Azure Sentinel (Preview)

Cloud-native SIEM with a built-in AI so you can focus on what matters most

This connector is available in the following products and regions:

Service: Logic Apps
Class: Standard
Regions: All Logic Apps regions except the following:
     -   Azure China regions
     -   US Department of Defense (DoD)

Contact
Name: Microsoft
URL: Microsoft LogicApps Support

Connector Metadata
Publisher: Microsoft
Website: https://azure.microsoft.com/services/azure-sentinel/

Azure Sentinel Connector

Connector in depth

Learn more about how to use this connector:

Authentication

Triggers and actions in the Azure Sentinel connector can operate on behalf of any identity that has the necessary permissions (read and/or write) on the relevant workspace. The connector supports multiple identity types:

Permissions required

Roles / Connector components: Triggers; "Get" actions; Update incident, add a comment
Azure Sentinel Reader
Azure Sentinel Responder/Contributor

Learn more about permissions in Azure Sentinel.

Learn how to use the different authentication options.

Known issues and limitations

Cannot trigger a Logic App called by an Azure Sentinel trigger using the "Run Trigger" button

A user cannot use the Run trigger button on the Overview blade of the Logic Apps service to trigger an Azure Sentinel playbook.

Azure Logic Apps are triggered by a POST REST call, whose body is the input for the trigger. Logic Apps that start with Azure Sentinel triggers expect to see the content of an Azure Sentinel alert or incident in the body of the call. When the call comes from the Logic Apps Overview blade, the body of the call is empty, and therefore an error is generated.

These are the only proper ways to trigger Azure Sentinel playbooks:

  • Manual trigger in Azure Sentinel
  • Automated response of an analytics rule (directly or through an automation rule) in Azure Sentinel
  • Use "Resubmit" button in an existing Logic Apps run blade
  • Call the Logic Apps endpoint directly (attaching an alert/incident as the body)
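
The empty-body failure described above, and the incident payload a correctly triggered playbook receives, as an added example that is not part of the connector reference. The parser below rejects an empty POST body with an explicit message instead of an opaque run failure, then extracts the fields a playbook usually needs, following the IncidentEventNotification, FullIncident and SecurityAlert definitions on this page. It also decodes the alert's Custom Details value, which (as the SecurityAlertProperties definition notes) arrives as a JSON string that needs a second parse. SAMPLE_BODY is constructed with placeholder GUIDs; nothing here is the connector's own code.

```python
"""Check and summarise the body of an Azure Sentinel incident-trigger call.

Added example, not part of the connector reference. The payload shape follows the
IncidentEventNotification, FullIncident and SecurityAlert definitions on this page;
SAMPLE_BODY is constructed with placeholder GUIDs, not a real incident.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field


class EmptyTriggerBodyError(ValueError):
    """The POST body was empty, which is what the portal's 'Run Trigger' button sends."""


@dataclass
class IncidentSummary:
    subscription_id: str
    resource_group: str
    workspace_name: str
    incident_arm_id: str
    incident_number: int
    severity: str
    status: str
    title: str
    tags: list[str] = field(default_factory=list)
    alert_ids: list[str] = field(default_factory=list)
    custom_details: list[dict] = field(default_factory=list)


def parse_trigger_body(raw_body: bytes | str | None) -> IncidentSummary:
    """Reject an empty body, then pull out the fields a playbook usually needs."""
    if isinstance(raw_body, bytes):
        raw_body = raw_body.decode("utf-8")
    if not raw_body or not raw_body.strip():
        raise EmptyTriggerBodyError(
            "empty trigger body: start the playbook from Azure Sentinel, from 'Resubmit' "
            "on an existing run, or with a POST that carries an incident")
    payload = json.loads(raw_body)
    try:
        ws, incident = payload["workspaceInfo"], payload["object"]
        props = incident["properties"]
    except (KeyError, TypeError) as exc:
        raise ValueError(f"body is not an IncidentEventNotification: {exc!r}") from None

    alert_ids, custom_details = [], []
    for alert in props.get("Alerts", []):
        aprops = alert.get("properties", {})
        alert_ids.append(aprops.get("systemAlertId", ""))
        # 'Custom Details' arrives as a JSON *string* (the page says to follow it with
        # Parse JSON), so it needs a second decode before its keys are usable.
        raw_details = aprops.get("additionalData", {}).get("Custom Details")
        if raw_details:
            custom_details.append(json.loads(raw_details))

    return IncidentSummary(
        subscription_id=ws["SubscriptionId"],
        resource_group=ws["ResourceGroupName"],
        workspace_name=ws["WorkspaceName"],
        incident_arm_id=incident["id"],
        incident_number=int(props["incidentNumber"]),
        severity=props["severity"],
        status=props["status"],
        title=props["title"],
        tags=[label["labelName"] for label in props.get("labels", [])],
        alert_ids=alert_ids,
        custom_details=custom_details,
    )


def trigger_error(raw_body) -> str | None:
    """None when the body is usable, otherwise the message the run should fail with."""
    try:
        parse_trigger_body(raw_body)
    except ValueError as exc:  # EmptyTriggerBodyError and JSONDecodeError are ValueErrors
        return str(exc)
    return None


# Constructed sample (placeholder GUIDs): the shape an automation rule posts to the playbook.
_SUB = "00000000-0000-0000-0000-000000000001"
_WS = f"/subscriptions/{_SUB}/resourceGroups/soc-rg/providers/Microsoft.OperationalInsights/workspaces/soc-law"
SAMPLE_BODY = json.dumps({
    "workspaceInfo": {"SubscriptionId": _SUB, "ResourceGroupName": "soc-rg", "WorkspaceName": "soc-law"},
    "workspaceId": "00000000-0000-0000-0000-0000000000aa",
    "object": {
        "id": f"{_WS}/providers/Microsoft.SecurityInsights/Incidents/00000000-0000-0000-0000-0000000000bb",
        "name": "00000000-0000-0000-0000-0000000000bb",
        "properties": {
            "incidentNumber": 42, "severity": "High", "status": "New",
            "title": "Suspicious sign-in followed by mailbox rule creation",
            "labels": [{"labelName": "phishing", "labelType": "User"}],
            "Alerts": [{"properties": {
                "systemAlertId": "00000000-0000-0000-0000-0000000000cc",
                "additionalData": {"Custom Details": json.dumps({"TargetUser": ["alice@example.com"]})},
            }}],
        },
    },
})

if __name__ == "__main__":
    print(trigger_error(""))  # the 'Run Trigger' button failure mode
    print(parse_trigger_body(SAMPLE_BODY))
```

Using the ARM ID from `object.id` (rather than the incident number) is what the V3 comment action and the Get incident action on this page expect as `incidentArmId`.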

Updating the same incident in parallel "For each" loops

For each loops are set by default to run in parallel, but can be easily set to run sequentially. If a for each loop might update the same Azure Sentinel incident in separate iterations, it should be configured to run sequentially.
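
A check for the situation just described, as an added example that is not part of the connector reference: it walks a Logic Apps workflow definition (the JSON behind a playbook) and reports every Foreach action that contains an Azure Sentinel connector call but is still allowed to run its iterations in parallel, and shows the corrected setting beside the default one. Two assumptions are made: the Sentinel connection is recognised by the string `azuresentinel` in `inputs.host.connection.name` (the default connection name in generated playbooks; a renamed connection would need a different marker), and "run sequentially" corresponds to the Logic Apps concurrency setting `runtimeConfiguration.concurrency.repetitions` being 1. SAMPLE_DEFINITION and the connector call inside it are constructed for the example; the method, path and body shown are illustrative, not the connector's contract.

```python
"""Lint a Logic Apps definition for 'For each' loops that may update one Sentinel incident in parallel.

Added example, not part of the connector reference. Assumptions: the Sentinel connection is
recognised by 'azuresentinel' in inputs.host.connection.name, and 'run sequentially' is
runtimeConfiguration.concurrency.repetitions == 1. SAMPLE_DEFINITION is constructed.
"""
from __future__ import annotations

import copy
import json

SENTINEL_CONNECTION_MARKER = "azuresentinel"  # assumption: default connection name


def nested_action_blocks(action: dict):
    """Yield each child 'actions' dict of a control-flow action (Foreach, Scope, If, Until)."""
    if isinstance(action.get("actions"), dict):
        yield action["actions"]
    if isinstance(action.get("else", {}).get("actions"), dict):  # If action's else branch
        yield action["else"]["actions"]


def uses_sentinel_connector(action: dict) -> bool:
    """True for an ApiConnection action whose connection name references Sentinel."""
    if action.get("type") != "ApiConnection":
        return False
    name = action.get("inputs", {}).get("host", {}).get("connection", {}).get("name", "")
    return SENTINEL_CONNECTION_MARKER in str(name).lower()


def contains_sentinel_action(actions: dict) -> bool:
    """Recursively check a block of actions for any Sentinel connector call."""
    return any(uses_sentinel_connector(a) or any(contains_sentinel_action(n) for n in nested_action_blocks(a))
               for a in actions.values())


def is_sequential(action: dict) -> bool:
    """A Foreach runs one iteration at a time only when repetitions is set to 1."""
    return action.get("runtimeConfiguration", {}).get("concurrency", {}).get("repetitions") == 1


def find_parallel_sentinel_loops(definition: dict) -> list[str]:
    """Names of Foreach actions that call Sentinel but still run with default parallelism."""
    findings: list[str] = []

    def walk(actions: dict) -> None:
        for name, action in actions.items():
            if (action.get("type") == "Foreach" and not is_sequential(action)
                    and contains_sentinel_action(action.get("actions", {}))):
                findings.append(name)
            for nested in nested_action_blocks(action):
                walk(nested)

    walk(definition.get("actions", {}))
    return sorted(findings)


def make_sequential(definition: dict, loop_name: str) -> dict:
    """Return a copy of the definition with the named Foreach forced to one iteration at a time."""
    fixed = copy.deepcopy(definition)

    def walk(actions: dict) -> None:
        for name, action in actions.items():
            if name == loop_name and action.get("type") == "Foreach":
                action.setdefault("runtimeConfiguration", {})["concurrency"] = {"repetitions": 1}
            for nested in nested_action_blocks(action):
                walk(nested)

    walk(fixed.get("actions", {}))
    return fixed


# Constructed sample connector call; method/path/body are illustrative, not the connector's contract.
SENTINEL_UPDATE = {
    "type": "ApiConnection",
    "inputs": {
        "host": {"connection": {"name": "@parameters('$connections')['azuresentinel']['connectionId']"}},
        "method": "put", "path": "/Incidents",
        "body": {"incidentArmId": "@triggerBody()?['object']?['id']", "severity": "High"},
    },
}

SAMPLE_DEFINITION = {  # the 'definition' object of a playbook, constructed for this example
    "actions": {
        "For_each_alert": {   # default concurrency, so iterations update the incident in parallel
            "type": "Foreach",
            "foreach": "@triggerBody()?['object']?['properties']?['Alerts']",
            "actions": {"Update_incident": SENTINEL_UPDATE},
        },
        "For_each_entity": {  # already sequential: compliant
            "type": "Foreach",
            "foreach": "@triggerBody()?['object']?['properties']?['relatedEntities']",
            "runtimeConfiguration": {"concurrency": {"repetitions": 1}},
            "actions": {"Update_incident_per_entity": SENTINEL_UPDATE},
        },
        "For_each_url": {     # parallel, but never touches Sentinel: not flagged
            "type": "Foreach",
            "foreach": "@variables('urls')",
            "actions": {"Compose": {"type": "Compose", "inputs": "@item()"}},
        },
    }
}

if __name__ == "__main__":
    print(find_parallel_sentinel_loops(SAMPLE_DEFINITION))
    fixed = make_sequential(SAMPLE_DEFINITION, "For_each_alert")
    print(json.dumps(fixed["actions"]["For_each_alert"]["runtimeConfiguration"]))
```

Run this over exported playbook definitions as part of review; a loop that only reads from Sentinel is not flagged by the concurrency concern on this page, but the check above errs on the side of reporting any Sentinel call inside a parallel loop.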

Restoring alert's original query is currently not supported via Logic Apps

Usage of the Azure Monitor Logs connector to retrieve the events captured by the scheduled alert analytics rule is not consistently reliable.

  • The Azure Monitor Logs connector does not support defining a custom time range. Restoring the exact same query results requires defining the exact same time range as in the original query.
  • Alerts may be delayed in appearing in the Log Analytics workspace after the rule triggers the playbook.

Available resources

Azure Sentinel docs

Azure Sentinel References

Azure Logic Apps

Creating a connection

The connector supports the following authentication types:

Default: Parameters for creating connection. Applicable to all regions. Not shareable.

Default

Applicable: All regions

Parameters for creating connection.

This connection is not shareable. If the power app is shared with another user, that user will be prompted to create a new connection explicitly.

Throttling Limits

Name: API calls per connection
Calls: 600
Renewal Period: 60 seconds

Actions

Add comment to incident (V2)

Adds comment to selected incident

Add comment to incident (V3)

Adds comment to selected incident

Add comment to incident [DEPRECATED]

This action has been deprecated. Please use Add comment to incident (V3) instead.

Adds comment to selected incident

Add labels to incident (deprecated) [DEPRECATED]

Adds labels to selected incident

Alert - Get incident

Returns the incident associated with selected alert

Alert - Get incident

Returns the incident associated with selected alert

ASI trigger unsubscribe [DEPRECATED]

Unsubscribe

Change incident description (V2) (deprecated) [DEPRECATED]

Changes the description of the selected incident

Change incident description [DEPRECATED]

Changes the description of the selected incident

Change incident severity (deprecated) [DEPRECATED]

Changes the severity of the selected incident

Change incident status (deprecated) [DEPRECATED]

Changes the status of the selected incident

Change incident title (V2) (deprecated) [DEPRECATED]

Changes the title of the selected incident

Change incident title [DEPRECATED]

Changes the title of the selected incident

Entities - Get Accounts

Returns list of accounts associated with the alert

Entities - Get FileHashes

Returns list of File Hashes associated with the alert

Entities - Get Hosts

Returns list of hosts associated with the alert

Entities - Get IPs

Returns list of IPs associated with the alert

Entities - Get URLs

Returns list of URLs associated with the alert

Get incident

Get an incident by ARM ID

Remove labels from incident (deprecated) [DEPRECATED]

Removes labels from the selected incident

Update incident

Update incident with provided fields

Watchlists - Add a new watchlist item

Watchlists - Add a new watchlist item

Watchlists - Update an existing watchlist item

Watchlists - Update an existing watchlist item

Add comment to incident (V2)

Adds comment to selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

Specify comment
Value True string

Comment value

Returns

response
string

Add comment to incident (V3)

Adds comment to selected incident

Parameters

Name Key Required Type Description
Incident ARM id
incidentArmId True string

Incident ARM id

Incident comment message
message True html

Incident comment message

Returns

Represents an incident comment item

Incident Comment
IncidentComment

Add comment to incident [DEPRECATED]

This action has been deprecated. Please use Add comment to incident (V3) instead.

Adds comment to selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

Specify incident comment
comment True string

Incident comment

Returns

response
string

Add labels to incident (deprecated) [DEPRECATED]

Adds labels to selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

label
Label True string

label

Returns

response
string

Alert - Get incident

Returns the incident associated with selected alert

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Specify alert id
alertId True string

System alert id

Returns

Alert - Get incident

Returns the incident associated with selected alert

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Specify alert id
alertId True string

System Alert Id

Returns

Represents an incident in Azure Security Insights.

Body
Incident

ASI trigger unsubscribe [DEPRECATED]

Unsubscribe

Returns

response
string

Change incident description (V2) (deprecated) [DEPRECATED]

Changes the description of the selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

Specify description
Value True string

Description value

Returns

response
string

Change incident description [DEPRECATED]

Changes the description of the selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

Specify description
fieldValue True string

Description value

Returns

response
string

Change incident severity (deprecated) [DEPRECATED]

Changes the severity of the selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

Specify severity
severity True string

Severity value

Returns

response
string

Change incident status (deprecated) [DEPRECATED]

Changes the status of the selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

Specify status
status True string

Status value

dynamicStatusChangerSchema
dynamicStatusChangerSchema dynamic

Dynamic Schema of incident status changer

Returns

response
string

Change incident title (V2) (deprecated) [DEPRECATED]

Changes the title of the selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

Specify title
Value True string

Title value

Returns

response
string

Change incident title [DEPRECATED]

Changes the title of the selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

Specify title
fieldValue True string

Title value

Returns

response
string

Entities - Get Accounts

Returns list of accounts associated with the alert

Parameters

Name Key Required Type Description
Entities list
body True string

Entities list

Returns

A list of accounts associated with the alert

Entities - Get FileHashes

Returns list of File Hashes associated with the alert

Parameters

Name Key Required Type Description
Entities list
body True string

Entities list

Returns

A list of File Hashes associated with the alert

Entities - Get Hosts

Returns list of hosts associated with the alert

Parameters

Name Key Required Type Description
Entities list
body True string

Entities list

Returns

A list of hosts associated with the alert

Entities - Get IPs

Returns list of IPs associated with the alert

Parameters

Name Key Required Type Description
Entities list
body True string

Entities list

Returns

A list of IPs associated with the alert

Entities - Get URLs

Returns list of URLs associated with the alert

Parameters

Name Key Required Type Description
Entities list
body True string

Entities list

Returns

A list of URLs associated with the alert

Get incident

Get an incident by ARM ID

Parameters

Name Key Required Type Description
Incident ARM id
incidentArmId True string

Incident ARM id

Returns

Represents an incident in Azure Security Insights.

Body
Incident

Remove labels from incident (deprecated) [DEPRECATED]

Removes labels from the selected incident

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace Id
workspaceId True string

Workspace id

Identifier
identifier True string

Incident / alert

Specify alert / incident
id True string

Please provide the incident number / alert id

label
Label True string

label

Returns

response
string

Update incident

Update incident with provided fields

Parameters

Name Key Required Type Description
Specify incident fields to update
body True dynamic

Incident fields to update

Returns

Represents an incident in Azure Security Insights.

Body
Incident

Watchlists - Add a new watchlist item

Watchlists - Add a new watchlist item

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace name
workspaceName True string

Workspace name

Specify watchlist alias
watchlistAlias True string

Watchlist alias

Returns

Represents a WatchlistItem in Azure Security Insights.

Watchlists - Update an existing watchlist item

Watchlists - Update an existing watchlist item

Parameters

Name Key Required Type Description
Specify subscription id
subscriptionId True string

Subscription id

Specify resource group
resourceGroup True string

Resource group

Specify workspace name
workspaceName True string

Workspace name

Specify watchlist alias
watchlistAlias True string

Watchlist alias

Specify Watchlist Item ID
watchlistItemId True string

Unique identifier for a watchlist item (GUID)

Returns

Represents a WatchlistItem in Azure Security Insights.

Triggers

When a response to an Azure Sentinel alert is triggered

When a response to an Azure Sentinel alert is triggered. This playbook is triggered by an analytics rule when a new alert is created, or by manual triggering. The playbook receives the alert as its input.

When a response to an Azure Sentinel alert is triggered [DEPRECATED]

When a response to an Azure Sentinel alert is triggered. This playbook must be triggered using Azure Sentinel Real Time or from Azure

When Azure Sentinel incident creation rule was triggered

When a response to an Azure Sentinel incident is triggered. This playbook is triggered by an automation rule when a new incident is created. The playbook receives the Azure Sentinel incident as its input, including its alerts and entities.

When a response to an Azure Sentinel alert is triggered

When a response to an Azure Sentinel alert is triggered. This playbook is triggered by an analytics rule when a new alert is created, or by manual triggering. The playbook receives the alert as its input.

Returns

Body
Alert

When a response to an Azure Sentinel alert is triggered [DEPRECATED]

When a response to an Azure Sentinel alert is triggered. This playbook must be triggered using Azure Sentinel Real Time or from Azure

Returns

Body
Alert

When Azure Sentinel incident creation rule was triggered

When a response to an Azure Sentinel incident is triggered. This playbook is triggered by an automation rule when a new incident is created. The playbook receives the Azure Sentinel incident as its input, including its alerts and entities.

Returns

Definitions

BatchResponseAccount

A list of accounts associated with the alert

Name Path Type Description
Accounts
Accounts array of Account

A list of accounts associated with the alert

WatchlistItem

Represents a WatchlistItem in Azure Security Insights.

Name Path Type Description
Watchlist Item ID
id string

The fully qualified ID of the watchlist item.

WatchlistItem Name
name string

Corresponds to WatchlistItem ID (GUID)

WatchlistItem etag
etag string

Corresponds to etag (GUID)

WatchlistItem type
type string

Corresponds to WatchlistItem type

properties
properties WatchlistItemProperties

WatchlistItemProperties

Name Path Type Description
WatchlistItemType
watchlistItemType string

Type of the watchlist item; equals watchlist-item

WatchlistItemId
watchlistItemId string

ID of WatchlistItem

TenantId
tenantId string

Tenant

IsDeleted
isDeleted boolean

Is Deleted

Created
created date-time

The created time of the watchlistItem

Updated
updated date-time

The updated time of the watchlistItem

Created By User Info
createdBy CreatedByUserInfo

Represents UserInfo Properties JSON.

Updated By User Info
updatedBy UpdatedByUserInfo

Represents UserInfo Properties JSON.

ItemsKeyValue
itemsKeyValue array of

The columns of watchlistItem with corresponding values

Account

Name Path Type Description
Name
Name string

Account name

NT domain
NTDomain string

NETBIOS domain name as it appears in the alert format

DnsDomain
DnsDomain string

The fully qualified domain DNS name

UPN suffix
UPNSuffix string

User principal name suffix

SID
Sid string

Account security identifier, e.g. S-1-5-18

AAD tenant ID
AadTenantId string

AAD tenant id, if known

AAD user ID
AadUserId string

AAD user id, if known

PUID
PUID string

The AAD Passport User ID, if known

Is domain joined
IsDomainJoined boolean

Determines whether this is a domain account

ObjectGuid
ObjectGuid string

The objectGUID attribute is a single-value attribute that is the unique identifier for the object, assigned by Active Directory

BatchResponseUrl

A list of URLs associated with the alert

Name Path Type Description
URLs
URLs array of UrlEntity

A list of URLs associated with the alert

UrlEntity

Name Path Type Description
Url
Url string

BatchResponseHost

A list of hosts associated with the alert

Name Path Type Description
Hosts
Hosts array of Host

A list of hosts associated with the alert

Host

Name Path Type Description
DNS domain
DnsDomain string

DNS domain that this host belongs to

NT domain
NTDomain string

NT domain that this host belongs to

Hostname
HostName string

Hostname without the domain suffix

NetBiosName
NetBiosName string

The host name (pre-Windows 2000)

OMSAgentID
OMSAgentID string

The OMS agent id, if the host has OMS agent installed

OSFamily
OSFamily string

One of the following values: Linux, Windows, Android, IOS

OSVersion
OSVersion string

A free text representation of the operating system

Is domain joined
IsDomainJoined boolean

Determines whether this host belongs to a domain

AzureID
AzureID string

The Azure resource ID of the VM, if known

BatchResponseIP

A list of IPs associated with the alert

Name Path Type Description
IPs
IPs array of IP

A list of IPs associated with the alert

IP

Name Path Type Description
Address
Address string

IP address

BatchResponseFileHash

A list of File Hashes associated with the alert

Name Path Type Description
FileHashes
Filehashes array of FileHash

A list of File Hashes associated with the alert

FileHash

Name Path Type Description
Value
Value string

File Hash value

Algorithm
Algorithm string

The file hash algorithm types

OldIncident

Name Path Type Description
properties
properties OldIncidentProperties

OldIncidentProperties

Name Path Type Description
Status
Status string

The status of the incident

Labels
Labels array of

The labels of the incident

Title
Title string

The title of the incident

Description
Description string

The description of the incident

End Time Utc
EndTimeUtc string

The time the incident ended

Start Time Utc
StartTimeUtc string

The start time of the incident

Last Updated Time Utc
LastUpdatedTimeUtc string

The update time of the incident

Number
CaseNumber string

The number of the incident

Created Time Utc
CreatedTimeUtc string

The time the incident was created

Severity
Severity string

The severity of the incident

Related Alert Ids
RelatedAlertIds array of

The related alert ids of the incident

IncidentAdditionalData

Incident additional data property bag.

Name Path Type Description
Incident Alerts Count
alertsCount integer

The number of alerts in the incident

Incident Bookmarks Count
bookmarksCount integer

The number of bookmarks in the incident

Incident Comments Count
commentsCount integer

The number of comments in the incident

Incident Alert product names
alertProductNames array of string

List of product names of alerts in the incident

Incident Tactics
tactics array of AttackTactic

The tactics associated with incident

IncidentLabel

Represents an incident tag

Name Path Type Description
Name
labelName string

The name of the tag

Type
labelType string

The type of the tag

IncidentOwnerInfo

Information on the user an incident is assigned to

Name Path Type Description
Email
email string

The email of the user the incident is assigned to.

Assigned To
assignedTo string

The name of the user the incident is assigned to. (assignedTo field)

ObjectId
objectId uuid

The object id of the user the incident is assigned to.

User Principal Name
userPrincipalName string

The user principal name of the user the incident is assigned to.

AttackTactic

Represents a tactic item which is associated with the incident

AlertSeverity

The severity of the alert

Severity
string

HuntingBookmark

Represents a hunting bookmark item

Name Path Type Description
ARM ID
id string

The fully qualified ARM ID of the bookmark.

ARM Name
name string

The ARM name of the bookmark (GUID)

properties
properties HuntingBookmarkProperties

Represents HuntingBookmark Properties JSON.

SecurityAlert

Represents a security alert item

Name Path Type Description
ARM ID
id string

The fully qualified ARM ID of the alert.

ARM Name
name string

The ARM name of the alert (GUID)

properties
properties SecurityAlertProperties

Represents Alert Properties JSON.

HuntingBookmarkProperties

Represents HuntingBookmark Properties JSON.

Name Path Type Description
Display Name
displayName string

The display name of the bookmark

Created
created date-time

The created time of the bookmark

Updated
updated date-time

The updated time of the bookmark

Created By User Info
createdBy CreatedByUserInfo

Represents UserInfo Properties JSON.

Updated By User Info
updatedBy UpdatedByUserInfo

Represents UserInfo Properties JSON.

Event Time
eventTime date-time

The event time of the bookmark

Notes
notes string

The notes of the bookmark

Labels
labels array of string

The labels of the bookmark

Query
query string

The query of the bookmark

Query Result
queryResult string

The query result of the bookmark

SecurityAlertProperties

Represents Alert Properties JSON.

Name Path Type Description
Friendly Name
friendlyName string

The graph item display name, a short human-readable description of the graph item instance. This property is optional and might be system generated.

Display Name
alertDisplayName string

The display name of the alert

Type
alertType string

For scheduled alerts, this is the analytics rule id.

URI
alertLink string

This is the link to the alert in the original vendor's product.

Compromised Entity
compromisedEntity string

Display name of the main entity being reported on.

Confidence Level
confidenceLevel string

The confidence level of this alert.

Description
description string

The description of the alert.

End Time UTC
endTimeUtc date-time

The impact end time of the alert (the time of the last event contributing to the alert).

Provider ID
providerAlertId string

The identifier of the alert inside the product which generated the alert.

Product Name
productName string

The name of the product which published this alert.

Remediation Steps
remediationSteps array of string

List of manual action items to take to remediate the alert.

Severity
severity AlertSeverity

The severity of the alert

Start Time
startTimeUtc date-time

The impact start time of the alert (the time of the first event contributing to the alert).

Status
status string

The lifecycle status of the alert.

System ID
systemAlertId string

Holds the product identifier of the alert for the product.

Tactics
tactics array of AttackTactic

List of the alert tactics.

Time Generated
timeGenerated date-time

The time the alert was generated.

Query
additionalData.Query string

The query used to decide if the alert should be triggered (Schedule Alert Only).

Query Start Time
additionalData.Query Start Time UTC string

The start time of the query used to decide if the alert should be triggered (Schedule Alert Only).

Query End Time
additionalData.Query End Time UTC string

The end time of the query used to decide if the alert should be triggered (Schedule Alert Only).

Query Operator
additionalData.Trigger Operator string

The operator used to decide if the alert should be triggered (Schedule Alert Only).

Query Threshold
additionalData.Trigger Threshold string

The threshold used to decide if the alert should be triggered (Schedule Alert Only).

Custom Details
additionalData.Custom Details string

Custom event details added to the alert by the analytics rules (scheduled alerts only). To use this field, follow it with a "Parse JSON" action, and use a sample payload from an existing alert to generate the schema.

Resource Identifiers
resourceIdentifiers array of object

The resource identifiers of the alert

items
resourceIdentifiers object

Represents an alert resource identifier.

Incident

Represents an incident in Azure Security Insights.

Name Path Type Description
Incident ARM ID
id string

The fully qualified ARM ID of the incident.

Incident ARM Name
name string

The ARM name of the incident (GUID)

properties
properties IncidentProperties

Represents the Incident Properties JSON.

FullIncident

Get an incident by ARM ID

Name Path Type Description
Incident ARM ID
id string

The fully qualified ARM ID of the incident.

Incident ARM Name
name string

The ARM name of the incident (GUID)

properties
properties FullIncidentProperties

Represents the Incident Properties JSON.

IncidentProperties

Represents the Incident Properties JSON.

Name Path Type Description
additionalData
additionalData IncidentAdditionalData

Incident additional data property bag.

Incident Classification
classification string

The reason the incident was closed

Incident Classification Comment
classificationComment string

Describes the reason the incident was closed

Incident Classification Reason
classificationReason string

The classification reason the incident was closed with

Incident Created Time Utc
createdTimeUtc date-time

The time the incident was created

Incident Description
description string

The description of the incident

Incident First Activity Time UTC
firstActivityTimeUtc date-time

The time of the first activity in the incident

Incident URL
incidentUrl string

The deep-link URL to the incident in the Azure portal

Incident Sentinel ID
incidentNumber integer

A sequential number used to identify the incident in Azure Sentinel.

Incident Last Activity Time UTC
lastActivityTimeUtc date-time

The time of the last activity in the incident

Incident Severity
severity string

The severity of the incident

Incident Status
status string

The status of the incident

Incident Title
title string

The title of the incident

Incident Tags
labels array of IncidentLabel

List of tags associated with this incident

Incident Last Modified Time UTC
lastModifiedTimeUtc date-time

The last time the incident was updated

Incident Owner
owner IncidentOwnerInfo

Information on the user an incident is assigned to

Incident Related Analytic Rule Ids
relatedAnalyticRuleIds array of string

List of resource ids of Analytic rules related to the incident

Comments
Comments array of IncidentComment

List of comments on this incident.

FullIncidentProperties

Represents the Incident Properties JSON.

Name Path Type Description
additionalData
additionalData IncidentAdditionalData

Incident additional data property bag.

Incident Classification
classification string

The reason the incident was closed

Incident Classification Comment
classificationComment string

Describes the reason the incident was closed

Incident Classification Reason
classificationReason string

The classification reason the incident was closed with

Incident Created Time Utc
createdTimeUtc date-time

The time the incident was created

Incident Description
description string

The description of the incident

Incident First Activity Time UTC
firstActivityTimeUtc date-time

The time of the first activity in the incident

Incident URL
incidentUrl string

The deep-link URL to the incident in the Azure portal

Incident Sentinel ID
incidentNumber integer

A sequential number used to identify the incident in Azure Sentinel.

Incident Last Activity Time UTC
lastActivityTimeUtc date-time

The time of the last activity in the incident

Incident Severity
severity string

The severity of the incident

Incident Status
status string

The status of the incident

Incident Title
title string

The title of the incident

Incident Tags
labels array of IncidentLabel

List of tags associated with this incident

Incident Last Modified Time UTC
lastModifiedTimeUtc date-time

The last time the incident was updated

Incident Owner
owner IncidentOwnerInfo

Information on the user an incident is assigned to

Incident Related Analytic Rule Ids
relatedAnalyticRuleIds array of string

List of resource ids of Analytic rules related to the incident

Comments
Comments array of IncidentComment

List of comments on this incident.

Alerts
Alerts array of SecurityAlert

List of alerts related to this incident.

Bookmarks
Bookmarks array of HuntingBookmark

List of bookmarks related to this incident.

Entities
relatedEntities string

List of entities related to the incident, can contain entities of different types

IncidentEventNotification

Name Path Type Description
Subscription ID
workspaceInfo.SubscriptionId string

The subscription ID of the Azure Sentinel workspace

Resource Group Name
workspaceInfo.ResourceGroupName string

The resource group of the Azure Sentinel workspace

Workspace Name
workspaceInfo.WorkspaceName string

The Azure Sentinel workspace name

Workspace ID
workspaceId string

The workspace ID of the incident.

object
object FullIncident

Get an incident by ARM ID

CreatedByUserInfo

Represents UserInfo Properties JSON.

Created By User Info

UpdatedByUserInfo

Represents UserInfo Properties JSON.

Updated By User Info

Alert

Name Path Type Description
Product name
ProductName string

Name of the product which published this alert

Alert type
AlertType string

Type name of the alert

Start time (UTC)
StartTimeUtc date-time

Start time of the alert, when the first contributing event was detected

End time (UTC)
EndTimeUtc date-time

End time of the alert, when the last contributing event was detected

Time generated (UTC)
TimeGenerated date-time

The time the alert was generated

Severity
Severity string

The severity of the alert as it is reported by the provider

Provider alert ID
ProviderAlertId string

Unique id for the specific alert instance set by the provider

System alert ID
SystemAlertId string

Unique ID for the specific alert instance

Alert display name
AlertDisplayName string

Display name of the alert

Description
Description string

Alert description

Entities
Entities string

A list of entities related to the alert; can include multiple entity types

Extended properties
ExtendedProperties string

A list of fields which will be presented to the user

Workspace ID
WorkspaceId string

The ID of the workspace of the alert

Resource group
WorkspaceResourceGroup string

The resource group of the alert

Subscription ID
WorkspaceSubscriptionId string

The ID of the subscription of the alert

Extended links
ExtendedLinks array of object

A list of links related to the alert, can include multiple types

IncidentComment

Represents an incident comment item

Name Path Type Description
ID
id string

The fully qualified ARM ID of the comment.

Name
name string

The ARM name of the comment (GUID)

properties
properties IncidentCommentProperties

Represents Incident Comment Properties JSON.

IncidentCommentProperties

Represents Incident Comment Properties JSON.

string

This is the basic data type 'string'.