
Azure Sentinel

This Integration is part of the Azure Sentinel Pack.

Use the Azure Sentinel integration to get and manage incidents and get related entity information for incidents. This integration was integrated and tested with version 2021-04-01 of Azure Sentinel.

Authorize Cortex XSOAR for Azure Sentinel

Follow these steps for a self-deployed configuration.

  1. To use a self-configured Azure application, you need to add a new Azure App Registration in the Azure Portal. To add the registration, refer to the Register an application section of the following Microsoft article. (Note: There is no need to create a redirect URI or complete the subsequent steps of the article.)
  2. In your registered app, create a new client secret.
    1. Navigate in the Azure Portal to App registrations > your registered application > Certificates & secrets and click + New client secret.
    2. Copy and save the new secret value to use in the add credentials step.
  3. Assign a role to the registered app.
    1. In the Azure Portal, go to Subscriptions, select the subscription you are using, and open Access control (IAM).
    2. Click Add -> Add role assignment.
    3. Select the Azure Sentinel Contributor role, select your registered app, and click Save.
  4. In Cortex XSOAR, go to Settings > Integrations > Credentials and create a new credentials set.
  5. In the Username parameter, enter your registered app Application (client) ID.
  6. In the Password parameter, enter the secret value you created.
  7. Copy your tenant ID for the integration configuration usage.

Configure the server URL

If you have a dedicated server URL, enter it in the Server Url parameter.

Get the additional instance parameters

To get the Subscription ID, Workspace Name and Resource Group parameters, in the Azure Portal navigate to Azure Sentinel > your workspace > Settings and click the Workspace Settings tab.

Configure Azure Sentinel on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Azure Sentinel.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Required |
    | --- | --- |
    | Server URL | False |
    | Tenant ID | True |
    | Client ID | True |
    | Subscription ID | True |
    | Resource Group Name | True |
    | Workspace Name | True |
    | Fetch incidents | False |
    | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | False |
    | The minimum severity of incidents to fetch | False |
    | Incident type | False |
    | Trust any certificate (not secure) | False |
    | Use system proxy settings | False |
  4. Click Test to validate the URLs, token, and connection.
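The following is an added example, not code from the integration or from Palo Alto Networks, showing how the instance parameters above (Tenant ID, Client ID, the client secret from the credentials set, Subscription ID, Resource Group Name, Workspace Name and Server URL) are turned into the two requests the integration must make: the client-credentials token request and the incidents resource URL. The token endpoint, the `<server_url>/.default` scope and the `Microsoft.SecurityInsights` path layout are assumptions drawn from Azure REST conventions, not something this page states; the GUID values are constructed placeholders. Validating the IDs up front means a pasted-in wrong value fails at Test time rather than as an opaque 4xx, and the redaction helper is there because a form body that holds the client secret must never reach a log line.

```python
import uuid
from urllib.parse import quote, urlencode

# Constructed placeholder instance parameters (not real tenant values); the keys
# correspond to the integration parameters described above.
EXAMPLE_PARAMS = {
    "server_url": "https://management.azure.com",
    "tenant_id": "00000000-0000-0000-0000-000000000001",
    "client_id": "00000000-0000-0000-0000-000000000002",
    "subscription_id": "00000000-0000-0000-0000-000000000003",
    "resource_group": "sentinel-rg",
    "workspace_name": "sentinel-ws",
}

API_VERSION = "2021-04-01"  # the API version the page says the integration was tested with
# Assumed Azure AD v2 token endpoint layout for the client-credentials grant.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def is_guid(value):
    """True if value parses as a GUID; Tenant, Client and Subscription IDs must."""
    try:
        uuid.UUID(str(value))
    except ValueError:
        return False
    return True


def _require_guid(name, value):
    if not is_guid(value):
        raise ValueError(f"{name} must be a GUID, got {value!r}")
    return str(value)


def build_token_request(tenant_id, client_id, client_secret, server_url="https://management.azure.com"):
    """Return (url, form_body) for the client-credentials token request.

    The scope is derived from the Server URL so the token is only good for the
    management endpoint this instance talks to (assumed convention:
    <server_url>/.default). The secret travels in the POST body, never in the URL.
    """
    tenant = _require_guid("Tenant ID", tenant_id)
    client = _require_guid("Client ID", client_id)
    if not client_secret:
        raise ValueError("client secret is empty; it should come from the XSOAR credentials set")
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client,
        "client_secret": client_secret,
        "scope": server_url.rstrip("/") + "/.default",
    })
    return TOKEN_ENDPOINT.format(tenant=tenant), body


def redact_secret(form_body):
    """Blank the client_secret value before a form body is written to any log."""
    fields = []
    for field in form_body.split("&"):
        key, _, _value = field.partition("=")
        fields.append(f"{key}=***" if key == "client_secret" else field)
    return "&".join(fields)


def incidents_url(params, incident_id=None):
    """Build the incidents resource URL from the instance parameters.

    The path layout is assumed from Azure Resource Manager conventions for
    Microsoft.SecurityInsights; it is not stated on this page. Path segments
    are percent-encoded so an odd workspace name cannot break out of its segment.
    """
    sub = _require_guid("Subscription ID", params["subscription_id"])
    path = (
        f"/subscriptions/{sub}"
        f"/resourceGroups/{quote(params['resource_group'], safe='')}"
        f"/providers/Microsoft.OperationalInsights/workspaces/{quote(params['workspace_name'], safe='')}"
        "/providers/Microsoft.SecurityInsights/incidents"
    )
    if incident_id is not None:
        path += "/" + _require_guid("incident_id", incident_id)
    return params["server_url"].rstrip("/") + path + "?api-version=" + API_VERSION


if __name__ == "__main__":
    url, body = build_token_request(EXAMPLE_PARAMS["tenant_id"], EXAMPLE_PARAMS["client_id"], "constructed-secret")
    print(url)
    print(redact_secret(body))
    print(incidents_url(EXAMPLE_PARAMS, "8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742"))
```

The only thing the real integration adds on top of this is the HTTP transport; the point of keeping request construction separate is that it can be unit-tested, and logged, without a secret ever being present.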

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

azure-sentinel-get-incident-by-id

Gets a single incident from Azure Sentinel.

Base Command

azure-sentinel-get-incident-by-id

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.Incident.ID | String | The incident ID. |
| AzureSentinel.Incident.Title | String | The incident title. |
| AzureSentinel.Incident.Description | String | Description of the incident. |
| AzureSentinel.Incident.Severity | String | The incident severity. |
| AzureSentinel.Incident.Status | String | The incident status. |
| AzureSentinel.Incident.AssigneeName | String | The name of the incident assignee. |
| AzureSentinel.Incident.AssigneeEmail | String | The email address of the incident assignee. |
| AzureSentinel.Incident.Label.Name | String | The name of the incident label. |
| AzureSentinel.Incident.Label.Type | String | The incident label type. |
| AzureSentinel.Incident.FirstActivityTimeUTC | Date | The date and time of the incident's first activity. |
| AzureSentinel.Incident.LastActivityTimeUTC | Date | The date and time of the incident's last activity. |
| AzureSentinel.Incident.LastModifiedTimeUTC | Date | The date and time the incident was last modified. |
| AzureSentinel.Incident.CreatedTimeUTC | Date | The date and time the incident was created. |
| AzureSentinel.Incident.IncidentNumber | Number | The incident number. |
| AzureSentinel.Incident.AlertsCount | Number | The number of alerts in the incident. |
| AzureSentinel.Incident.BookmarkCount | Number | The number of bookmarks in the incident. |
| AzureSentinel.Incident.CommentCount | Number | The number of comments in the incident. |
| AzureSentinel.Incident.AlertProductNames | String | The alert product names of the incident. |
| AzureSentinel.Incident.Tactics | String | The incident's tactics. |
| AzureSentinel.Incident.FirstActivityTimeGenerated | Date | The incident's generated first activity time. |
| AzureSentinel.Incident.LastActivityTimeGenerated | Date | The incident's generated last activity time. |
| AzureSentinel.Incident.Etag | String | The Etag of the incident. |

Command Example

!azure-sentinel-get-incident-by-id incident_id=8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742

Context Example

{
"AzureSentinel": {
"Incident": {
"AlertProductNames": [
"Azure Sentinel"
],
"AlertsCount": 1,
"AssigneeEmail": "test@test.com",
"AssigneeName": null,
"BookmarksCount": 0,
"CommentsCount": 3,
"CreatedTimeUTC": "2020-01-15T09:29:14Z",
"Deleted": false,
"Description": "Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\nexceeds a threshold (default is 100).",
"Etag": "\"2700a244-0000-0100-0000-6123a2930000\"",
"FirstActivityTimeGenerated": null,
"FirstActivityTimeUTC": null,
"ID": "8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742",
"IncidentNumber": 2,
"Label": [
{
"Name": "label_a",
"Type": "User"
},
{
"Name": "label_b",
"Type": "User"
}
],
"LastActivityTimeGenerated": null,
"LastActivityTimeUTC": null,
"LastModifiedTimeUTC": "2021-08-23T13:28:51Z",
"Severity": "Informational",
"Status": "New",
"Tactics": null,
"Title": "SharePointFileOperation via previously unseen IPs"
}
}
}

Human Readable Output

Incident 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 details

| ID | Incident Number | Title | Description | Severity | Status | Assignee Email | Label | Last Modified Time UTC | Created Time UTC | Alerts Count | Bookmarks Count | Comments Count | Alert Product Names | Etag |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 | 2 | SharePointFileOperation via previously unseen IPs | Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses exceeds a threshold (default is 100). | Informational | New | test@test.com | {'Name': 'label_a', 'Type': 'User'}, {'Name': 'label_b', 'Type': 'User'} | 2021-08-23T13:28:51Z | 2020-01-15T09:29:14Z | 1 | 0 | 3 | Azure Sentinel | "2700a244-0000-0100-0000-6123a2930000" |

azure-sentinel-list-incidents

Gets a list of incidents from Azure Sentinel.

Base Command

azure-sentinel-list-incidents

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of incidents to return. The default and maximum value is 50. | Optional |
| filter | Filter results using OData syntax. For example: properties/createdTimeUtc gt 2020-02-02T14:00:00Z. For more information see the Azure documentation: https://docs.microsoft.com/bs-latn-ba/azure/search/search-query-odata-filter. | Optional |
| next_link | A link that specifies a starting point to use for subsequent calls. This argument overrides all of the other command arguments. | Optional |
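The following is an added example, not the integration's own code, showing how the limit, filter and next_link arguments above fit together with the NextLink context output, and how the instance's "minimum severity of incidents to fetch" parameter can be expressed as an OData filter of the kind this command accepts. The `$top`/`$filter` query options and the `properties/severity` field name are assumptions about the Azure Sentinel list API; the HTTP layer is replaced by a stand-in that serves two constructed pages. Two details are worth noting from a defender's side: the bearer token is sent to whatever host a nextLink names, so a nextLink is only followed when it stays on the configured origin, and the page walk is capped so a server that keeps returning a nextLink cannot keep an automation spinning.

```python
from urllib.parse import urlencode, urlsplit

# Severity names as listed for the update command; the order gives the
# "minimum severity" semantics of the fetch parameter.
SEVERITY_ORDER = ["Informational", "Low", "Medium", "High"]
MAX_LIMIT = 50  # the command's default and maximum page size


def severity_filter(min_severity):
    """OData clause selecting incidents at or above min_severity.

    The property name properties/severity is an assumption about the incident
    schema; the command itself accepts any OData filter string.
    """
    if min_severity not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity {min_severity!r}")
    allowed = SEVERITY_ORDER[SEVERITY_ORDER.index(min_severity):]
    return "(" + " or ".join(f"properties/severity eq '{s}'" for s in allowed) + ")"


def combine_filters(*clauses):
    """AND together the non-empty clauses; None if nothing was given."""
    parts = [c for c in clauses if c]
    return " and ".join(parts) if parts else None


def same_origin(url_a, url_b):
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def list_incidents(fetch_json, base_url, limit=MAX_LIMIT, odata_filter=None, next_link=None):
    """Fetch one page; fetch_json(url) performs the authenticated GET and returns the parsed body.

    Returns (incidents, next_link). As with the command argument, next_link
    overrides limit and odata_filter.
    """
    if next_link:
        if not same_origin(base_url, next_link):
            raise ValueError("refusing to follow a nextLink that points at a different origin")
        url = next_link
    else:
        if not 1 <= limit <= MAX_LIMIT:
            raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
        query = {"$top": limit}  # $top/$filter: assumed query options of the list API
        if odata_filter:
            query["$filter"] = odata_filter
        url = base_url + ("&" if "?" in base_url else "?") + urlencode(query)
    page = fetch_json(url)
    return list(page.get("value", [])), page.get("nextLink")


def fetch_all(fetch_json, base_url, odata_filter=None, limit=MAX_LIMIT, max_pages=20):
    """Follow nextLink until exhausted, with a page cap so a looping link cannot spin forever."""
    incidents, next_link = list_incidents(fetch_json, base_url, limit, odata_filter)
    pages = 1
    while next_link:
        if pages >= max_pages:
            raise RuntimeError(f"nextLink chain exceeded {max_pages} pages")
        more, next_link = list_incidents(fetch_json, base_url, next_link=next_link)
        incidents.extend(more)
        pages += 1
    return incidents


# Constructed two-page response set. The first two incident IDs are taken from
# the sample output on this page, the third is made up; the subscription,
# resource group and workspace in the URL are placeholders.
BASE_URL = (
    "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000003"
    "/resourceGroups/sentinel-rg/providers/Microsoft.OperationalInsights/workspaces/sentinel-ws"
    "/providers/Microsoft.SecurityInsights/incidents?api-version=2021-04-01"
)
EXAMPLE_FILTER = combine_filters(severity_filter("Medium"), "properties/status eq 'New'")
FIRST_URL = BASE_URL + "&" + urlencode({"$top": 2, "$filter": EXAMPLE_FILTER})
SECOND_URL = BASE_URL + "&$skipToken=constructed-token"
SAMPLE_PAGES = {
    FIRST_URL: {
        "value": [
            {"name": "a7977be7-1008-419b-877b-6793b7402a80", "properties": {"severity": "Medium", "status": "New"}},
            {"name": "413e9d64-c7b4-4e33-ae26-bb39710d2187", "properties": {"severity": "Medium", "status": "New"}},
        ],
        "nextLink": SECOND_URL,
    },
    SECOND_URL: {
        "value": [{"name": "11111111-2222-3333-4444-555555555555", "properties": {"severity": "High", "status": "New"}}],
    },
}


def fake_fetch(url):
    """Stand-in for the authenticated HTTP GET; serves only the constructed pages."""
    if url not in SAMPLE_PAGES:
        raise KeyError(f"unexpected request: {url}")
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    for incident in fetch_all(fake_fetch, BASE_URL, EXAMPLE_FILTER, limit=2):
        print(incident["name"], incident["properties"]["severity"])
```

In a playbook the same shape applies: one call with limit and filter, then repeated calls passing AzureSentinel.NextLink.URL back as next_link until it comes back empty.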

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.Incident.ID | String | The incident ID. |
| AzureSentinel.Incident.Title | String | The incident title. |
| AzureSentinel.Incident.Description | String | Description of the incident. |
| AzureSentinel.Incident.Severity | String | The incident severity. |
| AzureSentinel.Incident.Status | String | The incident status. |
| AzureSentinel.Incident.AssigneeName | String | The name of the incident assignee. |
| AzureSentinel.Incident.AssigneeEmail | String | The email address of the incident assignee. |
| AzureSentinel.Incident.Label.Name | String | The name of the incident label. |
| AzureSentinel.Incident.Label.Type | String | The incident label type. |
| AzureSentinel.Incident.FirstActivityTimeUTC | Date | The date and time of the incident's first activity. |
| AzureSentinel.Incident.LastActivityTimeUTC | Date | The date and time of the incident's last activity. |
| AzureSentinel.Incident.LastModifiedTimeUTC | Date | The date and time the incident was last modified. |
| AzureSentinel.Incident.CreatedTimeUTC | Date | The date and time the incident was created. |
| AzureSentinel.Incident.IncidentNumber | Number | The incident number. |
| AzureSentinel.Incident.AlertsCount | Number | The number of alerts in the incident. |
| AzureSentinel.Incident.BookmarkCount | Number | The number of bookmarks in the incident. |
| AzureSentinel.Incident.CommentCount | Number | The number of comments in the incident. |
| AzureSentinel.Incident.AlertProductNames | String | The alert product names of the incident. |
| AzureSentinel.Incident.Tactics | String | The incident's tactics. |
| AzureSentinel.Incident.FirstActivityTimeGenerated | Date | The incident's generated first activity time. |
| AzureSentinel.Incident.LastActivityTimeGenerated | Date | The incident's generated last activity time. |
| AzureSentinel.NextLink.Description | String | Description of nextLink. |
| AzureSentinel.NextLink.URL | String | Used if an operation returns partial results. If a response contains a nextLink element, its value specifies a starting point to use for subsequent calls. |
| AzureSentinel.Incident.Etag | String | The Etag of the incident. |

Command Example

!azure-sentinel-list-incidents limit=5

Context Example

{
"AzureSentinel": {
"Incident": [
{
"AlertProductNames": [
"Azure Sentinel"
],
"AlertsCount": 1,
"AssigneeEmail": "test@test.com",
"AssigneeName": null,
"BookmarksCount": 0,
"CommentsCount": 3,
"CreatedTimeUTC": "2020-01-15T09:29:14Z",
"Deleted": false,
"Description": "Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\nexceeds a threshold (default is 100).",
"Etag": "\"2700a244-0000-0100-0000-6123a2930000\"",
"FirstActivityTimeGenerated": null,
"FirstActivityTimeUTC": null,
"ID": "8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742",
"IncidentNumber": 2,
"Label": [
{
"Name": "label_a",
"Type": "User"
},
{
"Name": "label_b",
"Type": "User"
}
],
"LastActivityTimeGenerated": null,
"LastActivityTimeUTC": null,
"LastModifiedTimeUTC": "2021-08-23T13:28:51Z",
"Severity": "Informational",
"Status": "New",
"Tactics": null,
"Title": "SharePointFileOperation via previously unseen IPs"
},
{
"AlertProductNames": [
"Azure Sentinel"
],
"AlertsCount": 1,
"AssigneeEmail": "test@test.com",
"AssigneeName": null,
"BookmarksCount": 0,
"CommentsCount": 0,
"CreatedTimeUTC": "2020-01-15T09:34:12Z",
"Deleted": false,
"Description": "Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\nexceeds a threshold (default is 100).",
"Etag": "\"dc00cb1c-0000-0100-0000-60992bf20000\"",
"FirstActivityTimeGenerated": null,
"FirstActivityTimeUTC": null,
"ID": "e0b06d71-b5a3-43a9-997f-f25b45085cb7",
"IncidentNumber": 4,
"Label": [
{
"Name": "f",
"Type": "User"
},
{
"Name": "o",
"Type": "User"
},
{
"Name": "o",
"Type": "User"
},
{
"Name": "1",
"Type": "User"
}
],
"LastActivityTimeGenerated": null,
"LastActivityTimeUTC": null,
"LastModifiedTimeUTC": "2021-05-10T12:49:54Z",
"Severity": "Low",
"Status": "New",
"Tactics": null,
"Title": "SharePointFileOperation via previously unseen IPs"
},
{
"AlertProductNames": [
"Azure Sentinel"
],
"AlertsCount": 1,
"AssigneeEmail": null,
"AssigneeName": null,
"BookmarksCount": 0,
"CommentsCount": 0,
"CreatedTimeUTC": "2020-01-15T09:40:09Z",
"Deleted": false,
"Description": "Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\nexceeds a threshold (default is 100).",
"Etag": "\"0100c30e-0000-0100-0000-5fb883be0000\"",
"FirstActivityTimeGenerated": null,
"FirstActivityTimeUTC": "2020-01-15T08:04:05Z",
"ID": "a7977be7-1008-419b-877b-6793b7402a80",
"IncidentNumber": 6,
"Label": [],
"LastActivityTimeGenerated": null,
"LastActivityTimeUTC": "2020-01-15T09:04:05Z",
"LastModifiedTimeUTC": "2020-01-15T09:40:09Z",
"Severity": "Medium",
"Status": "New",
"Tactics": null,
"Title": "SharePointFileOperation via previously unseen IPs"
},
{
"AlertProductNames": [
"Azure Sentinel"
],
"AlertsCount": 1,
"AssigneeEmail": null,
"AssigneeName": null,
"BookmarksCount": 0,
"CommentsCount": 1,
"CreatedTimeUTC": "2020-01-15T09:44:12Z",
"Deleted": false,
"Description": "Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\nexceeds a threshold (default is 100).",
"Etag": "\"0600a81f-0000-0100-0000-5fdb4e890000\"",
"FirstActivityTimeGenerated": null,
"FirstActivityTimeUTC": null,
"ID": "6440c129-c313-418c-a262-5df608aa9cd2",
"IncidentNumber": 7,
"Label": [],
"LastActivityTimeGenerated": null,
"LastActivityTimeUTC": null,
"LastModifiedTimeUTC": "2020-12-17T12:26:49Z",
"Severity": "Medium",
"Status": "Active",
"Tactics": null,
"Title": "test_title"
},
{
"AlertProductNames": [
"Azure Sentinel"
],
"AlertsCount": 1,
"AssigneeEmail": null,
"AssigneeName": null,
"BookmarksCount": 0,
"CommentsCount": 0,
"CreatedTimeUTC": "2020-01-15T09:49:12Z",
"Deleted": false,
"Description": "Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\nexceeds a threshold (default is 100).",
"Etag": "\"0100b70e-0000-0100-0000-5fb883bd0000\"",
"FirstActivityTimeGenerated": null,
"FirstActivityTimeUTC": "2020-01-15T08:44:06Z",
"ID": "413e9d64-c7b4-4e33-ae26-bb39710d2187",
"IncidentNumber": 9,
"Label": [],
"LastActivityTimeGenerated": null,
"LastActivityTimeUTC": "2020-01-15T09:44:06Z",
"LastModifiedTimeUTC": "2020-01-15T09:49:12Z",
"Severity": "Medium",
"Status": "New",
"Tactics": null,
"Title": "SharePointFileOperation via previously unseen IPs"
}
],
"NextLink": {
"Description": "NextLink for listing commands",
"URL": "https://test.com"
}
}
}

Human Readable Output

Incidents List (5 results)

| ID | Incident Number | Title | Description | Severity | Status | Assignee Email | Label | First Activity Time UTC | Last Activity Time UTC | Last Modified Time UTC | Created Time UTC | Alerts Count | Bookmarks Count | Comments Count | Alert Product Names | Etag |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 | 2 | SharePointFileOperation via previously unseen IPs | Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses exceeds a threshold (default is 100). | Informational | New | test@test.com | {'Name': 'label_a', 'Type': 'User'}, {'Name': 'label_b', 'Type': 'User'} | | | 2021-08-23T13:28:51Z | 2020-01-15T09:29:14Z | 1 | 0 | 3 | Azure Sentinel | "2700a244-0000-0100-0000-6123a2930000" |
| e0b06d71-b5a3-43a9-997f-f25b45085cb7 | 4 | SharePointFileOperation via previously unseen IPs | Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses exceeds a threshold (default is 100). | Low | New | test@test.com | {'Name': 'f', 'Type': 'User'}, {'Name': 'o', 'Type': 'User'}, {'Name': 'o', 'Type': 'User'}, {'Name': '1', 'Type': 'User'} | | | 2021-05-10T12:49:54Z | 2020-01-15T09:34:12Z | 1 | 0 | 0 | Azure Sentinel | "dc00cb1c-0000-0100-0000-60992bf20000" |
| a7977be7-1008-419b-877b-6793b7402a80 | 6 | SharePointFileOperation via previously unseen IPs | Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses exceeds a threshold (default is 100). | Medium | New | | | 2020-01-15T08:04:05Z | 2020-01-15T09:04:05Z | 2020-01-15T09:40:09Z | 2020-01-15T09:40:09Z | 1 | 0 | 0 | Azure Sentinel | "0100c30e-0000-0100-0000-5fb883be0000" |
| 6440c129-c313-418c-a262-5df608aa9cd2 | 7 | test_title | Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses exceeds a threshold (default is 100). | Medium | Active | | | | | 2020-12-17T12:26:49Z | 2020-01-15T09:44:12Z | 1 | 0 | 1 | Azure Sentinel | "0600a81f-0000-0100-0000-5fdb4e890000" |
| 413e9d64-c7b4-4e33-ae26-bb39710d2187 | 9 | SharePointFileOperation via previously unseen IPs | Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses exceeds a threshold (default is 100). | Medium | New | | | 2020-01-15T08:44:06Z | 2020-01-15T09:44:06Z | 2020-01-15T09:49:12Z | 2020-01-15T09:49:12Z | 1 | 0 | 0 | Azure Sentinel | "0100b70e-0000-0100-0000-5fb883bd0000" |

azure-sentinel-list-watchlists

Gets a list of watchlists from Azure Sentinel.

Base Command

azure-sentinel-list-watchlists

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist_alias | Alias of a specific watchlist to get. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.Watchlist.ID | String | The watchlist ID. |
| AzureSentinel.Watchlist.Description | String | A description of the watchlist. |
| AzureSentinel.Watchlist.DisplayName | String | The display name of the watchlist. |
| AzureSentinel.Watchlist.Provider | String | The provider of the watchlist. |
| AzureSentinel.Watchlist.Source | String | The source of the watchlist. |
| AzureSentinel.Watchlist.Created | Date | The time the watchlist was created. |
| AzureSentinel.Watchlist.Updated | Date | The last time the watchlist was updated. |
| AzureSentinel.Watchlist.CreatedBy | String | The name of the user who created the watchlist. |
| AzureSentinel.Watchlist.UpdatedBy | String | The name of the user who updated the watchlist. |
| AzureSentinel.Watchlist.Alias | String | The alias of the watchlist. |
| AzureSentinel.Watchlist.Label | Unknown | Label that will be used to tag and filter on. |
| AzureSentinel.Watchlist.ItemsSearchKey | String | The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. |
| AzureSentinel.NextLink.Description | String | Description of nextLink. |
| AzureSentinel.NextLink.URL | String | Used if an operation returns partial results. If a response contains a nextLink element, its value specifies a starting point to use for subsequent calls. |

Command Example

!azure-sentinel-list-watchlists

Context Example

{
"AzureSentinel": {
"Watchlist": [
{
"Alias": "booboo",
"Created": "2021-07-11T08:20:35Z",
"CreatedBy": "test@test.com",
"Description": "just for fun",
"ID": "35bffe30-19f2-40a6-8855-4a858e161fad",
"ItemsSearchKey": "IP",
"Label": [
"IP"
],
"Name": "booboo",
"Provider": "xsoar",
"Source": "Local file",
"Updated": "2021-07-11T08:20:35Z",
"UpdatedBy": "test@test.com"
},
{
"Alias": "test_2",
"Created": "2021-08-16T10:26:56Z",
"CreatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd",
"Description": "test watchlist",
"ID": "ceae6089-10dd-4f02-89d5-ab32285688dc",
"ItemsSearchKey": "IP",
"Label": [],
"Name": "test_2",
"Provider": "XSOAR",
"Source": "Local file",
"Updated": "2021-08-16T10:26:56Z",
"UpdatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd"
},
{
"Alias": "test_1",
"Created": "2021-08-15T14:14:28Z",
"CreatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd",
"Description": "",
"ID": "92863c74-fee7-4ffe-8288-bc1529d12597",
"ItemsSearchKey": "IP",
"Label": [],
"Name": "test_1",
"Provider": "XSOAR",
"Source": "Local file",
"Updated": "2021-08-15T14:14:28Z",
"UpdatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd"
},
{
"Alias": "test_4",
"Created": "2021-08-23T13:30:53Z",
"CreatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd",
"Description": "test watchlist",
"ID": "84d1fedd-5945-4670-ae34-5e8c94af2660",
"ItemsSearchKey": "IP",
"Label": [],
"Name": "test_4",
"Provider": "XSOAR",
"Source": "Local file",
"Updated": "2021-08-23T13:30:53Z",
"UpdatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd"
}
]
}
}

Human Readable Output

Watchlists results

| Name | ID | Description |
| --- | --- | --- |
| booboo | 35bffe30-19f2-40a6-8855-4a858e161fad | just for fun |
| test_2 | ceae6089-10dd-4f02-89d5-ab32285688dc | test watchlist |
| test_1 | 92863c74-fee7-4ffe-8288-bc1529d12597 | |
| test_4 | 84d1fedd-5945-4670-ae34-5e8c94af2660 | test watchlist |

azure-sentinel-delete-watchlist

Deletes a watchlist from Azure Sentinel.

Base Command

azure-sentinel-delete-watchlist

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist_alias | Alias of the watchlist to be deleted. | Required |

Context Output

There is no context output for this command.

Command Example

!azure-sentinel-delete-watchlist watchlist_alias=test_4

Human Readable Output

Watchlist test_4 was deleted successfully.

azure-sentinel-watchlist-create-update

Create or update a watchlist in Azure Sentinel.

Base Command

azure-sentinel-watchlist-create-update

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist_alias | The alias of the new watchlist or the watchlist to update. | Required |
| watchlist_display_name | The display name of the watchlist. | Required |
| description | The description of the watchlist. | Optional |
| provider | The provider of the watchlist. Default is XSOAR. | Optional |
| source | The source of the watchlist. Possible values are: Local file, Remote storage. | Required |
| labels | The labels of the watchlist. | Optional |
| lines_to_skip | The number of lines in a CSV content to skip before the header. Default is 0. | Optional |
| raw_content | A file entry with raw content that represents the watchlist items to create. | Required |
| items_search_key | The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. | Required |
| content_type | The content type of the raw content. For now, only text/CSV is valid. Default is Text/Csv. | Optional |
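As an added example (not code from the integration or from Palo Alto Networks), the check below validates the arguments of this command against the CSV that raw_content points at before anything is sent: lines_to_skip must still leave a header, items_search_key must name one of the header columns, every row must carry a value in that column, and source and content_type must be among the values the table lists. The request property names (displayName, rawContent, itemsSearchKey, numberOfLinesToSkip and so on) are assumptions about the watchlist API, and the CSV is a constructed sample. The formula-cell check is a defender's extra: watchlist CSVs are routinely exported from and re-opened in spreadsheet tools, so a cell beginning with `=`, `+`, `-` or `@` is worth flagging before it becomes shared reference data.

```python
import csv
import io

WATCHLIST_SOURCES = {"Local file", "Remote storage"}  # the values the source argument accepts
CSV_CONTENT_TYPE = "text/csv"                           # the only content type the page says is valid
# Prefixes that make a spreadsheet evaluate a cell as a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@")

# Constructed sample: one comment line before the header, so lines_to_skip=1.
SAMPLE_CSV = (
    "# constructed export, generated 2021-08-23\n"
    "IP,Owner,Note\n"
    "10.0.0.5,alice,vpn gateway\n"
    "10.0.0.9,bob,=1+1\n"
)


def parse_watchlist_csv(raw_content, lines_to_skip=0):
    """Return (header, rows) after skipping lines_to_skip lines before the header."""
    lines = raw_content.splitlines()
    if lines_to_skip < 0 or lines_to_skip >= len(lines):
        raise ValueError("lines_to_skip leaves no header line")
    records = list(csv.reader(io.StringIO("\n".join(lines[lines_to_skip:]))))
    if not records or not any(records[0]):
        raise ValueError("empty header line")
    header = [h.strip() for h in records[0]]
    rows = [r for r in records[1:] if any(r)]  # drop blank lines
    ragged = [i for i, r in enumerate(rows, start=1) if len(r) != len(header)]
    if ragged:
        raise ValueError(f"rows with the wrong column count (1-based, after the header): {ragged}")
    return header, rows


def search_key_ok(header, rows, items_search_key):
    """True if the search key is a column and every row has a value in it."""
    if items_search_key not in header:
        return False
    col = header.index(items_search_key)
    return all(r[col].strip() for r in rows)


def formula_cells(rows):
    """(row, column) positions of cells a spreadsheet would evaluate as formulas."""
    return [(i, j) for i, r in enumerate(rows) for j, c in enumerate(r)
            if c.strip().startswith(FORMULA_PREFIXES)]


def build_watchlist_request(watchlist_alias, watchlist_display_name, raw_content, items_search_key, source,
                            description="", provider="XSOAR", labels=None, lines_to_skip=0,
                            content_type=CSV_CONTENT_TYPE):
    """Validate the command arguments and return the alias (used in the URL) and the body."""
    if source not in WATCHLIST_SOURCES:
        raise ValueError(f"source must be one of {sorted(WATCHLIST_SOURCES)}")
    if content_type.lower() != CSV_CONTENT_TYPE:
        raise ValueError("only text/csv content is supported")
    header, rows = parse_watchlist_csv(raw_content, lines_to_skip)
    if not search_key_ok(header, rows, items_search_key):
        raise ValueError(f"items_search_key {items_search_key!r} must be a column ({header}) with a value in every row")
    return {
        "alias": watchlist_alias,
        "body": {"properties": {  # property names are assumed, see the lead-in
            "displayName": watchlist_display_name,
            "provider": provider,
            "source": source,
            "description": description,
            "labels": list(labels or []),
            "numberOfLinesToSkip": lines_to_skip,
            "rawContent": raw_content,
            "itemsSearchKey": items_search_key,
            "contentType": CSV_CONTENT_TYPE,
        }},
    }


if __name__ == "__main__":
    header, rows = parse_watchlist_csv(SAMPLE_CSV, lines_to_skip=1)
    print("columns:", header, "formula cells:", formula_cells(rows))
    print(build_watchlist_request("test_4", "test_4", SAMPLE_CSV, "IP", "Local file",
                                  description="test watchlist", lines_to_skip=1)["body"])
```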

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.Watchlist.Name | String | The name of the watchlist. |
| AzureSentinel.Watchlist.ID | String | The ID (GUID) of the watchlist. |
| AzureSentinel.Watchlist.Description | String | A description of the watchlist. |
| AzureSentinel.Watchlist.Provider | String | The provider of the watchlist. |
| AzureSentinel.Watchlist.Source | String | The source of the watchlist. |
| AzureSentinel.Watchlist.Created | Date | The time the watchlist was created. |
| AzureSentinel.Watchlist.Updated | Date | The time the watchlist was updated. |
| AzureSentinel.Watchlist.CreatedBy | String | The user who created the watchlist. |
| AzureSentinel.Watchlist.UpdatedBy | String | The user who updated the watchlist. |
| AzureSentinel.Watchlist.Alias | String | The alias of the watchlist. |
| AzureSentinel.Watchlist.Label | Unknown | List of labels relevant to this watchlist. |
| AzureSentinel.Watchlist.ItemsSearchKey | String | The search key is used to optimize query performance when using watchlists for joins with other data. |

Command Example

!azure-sentinel-watchlist-create-update items_search_key=IP raw_content=1711@3c9bd2a0-9eac-465b-8799-459df4997b2d source="Local file" watchlist_alias=test_4 watchlist_display_name=test_4 description="test watchlist"

Context Example

{
"AzureSentinel": {
"Watchlist": {
"Alias": "test_4",
"Created": "2021-08-23T13:30:53Z",
"CreatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd",
"Description": "test watchlist",
"ID": "84d1fedd-5945-4670-ae34-5e8c94af2660",
"ItemsSearchKey": "IP",
"Label": [],
"Name": "test_4",
"Provider": "XSOAR",
"Source": "Local file",
"Updated": "2021-08-23T13:30:53Z",
"UpdatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd"
}
}
}

Human Readable Output

Create watchlist results

| Name | ID | Description |
| --- | --- | --- |
| test_4 | 84d1fedd-5945-4670-ae34-5e8c94af2660 | test watchlist |

azure-sentinel-update-incident

Updates a single incident in Azure Sentinel.

Base Command

azure-sentinel-update-incident

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Required |
| title | The incident's title. | Optional |
| description | Description of the incident. | Optional |
| severity | The incident severity. Possible values are: High, Medium, Low, Informational. | Optional |
| status | The incident status. Possible values are: New, Active, Closed. | Optional |
| classification | The reason the incident was closed. Required when updating the status to Closed. Possible values are: BenignPositive, FalsePositive, TruePositive, Undetermined. | Optional |
| classification_comment | Describes the reason the incident was closed. | Optional |
| classification_reason | The classification reason the incident was closed with. Required when updating the status to Closed and the classification is determined. Possible values are: InaccurateData, IncorrectAlertLogic, SuspiciousActivity, SuspiciousButExpected. | Optional |
| assignee_email | The email address of the incident assignee. Note that the updated API field is owner.email. | Optional |
| labels | Incident labels. Note that all labels will be set as labelType='User'. | Optional |
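The argument table above carries two conditional rules (classification is required when status becomes Closed, and classification_reason when that classification is anything but Undetermined) plus two field mappings (assignee_email goes to owner.email, and every label gets labelType 'User'). The example below is added here and is not the integration's own code; it checks the rules and produces the update body. It assumes, beyond what the page states, that the update is a full replacement of the incident's properties (so untouched fields are carried over from the current incident), that the etag from the context is sent back for optimistic concurrency, and that labels are objects with labelName and labelType. The "current" incident is constructed from the sample output on this page.

```python
SEVERITIES = ("High", "Medium", "Low", "Informational")
STATUSES = ("New", "Active", "Closed")
CLASSIFICATIONS = ("BenignPositive", "FalsePositive", "TruePositive", "Undetermined")
CLASSIFICATION_REASONS = ("InaccurateData", "IncorrectAlertLogic", "SuspiciousActivity", "SuspiciousButExpected")


def update_errors(*, severity=None, status=None, classification=None, classification_reason=None):
    """Return the list of argument problems; empty when the update is consistent."""
    errors = []
    if severity is not None and severity not in SEVERITIES:
        errors.append(f"severity must be one of {SEVERITIES}")
    if status is not None and status not in STATUSES:
        errors.append(f"status must be one of {STATUSES}")
    if classification is not None and classification not in CLASSIFICATIONS:
        errors.append(f"classification must be one of {CLASSIFICATIONS}")
    if classification_reason is not None and classification_reason not in CLASSIFICATION_REASONS:
        errors.append(f"classification_reason must be one of {CLASSIFICATION_REASONS}")
    if status == "Closed":
        if classification is None:
            errors.append("classification is required when status is Closed")
        elif classification != "Undetermined" and classification_reason is None:
            errors.append("classification_reason is required when the classification is determined")
    return errors


def parse_labels(labels):
    """Accept the comma-separated command form or a list; every label becomes labelType 'User'."""
    names = [n.strip() for n in labels.split(",")] if isinstance(labels, str) else list(labels)
    return [{"labelName": n, "labelType": "User"} for n in names if n]  # labelName is assumed


def build_incident_update(current, *, title=None, description=None, severity=None, status=None,
                          classification=None, classification_comment=None, classification_reason=None,
                          assignee_email=None, labels=None):
    """Merge the command arguments into a copy of the incident's current properties."""
    problems = update_errors(severity=severity, status=status, classification=classification,
                             classification_reason=classification_reason)
    if problems:
        raise ValueError("; ".join(problems))
    props = dict(current.get("properties", {}))  # shallow copy; nested objects are replaced, not mutated
    for key, value in (("title", title), ("description", description), ("severity", severity),
                       ("status", status), ("classification", classification),
                       ("classificationComment", classification_comment),
                       ("classificationReason", classification_reason)):
        if value is not None:
            props[key] = value
    if assignee_email is not None:
        props["owner"] = {**props.get("owner", {}), "email": assignee_email}  # the owner.email field from the table
    if labels is not None:
        props["labels"] = parse_labels(labels)
    return {"etag": current.get("etag"), "properties": props}  # etag round-trip is an assumption


# Constructed "current" incident using values from the sample output above.
CURRENT_INCIDENT = {
    "etag": "\"2700a244-0000-0100-0000-6123a2930000\"",
    "properties": {
        "title": "SharePointFileOperation via previously unseen IPs",
        "severity": "Informational",
        "status": "New",
        "owner": {"email": "test@test.com"},
        "labels": [],
    },
}


if __name__ == "__main__":
    print(build_incident_update(CURRENT_INCIDENT, labels="label_a,label_b"))
    print(update_errors(status="Closed", classification="FalsePositive"))
```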

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.Incident.ID | String | The incident ID. |
| AzureSentinel.Incident.Title | String | The incident's title. |
| AzureSentinel.Incident.Description | String | Description of the incident. |
| AzureSentinel.Incident.Severity | String | The incident severity. |
| AzureSentinel.Incident.Status | String | The incident status. |
| AzureSentinel.Incident.AssigneeName | String | The name of the incident assignee. |
| AzureSentinel.Incident.AssigneeEmail | String | The email address of the incident assignee. |
| AzureSentinel.Incident.Label.Name | String | The name of the incident label. |
| AzureSentinel.Incident.Label.Type | String | The incident label type. |
| AzureSentinel.Incident.FirstActivityTimeUTC | Date | The date and time of the incident's first activity. |
| AzureSentinel.Incident.LastActivityTimeUTC | Date | The date and time of the incident's last activity. |
| AzureSentinel.Incident.LastModifiedTimeUTC | Date | The date and time the incident was last modified. |
| AzureSentinel.Incident.CreatedTimeUTC | Date | The date and time the incident was created. |
| AzureSentinel.Incident.IncidentNumber | Number | The incident number. |
| AzureSentinel.Incident.AlertsCount | Number | The number of alerts in the incident. |
| AzureSentinel.Incident.BookmarkCount | Number | The number of bookmarks in the incident. |
| AzureSentinel.Incident.CommentCount | Number | The number of comments in the incident. |
| AzureSentinel.Incident.AlertProductNames | String | The alert product names of the incident. |
| AzureSentinel.Incident.Tactics | String | The incident's tactics. |
| AzureSentinel.Incident.FirstActivityTimeGenerated | Date | The incident's generated first activity time. |
| AzureSentinel.Incident.LastActivityTimeGenerated | Date | The incident's generated last activity time. |
| AzureSentinel.Incident.Etag | String | The Etag of the incident. |

Command Example

!azure-sentinel-update-incident incident_id=8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 labels=label_a,label_b

Context Example

{
"AzureSentinel": {
"Incident": {
"AlertProductNames": [
"Azure Sentinel"
],
"AlertsCount": 1,
"AssigneeEmail": "test@test.com",
"AssigneeName": null,
"BookmarksCount": 0,
"CommentsCount": 4,
"CreatedTimeUTC": "2020-01-15T09:29:14Z",
"Deleted": false,
"Description": "Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\nexceeds a threshold (default is 100).",
"Etag": "\"27002845-0000-0100-0000-6123a3090000\"",
"FirstActivityTimeGenerated": null,
"FirstActivityTimeUTC": null,
"ID": "8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742",
"IncidentNumber": 2,
"Label": [
{
"Name": "label_a",
"Type": "User"
},
{
"Name": "label_b",
"Type": "User"
}
],
"LastActivityTimeGenerated": null,
"LastActivityTimeUTC": null,
"LastModifiedTimeUTC": "2021-08-23T13:30:49Z",
"Severity": "Informational",
"Status": "New",
"Tactics": null,
"Title": "SharePointFileOperation via previously unseen IPs"
}
}
}

Human Readable Output

Updated incidents 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 details

| ID | Incident Number | Title | Description | Severity | Status | Assignee Email | Label | Last Modified Time UTC | Created Time UTC | Alerts Count | Bookmarks Count | Comments Count | Alert Product Names | Etag |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 | 2 | SharePointFileOperation via previously unseen IPs | Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses exceeds a threshold (default is 100). | Informational | New | test@test.com | {'Name': 'label_a', 'Type': 'User'}, {'Name': 'label_b', 'Type': 'User'} | 2021-08-23T13:30:49Z | 2020-01-15T09:29:14Z | 1 | 0 | 4 | Azure Sentinel | "27002845-0000-0100-0000-6123a3090000" |

azure-sentinel-delete-incident

Deletes a single incident in Azure Sentinel.

Base Command

azure-sentinel-delete-incident

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Required |

Context Output

There is no context output for this command.

Command Example

!azure-sentinel-delete-incident incident_id=c90cc84d-a95e-47a0-9478-89ebc9ee22fd

Context Example

{
"AzureSentinel": {
"Incident": {
"Deleted": true,
"ID": "c90cc84d-a95e-47a0-9478-89ebc9ee22fd"
}
}
}

Human Readable Output

Incident c90cc84d-a95e-47a0-9478-89ebc9ee22fd was deleted successfully.

azure-sentinel-list-incident-comments

Gets the comments of an incident from Azure Sentinel.

Base Command

azure-sentinel-list-incident-comments

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Required |
| limit | The maximum number of incident comments to return. The default and maximum value is 50. | Optional |
| next_link | A link that specifies a starting point to use for subsequent calls. Using this argument overrides all of the other command arguments. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.IncidentComment.ID | String | The ID of the incident comment. |
| AzureSentinel.IncidentComment.IncidentID | String | The incident ID. |
| AzureSentinel.IncidentComment.Message | String | The incident comment. |
| AzureSentinel.IncidentComment.AuthorName | String | The name of the author of the incident comment. |
| AzureSentinel.IncidentComment.AuthorEmail | String | The email address of the author of the incident comment. |
| AzureSentinel.IncidentComment.CreatedTimeUTC | Date | The date and time that the incident comment was created. |
| AzureSentinel.NextLink.Description | String | Description of nextLink. |
| AzureSentinel.NextLink.URL | String | Used if an operation returns a partial result. If a response contains a nextLink element, its value specifies a starting point to use for subsequent calls. |

Command Example

!azure-sentinel-list-incident-comments incident_id=8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742

Context Example

{
"AzureSentinel": {
"IncidentComment": [
{
"AuthorEmail": null,
"AuthorName": null,
"CreatedTimeUTC": "2021-08-23T13:30:42Z",
"ID": "231020399272240422047777436922721687523",
"IncidentID": "8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742",
"Message": "test messages"
},
{
"AuthorEmail": null,
"AuthorName": null,
"CreatedTimeUTC": "2021-08-23T13:26:26Z",
"ID": "251456744761940512356246980948458722890",
"IncidentID": "8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742",
"Message": "test messages"
},
{
"AuthorEmail": null,
"AuthorName": null,
"CreatedTimeUTC": "2021-08-12T10:57:44Z",
"ID": "152909182848719872520422267385960967748",
"IncidentID": "8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742",
"Message": "test messages"
},
{
"AuthorEmail": "test@test.com",
"AuthorName": null,
"CreatedTimeUTC": "2020-04-05T12:14:13Z",
"ID": "307866023137611282164566423986768628663",
"IncidentID": "8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742",
"Message": "hello world"
}
]
}
}

Human Readable Output

Incident 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 Comments (4 results)

| ID | Incident ID | Message | Author Email | Created Time UTC |
| --- | --- | --- | --- | --- |
| 231020399272240422047777436922721687523 | 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 | test messages | | 2021-08-23T13:30:42Z |
| 251456744761940512356246980948458722890 | 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 | test messages | | 2021-08-23T13:26:26Z |
| 152909182848719872520422267385960967748 | 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 | test messages | | 2021-08-12T10:57:44Z |
| 307866023137611282164566423986768628663 | 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 | hello world | test@test.com | 2020-04-05T12:14:13Z |

azure-sentinel-incident-add-comment

Adds a comment to an incident in Azure Sentinel.

Base Command

azure-sentinel-incident-add-comment

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Required |
| message | The comment message. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.IncidentComment.ID | String | The ID of the incident comment. |
| AzureSentinel.IncidentComment.IncidentID | String | The incident ID. |
| AzureSentinel.IncidentComment.Message | String | The incident comment. |
| AzureSentinel.IncidentComment.AuthorName | String | The name of the author of the incident comment. |
| AzureSentinel.IncidentComment.AuthorEmail | String | The email address of the author of the incident comment. |
| AzureSentinel.IncidentComment.CreatedTimeUTC | Date | The date and time that the incident comment was created. |

Command Example

!azure-sentinel-incident-add-comment incident_id=8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 message="test messages"

Context Example

{
"AzureSentinel": {
"IncidentComment": {
"AuthorEmail": null,
"AuthorName": null,
"CreatedTimeUTC": "2021-08-23T13:30:42Z",
"ID": "231020399272240422047777436922721687523",
"IncidentID": "8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742",
"Message": "test messages"
}
}
}

Human Readable Output#

Incident 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 new comment details#

| ID | Incident ID | Message | Created Time UTC |
| --- | --- | --- | --- |
| 231020399272240422047777436922721687523 | 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 | test messages | 2021-08-23T13:30:42Z |

azure-sentinel-incident-delete-comment#


Deletes a comment from an incident in Azure Sentinel.

Base Command#

azure-sentinel-incident-delete-comment

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Required |
| comment_id | The comment ID. | Required |

Context Output#

There is no context output for this command.

Command Example#

!azure-sentinel-incident-delete-comment incident_id=8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 comment_id="296745069631925005023508651351426"

Human Readable Output#

Comment 296745069631925005023508651351426 was deleted successfully.

azure-sentinel-list-incident-relations#


Gets a list of an incident's related entities from Azure Sentinel.

Base Command#

azure-sentinel-list-incident-relations

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Required |
| limit | The maximum number of related entities to return. Default is 50. | Optional |
| next_link | A link that specifies a starting point to use for subsequent calls. Using this argument overrides all of the other command arguments. | Optional |
| entity_kinds | A comma-separated list of entity kinds to filter by. By default, the results are not filtered by kind. The supported kinds are: Account, Host, File, AzureResource, CloudApplication, DnsResolution, FileHash, Ip, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, Url, IoTDevice, SecurityAlert, Bookmark. | Optional |
| filter | Filter results using OData syntax. For example: properties/createdTimeUtc gt 2020-02-02T14:00:00Z. For more information, see the Azure documentation: https://docs.microsoft.com/bs-latn-ba/azure/search/search-query-odata-filter. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.IncidentRelatedResource.ID | String | The ID of the incident's related resource. |
| AzureSentinel.IncidentRelatedResource.Kind | String | The kind of the incident's related resource. |
| AzureSentinel.NextLink.Description | String | A description of the nextLink. |
| AzureSentinel.NextLink.URL | String | Used if an operation returns a partial result. If a response contains a nextLink element, its value specifies a starting point to use for subsequent calls. |
| AzureSentinel.IncidentRelatedResource.IncidentID | String | The incident ID. |

Command Example#

!azure-sentinel-list-incident-relations incident_id=8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742

Context Example#

{
"AzureSentinel": {
"IncidentRelatedResource": {
"ID": "bfb02efc-12b7-4147-a8e8-961338b1b834",
"IncidentID": "8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742",
"Kind": "SecurityAlert"
}
}
}

Human Readable Output#

Incident 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 Relations (1 results)#

| ID | Incident ID | Kind |
| --- | --- | --- |
| bfb02efc-12b7-4147-a8e8-961338b1b834 | 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 | SecurityAlert |
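The following is an added example, not code from the XSOAR integration itself, showing how the limit, entity_kinds and next_link arguments fit together when walking a paged relations list and how a page is shaped into the IncidentRelatedResource and NextLink context entries documented above. The HTTP client is replaced by a constructed in-memory fetcher so it runs offline; the ARM list envelope (value/nextLink), the $top and $filter query parameters, the OData field properties/relatedResourceKind and the use of properties/relatedResourceName as the context ID are assumptions about the Azure Sentinel REST API, not details stated on this page.

```python
"""Added example, not code from the XSOAR integration: page through an
incident's relations and shape the result into the context entries
documented above. HTTP is replaced by a constructed in-memory fetcher so
it runs offline. Assumed, not stated on this page: the ARM list envelope
{'value': [...], 'nextLink': '...'}, the $top/$filter query parameters, the
OData field properties/relatedResourceKind, and that the context ID comes
from properties/relatedResourceName."""
from typing import Callable, Dict, List, Optional

# Entity kinds the entity_kinds argument accepts, as listed in the Input table.
VALID_ENTITY_KINDS = {
    "Account", "Host", "File", "AzureResource", "CloudApplication",
    "DnsResolution", "FileHash", "Ip", "Malware", "Process", "RegistryKey",
    "RegistryValue", "SecurityGroup", "Url", "IoTDevice", "SecurityAlert",
    "Bookmark",
}
Fetcher = Callable[[str, Dict[str, str]], dict]


def build_kind_filter(entity_kinds: Optional[str]) -> Optional[str]:
    """Turn the comma-separated entity_kinds argument into an OData $filter.
    Unknown kinds are rejected instead of silently returning every kind."""
    if not entity_kinds:
        return None
    kinds = [k.strip() for k in entity_kinds.split(",") if k.strip()]
    unknown = [k for k in kinds if k not in VALID_ENTITY_KINDS]
    if unknown:
        raise ValueError(f"unsupported entity kind(s): {unknown}")
    return " or ".join(f"properties/relatedResourceKind eq '{k}'" for k in kinds)


def list_incident_relations(fetch_page: Fetcher, incident_id: str, limit: int = 50,
                            entity_kinds: Optional[str] = None,
                            next_link: Optional[str] = None) -> dict:
    """One page of relations -> the two context keys the command documents.
    A next_link overrides every other argument, as the Input table says."""
    if next_link:
        url, params = next_link, {}
    else:
        url = f"incidents/{incident_id}/relations"  # assumed relative path
        params = {"$top": str(limit)}
        kind_filter = build_kind_filter(entity_kinds)
        if kind_filter:
            params["$filter"] = kind_filter
    page = fetch_page(url, params)
    resources = [{"ID": r["properties"]["relatedResourceName"],
                  "IncidentID": incident_id,
                  "Kind": r["properties"]["relatedResourceKind"]}
                 for r in page.get("value", [])]
    context = {"AzureSentinel.IncidentRelatedResource": resources}
    if page.get("nextLink"):
        context["AzureSentinel.NextLink"] = {
            "Description": "NextLink for listing commands.", "URL": page["nextLink"]}
    return context


def collect_all_relations(fetch_page: Fetcher, incident_id: str,
                          max_pages: int = 20, **kwargs) -> List[dict]:
    """Follow nextLink until the service stops returning one. The page cap
    stops a misbehaving or looping nextLink from running forever."""
    resources: List[dict] = []
    next_link = None
    for _ in range(max_pages):
        ctx = list_incident_relations(fetch_page, incident_id, next_link=next_link, **kwargs)
        resources.extend(ctx["AzureSentinel.IncidentRelatedResource"])
        next_link = ctx.get("AzureSentinel.NextLink", {}).get("URL")
        if not next_link:
            return resources
    raise RuntimeError(f"gave up after {max_pages} pages; nextLink never ended")


# Constructed sample: two pages, the first mirroring the context example above.
INCIDENT = "8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742"
PAGE2 = "https://example.invalid/relations?$skipToken=page2"  # constructed
SAMPLE_PAGES = {
    f"incidents/{INCIDENT}/relations": {
        "value": [{"properties": {"relatedResourceKind": "SecurityAlert",
                                  "relatedResourceName": "bfb02efc-12b7-4147-a8e8-961338b1b834"}}],
        "nextLink": PAGE2},
    PAGE2: {
        "value": [{"properties": {"relatedResourceKind": "Account",
                                  "relatedResourceName": "00000000-0000-0000-0000-000000000001"}}]},
}


def fake_fetcher(url: str, params: Dict[str, str]) -> dict:
    """Stand-in for the authenticated GET; returns the canned page for a URL."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    print(list_incident_relations(fake_fetcher, INCIDENT, entity_kinds="SecurityAlert"))
    print(collect_all_relations(fake_fetcher, INCIDENT))
```

The max_pages cap in collect_all_relations is the check worth keeping in any automation that follows nextLink values blindly: a playbook that loops on the NextLink context without a bound has no way to stop if the service keeps handing back a link.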

azure-sentinel-list-incident-entities#


Gets a list of an incident's entities from Azure Sentinel.

Base Command#

azure-sentinel-list-incident-entities

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.IncidentEntity.ID | String | The ID of the entity. |
| AzureSentinel.IncidentEntity.IncidentId | String | The ID of the incident. |
| AzureSentinel.IncidentEntity.Kind | String | The kind of the entity. |
| AzureSentinel.IncidentEntity.Properties | Unknown | The properties of the entity. |

Command Example#

!azure-sentinel-list-incident-entities incident_id=65d8cbc0-4e4d-4acb-ab7e-8aa19936002c

Context Example#

{
"AzureSentinel": {
"IncidentEntity": {
"ID": "176567ab-1ccc-8a53-53bf-97958a78d3b5",
"IncidentId": "65d8cbc0-4e4d-4acb-ab7e-8aa19936002c",
"Kind": "Account",
"Properties": {
"aadTenantId": "176567ab-1ccc-8a53-53bf-97958a78d3b5",
"aadUserId": "176567ab-1ccc-8a53-53bf-97958a78d3b5",
"accountName": "test_user_1",
"additionalData": {
"AdditionalMailAddresses": "[\"test@test.com\"]",
"City": "SantaClara",
"Country": "United States",
"GivenName": "test_name",
"IsDeleted": "False",
"IsEnabled": "True",
"JobTitle": "test",
"MailAddress": "test@test.com",
"ManagerName": "test_manager",
"Sources": "[\"AzureActiveDirectory\"]",
"State": "California",
"StreetAddress": "test address",
"Surname": "test_name",
"SyncFromAad": "True",
"TransitiveDirectoryRoles": "[\"Global Administrator\"]",
"TransitiveGroupsMembership": "[\"kkk\"]",
"UpnName": "test",
"UserType": "Member"
},
"displayName": "Test Name",
"friendlyName": "Test Name",
"isDomainJoined": true,
"upnSuffix": "test.com"
}
}
}
}

Human Readable Output#

Incident 65d8cbc0-4e4d-4acb-ab7e-8aa19936002c Entities (1 results)#

| ID | Kind | Incident Id |
| --- | --- | --- |
| 176567ab-1ccc-8a53-53bf-97958a78d3b5 | Account | 65d8cbc0-4e4d-4acb-ab7e-8aa19936002c |
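The context example above shows a detail that matters when a playbook consumes entity output: the values under additionalData are strings, with list-valued fields such as TransitiveDirectoryRoles delivered as JSON text and booleans as "True"/"False". The following added example (not code from the integration) decodes those fields and reduces an Account entity to the facts an analyst checks first, flagging privileged directory roles. The sample entity is rebuilt from the context example above, and the PRIVILEGED_ROLES set is an assumption made for this example rather than a list the page defines.

```python
"""Added example, not code from the XSOAR integration: flatten an Account
entity returned by azure-sentinel-list-incident-entities into the fields an
analyst checks first. The sample entity is rebuilt from the context example
above; PRIVILEGED_ROLES is an assumption made for this example, not a list
the page defines."""
import json
from typing import Any, Dict

# Assumed set of directory roles worth flagging during incident triage.
PRIVILEGED_ROLES = {
    "Global Administrator", "Privileged Role Administrator",
    "Security Administrator", "Exchange Administrator",
}


def decode_additional_data(additional: Dict[str, Any]) -> Dict[str, Any]:
    """Values under additionalData arrive as strings: lists as JSON text
    ('["Global Administrator"]') and booleans as 'True'/'False'. Decode them
    so callers never compare against the raw string forms."""
    decoded: Dict[str, Any] = {}
    for key, value in additional.items():
        if isinstance(value, str):
            text = value.strip()
            if text in ("True", "False"):
                decoded[key] = text == "True"
                continue
            if text[:1] in ("[", "{"):
                try:
                    decoded[key] = json.loads(text)
                    continue
                except json.JSONDecodeError:
                    pass  # not JSON after all; keep the original string
        decoded[key] = value
    return decoded


def summarise_account_entity(entity: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce an Account entity to its triage fields, flagging privileged roles."""
    if entity.get("Kind") != "Account":
        raise ValueError(f"expected an Account entity, got {entity.get('Kind')!r}")
    props = entity.get("Properties", {})
    extra = decode_additional_data(props.get("additionalData", {}))
    roles = extra.get("TransitiveDirectoryRoles") or []
    if isinstance(roles, str):  # a single role not wrapped in a list
        roles = [roles]
    privileged = sorted(r for r in roles if r in PRIVILEGED_ROLES)
    name, suffix = props.get("accountName"), props.get("upnSuffix")
    return {
        "incident_id": entity.get("IncidentId"),
        "entity_id": entity.get("ID"),
        "upn": f"{name}@{suffix}" if name and suffix else name,
        "enabled": extra.get("IsEnabled"),
        "deleted": extra.get("IsDeleted"),
        "synced_from_aad": extra.get("SyncFromAad"),
        "sources": extra.get("Sources") or [],
        "privileged_roles": privileged,
        "is_privileged": bool(privileged),
    }


# Constructed sample, trimmed from the context example above.
SAMPLE_ENTITY = {
    "ID": "176567ab-1ccc-8a53-53bf-97958a78d3b5",
    "IncidentId": "65d8cbc0-4e4d-4acb-ab7e-8aa19936002c",
    "Kind": "Account",
    "Properties": {
        "accountName": "test_user_1",
        "upnSuffix": "test.com",
        "isDomainJoined": True,
        "additionalData": {
            "IsDeleted": "False",
            "IsEnabled": "True",
            "SyncFromAad": "True",
            "Sources": "[\"AzureActiveDirectory\"]",
            "TransitiveDirectoryRoles": "[\"Global Administrator\"]",
            "TransitiveGroupsMembership": "[\"kkk\"]",
            "MailAddress": "test@test.com",
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(summarise_account_entity(SAMPLE_ENTITY), indent=2))
```

A comparison such as `roles == "Global Administrator"` against the raw string would never match, which is why the decoding step comes first; the is_privileged flag is the sort of field a playbook can branch on to raise incident severity.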

azure-sentinel-list-incident-alerts#


Gets a list of an incident's alerts from Azure Sentinel.

Base Command#

azure-sentinel-list-incident-alerts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.IncidentAlert.ID | String | The ID of the alert. |
| AzureSentinel.IncidentAlert.IncidentId | String | The ID of the incident. |
| AzureSentinel.IncidentAlert.Kind | String | The kind of the alert. |
| AzureSentinel.IncidentAlert.Tactic | Unknown | The tactics of the alert. |
| AzureSentinel.IncidentAlert.DisplayName | String | The display name of the alert. |
| AzureSentinel.IncidentAlert.Description | String | The description of the alert. |
| AzureSentinel.IncidentAlert.ConfidenceLevel | String | The confidence level of this alert. |
| AzureSentinel.IncidentAlert.Severity | String | The severity of the alert. |
| AzureSentinel.IncidentAlert.VendorName | String | The name of the vendor that raised the alert. |
| AzureSentinel.IncidentAlert.ProductName | String | The name of the product that published this alert. |
| AzureSentinel.IncidentAlert.ProductComponentName | String | The name of the component inside the product that generated the alert. |

Command Example#

!azure-sentinel-list-incident-alerts incident_id=25c9ddf4-d951-4b67-9381-172f953feb57

Context Example#

{
"AzureSentinel": {
"IncidentAlert": {
"ConfidenceLevel": "Unknown",
"Description": "",
"DisplayName": "Test rule",
"ID": "f3319e38-3f5b-a1eb-9970-69679dcdf916",
"IncidentId": "25c9ddf4-d951-4b67-9381-172f953feb57",
"Kind": "SecurityAlert",
"ProductComponentName": "Scheduled Alerts",
"ProductName": "Azure Sentinel",
"Severity": "Medium",
"Tactic": [
"InitialAccess",
"Persistence",
"PrivilegeEscalation",
"DefenseEvasion",
"CredentialAccess",
"Discovery",
"LateralMovement",
"Execution",
"Collection",
"Exfiltration",
"CommandAndControl",
"Impact"
],
"VendorName": "Microsoft"
}
}
}

Human Readable Output#

Incident 25c9ddf4-d951-4b67-9381-172f953feb57 Alerts (1 results)#

| ID | Kind | Incident Id |
| --- | --- | --- |
| f3319e38-3f5b-a1eb-9970-69679dcdf916 | SecurityAlert | 25c9ddf4-d951-4b67-9381-172f953feb57 |

azure-sentinel-list-watchlist-items#


Gets a single watchlist item or a list of watchlist items.

Base Command#

azure-sentinel-list-watchlist-items

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist_alias | The alias of the watchlist. | Required |
| watchlist_item_id | The ID of the single watchlist item. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.WatchlistItem.WatchlistAlias | String | The alias of the watchlist. |
| AzureSentinel.WatchlistItem.ID | String | The ID (GUID) of the watchlist item. |
| AzureSentinel.WatchlistItem.Created | Date | The time the watchlist item was created. |
| AzureSentinel.WatchlistItem.Updated | Date | The last time the watchlist item was updated. |
| AzureSentinel.WatchlistItem.CreatedBy | String | The user who created this item. |
| AzureSentinel.WatchlistItem.UpdatedBy | String | The user who updated this item. |
| AzureSentinel.WatchlistItem.ItemsKeyValue | Unknown | Key-value pairs for a watchlist item. |

Command Example#

!azure-sentinel-list-watchlist-items watchlist_alias=test_4

Context Example#

{
"AzureSentinel": {
"WatchlistItem": [
{
"Created": "2021-08-23T13:30:53Z",
"CreatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd",
"ID": "28bd8f55-131b-42e6-bd5d-33d30f2d1291",
"ItemsKeyValue": {
"IP": "1.2.3.4",
"name": "test1"
},
"Name": "28bd8f55-131b-42e6-bd5d-33d30f2d1291",
"Updated": "2021-08-23T13:30:53Z",
"UpdatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd",
"WatchlistAlias": "test_4"
},
{
"Created": "2021-08-23T13:30:53Z",
"CreatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd",
"ID": "510d8f80-99ad-441d-87f3-88341cc8b439",
"ItemsKeyValue": {
"IP": "1.2.3.5",
"name": "test2"
},
"Name": "510d8f80-99ad-441d-87f3-88341cc8b439",
"Updated": "2021-08-23T13:30:53Z",
"UpdatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd",
"WatchlistAlias": "test_4"
}
]
}
}

Human Readable Output#

Watchlist items results#

| ID | Items Key Value |
| --- | --- |
| 28bd8f55-131b-42e6-bd5d-33d30f2d1291 | name: test1, IP: 1.2.3.4 |
| 510d8f80-99ad-441d-87f3-88341cc8b439 | name: test2, IP: 1.2.3.5 |

azure-sentinel-delete-watchlist-item#


Deletes a watchlist item.

Base Command#

azure-sentinel-delete-watchlist-item

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist_alias | The watchlist alias. | Required |
| watchlist_item_id | The watchlist item ID to be deleted. | Required |

Context Output#

There is no context output for this command.

Command Example#

!azure-sentinel-delete-watchlist-item watchlist_alias=test_2 watchlist_item_id=96c326c6-2dea-403c-94bd-6a005921c3c1

Human Readable Output#

Watchlist item 96c326c6-2dea-403c-94bd-6a005921c3c1 was deleted successfully.

azure-sentinel-create-update-watchlist-item#


Creates or updates a watchlist item.

Base Command#

azure-sentinel-create-update-watchlist-item

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist_alias | The watchlist alias. | Required |
| watchlist_item_id | The watchlist item ID (GUID) to update. | Optional |
| item_key_value | The JSON for the itemsKeyValue of the item (the key-value schema differs from watchlist to watchlist). | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.WatchlistItem.WatchlistAlias | String | The alias of the watchlist. |
| AzureSentinel.WatchlistItem.ID | String | The ID (GUID) of the watchlist item. |
| AzureSentinel.WatchlistItem.Created | Date | The time the watchlist item was created. |
| AzureSentinel.WatchlistItem.Updated | Date | The last time the watchlist item was updated. |
| AzureSentinel.WatchlistItem.CreatedBy | String | The user who created this item. |
| AzureSentinel.WatchlistItem.UpdatedBy | String | The user who updated this item. |
| AzureSentinel.WatchlistItem.ItemsKeyValue | Unknown | Key-value pairs for a watchlist item. |

Command Example#

!azure-sentinel-create-update-watchlist-item watchlist_alias=test_4 item_key_value={"name": "test_4_item", "IP": "4.4.4.4"}

Context Example#

{
"AzureSentinel": {
"WatchlistItem": {
"Created": "2021-08-23T13:30:59Z",
"CreatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd",
"ID": "6b21d1ef-18fa-420f-ae4a-a6f94588ebe8",
"ItemsKeyValue": {
"IP": "4.4.4.4",
"name": "test_4_item"
},
"Name": "6b21d1ef-18fa-420f-ae4a-a6f94588ebe8",
"Updated": "2021-08-23T13:30:59Z",
"UpdatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd",
"WatchlistAlias": "test_4"
}
}
}

Human Readable Output#

Create watchlist item results#

| ID | Items Key Value |
| --- | --- |
| 6b21d1ef-18fa-420f-ae4a-a6f94588ebe8 | name: test_4_item, IP: 4.4.4.4 |
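Because the item_key_value argument is free-form JSON whose keys differ per watchlist, a malformed row (wrong keys, or a non-address in an IP column) lands in the watchlist and silently skews any analytics rule that joins against it. The following added example (not code from the integration) validates item_key_value before the request is built: it parses the JSON, checks the keys against the watchlist's expected schema, verifies IP-typed values with the standard library, and mints a GUID when no watchlist_item_id is supplied (the create case). The PUT path watchlists/{alias}/watchlistItems/{id}, the body layout {"properties": {"itemsKeyValue": ...}} and the GUID-on-create behaviour are assumptions about the Azure Sentinel watchlist API, and WATCHLIST_SCHEMAS is constructed for the example.

```python
"""Added example, not code from the XSOAR integration: validate the
item_key_value argument of azure-sentinel-create-update-watchlist-item and
build the request to send. Assumed, not stated on this page: the PUT path
watchlists/{alias}/watchlistItems/{id}, the body layout
{'properties': {'itemsKeyValue': {...}}}, and minting a GUID when
watchlist_item_id is omitted. WATCHLIST_SCHEMAS is constructed for the
example because the page only says the keys differ per watchlist."""
import ipaddress
import json
import uuid
from typing import Any, Dict, Optional, Set

# Constructed: the key set each watchlist expects. A real deployment would
# read this from the watchlist definition rather than hard-code it.
WATCHLIST_SCHEMAS: Dict[str, Set[str]] = {"test_4": {"name", "IP"}}


def parse_item_key_value(raw: str) -> Dict[str, Any]:
    """Parse the item_key_value JSON and insist on a flat object of scalars,
    which is what a single watchlist row is."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"item_key_value is not valid JSON: {exc}") from None
    if not isinstance(data, dict) or not data:
        raise ValueError("item_key_value must be a non-empty JSON object")
    for key, value in data.items():
        if not isinstance(value, (str, int, float, bool)):
            raise ValueError(f"value for {key!r} must be a scalar, got {type(value).__name__}")
    return data


def validate_against_watchlist(alias: str, items: Dict[str, Any]) -> Dict[str, Any]:
    """Check the keys match the watchlist's schema and that IP-typed columns
    hold real addresses, so a typo cannot poison a list used by analytics rules."""
    expected = WATCHLIST_SCHEMAS.get(alias)
    if expected is None:
        raise ValueError(f"unknown watchlist alias {alias!r}")
    if set(items) != expected:
        raise ValueError(f"watchlist {alias!r} expects keys {sorted(expected)}, got {sorted(items)}")
    if "IP" in items:
        ipaddress.ip_address(str(items["IP"]))  # raises ValueError on garbage
    return items


def build_watchlist_item_request(alias: str, raw_item_key_value: str,
                                 watchlist_item_id: Optional[str] = None) -> Dict[str, Any]:
    """Return the path and body for the PUT; a missing item ID means create."""
    items = validate_against_watchlist(alias, parse_item_key_value(raw_item_key_value))
    item_id = watchlist_item_id or str(uuid.uuid4())
    uuid.UUID(item_id)  # reject IDs that are not GUIDs before they reach the API
    return {
        "method": "PUT",
        "path": f"watchlists/{alias}/watchlistItems/{item_id}",
        "body": {"properties": {"itemsKeyValue": items}},
    }


if __name__ == "__main__":
    req = build_watchlist_item_request(
        "test_4", '{"name": "test_4_item", "IP": "4.4.4.4"}',
        "6b21d1ef-18fa-420f-ae4a-a6f94588ebe8")
    print(json.dumps(req, indent=2))
```

The ID check matters for the update path as well: because the same call creates or updates, a mistyped watchlist_item_id that is still a valid GUID would quietly create a second item instead of updating the intended one, so callers should take the ID from a prior list-watchlist-items result rather than retyping it.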