InputObject <ISecurityInsightsIdentity>
[-DefaultProfile <PSObject>]
[<CommonParameters>]
Description
Gets an incident.
Examples
Example 1: List all Incidents
Get-AzSentinelIncident -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
Title : (Preview) TI map IP entity to AzureActivity
Description : Identifies a match in AzureActivity from any IP IOC from TI
Severity : Medium
Number : 754
Label : {}
ProviderName : Azure Sentinel
Name : f5409f55-7dd8-4c73-9981-4627520b2db
This command lists all Incidents under a Microsoft Sentinel workspace.
Example 2: Get an Incident
Get-AzSentinelIncident -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "f5409f55-7dd8-4c73-9981-4627520b2db"
Title : (Preview) TI map IP entity to AzureActivity
Description : Identifies a match in AzureActivity from any IP IOC from TI
Severity : Medium
Number : 754
Label : {}
ProviderName : Azure Sentinel
Name : f5409f55-7dd8-4c73-9981-4627520b2db
This command gets an Incident.
Parameters
-DefaultProfile
The DefaultProfile parameter is not functional. Use the SubscriptionId parameter when available if executing the cmdlet against a different subscription.
Type: | PSObject |
Aliases: | AzureRMContext, AzureCredential |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Filter
Filters the results, based on a Boolean condition. Optional.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Id
Incident ID
Type: | String |
Aliases: | IncidentId |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-InputObject
Identity Parameter To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
Type: | ISecurityInsightsIdentity |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Orderby
Sorts the results. Optional.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResourceGroupName
The name of the resource group. The name is case insensitive.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-SkipToken
Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-SubscriptionId
The ID of the target subscription.
Type: | String[] |
Position: | Named |
Default value: | (Get-AzContext).Subscription.Id |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Top
Returns only the first n results. Optional.
Type: | Int32 |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WorkspaceName
The name of the workspace.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Inputs
Outputs
Notes
ALIASES
COMPLEX PARAMETER PROPERTIES
To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
INPUTOBJECT <ISecurityInsightsIdentity>
: Identity Parameter
[ActionId <String>]
: Action ID[AlertRuleTemplateId <String>]
: Alert rule template ID[AutomationRuleId <String>]
: Automation rule ID[BookmarkId <String>]
: Bookmark ID[ConsentId <String>]
: consent ID[DataConnectorId <String>]
: Connector ID[EntityId <String>]
: entity ID[EntityQueryId <String>]
: entity query ID[EntityQueryTemplateId <String>]
: entity query template ID[Id <String>]
: Resource identity path[IncidentCommentId <String>]
: Incident comment ID[IncidentId <String>]
: Incident ID[MetadataName <String>]
: The Metadata name.[Name <String>]
: Threat intelligence indicator name field.[RelationName <String>]
: Relation Name[ResourceGroupName <String>]
: The name of the resource group. The name is case insensitive.[RuleId <String>]
: Alert rule ID[SentinelOnboardingStateName <String>]
: The Sentinel onboarding state name. Supports - default[SettingsName <String>]
: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba[SourceControlId <String>]
: Source control Id[SubscriptionId <String>]
: The ID of the target subscription.[WorkspaceName <String>]
: The name of the workspace.
Azure PowerShell
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for