
Azure Sentinel

This Integration is part of the Azure Sentinel Pack.#

Use the Azure Sentinel integration to get and manage incidents and get related entity information for incidents. This integration was integrated and tested with version 2021-04-01 of Azure Sentinel.

Authorize Cortex XSOAR for Azure Sentinel#

Follow these steps for a self-deployed configuration.

  1. To use a self-configured Azure application, you need to add a new Azure App Registration in the Azure Portal. To add the registration, refer to the Register an application section of the following Microsoft article. (Note: There is no need to create a redirect URI or complete the subsequent steps of the article.)
  2. In your registered app, create a new client secret.
    1. In the Azure Portal, navigate to App registrations > your registered application > Certificates & secrets and click + New client secret.
    2. Copy and save the new secret value; you will need it in the credentials step below.
  3. Assign a role to the registered app.
    1. In the Azure Portal, go to Subscriptions, select the subscription you are using, and open Access control (IAM).
    2. Click Add > Add role assignment.
    3. Select the Azure Sentinel Contributor role, select your registered app, and click Save.
  4. In Cortex XSOAR, go to Settings > Integrations > Credentials and create a new credentials set.
  5. In the Username parameter, enter your registered app Application (client) ID.
  6. In the Password parameter, enter the secret value you created.
  7. Copy your tenant ID for the integration configuration usage.

Configure the server URL#

If you have a dedicated server URL, enter it in the Server Url parameter.

Get the additional instance parameters#

To get the Subscription ID, Workspace Name and Resource Group parameters, in the Azure Portal navigate to Azure Sentinel > your workspace > Settings and click the Workspace Settings tab.

Configure Azure Sentinel on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Azure Sentinel.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Required |
    | --- | --- |
    | Server URL | False |
    | Tenant ID | True |
    | Client ID | True |
    | Subscription ID | True |
    | Resource Group Name | True |
    | Workspace Name | True |
    | Fetch incidents | False |
    | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | False |
    | The minimum severity of incidents to fetch | False |
    | Incident type | False |
    | Trust any certificate (not secure) | False |
    | Use system proxy settings | False |
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

azure-sentinel-get-incident-by-id#


Gets a single incident from Azure Sentinel.

Base Command#

azure-sentinel-get-incident-by-id

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.Incident.ID | String | The incident ID. |
| AzureSentinel.Incident.Title | String | The incident title. |
| AzureSentinel.Incident.Description | String | Description of the incident. |
| AzureSentinel.Incident.Severity | String | The incident severity. |
| AzureSentinel.Incident.Status | String | The incident status. |
| AzureSentinel.Incident.AssigneeName | String | The name of the incident assignee. |
| AzureSentinel.Incident.AssigneeEmail | String | The email address of the incident assignee. |
| AzureSentinel.Incident.Label.Name | String | The name of the incident label. |
| AzureSentinel.Incident.Label.Type | String | The incident label type. |
| AzureSentinel.Incident.FirstActivityTimeUTC | Date | The date and time of the incident's first activity. |
| AzureSentinel.Incident.LastActivityTimeUTC | Date | The date and time of the incident's last activity. |
| AzureSentinel.Incident.LastModifiedTimeUTC | Date | The date and time the incident was last modified. |
| AzureSentinel.Incident.CreatedTimeUTC | Date | The date and time the incident was created. |
| AzureSentinel.Incident.IncidentNumber | Number | The incident number. |
| AzureSentinel.Incident.AlertsCount | Number | The number of alerts in the incident. |
| AzureSentinel.Incident.BookmarkCount | Number | The number of bookmarks in the incident. |
| AzureSentinel.Incident.CommentCount | Number | The number of comments in the incident. |
| AzureSentinel.Incident.AlertProductNames | String | The alert product names of the incident. |
| AzureSentinel.Incident.Tactics | String | The incident's tactics. |
| AzureSentinel.Incident.FirstActivityTimeGenerated | Date | The incident's generated first activity time. |
| AzureSentinel.Incident.LastActivityTimeGenerated | Date | The incident's generated last activity time. |
| AzureSentinel.Incident.Etag | String | The Etag of the incident. |
| AzureSentinel.Incident.IncidentUrl | String | The deep-link URL to the incident in the Azure portal. |

Command Example#

!azure-sentinel-get-incident-by-id incident_id=8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742

Context Example#

{
"AzureSentinel": {
"Incident": {
"AlertProductNames": [
"Azure Sentinel"
],
"AlertsCount": 1,
"AssigneeEmail": "test@test.com",
"AssigneeName": null,
"BookmarksCount": 0,
"CommentsCount": 3,
"CreatedTimeUTC": "2020-01-15T09:29:14Z",
"Deleted": false,
"Description": "Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\nexceeds a threshold (default is 100).",
"Etag": "\"2700a244-0000-0100-0000-6123a2930000\"",
"FirstActivityTimeGenerated": null,
"FirstActivityTimeUTC": null,
"ID": "8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742",
"IncidentNumber": 2,
"Label": [
{
"Name": "label_a",
"Type": "User"
},
{
"Name": "label_b",
"Type": "User"
}
],
"LastActivityTimeGenerated": null,
"LastActivityTimeUTC": null,
"LastModifiedTimeUTC": "2021-08-23T13:28:51Z",
"Severity": "Informational",
"Status": "New",
"Tactics": null,
"Title": "SharePointFileOperation via previously unseen IPs"
}
}
}

Human Readable Output#

Incident 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 details#

| ID | Incident Number | Title | Description | Severity | Status | Assignee Email | Label | Last Modified Time UTC | Created Time UTC | Alerts Count | Bookmarks Count | Comments Count | Alert Product Names | Etag |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 | 2 | SharePointFileOperation via previously unseen IPs | Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses exceeds a threshold (default is 100). | Informational | New | test@test.com | {'Name': 'label_a', 'Type': 'User'}, {'Name': 'label_b', 'Type': 'User'} | 2021-08-23T13:28:51Z | 2020-01-15T09:29:14Z | 1 | 0 | 3 | Azure Sentinel | "2700a244-0000-0100-0000-6123a2930000" |

azure-sentinel-list-incidents#


Gets a list of incidents from Azure Sentinel.

Base Command#

azure-sentinel-list-incidents

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of incidents to return. The maximum value is 200. Default is 50. | Optional |
| filter | Filter results using OData syntax. For example: `properties/createdTimeUtc gt 2020-02-02T14:00:00Z`. For more information, see the Azure documentation: https://docs.microsoft.com/bs-latn-ba/azure/search/search-query-odata-filter. | Optional |
| next_link | A link that specifies a starting point to use for subsequent calls. This argument overrides all of the other command arguments. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.Incident.ID | String | The incident ID. |
| AzureSentinel.Incident.Title | String | The incident title. |
| AzureSentinel.Incident.Description | String | Description of the incident. |
| AzureSentinel.Incident.Severity | String | The incident severity. |
| AzureSentinel.Incident.Status | String | The incident status. |
| AzureSentinel.Incident.AssigneeName | String | The name of the incident assignee. |
| AzureSentinel.Incident.AssigneeEmail | String | The email address of the incident assignee. |
| AzureSentinel.Incident.Label.Name | String | The name of the incident label. |
| AzureSentinel.Incident.Label.Type | String | The incident label type. |
| AzureSentinel.Incident.FirstActivityTimeUTC | Date | The date and time of the incident's first activity. |
| AzureSentinel.Incident.LastActivityTimeUTC | Date | The date and time of the incident's last activity. |
| AzureSentinel.Incident.LastModifiedTimeUTC | Date | The date and time the incident was last modified. |
| AzureSentinel.Incident.CreatedTimeUTC | Date | The date and time the incident was created. |
| AzureSentinel.Incident.IncidentNumber | Number | The incident number. |
| AzureSentinel.Incident.AlertsCount | Number | The number of alerts in the incident. |
| AzureSentinel.Incident.BookmarkCount | Number | The number of bookmarks in the incident. |
| AzureSentinel.Incident.CommentCount | Number | The number of comments in the incident. |
| AzureSentinel.Incident.AlertProductNames | String | The alert product names of the incident. |
| AzureSentinel.Incident.Tactics | String | The incident's tactics. |
| AzureSentinel.Incident.FirstActivityTimeGenerated | Date | The incident's generated first activity time. |
| AzureSentinel.Incident.LastActivityTimeGenerated | Date | The incident's generated last activity time. |
| AzureSentinel.NextLink.Description | String | Description of NextLink. |
| AzureSentinel.NextLink.URL | String | Used if an operation returns partial results. If a response contains a NextLink element, its value specifies a starting point to use for subsequent calls. |
| AzureSentinel.Incident.Etag | String | The Etag of the incident. |

Command Example#

!azure-sentinel-list-incidents limit=5

Context Example#

{
"AzureSentinel": {
"Incident": [
{
"AlertProductNames": [
"Azure Sentinel"
],
"AlertsCount": 1,
"AssigneeEmail": "test@test.com",
"AssigneeName": null,
"BookmarksCount": 0,
"CommentsCount": 3,
"CreatedTimeUTC": "2020-01-15T09:29:14Z",
"Deleted": false,
"Description": "Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\nexceeds a threshold (default is 100).",
"Etag": "\"2700a244-0000-0100-0000-6123a2930000\"",
"FirstActivityTimeGenerated": null,
"FirstActivityTimeUTC": null,
"ID": "8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742",
"IncidentNumber": 2,
"Label": [
{
"Name": "label_a",
"Type": "User"
},
{
"Name": "label_b",
"Type": "User"
}
],
"LastActivityTimeGenerated": null,
"LastActivityTimeUTC": null,
"LastModifiedTimeUTC": "2021-08-23T13:28:51Z",
"Severity": "Informational",
"Status": "New",
"Tactics": null,
"Title": "SharePointFileOperation via previously unseen IPs"
},
{
"AlertProductNames": [
"Azure Sentinel"
],
"AlertsCount": 1,
"AssigneeEmail": "test@test.com",
"AssigneeName": null,
"BookmarksCount": 0,
"CommentsCount": 0,
"CreatedTimeUTC": "2020-01-15T09:34:12Z",
"Deleted": false,
"Description": "Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\nexceeds a threshold (default is 100).",
"Etag": "\"dc00cb1c-0000-0100-0000-60992bf20000\"",
"FirstActivityTimeGenerated": null,
"FirstActivityTimeUTC": null,
"ID": "e0b06d71-b5a3-43a9-997f-f25b45085cb7",
"IncidentNumber": 4,
"Label": [
{
"Name": "f",
"Type": "User"
},
{
"Name": "o",
"Type": "User"
},
{
"Name": "o",
"Type": "User"
},
{
"Name": "1",
"Type": "User"
}
],
"LastActivityTimeGenerated": null,
"LastActivityTimeUTC": null,
"LastModifiedTimeUTC": "2021-05-10T12:49:54Z",
"Severity": "Low",
"Status": "New",
"Tactics": null,
"Title": "SharePointFileOperation via previously unseen IPs"
},
{
"AlertProductNames": [
"Azure Sentinel"
],
"AlertsCount": 1,
"AssigneeEmail": null,
"AssigneeName": null,
"BookmarksCount": 0,
"CommentsCount": 0,
"CreatedTimeUTC": "2020-01-15T09:40:09Z",
"Deleted": false,
"Description": "Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\nexceeds a threshold (default is 100).",
"Etag": "\"0100c30e-0000-0100-0000-5fb883be0000\"",
"FirstActivityTimeGenerated": null,
"FirstActivityTimeUTC": "2020-01-15T08:04:05Z",
"ID": "a7977be7-1008-419b-877b-6793b7402a80",
"IncidentNumber": 6,
"Label": [],
"LastActivityTimeGenerated": null,
"LastActivityTimeUTC": "2020-01-15T09:04:05Z",
"LastModifiedTimeUTC": "2020-01-15T09:40:09Z",
"Severity": "Medium",
"Status": "New",
"Tactics": null,
"Title": "SharePointFileOperation via previously unseen IPs"
},
{
"AlertProductNames": [
"Azure Sentinel"
],
"AlertsCount": 1,
"AssigneeEmail": null,
"AssigneeName": null,
"BookmarksCount": 0,
"CommentsCount": 1,
"CreatedTimeUTC": "2020-01-15T09:44:12Z",
"Deleted": false,
"Description": "Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\nexceeds a threshold (default is 100).",
"Etag": "\"0600a81f-0000-0100-0000-5fdb4e890000\"",
"FirstActivityTimeGenerated": null,
"FirstActivityTimeUTC": null,
"ID": "6440c129-c313-418c-a262-5df608aa9cd2",
"IncidentNumber": 7,
"Label": [],
"LastActivityTimeGenerated": null,
"LastActivityTimeUTC": null,
"LastModifiedTimeUTC": "2020-12-17T12:26:49Z",
"Severity": "Medium",
"Status": "Active",
"Tactics": null,
"Title": "test_title"
},
{
"AlertProductNames": [
"Azure Sentinel"
],
"AlertsCount": 1,
"AssigneeEmail": null,
"AssigneeName": null,
"BookmarksCount": 0,
"CommentsCount": 0,
"CreatedTimeUTC": "2020-01-15T09:49:12Z",
"Deleted": false,
"Description": "Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\nexceeds a threshold (default is 100).",
"Etag": "\"0100b70e-0000-0100-0000-5fb883bd0000\"",
"FirstActivityTimeGenerated": null,
"FirstActivityTimeUTC": "2020-01-15T08:44:06Z",
"ID": "413e9d64-c7b4-4e33-ae26-bb39710d2187",
"IncidentNumber": 9,
"Label": [],
"LastActivityTimeGenerated": null,
"LastActivityTimeUTC": "2020-01-15T09:44:06Z",
"LastModifiedTimeUTC": "2020-01-15T09:49:12Z",
"Severity": "Medium",
"Status": "New",
"Tactics": null,
"Title": "SharePointFileOperation via previously unseen IPs"
}
],
"NextLink": {
"Description": "NextLink for listing commands",
"URL": "https://test.com"
}
}
}

Human Readable Output#

Incidents List (5 results)#

| ID | Incident Number | Title | Description | Severity | Status | Assignee Email | Label | First Activity Time UTC | Last Activity Time UTC | Last Modified Time UTC | Created Time UTC | Alerts Count | Bookmarks Count | Comments Count | Alert Product Names | Etag |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 | 2 | SharePointFileOperation via previously unseen IPs | Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses exceeds a threshold (default is 100). | Informational | New | test@test.com | {'Name': 'label_a', 'Type': 'User'}, {'Name': 'label_b', 'Type': 'User'} | | | 2021-08-23T13:28:51Z | 2020-01-15T09:29:14Z | 1 | 0 | 3 | Azure Sentinel | "2700a244-0000-0100-0000-6123a2930000" |
| e0b06d71-b5a3-43a9-997f-f25b45085cb7 | 4 | SharePointFileOperation via previously unseen IPs | Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses exceeds a threshold (default is 100). | Low | New | test@test.com | {'Name': 'f', 'Type': 'User'}, {'Name': 'o', 'Type': 'User'}, {'Name': 'o', 'Type': 'User'}, {'Name': '1', 'Type': 'User'} | | | 2021-05-10T12:49:54Z | 2020-01-15T09:34:12Z | 1 | 0 | 0 | Azure Sentinel | "dc00cb1c-0000-0100-0000-60992bf20000" |
| a7977be7-1008-419b-877b-6793b7402a80 | 6 | SharePointFileOperation via previously unseen IPs | Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses exceeds a threshold (default is 100). | Medium | New | | | 2020-01-15T08:04:05Z | 2020-01-15T09:04:05Z | 2020-01-15T09:40:09Z | 2020-01-15T09:40:09Z | 1 | 0 | 0 | Azure Sentinel | "0100c30e-0000-0100-0000-5fb883be0000" |
| 6440c129-c313-418c-a262-5df608aa9cd2 | 7 | test_title | Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses exceeds a threshold (default is 100). | Medium | Active | | | | | 2020-12-17T12:26:49Z | 2020-01-15T09:44:12Z | 1 | 0 | 1 | Azure Sentinel | "0600a81f-0000-0100-0000-5fdb4e890000" |
| 413e9d64-c7b4-4e33-ae26-bb39710d2187 | 9 | SharePointFileOperation via previously unseen IPs | Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses exceeds a threshold (default is 100). | Medium | New | | | 2020-01-15T08:44:06Z | 2020-01-15T09:44:06Z | 2020-01-15T09:49:12Z | 2020-01-15T09:49:12Z | 1 | 0 | 0 | Azure Sentinel | "0100b70e-0000-0100-0000-5fb883bd0000" |

azure-sentinel-list-watchlists#


Gets a list of watchlists from Azure Sentinel.

Base Command#

azure-sentinel-list-watchlists

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist_alias | Alias of a specific watchlist to get. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.Watchlist.ID | String | The watchlist ID. |
| AzureSentinel.Watchlist.Description | String | A description of the watchlist. |
| AzureSentinel.Watchlist.DisplayName | String | The display name of the watchlist. |
| AzureSentinel.Watchlist.Provider | String | The provider of the watchlist. |
| AzureSentinel.Watchlist.Source | String | The source of the watchlist. |
| AzureSentinel.Watchlist.Created | Date | The time the watchlist was created. |
| AzureSentinel.Watchlist.Updated | Date | The last time the watchlist was updated. |
| AzureSentinel.Watchlist.CreatedBy | String | The name of the user who created the watchlist. |
| AzureSentinel.Watchlist.UpdatedBy | String | The name of the user who updated the watchlist. |
| AzureSentinel.Watchlist.Alias | String | The alias of the watchlist. |
| AzureSentinel.Watchlist.Label | Unknown | Label that will be used to tag and filter on. |
| AzureSentinel.Watchlist.ItemsSearchKey | String | The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. |
| AzureSentinel.NextLink.Description | String | Description of NextLink. |
| AzureSentinel.NextLink.URL | String | Used if an operation returns partial results. If a response contains a NextLink element, its value specifies a starting point to use for subsequent calls. |

Command Example#

!azure-sentinel-list-watchlists

Context Example#

{
"AzureSentinel": {
"Watchlist": [
{
"Alias": "booboo",
"Created": "2021-07-11T08:20:35Z",
"CreatedBy": "test@test.com",
"Description": "just for fun",
"ID": "35bffe30-19f2-40a6-8855-4a858e161fad",
"ItemsSearchKey": "IP",
"Label": [
"IP"
],
"Name": "booboo",
"Provider": "xsoar",
"Source": "Local file",
"Updated": "2021-07-11T08:20:35Z",
"UpdatedBy": "test@test.com"
},
{
"Alias": "test_2",
"Created": "2021-08-16T10:26:56Z",
"CreatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd",
"Description": "test watchlist",
"ID": "ceae6089-10dd-4f02-89d5-ab32285688dc",
"ItemsSearchKey": "IP",
"Label": [],
"Name": "test_2",
"Provider": "XSOAR",
"Source": "Local file",
"Updated": "2021-08-16T10:26:56Z",
"UpdatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd"
},
{
"Alias": "test_1",
"Created": "2021-08-15T14:14:28Z",
"CreatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd",
"Description": "",
"ID": "92863c74-fee7-4ffe-8288-bc1529d12597",
"ItemsSearchKey": "IP",
"Label": [],
"Name": "test_1",
"Provider": "XSOAR",
"Source": "Local file",
"Updated": "2021-08-15T14:14:28Z",
"UpdatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd"
},
{
"Alias": "test_4",
"Created": "2021-08-23T13:30:53Z",
"CreatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd",
"Description": "test watchlist",
"ID": "84d1fedd-5945-4670-ae34-5e8c94af2660",
"ItemsSearchKey": "IP",
"Label": [],
"Name": "test_4",
"Provider": "XSOAR",
"Source": "Local file",
"Updated": "2021-08-23T13:30:53Z",
"UpdatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd"
}
]
}
}

Human Readable Output#

Watchlists results#

| Name | ID | Description |
| --- | --- | --- |
| booboo | 35bffe30-19f2-40a6-8855-4a858e161fad | just for fun |
| test_2 | ceae6089-10dd-4f02-89d5-ab32285688dc | test watchlist |
| test_1 | 92863c74-fee7-4ffe-8288-bc1529d12597 | |
| test_4 | 84d1fedd-5945-4670-ae34-5e8c94af2660 | test watchlist |

azure-sentinel-delete-watchlist#


Deletes a watchlist from Azure Sentinel.

Base Command#

azure-sentinel-delete-watchlist

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist_alias | Alias of the watchlist to be deleted. | Required |

Context Output#

There is no context output for this command.

Command Example#

!azure-sentinel-delete-watchlist watchlist_alias=test_4

Human Readable Output#

Watchlist test_4 was deleted successfully.

azure-sentinel-watchlist-create-update#


Creates or updates a watchlist in Azure Sentinel.

Base Command#

azure-sentinel-watchlist-create-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist_alias | The alias of the new watchlist or of the watchlist to update. | Required |
| watchlist_display_name | The display name of the watchlist. | Required |
| description | The description of the watchlist. | Optional |
| provider | The provider of the watchlist. Default is XSOAR. | Optional |
| source | The source of the watchlist. Possible values are: Local file, Remote storage. | Required |
| labels | The labels of the watchlist. | Optional |
| lines_to_skip | The number of lines in the CSV content to skip before the header. Default is 0. | Optional |
| file_entry_id | A file entry with raw content that represents the watchlist items to create. | Required |
| items_search_key | The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. | Required |
| content_type | The content type of the raw content. For now, only text/csv is valid. Default is Text/Csv. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.Watchlist.Name | String | The name of the watchlist. |
| AzureSentinel.Watchlist.ID | String | The ID (GUID) of the watchlist. |
| AzureSentinel.Watchlist.Description | String | A description of the watchlist. |
| AzureSentinel.Watchlist.Provider | String | The provider of the watchlist. |
| AzureSentinel.Watchlist.Source | String | The source of the watchlist. |
| AzureSentinel.Watchlist.Created | Date | The time the watchlist was created. |
| AzureSentinel.Watchlist.Updated | Date | The time the watchlist was updated. |
| AzureSentinel.Watchlist.CreatedBy | String | The user who created the watchlist. |
| AzureSentinel.Watchlist.UpdatedBy | String | The user who updated the watchlist. |
| AzureSentinel.Watchlist.Alias | String | The alias of the watchlist. |
| AzureSentinel.Watchlist.Label | Unknown | List of labels relevant to this watchlist. |
| AzureSentinel.Watchlist.ItemsSearchKey | String | The search key is used to optimize query performance when using watchlists for joins with other data. |

Command Example#

!azure-sentinel-watchlist-create-update items_search_key=IP raw_content=1711@3c9bd2a0-9eac-465b-8799-459df4997b2d source="Local file" watchlist_alias=test_4 watchlist_display_name=test_4 description="test watchlist"

Context Example#

{
"AzureSentinel": {
"Watchlist": {
"Alias": "test_4",
"Created": "2021-08-23T13:30:53Z",
"CreatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd",
"Description": "test watchlist",
"ID": "84d1fedd-5945-4670-ae34-5e8c94af2660",
"ItemsSearchKey": "IP",
"Label": [],
"Name": "test_4",
"Provider": "XSOAR",
"Source": "Local file",
"Updated": "2021-08-23T13:30:53Z",
"UpdatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd"
}
}
}

Human Readable Output#

Create watchlist results#

| Name | ID | Description |
| --- | --- | --- |
| test_4 | 84d1fedd-5945-4670-ae34-5e8c94af2660 | test watchlist |

azure-sentinel-update-incident#


Updates a single incident in Azure Sentinel.

Base Command#

azure-sentinel-update-incident

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Required |
| title | The incident's title. | Optional |
| description | Description of the incident. | Optional |
| severity | The incident severity. Possible values are: High, Medium, Low, Informational. | Optional |
| status | The incident status. Possible values are: New, Active, Closed. | Optional |
| classification | The reason the incident was closed. Required when updating the status to Closed. Possible values are: BenignPositive, FalsePositive, TruePositive, Undetermined. | Optional |
| classification_comment | Describes the reason the incident was closed. | Optional |
| classification_reason | The classification reason the incident was closed with. Required when updating the status to Closed and the classification is determined. Possible values are: InaccurateData, IncorrectAlertLogic, SuspiciousActivity, SuspiciousButExpected. | Optional |
| assignee_email | The email address of the incident assignee. It is recommended to update user_principal_name instead of this field. Note that the updated API field is owner.email. | Optional |
| user_principal_name | The user principal name of the client. Note that the updated API field is owner.userPrincipalName. | Optional |
| labels | Incident labels. Note that all labels will be set as labelType='User'. | Optional |
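
An added example (not code from the Azure Sentinel integration) showing how an automation would drive these commands safely: it follows `AzureSentinel.NextLink.URL` across `azure-sentinel-list-incidents` pages, sending only `next_link` after the first call because that argument overrides all others, and it builds `azure-sentinel-update-incident` arguments that respect the closing rules above (status Closed needs a classification; a determined classification also needs a classification_reason). The `execute` callable is an assumed stand-in for `demisto.executeCommand`, injected so the logic runs offline against constructed responses.

```python
"""Driving the azure-sentinel-* commands from a Cortex XSOAR automation.

Added example, not code from the Azure Sentinel integration. The `execute`
callable stands in for demisto.executeCommand and is injected so that the
logic runs offline against constructed responses.
"""
from typing import Callable, Dict, Iterator, List, Optional

# Allowed values, copied from the update-incident argument table on this page.
CLOSE_CLASSIFICATIONS = {"BenignPositive", "FalsePositive", "TruePositive", "Undetermined"}
CLOSE_REASONS = {"InaccurateData", "IncorrectAlertLogic",
                 "SuspiciousActivity", "SuspiciousButExpected"}

# Takes (command, args) and returns the AzureSentinel context object.
Executor = Callable[[str, Dict[str, str]], Dict]


def iter_incidents(execute: Executor, limit: int = 50,
                   odata_filter: Optional[str] = None,
                   max_pages: int = 100) -> Iterator[Dict]:
    """Yield every incident, following AzureSentinel.NextLink.URL page by page.

    Only the first call carries limit/filter: per the command reference,
    next_link overrides every other argument, so later calls send it alone.
    """
    args: Dict[str, str] = {"limit": str(min(limit, 200))}  # 200 is the documented maximum
    if odata_filter:
        args["filter"] = odata_filter
    seen = set()
    for _ in range(max_pages):
        context = execute("azure-sentinel-list-incidents", args)
        for incident in context.get("Incident", []):
            if incident["ID"] in seen:  # a NextLink that re-serves a page must not loop forever
                continue
            seen.add(incident["ID"])
            yield incident
        next_url = (context.get("NextLink") or {}).get("URL")
        if not next_url:
            return
        args = {"next_link": next_url}
    raise RuntimeError("pagination did not finish within max_pages")


def build_close_args(incident_id: str, classification: str, comment: str,
                     reason: Optional[str] = None) -> Dict[str, str]:
    """Arguments for azure-sentinel-update-incident that close an incident.

    Enforces the rules in the argument table: status=Closed requires a
    classification, and a determined classification (anything other than
    Undetermined) also requires a classification_reason.
    """
    if classification not in CLOSE_CLASSIFICATIONS:
        raise ValueError(f"unknown classification {classification!r}")
    args = {"incident_id": incident_id, "status": "Closed",
            "classification": classification, "classification_comment": comment}
    if classification != "Undetermined":
        if reason not in CLOSE_REASONS:
            raise ValueError("classification_reason is required for a determined classification")
        args["classification_reason"] = reason
    return args


def make_fake_executor(pages: List[Dict]) -> Executor:
    """Constructed stand-in for demisto.executeCommand serving canned pages.

    Page i+1 is served only when the caller sends the NextLink URL of page i,
    which checks that the pagination loop really uses next_link.
    """
    by_url = {page["NextLink"]["URL"]: pages[i + 1] for i, page in enumerate(pages[:-1])}

    def execute(command: str, args: Dict[str, str]) -> Dict:
        assert command == "azure-sentinel-list-incidents"
        if "next_link" in args:
            return by_url[args["next_link"]]
        return pages[0]
    return execute


# Constructed sample responses, shaped like the Context Example on this page.
SAMPLE_PAGES = [
    {"Incident": [{"ID": "id-1", "Severity": "Medium", "Status": "New"},
                  {"ID": "id-2", "Severity": "Low", "Status": "Active"}],
     "NextLink": {"Description": "NextLink for listing commands",
                  "URL": "https://test.com/page2"}},
    {"Incident": [{"ID": "id-3", "Severity": "High", "Status": "New"}]},
]


def collect_ids(pages: List[Dict] = SAMPLE_PAGES) -> List[str]:
    """Run the pagination loop over the constructed pages and return the IDs seen."""
    return [inc["ID"] for inc in iter_incidents(make_fake_executor(pages), limit=2)]


if __name__ == "__main__":
    print(collect_ids())  # ['id-1', 'id-2', 'id-3']
    print(build_close_args("id-3", "TruePositive", "confirmed by analyst", "SuspiciousActivity"))
```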

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.Incident.ID | String | The incident ID. |
| AzureSentinel.Incident.Title | String | The incident's title. |
| AzureSentinel.Incident.Description | String | Description of the incident. |
| AzureSentinel.Incident.Severity | String | The incident severity. |
| AzureSentinel.Incident.Status | String | The incident status. |
| AzureSentinel.Incident.AssigneeName | String | The name of the incident assignee. |
| AzureSentinel.Incident.AssigneeEmail | String | The email address of the incident assignee. |
| AzureSentinel.Incident.Label.Name | String | The name of the incident label. |
| AzureSentinel.Incident.Label.Type | String | The incident label type. |
| AzureSentinel.Incident.FirstActivityTimeUTC | Date | The date and time of the incident's first activity. |
| AzureSentinel.Incident.LastActivityTimeUTC | Date | The date and time of the incident's last activity. |
| AzureSentinel.Incident.LastModifiedTimeUTC | Date | The date and time the incident was last modified. |
| AzureSentinel.Incident.CreatedTimeUTC | Date | The date and time the incident was created. |
| AzureSentinel.Incident.IncidentNumber | Number | The incident number. |
| AzureSentinel.Incident.AlertsCount | Number | The number of alerts in the incident. |
| AzureSentinel.Incident.BookmarkCount | Number | The number of bookmarks in the incident. |
| AzureSentinel.Incident.CommentCount | Number | The number of comments in the incident. |
| AzureSentinel.Incident.AlertProductNames | String | The alert product names of the incident. |
| AzureSentinel.Incident.Tactics | String | The incident's tactics. |
| AzureSentinel.Incident.FirstActivityTimeGenerated | Date | The incident's generated first activity time. |
| AzureSentinel.Incident.LastActivityTimeGenerated | Date | The incident's generated last activity time. |
| AzureSentinel.Incident.Etag | String | The Etag of the incident. |

Command Example#

!azure-sentinel-update-incident incident_id=8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 labels=label_a,label_b

Context Example#

{
"AzureSentinel": {
"Incident": {
"AlertProductNames": [
"Azure Sentinel"
],
"AlertsCount": 1,
"AssigneeEmail": "test@test.com",
"AssigneeName": null,
"BookmarksCount": 0,
"CommentsCount": 4,
"CreatedTimeUTC": "2020-01-15T09:29:14Z",
"Deleted": false,
"Description": "Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\nexceeds a threshold (default is 100).",
"Etag": "\"27002845-0000-0100-0000-6123a3090000\"",
"FirstActivityTimeGenerated": null,
"FirstActivityTimeUTC": null,
"ID": "8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742",
"IncidentNumber": 2,
"Label": [
{
"Name": "label_a",
"Type": "User"
},
{
"Name": "label_b",
"Type": "User"
}
],
"LastActivityTimeGenerated": null,
"LastActivityTimeUTC": null,
"LastModifiedTimeUTC": "2021-08-23T13:30:49Z",
"Severity": "Informational",
"Status": "New",
"Tactics": null,
"Title": "SharePointFileOperation via previously unseen IPs"
}
}
}

Human Readable Output#

Updated incident 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 details#

| ID | Incident Number | Title | Description | Severity | Status | Assignee Email | Label | Last Modified Time UTC | Created Time UTC | Alerts Count | Bookmarks Count | Comments Count | Alert Product Names | Etag |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 | 2 | SharePointFileOperation via previously unseen IPs | Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses exceeds a threshold (default is 100). | Informational | New | test@test.com | {'Name': 'label_a', 'Type': 'User'}, {'Name': 'label_b', 'Type': 'User'} | 2021-08-23T13:30:49Z | 2020-01-15T09:29:14Z | 1 | 0 | 4 | Azure Sentinel | "27002845-0000-0100-0000-6123a3090000" |

azure-sentinel-delete-incident#


Deletes a single incident in Azure Sentinel.

Base Command#

azure-sentinel-delete-incident

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Required |

Context Output#

There is no context output for this command.

Command Example#

!azure-sentinel-delete-incident incident_id=c90cc84d-a95e-47a0-9478-89ebc9ee22fd

Context Example#

{
"AzureSentinel": {
"Incident": {
"Deleted": true,
"ID": "c90cc84d-a95e-47a0-9478-89ebc9ee22fd"
}
}
}

Human Readable Output#

Incident c90cc84d-a95e-47a0-9478-89ebc9ee22fd was deleted successfully.

azure-sentinel-list-incident-comments#


Gets the comments of an incident from Azure Sentinel.

Base Command#

azure-sentinel-list-incident-comments

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Required |
| limit | The maximum number of incident comments to return. The maximum value is 50. Default is 50. | Optional |
| next_link | A link that specifies a starting point to use for subsequent calls. Using this argument overrides all of the other command arguments. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.IncidentComment.ID | String | The ID of the incident comment. |
| AzureSentinel.IncidentComment.IncidentID | String | The incident ID. |
| AzureSentinel.IncidentComment.Message | String | The incident's comment. |
| AzureSentinel.IncidentComment.AuthorName | String | The name of the author of the incident's comment. |
| AzureSentinel.IncidentComment.AuthorEmail | String | The email address of the author of the incident comment. |
| AzureSentinel.IncidentComment.CreatedTimeUTC | Date | The date and time that the incident comment was created. |
| AzureSentinel.NextLink.Description | String | Description of NextLink. |
| AzureSentinel.NextLink.URL | String | Used if an operation returns a partial result. If a response contains a NextLink element, its value specifies a starting point to use for subsequent calls. |

Command Example#

!azure-sentinel-list-incident-comments incident_id=8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742

Context Example#

{
"AzureSentinel": {
"IncidentComment": [
{
"AuthorEmail": null,
"AuthorName": null,
"CreatedTimeUTC": "2021-08-23T13:30:42Z",
"ID": "231020399272240422047777436922721687523",
"IncidentID": "8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742",
"Message": "test messages"
},
{
"AuthorEmail": null,
"AuthorName": null,
"CreatedTimeUTC": "2021-08-23T13:26:26Z",
"ID": "251456744761940512356246980948458722890",
"IncidentID": "8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742",
"Message": "test messages"
},
{
"AuthorEmail": null,
"AuthorName": null,
"CreatedTimeUTC": "2021-08-12T10:57:44Z",
"ID": "152909182848719872520422267385960967748",
"IncidentID": "8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742",
"Message": "test messages"
},
{
"AuthorEmail": "test@test.com",
"AuthorName": null,
"CreatedTimeUTC": "2020-04-05T12:14:13Z",
"ID": "307866023137611282164566423986768628663",
"IncidentID": "8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742",
"Message": "hello world"
}
]
}
}

Human Readable Output#

Incident 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 Comments (4 results)#

| ID | Incident ID | Message | Author Email | Created Time UTC |
| --- | --- | --- | --- | --- |
| 231020399272240422047777436922721687523 | 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 | test messages | | 2021-08-23T13:30:42Z |
| 251456744761940512356246980948458722890 | 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 | test messages | | 2021-08-23T13:26:26Z |
| 152909182848719872520422267385960967748 | 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 | test messages | | 2021-08-12T10:57:44Z |
| 307866023137611282164566423986768628663 | 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 | hello world | test@test.com | 2020-04-05T12:14:13Z |

azure-sentinel-incident-add-comment#


Adds a comment to an incident in Azure Sentinel.

Base Command#

azure-sentinel-incident-add-comment

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Required |
| message | The comment message. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.IncidentComment.ID | String | The ID of the incident comment. |
| AzureSentinel.IncidentComment.IncidentID | String | The incident ID. |
| AzureSentinel.IncidentComment.Message | String | The incident's comment. |
| AzureSentinel.IncidentComment.AuthorName | String | The name of the author of the incident's comment. |
| AzureSentinel.IncidentComment.AuthorEmail | String | The email address of the author of the incident comment. |
| AzureSentinel.IncidentComment.CreatedTimeUTC | Date | The date and time that the incident comment was created. |

Command Example#

!azure-sentinel-incident-add-comment incident_id=8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 message="test messages"

Context Example#

{
"AzureSentinel": {
"IncidentComment": {
"AuthorEmail": null,
"AuthorName": null,
"CreatedTimeUTC": "2021-08-23T13:30:42Z",
"ID": "231020399272240422047777436922721687523",
"IncidentID": "8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742",
"Message": "test messages"
}
}
}

Human Readable Output#

Incident 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 new comment details#

| ID | Incident ID | Message | Created Time UTC |
| --- | --- | --- | --- |
| 231020399272240422047777436922721687523 | 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 | test messages | 2021-08-23T13:30:42Z |

azure-sentinel-incident-delete-comment#


Deletes a comment from an incident in Azure Sentinel.

Base Command#

azure-sentinel-incident-delete-comment

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Required |
| comment_id | The comment ID. | Required |

Context Output#

There is no context output for this command.

Command Example#

!azure-sentinel-incident-delete-comment incident_id=8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 comment_id="296745069631925005023508651351426"

Human Readable Output#

Comment 296745069631925005023508651351426 was deleted successfully.

azure-sentinel-list-incident-relations#


Gets a list of an incident's related entities from Azure Sentinel.

Base Command#

azure-sentinel-list-incident-relations

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Required |
| limit | The maximum number of related entities to return. Default is 50. | Optional |
| next_link | A link that specifies a starting point to use for subsequent calls. Using this argument overrides all of the other command arguments. | Optional |
| entity_kinds | A comma-separated list of entity kinds to filter by. By default, the results are not filtered by kind. The optional kinds are: Account, Host, File, AzureResource, CloudApplication, DnsResolution, FileHash, Ip, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, Url, IoTDevice, SecurityAlert, Bookmark. | Optional |
| filter | Filter results using OData syntax. For example: properties/createdTimeUtc gt 2020-02-02T14:00:00Z. For more information see the Azure documentation: https://docs.microsoft.com/bs-latn-ba/azure/search/search-query-odata-filter. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.IncidentRelatedResource.ID | String | The ID of the incident's related resource. |
| AzureSentinel.IncidentRelatedResource.Kind | String | The kind of the incident's related resource. |
| AzureSentinel.NextLink.Description | String | The description of NextLink. |
| AzureSentinel.NextLink.URL | String | Used if an operation returns a partial result. If a response contains a NextLink element, its value specifies a starting point to use for subsequent calls. |
| AzureSentinel.IncidentRelatedResource.IncidentID | String | The incident ID. |

Command Example#

!azure-sentinel-list-incident-relations incident_id=8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742

Context Example#

{
"AzureSentinel": {
"IncidentRelatedResource": {
"ID": "bfb02efc-12b7-4147-a8e8-961338b1b834",
"IncidentID": "8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742",
"Kind": "SecurityAlert"
}
}
}

Human Readable Output#

Incident 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 Relations (1 results)#

| ID | Incident ID | Kind |
| --- | --- | --- |
| bfb02efc-12b7-4147-a8e8-961338b1b834 | 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 | SecurityAlert |

azure-sentinel-list-incident-entities#


Gets a list of an incident's entities from Azure Sentinel.

Base Command#

azure-sentinel-list-incident-entities

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.IncidentEntity.ID | String | The ID of the entity. |
| AzureSentinel.IncidentEntity.IncidentId | String | The ID of the incident. |
| AzureSentinel.IncidentEntity.Kind | String | The kind of the entity. |
| AzureSentinel.IncidentEntity.Properties | Unknown | The properties of the entity. |

Command Example#

!azure-sentinel-list-incident-entities incident_id=65d8cbc0-4e4d-4acb-ab7e-8aa19936002c

Context Example#

{
"AzureSentinel": {
"IncidentEntity": {
"ID": "176567ab-1ccc-8a53-53bf-97958a78d3b5",
"IncidentId": "65d8cbc0-4e4d-4acb-ab7e-8aa19936002c",
"Kind": "Account",
"Properties": {
"aadTenantId": "176567ab-1ccc-8a53-53bf-97958a78d3b5",
"aadUserId": "176567ab-1ccc-8a53-53bf-97958a78d3b5",
"accountName": "test_user_1",
"additionalData": {
"AdditionalMailAddresses": "[\"test@test.com\"]",
"City": "SantaClara",
"Country": "United States",
"GivenName": "test_name",
"IsDeleted": "False",
"IsEnabled": "True",
"JobTitle": "test",
"MailAddress": "test@test.com",
"ManagerName": "test_manager",
"Sources": "[\"AzureActiveDirectory\"]",
"State": "California",
"StreetAddress": "test address",
"Surname": "test_name",
"SyncFromAad": "True",
"TransitiveDirectoryRoles": "[\"Global Administrator\"]",
"TransitiveGroupsMembership": "[\"kkk\"]",
"UpnName": "test",
"UserType": "Member"
},
"displayName": "Test Name",
"friendlyName": "Test Name",
"isDomainJoined": true,
"upnSuffix": "test.com"
}
}
}
}

Human Readable Output#

Incident 65d8cbc0-4e4d-4acb-ab7e-8aa19936002c Entities (1 results)#

| ID | Kind | Incident Id |
| --- | --- | --- |
| 176567ab-1ccc-8a53-53bf-97958a78d3b5 | Account | 65d8cbc0-4e4d-4acb-ab7e-8aa19936002c |
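In the Account entity above, every value under additionalData is a string: lists arrive JSON-encoded inside the string (for example TransitiveDirectoryRoles) and booleans arrive as "True"/"False". The following is an added example, not code from the integration or the Azure Sentinel pack: it decodes such an entity into native values and pulls out the triage facts the record supports. The entity is a constructed copy reduced from the context example above, and the set of role names treated as privileged is this example's own choice.

```python
"""Decode the additionalData of an Account entity taken from the
AzureSentinel.IncidentEntity context (added example, not integration code)."""
import json
from typing import Any, Dict, List

# Constructed entity, reduced from the context example above.
SAMPLE_ENTITY = {
    "ID": "176567ab-1ccc-8a53-53bf-97958a78d3b5",
    "IncidentId": "65d8cbc0-4e4d-4acb-ab7e-8aa19936002c",
    "Kind": "Account",
    "Properties": {
        "accountName": "test_user_1",
        "additionalData": {
            "AdditionalMailAddresses": "[\"test@test.com\"]",
            "IsDeleted": "False",
            "IsEnabled": "True",
            "Sources": "[\"AzureActiveDirectory\"]",
            "SyncFromAad": "True",
            "TransitiveDirectoryRoles": "[\"Global Administrator\"]",
            "TransitiveGroupsMembership": "[\"kkk\"]",
            "UserType": "Member",
        },
        "isDomainJoined": True,
        "upnSuffix": "test.com",
    },
}

# Directory roles this example treats as privileged (its own choice, not a
# list taken from the page or from Azure Sentinel).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Security Administrator"}


def decode_value(raw: Any) -> Any:
    """Turn a stringified additionalData value back into a native value.

    "True"/"False" become booleans, strings holding a JSON list or object
    are decoded, and everything else is returned unchanged.
    """
    if not isinstance(raw, str):
        return raw
    text = raw.strip()
    if text in ("True", "False"):
        return text == "True"
    if text[:1] in ("[", "{"):
        try:
            return json.loads(text)
        except json.JSONDecodeError:
            return raw  # only looked like JSON; keep the original string
    return raw


def normalize_additional_data(entity: Dict[str, Any]) -> Dict[str, Any]:
    """Return Properties.additionalData with every value decoded."""
    props = entity.get("Properties") or {}
    extra = props.get("additionalData") or {}
    return {key: decode_value(value) for key, value in extra.items()}


def privileged_roles(entity: Dict[str, Any]) -> List[str]:
    """Roles from TransitiveDirectoryRoles that are in PRIVILEGED_ROLES."""
    roles = normalize_additional_data(entity).get("TransitiveDirectoryRoles") or []
    if isinstance(roles, str):  # a bare string rather than a JSON list
        roles = [roles]
    return sorted(role for role in roles if role in PRIVILEGED_ROLES)


def summarize_account(entity: Dict[str, Any]) -> Dict[str, Any]:
    """The triage facts an analyst wants from an Account entity."""
    props = entity.get("Properties") or {}
    data = normalize_additional_data(entity)
    return {
        "kind": entity.get("Kind"),
        "account": props.get("accountName"),
        "enabled": data.get("IsEnabled"),
        "deleted": data.get("IsDeleted"),
        "sources": data.get("Sources", []),
        "privileged_roles": privileged_roles(entity),
    }


if __name__ == "__main__":
    print(summarize_account(SAMPLE_ENTITY))
```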

azure-sentinel-list-incident-alerts#


Gets a list of an incident's alerts from Azure Sentinel.

Base Command#

azure-sentinel-list-incident-alerts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.IncidentAlert.ID | String | The ID of the alert. |
| AzureSentinel.IncidentAlert.IncidentId | String | The ID of the incident. |
| AzureSentinel.IncidentAlert.Kind | String | The kind of the alert. |
| AzureSentinel.IncidentAlert.Tactic | Unknown | The tactics of the alert. |
| AzureSentinel.IncidentAlert.DisplayName | String | The display name of the alert. |
| AzureSentinel.IncidentAlert.Description | String | The description of the alert. |
| AzureSentinel.IncidentAlert.ConfidenceLevel | String | The confidence level of this alert. |
| AzureSentinel.IncidentAlert.Severity | String | The severity of the alert. |
| AzureSentinel.IncidentAlert.VendorName | String | The name of the vendor that raised the alert. |
| AzureSentinel.IncidentAlert.ProductName | String | The name of the product that published this alert. |
| AzureSentinel.IncidentAlert.ProductComponentName | String | The name of a component inside the product which generated the alert. |

Command Example#

!azure-sentinel-list-incident-alerts incident_id=25c9ddf4-d951-4b67-9381-172f953feb57

Context Example#

{
"AzureSentinel": {
"IncidentAlert": {
"ConfidenceLevel": "Unknown",
"Description": "",
"DisplayName": "Test rule",
"ID": "f3319e38-3f5b-a1eb-9970-69679dcdf916",
"IncidentId": "25c9ddf4-d951-4b67-9381-172f953feb57",
"Kind": "SecurityAlert",
"ProductComponentName": "Scheduled Alerts",
"ProductName": "Azure Sentinel",
"Severity": "Medium",
"Tactic": [
"InitialAccess",
"Persistence",
"PrivilegeEscalation",
"DefenseEvasion",
"CredentialAccess",
"Discovery",
"LateralMovement",
"Execution",
"Collection",
"Exfiltration",
"CommandAndControl",
"Impact"
],
"VendorName": "Microsoft"
}
}
}

Human Readable Output#

Incident 25c9ddf4-d951-4b67-9381-172f953feb57 Alerts (1 results)#

| ID | Kind | Incident Id |
| --- | --- | --- |
| f3319e38-3f5b-a1eb-9970-69679dcdf916 | SecurityAlert | 25c9ddf4-d951-4b67-9381-172f953feb57 |

azure-sentinel-list-watchlist-items#


Gets a single watchlist item or a list of watchlist items.

Base Command#

azure-sentinel-list-watchlist-items

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist_alias | The alias of the watchlist. | Required |
| watchlist_item_id | The ID of the single watchlist item. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.WatchlistItem.WatchlistAlias | String | The alias of the watchlist. |
| AzureSentinel.WatchlistItem.ID | String | The ID (GUID) of the watchlist item. |
| AzureSentinel.WatchlistItem.Created | Date | The time the watchlist item was created. |
| AzureSentinel.WatchlistItem.Updated | Date | The last time the watchlist item was updated. |
| AzureSentinel.WatchlistItem.CreatedBy | String | The name of the user who created this item. |
| AzureSentinel.WatchlistItem.UpdatedBy | String | The user who updated this item. |
| AzureSentinel.WatchlistItem.ItemsKeyValue | Unknown | Key-value pairs for a watchlist item. |

Command Example#

!azure-sentinel-list-watchlist-items watchlist_alias=test_4

Context Example#

{
"AzureSentinel": {
"WatchlistItem": [
{
"Created": "2021-08-23T13:30:53Z",
"CreatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd",
"ID": "28bd8f55-131b-42e6-bd5d-33d30f2d1291",
"ItemsKeyValue": {
"IP": "1.2.3.4",
"name": "test1"
},
"Name": "28bd8f55-131b-42e6-bd5d-33d30f2d1291",
"Updated": "2021-08-23T13:30:53Z",
"UpdatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd",
"WatchlistAlias": "test_4"
},
{
"Created": "2021-08-23T13:30:53Z",
"CreatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd",
"ID": "510d8f80-99ad-441d-87f3-88341cc8b439",
"ItemsKeyValue": {
"IP": "1.2.3.5",
"name": "test2"
},
"Name": "510d8f80-99ad-441d-87f3-88341cc8b439",
"Updated": "2021-08-23T13:30:53Z",
"UpdatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd",
"WatchlistAlias": "test_4"
}
]
}
}

Human Readable Output#

Watchlist items results#

| ID | Items Key Value |
| --- | --- |
| 28bd8f55-131b-42e6-bd5d-33d30f2d1291 | name: test1, IP: 1.2.3.4 |
| 510d8f80-99ad-441d-87f3-88341cc8b439 | name: test2, IP: 1.2.3.5 |

azure-sentinel-delete-watchlist-item#


Deletes a watchlist item.

Base Command#

azure-sentinel-delete-watchlist-item

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist_alias | The watchlist alias. | Required |
| watchlist_item_id | The watchlist item ID to be deleted. | Required |

Context Output#

There is no context output for this command.

Command Example#

!azure-sentinel-delete-watchlist-item watchlist_alias=test_2 watchlist_item_id=96c326c6-2dea-403c-94bd-6a005921c3c1

Human Readable Output#

Watchlist item 96c326c6-2dea-403c-94bd-6a005921c3c1 was deleted successfully.

azure-sentinel-create-update-watchlist-item#


Creates or updates a watchlist item.

Base Command#

azure-sentinel-create-update-watchlist-item

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist_alias | The watchlist alias. | Required |
| watchlist_item_id | The watchlist item ID (GUID) to update. | Optional |
| item_key_value | The JSON for the itemsKeyValue of the item (the key value is different from watchlist to watchlist). | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.WatchlistItem.WatchlistAlias | String | The alias of the watchlist. |
| AzureSentinel.WatchlistItem.ID | String | The ID (GUID) of the watchlist item. |
| AzureSentinel.WatchlistItem.Created | Date | The time the watchlist item was created. |
| AzureSentinel.WatchlistItem.Updated | Date | The last time the watchlist item was updated. |
| AzureSentinel.WatchlistItem.CreatedBy | String | The name of the user who created this watchlist item. |
| AzureSentinel.WatchlistItem.UpdatedBy | String | The user who updated this watchlist item. |
| AzureSentinel.WatchlistItem.ItemsKeyValue | Unknown | Key-value pairs for a watchlist item. |

Command Example#

!azure-sentinel-create-update-watchlist-item watchlist_alias=test_4 item_key_value={"name": "test_4_item", "IP": "4.4.4.4"}

Context Example#

{
"AzureSentinel": {
"WatchlistItem": {
"Created": "2021-08-23T13:30:59Z",
"CreatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd",
"ID": "6b21d1ef-18fa-420f-ae4a-a6f94588ebe8",
"ItemsKeyValue": {
"IP": "4.4.4.4",
"name": "test_4_item"
},
"Name": "6b21d1ef-18fa-420f-ae4a-a6f94588ebe8",
"Updated": "2021-08-23T13:30:59Z",
"UpdatedBy": "78e658fe-3ff0-4785-80e7-ef089a3d6bdd",
"WatchlistAlias": "test_4"
}
}
}

Human Readable Output#

Create watchlist item results#

| ID | Items Key Value |
| --- | --- |
| 6b21d1ef-18fa-420f-ae4a-a6f94588ebe8 | name: test_4_item, IP: 4.4.4.4 |

azure-sentinel-threat-indicator-list#


Returns a list of threat indicators.

Base Command#

azure-sentinel-threat-indicator-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_name | The name of the indicator. | Optional |
| limit | The maximum number of indicators to return. Default is 50. | Optional |
| next_link | A link that specifies a starting point to use for subsequent calls. This argument overrides all of the other command arguments. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.ThreatIndicator.ID | String | The ID of the indicator. |
| AzureSentinel.ThreatIndicator.Name | String | The name of the indicator. |
| AzureSentinel.ThreatIndicator.ETag | String | The ETag of the indicator. |
| AzureSentinel.ThreatIndicator.Type | String | The type of the indicator. |
| AzureSentinel.ThreatIndicator.Kind | String | The kind of the indicator. |
| AzureSentinel.ThreatIndicators.Confidence | Number | The confidence of the threat indicator. This is a number between 0-100. |
| AzureSentinel.ThreatIndicator.Created | Date | When the threat indicator was created. |
| AzureSentinel.ThreatIndicator.CreatedByRef | String | The creator of the indicator. |
| AzureSentinel.ThreatIndicator.ExternalID | String | The external ID of the indicator. |
| AzureSentinel.ThreatIndicator.Revoked | Boolean | Whether the threat indicator was revoked. |
| AzureSentinel.ThreatIndicator.Source | String | The source of the indicator. |
| AzureSentinel.ThreatIndicator.ETags | String | The ETags of the indicator. |
| AzureSentinel.ThreatIndicator.DisplayName | String | The display name of the indicator. |
| AzureSentinel.ThreatIndicator.Description | String | The description of the indicator. |
| AzureSentinel.ThreatIndicator.ThreatTypes | Unknown | The threat types of the indicator. |
| AzureSentinel.ThreatIndicator.KillChainPhases.KillChainName | Unknown | The kill chain name of the indicator. |
| AzureSentinel.ThreatIndicator.ParsedPattern.PatternTypeKey | Unknown | The pattern type key of the indicator. |
| AzureSentinel.ThreatIndicator.Pattern | String | The pattern of the indicator. |
| AzureSentinel.ThreatIndicator.PatternType | String | The pattern type of the indicator. |
| AzureSentinel.ThreatIndicator.ValidFrom | Date | The date from which the indicator is valid. |
| AzureSentinel.ThreatIndicator.ValidUntil | Date | The date until which the indicator is valid. |
| AzureSentinel.ThreatIndicator.KillChainPhases.PhaseName | String | The phase name of the indicator. |
| AzureSentinel.ThreatIndicator.ParsedPattern.PatternTypeValues.Value | String | The value of the indicator. |
| AzureSentinel.ThreatIndicator.ParsedPattern.PatternTypeValues.ValueType | String | The value type of the indicator. |
| AzureSentinel.ThreatIndicator.LastUpdatedTimeUtc | Date | The last updated time of the indicator. |
| AzureSentinel.ThreatIndicator.Tags | Unknown | The tags of the indicator. |
| AzureSentinel.ThreatIndicator.Types | Unknown | The threat types of the indicator. |

Command Example#

!azure-sentinel-threat-indicator-list limit=2

Human Readable Output#

Threat Indicators (2 results)#

| Name | Display Name | Values | Types | Source | Tags |
| --- | --- | --- | --- | --- | --- |
| a31f2257-1af5-5eb9-bc82-acb8cc10becd | Name | test.value | malicious-activity | Azure Sentinel | Tag |
| 1286115b-3b65-5537-e831-969045792910 | DisplayName | domain.dot | benign | Azure Sentinel | No Tags |

azure-sentinel-threat-indicator-query#


Returns a list of threat indicators with specific entities.

Base Command#

azure-sentinel-threat-indicator-query

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of indicators to return. Default is 50. | Optional |
| next_link | A link that specifies a starting point to use for subsequent calls. This argument overrides all of the other command arguments. There may be no support for pagination. | Optional |
| min_confidence | The minimum confidence number for a threat indicator. | Optional |
| max_confidence | The maximum confidence number for a threat indicator. | Optional |
| min_valid_until | Minimum valid until value of indicators to query. | Optional |
| max_valid_until | Maximum valid until value of indicators to query. | Optional |
| include_disabled | If true, the query also returns disabled indicators. Possible values are: true, false. Default is false. | Optional |
| sources | The sources of the threat indicator. | Optional |
| indicator_types | The indicator types of the threat indicator. Possible values are: ipv4, ipv6, file, url, domain. | Optional |
| threat_types | A comma-separated list of threat types of the threat indicator. Possible values are: anomalous-activity, attribution, anonymization, benign, malicious-activity, compromised, unknown. | Optional |
| keywords | A comma-separated list of keywords. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.ThreatIndicator.ID | String | The ID of the indicator. |
| AzureSentinel.ThreatIndicator.Name | String | The name of the indicator. |
| AzureSentinel.ThreatIndicator.ETag | String | The ETag of the indicator. |
| AzureSentinel.ThreatIndicator.Type | String | The type of the indicator. |
| AzureSentinel.ThreatIndicator.Kind | String | The kind of the indicator. |
| AzureSentinel.ThreatIndicators.Confidence | Number | The confidence of the threat indicator. This is a number between 0-100. |
| AzureSentinel.ThreatIndicator.Created | Date | When the threat indicator was created. |
| AzureSentinel.ThreatIndicator.CreatedByRef | String | The creator of the indicator. |
| AzureSentinel.ThreatIndicator.ExternalID | String | The external ID of the indicator. |
| AzureSentinel.ThreatIndicator.Revoked | Boolean | Whether the threat indicator was revoked. |
| AzureSentinel.ThreatIndicator.Source | String | The source of the indicator. |
| AzureSentinel.ThreatIndicator.ETags | String | The ETags of the indicator. |
| AzureSentinel.ThreatIndicator.DisplayName | String | The display name of the indicator. |
| AzureSentinel.ThreatIndicator.Description | String | The description of the indicator. |
| AzureSentinel.ThreatIndicator.ThreatTypes | Unknown | The threat types of the indicator. |
| AzureSentinel.ThreatIndicator.KillChainPhases.KillChainName | String | The kill chain name of the indicator. |
| AzureSentinel.ThreatIndicator.ParsedPattern.PatternTypeKey | Unknown | The pattern type key of the indicator. |
| AzureSentinel.ThreatIndicator.Pattern | String | The pattern of the indicator. |
| AzureSentinel.ThreatIndicator.PatternType | String | The pattern type of the indicator. |
| AzureSentinel.ThreatIndicator.ValidFrom | Date | The date from which the indicator is valid. |
| AzureSentinel.ThreatIndicator.ValidUntil | Date | The date until which the indicator is valid. |
| AzureSentinel.ThreatIndicator.KillChainPhases.PhaseName | String | The phase name of the indicator. |
| AzureSentinel.ThreatIndicator.ParsedPattern.PatternTypeValues.Value | String | The value of the indicator. |
| AzureSentinel.ThreatIndicator.ParsedPattern.PatternTypeValues.ValueType | String | The value type of the indicator. |
| AzureSentinel.ThreatIndicator.LastUpdatedTimeUtc | Date | The last updated time of the indicator. |
| AzureSentinel.ThreatIndicator.Tags | Unknown | The tags of the indicator. |
| AzureSentinel.ThreatIndicator.Types | Unknown | The threat types of the indicator. |

Command Example#

!azure-sentinel-threat-indicator-query max_confidence=70

Human Readable Output#

Threat Indicators (2 results)#

| Name | Display Name | Values | Types | Source | Confidence | Tags |
| --- | --- | --- | --- | --- | --- | --- |
| a31f2257-1af5-5eb9-bc82-acb8cc10becd | DisplayName | domain.dot | compromised | Azure Sentinel | 50 | newTag |
| 1286115b-3b65-5537-e831-969045792910 | Name | test.dot | compromised | Azure Sentinel | 68 | No Tags |

azure-sentinel-threat-indicator-create#


Creates a new threat indicator.

Base Command#

azure-sentinel-threat-indicator-create

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| value | The value of the threat indicator. | Required |
| display_name | The display name of the new indicator. | Required |
| description | The description of the new indicator. | Optional |
| indicator_type | The type of the new indicator. Possible values are: ipv4, ipv6, file, url, domain. | Required |
| hash_type | The hash type of the new indicator. This argument is mandatory if the indicator type is file. Possible values are: MD5, SHA-1, SHA-256, SHA-512. | Optional |
| confidence | The confidence of the new threat indicator. Should be a number between 0-100. | Optional |
| threat_types | A comma-separated list of threat types of the threat indicator. Possible values are: anomalous-activity, attribution, anonymization, benign, malicious-activity, compromised, unknown. | Required |
| kill_chains | The kill chains phases of the indicator. | Optional |
| tags | A comma-separated list of tags of the new threat indicator. | Optional |
| valid_from | The date from which the indicator is valid. | Optional |
| valid_until | The date until which the indicator is valid. | Optional |
| created_by | The creator of the new indicator. | Optional |
| revoked | If true, the indicator is revoked. Possible values are: true, false. Default is false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.ThreatIndicator.ID | String | The ID of the indicator. |
| AzureSentinel.ThreatIndicator.Name | String | The name of the indicator. |
| AzureSentinel.ThreatIndicator.ETag | String | The ETag of the indicator. |
| AzureSentinel.ThreatIndicator.Type | String | The type of the indicator. |
| AzureSentinel.ThreatIndicator.Kind | String | The kind of the indicator. |
| AzureSentinel.ThreatIndicators.Confidence | Number | The confidence of the threat indicator. This is a number between 0-100. |
| AzureSentinel.ThreatIndicator.Created | Date | When the threat indicator was created. |
| AzureSentinel.ThreatIndicator.CreatedByRef | String | The creator of the indicator. |
| AzureSentinel.ThreatIndicator.ExternalID | String | The external ID of the indicator. |
| AzureSentinel.ThreatIndicator.Revoked | Boolean | Whether the threat indicator was revoked. |
| AzureSentinel.ThreatIndicator.Source | String | The source of the indicator. |
| AzureSentinel.ThreatIndicator.ETags | String | The ETags of the indicator. |
| AzureSentinel.ThreatIndicator.DisplayName | String | The display name of the indicator. |
| AzureSentinel.ThreatIndicator.Description | String | The description of the indicator. |
| AzureSentinel.ThreatIndicator.ThreatTypes | Unknown | The threat types of the indicator. |
| AzureSentinel.ThreatIndicator.KillChainPhases.KillChainName | String | The kill chain name of the indicator. |
| AzureSentinel.ThreatIndicator.ParsedPattern.PatternTypeKey | Unknown | The pattern type key of the indicator. |
| AzureSentinel.ThreatIndicator.Pattern | String | The pattern of the indicator. |
| AzureSentinel.ThreatIndicator.PatternType | String | The pattern type of the indicator. |
| AzureSentinel.ThreatIndicator.ValidFrom | Date | The date from which the indicator is valid. |
| AzureSentinel.ThreatIndicator.ValidUntil | Date | The date until which the indicator is valid. |
| AzureSentinel.ThreatIndicator.KillChainPhases.PhaseName | String | The phase name of the indicator. |
| AzureSentinel.ThreatIndicator.ParsedPattern.PatternTypeValues.Value | String | The value of the indicator. |
| AzureSentinel.ThreatIndicator.ParsedPattern.PatternTypeValues.ValueType | String | The value type of the indicator. |
| AzureSentinel.ThreatIndicator.LastUpdatedTimeUtc | Date | The last updated time of the indicator. |
| AzureSentinel.ThreatIndicator.Tags | Unknown | The tags of the indicator. |
| AzureSentinel.ThreatIndicator.Types | Unknown | The threat types of the indicator. |

Command Example#

!azure-sentinel-threat-indicator-create display_name=name indicator_type=domain threat_types=benign value=good.test confidence=77

Human Readable Output#

New threat Indicator was created#

| Name | Display Name | Values | Types | Source | Confidence | Tags |
| --- | --- | --- | --- | --- | --- | --- |
| a31f2257-1af5-5eb9-bc82-acb8cc10becd | name | good.test | benign | Azure Sentinel | 77 | No Tags |
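The constraints stated in the Input table of this command (the allowed indicator_type and threat_types values, confidence between 0 and 100, hash_type mandatory for file indicators) can be checked before the command is run, and the Pattern and ParsedPattern fields of the context output can be related to the same arguments. The following is an added example, not the integration's own code: the validation rules are taken from the Input table, while the mapping from indicator_type and hash_type to a STIX 2 style pattern and to the PatternTypeKey/ValueType fields is this example's assumption. The arguments in the usage block mirror the command example above.

```python
"""Argument checks and pattern handling for threat indicator creation.

Added example, not the integration's own code. The rules in
validate_create_args come from the command's Input table; the STIX 2 style
pattern built in build_pattern and the ParsedPattern shape produced by
parse_pattern are this example's assumption about how an indicator's
Pattern and ParsedPattern context fields relate to its arguments.
"""
import re
from typing import Dict, List, Optional

# Possible indicator_type values from the page, mapped to the STIX object
# type assumed to appear in the indicator pattern.
INDICATOR_TYPES = {"ipv4": "ipv4-addr", "ipv6": "ipv6-addr", "file": "file",
                   "url": "url", "domain": "domain-name"}
HASH_TYPES = {"MD5", "SHA-1", "SHA-256", "SHA-512"}
THREAT_TYPES = {"anomalous-activity", "attribution", "anonymization", "benign",
                "malicious-activity", "compromised", "unknown"}


def split_csv(raw: Optional[str]) -> List[str]:
    """Split a comma-separated argument value, dropping blank parts."""
    return [part.strip() for part in (raw or "").split(",") if part.strip()]


def validate_create_args(args: Dict[str, str]) -> List[str]:
    """Return every documented constraint the arguments violate (empty = ok)."""
    problems: List[str] = []
    for name in ("value", "display_name", "indicator_type", "threat_types"):
        if not args.get(name):
            problems.append(f"{name} is required")
    itype = args.get("indicator_type")
    if itype and itype not in INDICATOR_TYPES:
        problems.append(f"indicator_type must be one of {sorted(INDICATOR_TYPES)}")
    # hash_type is only mandatory for file indicators
    if itype == "file" and args.get("hash_type") not in HASH_TYPES:
        problems.append(f"hash_type is mandatory for file indicators: {sorted(HASH_TYPES)}")
    unknown = sorted(set(split_csv(args.get("threat_types"))) - THREAT_TYPES)
    if unknown:
        problems.append(f"unknown threat_types: {unknown}")
    confidence = args.get("confidence")
    if confidence is not None:
        # isdigit() rejects signs and decimals, so "-5" and "7.5" fail here
        if not str(confidence).isdigit() or not 0 <= int(confidence) <= 100:
            problems.append("confidence must be an integer between 0 and 100")
    return problems


def build_pattern(indicator_type: str, value: str,
                  hash_type: Optional[str] = None) -> str:
    """Build the single-comparison STIX pattern assumed for the indicator."""
    obj = INDICATOR_TYPES[indicator_type]
    prop = f"hashes.'{hash_type}'" if indicator_type == "file" else "value"
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"[{obj}:{prop} = '{escaped}']"


_PATTERN_RE = re.compile(
    r"^\[(?P<key>[a-z0-9-]+):(?P<prop>[^\s=]+) = '(?P<value>(?:[^'\\]|\\.)*)'\]$")


def parse_pattern(pattern: str) -> Dict[str, object]:
    """Split a pattern into the ParsedPattern shape of the context output."""
    match = _PATTERN_RE.match(pattern)
    if not match:
        raise ValueError(f"unsupported pattern: {pattern}")
    value = re.sub(r"\\(.)", r"\1", match.group("value"))  # undo escaping
    return {"PatternTypeKey": match.group("key"),
            "PatternTypeValues": [{"Value": value,
                                   "ValueType": match.group("prop")}]}


if __name__ == "__main__":
    # The arguments of the command example above.
    example = {"display_name": "name", "indicator_type": "domain",
               "threat_types": "benign", "value": "good.test", "confidence": "77"}
    print(validate_create_args(example))
    pattern = build_pattern(example["indicator_type"], example["value"])
    print(pattern, parse_pattern(pattern))
```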

azure-sentinel-threat-indicator-update#


Updates an existing threat indicator.

Base Command#

azure-sentinel-threat-indicator-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_name | The name of the indicator. | Required |
| value | The value of the indicator. | Required |
| display_name | The display name of the indicator. | Required |
| description | The description of the threat indicator. | Optional |
| indicator_type | The type of the indicator. Possible values are: ipv4, ipv6, file, url, domain. | Required |
| hash_type | The hash type of the indicator. This argument is mandatory if indicator_type is file. | Optional |
| revoked | Whether the indicator is revoked. | Optional |
| confidence | The confidence of the threat indicator. This is a number between 0-100. | Optional |
| threat_types | A comma-separated list of threat types of the threat indicator. Possible values are: anomalous-activity, attribution, anonymization, benign, malicious-activity, compromised, unknown. | Optional |
| kill_chains | A comma-separated list of kill chain phases of the indicator. | Optional |
| tags | A comma-separated list of tags of the threat indicator. | Optional |
| valid_from | The date from which the indicator is valid. | Optional |
| valid_until | The date until which the indicator is valid. | Optional |
| created_by | The creator of the indicator. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.ThreatIndicator.ID | String | The ID of the indicator. |
| AzureSentinel.ThreatIndicator.Name | String | The name of the indicator. |
| AzureSentinel.ThreatIndicator.ETag | String | The ETag of the indicator. |
| AzureSentinel.ThreatIndicator.Type | String | The type of the indicator. |
| AzureSentinel.ThreatIndicator.Kind | String | The kind of the indicator. |
| AzureSentinel.ThreatIndicators.Confidence | Number | The confidence of the threat indicator. This is a number between 0-100. |
| AzureSentinel.ThreatIndicator.Created | Date | When the threat indicator was created. |
| AzureSentinel.ThreatIndicator.CreatedByRef | String | The creator of the indicator. |
| AzureSentinel.ThreatIndicator.ExternalID | String | The external ID of the indicator. |
| AzureSentinel.ThreatIndicator.Revoked | Boolean | Whether the threat indicator was revoked. |
| AzureSentinel.ThreatIndicator.Source | String | The source of the indicator. |
| AzureSentinel.ThreatIndicator.ETags | String | The ETags of the indicator. |
| AzureSentinel.ThreatIndicator.DisplayName | String | The display name of the indicator. |
| AzureSentinel.ThreatIndicator.Description | String | The description of the indicator. |
| AzureSentinel.ThreatIndicator.ThreatTypes | Unknown | The threat types of the indicator. |
| AzureSentinel.ThreatIndicator.KillChainPhases.KillChainName | String | The kill chain name of the indicator. |
| AzureSentinel.ThreatIndicator.ParsedPattern.PatternTypeKey | Unknown | The pattern type key of the indicator. |
| AzureSentinel.ThreatIndicator.Pattern | String | The pattern of the indicator. |
| AzureSentinel.ThreatIndicator.PatternType | String | The pattern type of the indicator. |
| AzureSentinel.ThreatIndicator.ValidFrom | Date | The date from which the indicator is valid. |
| AzureSentinel.ThreatIndicator.ValidUntil | Date | The date until which the indicator is valid. |
| AzureSentinel.ThreatIndicator.KillChainPhases.PhaseName | String | The phase name of the indicator. |
| AzureSentinel.ThreatIndicator.ParsedPattern.PatternTypeValues.Value | String | The value of the indicator. |
| AzureSentinel.ThreatIndicator.ParsedPattern.PatternTypeValues.ValueType | String | The value type of the indicator. |
| AzureSentinel.ThreatIndicator.LastUpdatedTimeUtc | Date | The last updated time of the indicator. |
| AzureSentinel.ThreatIndicator.Tags | Unknown | The tags of the indicator. |
| AzureSentinel.ThreatIndicator.Types | Unknown | The threat types of the indicator. |

Command Example#

!azure-sentinel-threat-indicator-update indicator_name=a31f2257-1af5-5eb9-bc82-acb8cc10becd display_name=WeChangedTheDisplayName indicator_type="domain-name" value=verynew.value

Human Readable Output#

Threat Indicator a31f2257-1af5-5eb9-bc82-acb8cc10becd was updated#

| Name | Display Name | Values | Types | Source | Tags |
| --- | --- | --- | --- | --- | --- |
| a31f2257-1af5-5eb9-bc82-acb8cc10becd | WeChangedTheDisplayName | verynew.value | malicious-activity | Azure Sentinel | ReplaceTheTag |

azure-sentinel-threat-indicator-delete#


Deletes an existing threat indicator.

Base Command#

azure-sentinel-threat-indicator-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_names | A comma-separated list of indicators to delete. | Required |

Context Output#

There is no context output for this command.

Command Example#

!azure-sentinel-threat-indicator-delete indicator_names=1286115b-3b65-5537-e831-969045792910

Human Readable Output#

Threat Intelligence Indicators 1286115b-3b65-5537-e831-969045792910 were deleted successfully.

azure-sentinel-threat-indicator-tags-append#


Appends new tags to an existing indicator.

Base Command#

azure-sentinel-threat-indicator-tags-append

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_name | The name of the indicator. | Required |
| tags | A comma-separated list of tags to append. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.ThreatIndicator.ID | String | The ID of the indicator. |
| AzureSentinel.ThreatIndicator.Name | String | The name of the indicator. |
| AzureSentinel.ThreatIndicator.ETag | String | The ETag of the indicator. |
| AzureSentinel.ThreatIndicator.Type | String | The type of the indicator. |
| AzureSentinel.ThreatIndicator.Kind | String | The kind of the indicator. |
| AzureSentinel.ThreatIndicators.Confidence | Number | The confidence of the threat indicator. This is a number between 0-100. |
| AzureSentinel.ThreatIndicator.Created | Date | When the threat indicator was created. |
| AzureSentinel.ThreatIndicator.CreatedByRef | String | The creator of the indicator. |
| AzureSentinel.ThreatIndicator.ExternalID | String | The external ID of the indicator. |
| AzureSentinel.ThreatIndicator.Revoked | Boolean | Whether the threat indicator was revoked. |
| AzureSentinel.ThreatIndicator.Source | String | The source of the indicator. |
| AzureSentinel.ThreatIndicator.ETags | String | The ETags of the indicator. |
| AzureSentinel.ThreatIndicator.DisplayName | String | The display name of the indicator. |
| AzureSentinel.ThreatIndicator.Description | String | The description of the indicator. |
| AzureSentinel.ThreatIndicator.ThreatTypes | Unknown | The threat types of the indicator. |
| AzureSentinel.ThreatIndicator.KillChainPhases.KillChainName | String | The kill chain name of the indicator. |
| AzureSentinel.ThreatIndicator.ParsedPattern.PatternTypeKey | Unknown | The pattern type key of the indicator. |
| AzureSentinel.ThreatIndicator.Pattern | String | The pattern of the indicator. |
| AzureSentinel.ThreatIndicator.PatternType | String | The pattern type of the indicator. |
| AzureSentinel.ThreatIndicator.ValidFrom | Date | The date from which the indicator is valid. |
| AzureSentinel.ThreatIndicator.ValidUntil | Date | The date until which the indicator is valid. |
| AzureSentinel.ThreatIndicator.KillChainPhases.PhaseName | String | The phase name of the indicator. |
| AzureSentinel.ThreatIndicator.ParsedPattern.PatternTypeValues.Value | String | The value of the indicator. |
| AzureSentinel.ThreatIndicator.ParsedPattern.PatternTypeValues.ValueType | String | The value type of the indicator. |
| AzureSentinel.ThreatIndicator.LastUpdatedTimeUtc | Date | The last updated time of the indicator. |
| AzureSentinel.ThreatIndicator.Tags | Unknown | The tags of the indicator. |
| AzureSentinel.ThreatIndicator.Types | Unknown | The threat types of the indicator. |

Command Example#

!azure-sentinel-threat-indicator-tags-append indicator_name=1286115b-3b65-5537-e831-969045792910 tags=newtag

Human Readable Output#

Tags were appended to 1286115b-3b65-5537-e831-969045792910 Threat Indicator.

azure-sentinel-threat-indicator-tags-replace#


Replaces the tags of a given indicator.

Base Command#

azure-sentinel-threat-indicator-tags-replace

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| indicator_name | The name of the indicator. | Required |
| tags | A comma-separated list of tags to replace. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.ThreatIndicator.ID | String | The ID of the indicator. |
| AzureSentinel.ThreatIndicator.Name | String | The name of the indicator. |
| AzureSentinel.ThreatIndicator.ETag | String | The ETag of the indicator. |
| AzureSentinel.ThreatIndicator.Type | String | The type of the indicator. |
| AzureSentinel.ThreatIndicator.Kind | String | The kind of the indicator. |
| AzureSentinel.ThreatIndicators.Confidence | Number | The confidence of the threat indicator. This is a number between 0-100. |
| AzureSentinel.ThreatIndicator.Created | Date | When the threat indicator was created. |
| AzureSentinel.ThreatIndicator.CreatedByRef | String | The creator of the indicator. |
| AzureSentinel.ThreatIndicator.ExternalID | String | The external ID of the indicator. |
| AzureSentinel.ThreatIndicator.Revoked | Boolean | Whether the threat indicator was revoked. |
| AzureSentinel.ThreatIndicator.Source | String | The source of the indicator. |
| AzureSentinel.ThreatIndicator.ETags | String | The ETags of the indicator. |
| AzureSentinel.ThreatIndicator.DisplayName | String | The display name of the indicator. |
| AzureSentinel.ThreatIndicator.Description | String | The description of the indicator. |
| AzureSentinel.ThreatIndicator.ThreatTypes | Unknown | The threat types of the indicator. |
| AzureSentinel.ThreatIndicator.KillChainPhases.KillChainName | String | The kill chain name of the indicator. |
| AzureSentinel.ThreatIndicator.ParsedPattern.PatternTypeKey | Unknown | The pattern type key of the indicator. |
| AzureSentinel.ThreatIndicator.Pattern | String | The pattern of the indicator. |
| AzureSentinel.ThreatIndicator.PatternType | String | The pattern type of the indicator. |
| AzureSentinel.ThreatIndicator.ValidFrom | Date | The date from which the indicator is valid. |
| AzureSentinel.ThreatIndicator.ValidUntil | Date | The date until which the indicator is valid. |
| AzureSentinel.ThreatIndicator.KillChainPhases.PhaseName | String | The phase name of the indicator. |
| AzureSentinel.ThreatIndicator.ParsedPattern.PatternTypeValues.Value | String | The value of the indicator. |
| AzureSentinel.ThreatIndicator.ParsedPattern.PatternTypeValues.ValueType | String | The value type of the indicator. |
| AzureSentinel.ThreatIndicator.LastUpdatedTimeUtc | Date | The last updated time of the indicator. |
| AzureSentinel.ThreatIndicator.Tags | Unknown | The tags of the indicator. |
| AzureSentinel.ThreatIndicator.Types | Unknown | The threat types of the indicator. |

Command Example#

!azure-sentinel-threat-indicator-tags-replace indicator_name=1286115b-3b65-5537-e831-969045792910 tags=newtag

Human Readable Output#

Tags were replaced to 1286115b-3b65-5537-e831-969045792910 Threat Indicator.