Azure Sentinel
- Anthony Shevlin (Deactivated)
Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution.
Connect Azure Sentinel with Devo SOAR
Navigate to Automations > Integrations.
Search for Azure Sentinel.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Enter a connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input.
Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
Remote Agent: Run this integration using the Devo SOAR Remote Agent.
Tenant ID: Tenant/directory ID for Azure Sentinel.
Client ID: Client id for Azure Sentinel.
Client Secret: Client secret for Azure Sentinel.
After you've entered all the details, click Connect.
Actions for Azure Sentinel
Execute Query
Executes an analytics query for data.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Workspace Id | Column name from the parent table that contains the ID of the workspace. | Required |
Query | Column name from the parent table that contains the query to execute. Example: Usage | take 10. | Required |
Start Date | Column name from the parent table that contains start date. Example: YYYY-MM-DD (default is last 30 Days). | Optional |
End Date | Column name from the parent table that contains end date. Example: YYYY-MM-DD (default is the last 30 days). | Optional |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
result: Query Result
List Alert Rules
List alert rules.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Subscription ID | Jinja-templated text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
API Version | Jinja-templated text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
{
"value": [
{
"id": "/subscriptions/44a1188f-486a-40f3-b7b6-5basdfsadf/resourceGroups/integon/providers/Microsoft.OperationalInsights/workspaces/teseg/providers/Microsoft.SecurityInsights/alertRules/BuiltInFusion",
"name": "BuiltInFusion",
"etag": "\"25001913-0000-0100-0000-62asdfasdf00\"",
"type": "Microsoft.SecurityInsights/alertRules",
"kind": "MicrosoftSecurityIncidentCreation",
"properties": {
"productFilter": "Microsoft Cloud App Security",
"severitiesFilter": null,
"displayNamesFilter": null,
"displayNamesExcludeFilter": null,
"displayName": "testing displayname",
"enabled": true,
"description": null,
"alertRuleTemplateName": null,
"lastModifiedUtc": "2022-07-07T10:26:30.0222996Z"
}
}
],
"error": null,
"has_error": false
}Get Alert Rule
Get alert rule by its ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Alert Rule ID | Jinja-templated text containing the alert rule ID for azure sentinel | Required |
Subscription ID | Jinja-templated text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
API Version | Jinja-templated text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
{
"id": "/subscriptions/44a1188f-486a-40f3-b7b6-5asdfasd1d5b/resourceGroups/iation/providers/Microsoft.OperationalInsights/workspaces/tenteg/providers/Microsoft.SecurityInsights/alertRules/BuiltInFusion",
"name": "BuiltInFusion",
"etag": "\"25001913-0000-0100-0000-6asdfsad0000\"",
"type": "Microsoft.SecurityInsights/alertRules",
"kind": "MicrosoftSecurityIncidentCreation",
"properties": {
"productFilter": "Microsoft Cloud App Security",
"severitiesFilter": null,
"displayNamesFilter": null,
"displayNamesExcludeFilter": null,
"displayName": "testing displayname",
"enabled": true,
"description": null,
"alertRuleTemplateName": null,
"lastModifiedUtc": "2022-07-07T10:26:30.0222996Z"
},
"error": null,
"has_error": false
}Delete Alert Rule
Delete alert rule by its ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Alert Rule ID | Jinja-templated text containing the alert rule ID for azure sentinel | Required |
Subscription ID | Jinja-templated text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
API Version | Jinja-templated text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
{
"msg": "Successfully deleted.",
"error": null,
"has_error": false
}Create or Update Alert Rule
Create or update alert rule by its ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Alert Rule ID | Jinja-templated text containing the alert rule ID for azure sentinel | Required |
Alert Rule Object | Jinja-templated text containing the alert rule object for azure sentinel. Example '{"kind": "Fusion","properties.alertRuleTemplateName": "f7asdfd-2ffb-45tb-b102-4asdf015c8","properties.enabled": true}' | Required |
Subscription ID | Jinja-templated text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
API Version | Jinja-templated text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
List Actions
List actions by alert rule ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Alert Rule ID | Jinja-templated text containing the alert rule ID for azure sentinel | Required |
Subscription ID | Jinja-templated text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
API Version | Jinja-templated text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
Get Action
Get action by its ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Alert Rule ID | Jinja-templated text containing the alert rule ID for azure sentinel | Required |
Action ID | Jinja-templated text containing the action ID for azure sentinel | Required |
Subscription ID | Jinja-templated text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
API Version | Jinja-templated text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
Delete Action
Delete action by its ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Alert Rule ID | Jinja-templated text containing the alert rule ID for azure sentinel | Required |
Action ID | Jinja-templated text containing the action ID for azure sentinel | Required |
Subscription ID | Jinja-templated text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
API Version | Jinja-templated text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
Create or Update Action
Create or update action.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Alert Rule ID | Jinja-templated text containing the alert rule ID for azure sentinel | Required |
Action ID | Jinja-templated text containing the action ID for azure sentinel | Required |
Action Object | Jinja-templated text containing the action object for azure sentinel. Example '{"kind": "Fusion","properties.alertRuleTemplateName": "f7asdfd-2ffb-45tb-b102-4asdf015c8","properties.enabled": true}' | Required |
Subscription ID | Jinja-templated text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
API Version | Jinja-templated text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
List Alert Rule Templates
List alert rule templates.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Subscription ID | Jinja-templated text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
API Version | Jinja-templated text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
Get Alert Rule Template
Get alert rule template.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Alert Rule Template ID | Jinja-templated text containing the alert rule template ID for azure sentinel | Required |
Subscription ID | Jinja-templated text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
API Version | Jinja-templated text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
List Automation Rules
List automation rules.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Subscription ID | Jinja-templated text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
API Version | Jinja-templated text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
Get Automation Rule
Get automation rule by its ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Automation Rule ID | Jinja-templated text containing the automation rule ID for azure sentinel | Required |
Subscription ID | Jinja-templated text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
API Version | Jinja-templated text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
Delete Automation Rule
Delete automation rule by its ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Automation Rule ID | Jinja-templated text containing the automation rule ID for azure sentinel | Required |
Subscription ID | Jinja-templated text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
API Version | Jinja-templated text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
Create or Update Automation Rule
Create or update automation rule.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Automation Rule ID | Jinja-templated text containing the automation rule ID for azure sentinel | Required |
Automation Rule Object | Jinja-templated text containing the automation object for azure sentinel. Example '{"kind": "Fusion","properties.alertRuleTemplateName": "f7asdfd-2ffb-45tb-b102-4asdf015c8","properties.enabled": true}' | Required |
Subscription ID | Jinja-templated text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
API Version | Jinja-templated text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
List Bookmarks
List bookmarks.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Subscription ID | Jinja-template text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-template text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-template text containing the workspace for azure sentinel | Optional |
API Version | Jinja-template text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
Get Bookmark
Get Bookmark by its ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Bookmark ID | Jinja-template text containing the bookmark ID for azure sentinel | Required |
Subscription ID | Jinja-template text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-template text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-template text containing the workspace for azure sentinel | Optional |
API Version | Jinja-template text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
Delete Bookmark
Delete bookmark by its ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Bookmark ID | Jinja-template text containing the bookmark ID for azure sentinel | Required |
Subscription ID | Jinja-template text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-template text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-template text containing the workspace for azure sentinel | Optional |
API Version | Jinja-template text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
Create or Update Bookmark
Create or update bookmark.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Bookmark ID | Jinja-template text containing the bookmark ID for azure sentinel | Required |
Bookmark Object | Jinja-template text containing the bookmark object for azure sentinel. Example '{"kind": "Fusion","properties.alertRuleTemplateName": "f7asdfd-2ffb-45tb-b102-4asdf015c8","properties.enabled": true}' | Required |
Subscription ID | Jinja-template text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-template text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-template text containing the workspace for azure sentinel | Optional |
API Version | Jinja-template text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
List Data Connectors
List data connectors.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Subscription ID | Jinja-template text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-template text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-template text containing the workspace for azure sentinel | Optional |
API Version | Jinja-template text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
Get Data Connector
Get Data Connector by its ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Data Connector ID | Jinja-template text containing the data connector ID for azure sentinel | Required |
Subscription ID | Jinja-template text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-template text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-template text containing the workspace for azure sentinel | Optional |
API Version | Jinja-template text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
Delete Data Connector
Delete data connector by its ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Data Connector ID | Jinja-template text containing the data connector ID for azure sentinel | Required |
Subscription ID | Jinja-template text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-template text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-template text containing the workspace for azure sentinel | Optional |
API Version | Jinja-template text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
Create or Update Data Connector
Create or update data connector.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Data Connector ID | Jinja-template text containing the data connector ID for azure sentinel | Required |
Data Connector Object | Jinja-template text containing the bookmark object for azure sentinel. Example '{"kind": "Fusion","properties.alertRuleTemplateName": "f7asdfd-2ffb-45tb-b102-4asdf015c8","properties.enabled": true}' | Required |
Subscription ID | Jinja-template text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-template text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-template text containing the workspace for azure sentinel | Optional |
API Version | Jinja-template text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
List Incidents
List incidents.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Filter | Jinja-template JSON containing the filter for azure sentinel. Example '{"filter":"{{filter}}","$orderby":"{{orderby}}","$top":"{{top}}"}' | Optional |
Limit | Jinja-template JSON containing the limit for azure sentinel. (Default is 10000) | Optional |
Subscription ID | Jinja-template text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-template text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-template text containing the workspace for azure sentinel | Optional |
API Version | Jinja-template text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
List Incident Alerts
List incident alerts.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Incident ID | Jinja-template text containing the incident ID for azure sentinel. | Required |
Subscription ID | Jinja-template text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-template text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-template text containing the workspace for azure sentinel | Optional |
API Version | Jinja-template text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
List Incident Bookmarks
List incident bookmarks.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Incident ID | Jinja-template text containing the incident ID for azure sentinel. | Required |
Subscription ID | Jinja-template text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-template text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-template text containing the workspace for azure sentinel | Optional |
API Version | Jinja-template text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
List Incident Entities
List incident entities.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Incident ID | Jinja-template text containing the incident ID for azure sentinel. | Required |
Subscription ID | Jinja-template text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-template text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-template text containing the workspace for azure sentinel | Optional |
API Version | Jinja-template text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
Get Incident
Get incident by its ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Incident ID | Jinja-template text containing the incident ID for azure sentinel. | Required |
Subscription ID | Jinja-template text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-template text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-template text containing the workspace for azure sentinel | Optional |
API Version | Jinja-template text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
Delete Incident
Delete incident by its ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Incident ID | Jinja-template text containing the incident ID for azure sentinel. | Required |
Subscription ID | Jinja-template text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-template text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-template text containing the workspace for azure sentinel | Optional |
API Version | Jinja-template text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
Create or Update Incident
Create or update incident.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Incident ID | Jinja-template text containing the incident ID for azure sentinel | Required |
Incident Object | Jinja-template text containing the incident object for azure sentinel. Example '{"kind": "Fusion","properties.alertRuleTemplateName": "f7asdfd-2ffb-45tb-b102-4asdf015c8","properties.enabled": true}' | Required |
Subscription ID | Jinja-template text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-template text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-template text containing the workspace for azure sentinel | Optional |
API Version | Jinja-template text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
Get Incident Comments
Gets a comment for a given incident.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Incident Comment Id | Jinja-templated text containing the incident comment Id. | Required |
Incident Id | Jinja-templated text containing the incident Id. | Required |
Subscription ID | Jinja-templated text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
Api Version | Jinja-templated text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
List Incident Comments
Gets all comments for a given incident.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Incident Id | Jinja-templated text containing the incident Id. | Required |
Subscription ID | Jinja-templated text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
Api Version | Jinja-templated text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
Delete Incident Comments
Deletes a comment for a given incident.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Incident Comment Id | Jinja-templated text containing the incident comment Id. | Required |
Incident Id | Jinja-templated text containing the incident Id. | Required |
Subscription ID | Jinja-templated text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
Api Version | Jinja-templated text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
Create Or Update Incident Comments
Creates or updates a comment for a given incident.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Incident Comment Id | Jinja-templated text containing the incident comment Id. | Required |
Incident Id | Jinja-templated text containing the incident Id. | Required |
Incident Comment Object | Jinja-templated JSON containing the incident comment object for azure sentinel. Example '{"properties": {"message": "Some message"}}' | Required |
Subscription ID | Jinja-templated text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
Api Version | Jinja-templated text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
Get Incident Relations
Gets a relation for a given incident.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Relation Name | Jinja-templated text containing the relation name. | Required |
Incident Id | Jinja-templated text containing the incident Id. | Required |
Subscription ID | Jinja-templated text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
Api Version | Jinja-templated text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
List Incident Relations
Gets all relations for a given incident.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Incident Id | Jinja-templated text containing the incident Id. | Required |
Subscription ID | Jinja-templated text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
Api Version | Jinja-templated text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
Delete Incident Relations
Deletes a relation for a given incident.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Relation Name | Jinja-templated text containing the relation name. | Required |
Incident Id | Jinja-templated text containing the incident Id. | Required |
Subscription ID | Jinja-templated text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
Api Version | Jinja-templated text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
Create Or Update Incident Relations
Creates or updates a relation for a given incident.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Relation Name | Jinja-templated text containing the relation name. | Required |
Incident Id | Jinja-templated text containing the incident Id. | Required |
Incident Relation Object | Jinja-templated JSON containing the incident comment object for azure sentinel. Example '{"properties": {"relatedResourceId": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/bookmarks/2216d0e1-91e3-4902-89fd-d2df8c535096"}}' | Required |
Subscription ID | Jinja-templated text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
Api Version | Jinja-templated text containing the API version for azure sentinel (Default is '2021-10-01') | Optional |
Output
JSON containing the following items:
JSON
List Watchlist Items
Get all watchlist items by watchlist alias.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Watchlist Alias | Jinja-templated text containing the watchlist alias for azure sentinel | Required |
Subscription Id | Jinja-templated text containing the subscription Id for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
API Version | Jinja-templated text containing the API version for azure sentinel (Default is '2022-11-01') | Optional |
Output
JSON containing the following items:
JSON
Get Watchlist Item
Get watchlist item by its Id.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Watchlist Alias | Jinja-templated text containing the watchlist alias for azure sentinel | Required |
Watchlist Item Id | Jinja-templated text containing the watchlist item Id for azure sentinel | Required |
Subscription Id | Jinja-templated text containing the subscription Id for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
API Version | Jinja-templated text containing the API version for azure sentinel (Default is '2022-11-01') | Optional |
Output
JSON containing the following items:
JSON
Delete Watchlist Item
Delete watchlist item by its Id.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Watchlist Alias | Jinja-templated text containing the watchlist alias for azure sentinel | Required |
Watchlist Item Id | Jinja-templated text containing the watchlist item Id for azure sentinel | Required |
Subscription ID | Jinja-templated text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
API Version | Jinja-templated text containing the API version for azure sentinel (Default is '2022-11-01') | Optional |
Output
JSON containing the following items:
JSON
Create or Update Watchlist Item
Create or update watchlist_item.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Watchlist Alias | Jinja-templated text containing the watchlist alias for azure sentinel | Required |
Watchlist Item Id | Jinja-templated text containing the watchlist item Id for azure sentinel | Required |
Action Object | Jinja-templated text containing the action object for azure sentinel. Example '{"etag": "0300bf09-0000-0000-0000-5c37296e0000", "properties": { "itemsKeyValue": { "Gateway subnet": "10.0.255.224/27", "Web Tier": "10.0.1.0/24", "Business tier": "10.0.2.0/24", "Data tier": "10.0.2.0/24", "Private DMZ in": "10.0.0.0/27", "Public DMZ out": "10.0.0.96/27"}}}' | Required |
Subscription ID | Jinja-templated text containing the subscription ID for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
API Version | Jinja-templated text containing the API version for azure sentinel (Default is '2022-11-01') | Optional |
Output
JSON containing the following items:
JSON
List Watchlist
Get all watchlist.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Subscription Id | Jinja-templated text containing the subscription Id for azure sentinel | Optional |
Resource Group Name | Jinja-templated text containing the resource group name for azure sentinel | Optional |
Workspace | Jinja-templated text containing the workspace for azure sentinel | Optional |
API Version | Jinja-templated text containing the API version for azure sentinel (Default is '2022-11-01') | Optional |
Output
JSON containing the following items:
JSON
Batch Query
Executes a batch of Analytics queries for data.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Body | Jinja-templated JSON containing the batch query data for azure sentinel. Example '{"requests": [{"id": "1","body": {"query": "AppRequests | take 2"},"path": "/query","method": "POST","workspace": "d2d0e126-fa1e-4b0a-b647-250cdd471e68"},{"id": "2","body": {"query": "AppRequests |
Output
JSON containing the following items:
JSON
Release Notes
v2.2.11- Added limit result optional field inList Incidentsaction.v2.2.1- Added debug logs inExecute Queryaction.v2.2.0- AddedBatch Queryaction.v2.1.1- UpdatedQueryaction: Theapi.loganalytics.ioendpoint is being replaced byapi.loganalytics.azure.com.v2.1.0- Added 5 new actions:List Watchlist Items,Get Watchlist Item,Delete Watchlist Item,Create or Update Watchlist ItemandList Watchlist.v2.0.0- Updated architecture to support IO via filesystemv1.3.3- Added 8 new actions:Create Or Update Incident Relations,Delete Incident Relations,List Incident Relations,Get Incident Relations,Create Or Update Incident Comments,Delete Incident Comments,List Incident CommentsandGet Incident Comments.v1.2.1- Added 15 new actions:Create or Update Bookmark,Create or Update Data Connector,Create or Update Incident,DELETE Bookmark,DELETE Data Connector,Delete Incident,Get Bookmark,Get Data Connector,Get Incident,List Bookmarks,List Data Connector,List Incident Alerts,List Bookmarks,List Incident EntitiesandList Incidents.v1.1.9- Bug fix forExecute queryaction throwing error when there are double quotes in the query.v1.1.4- Added 14 new actions -List Alert Rules,Get Alert Rule,Delete Alert Rule,Create Or Update Alert Rule,List Actions,Get Action,Delete Action,Create Or Update Action,List Alert Rule Templates,Get Alert Rule Template,List Automation Rules,Get Automation Rules,Delete Automation RuleandCreate Or Update Automation Rule