Azure Sentinel
This Integration is part of the Azure Sentinel Pack.#
Use the Azure Sentinel integration to get and manage incidents and get related entity information for incidents. This integration was integrated and tested with version 2021-04-01 of Azure Sentinel.
Authorize Cortex XSOAR for Azure Sentinel#
Follow these steps for a self-deployed configuration.
- To use a self-configured Azure application, you need to add a new Azure App Registration in the Azure Portal. To add the registration, refer to the Register an application section of the following Microsoft article. (Note: There is no need to create a redirect URI or complete subsequent steps of the article).
- In your registered app - create a new Client secret.
- Navigate in the Azure Portal to App registrations > your registered application > Certificates & secrets and click + New client secret.
- Copy and save the new secret value to use in the add credentials step.
- Assign a role to the registered app.
- In Azure portal, go to the Subscriptions and select the subscription you are using -> Access control (IAM).
- Click Add -> Add role assignment.
- Select the Azure Sentinel Contributor role -> Select your registered app, and click Save.
- In Cortex XSOAR, go to Settings > Integrations > Credentials and create a new credentials set.
- In the Username parameter, enter your registered app Application (client) ID.
- In the Password parameter, enter the secret value you created.
- Copy your tenant ID for the integration configuration usage.
Configure the server URL#
If you have a dedicated server URL, enter it in the Server Url parameter.
Get the additional instance parameters#
To get the Subscription ID, Workspace Name and Resource Group parameters, in the Azure Portal navigate to Azure Sentinel > your workspace > Settings and click the Workspace Settings tab.
Configure Azure Sentinel on Cortex XSOAR#
Navigate to Settings > Integrations > Servers & Services.
Search for Azure Sentinel.
Click Add instance to create and configure a new integration instance.
Parameter Required Server URL False Tenant ID True Client ID True Subscription ID True Resource Group Name True Workspace Name True Fetch incidents False First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) False The minimum severity of incidents to fetch False Incident type False Trust any certificate (not secure) False Use system proxy settings False Click Test to validate the URLs, token, and connection.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
azure-sentinel-get-incident-by-id#
Gets a single incident from Azure Sentinel.
Base Command#
azure-sentinel-get-incident-by-id
Input#
| Argument Name | Description | Required |
|---|---|---|
| incident_id | The incident ID. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| AzureSentinel.Incident.ID | String | The incident ID. |
| AzureSentinel.Incident.Title | String | The incident title. |
| AzureSentinel.Incident.Description | String | Description of the incident. |
| AzureSentinel.Incident.Severity | String | The incident severity. |
| AzureSentinel.Incident.Status | String | The incident status. |
| AzureSentinel.Incident.AssigneeName | String | The name of the incident assignee. |
| AzureSentinel.Incident.AssigneeEmail | String | The email address of the incident assignee. |
| AzureSentinel.Incident.Label.Name | String | The name of the incident label. |
| AzureSentinel.Incident.Label.Type | String | The incident label type. |
| AzureSentinel.Incident.FirstActivityTimeUTC | Date | The date and time of the incident's first activity. |
| AzureSentinel.Incident.LastActivityTimeUTC | Date | The date and time of the incident's last activity. |
| AzureSentinel.Incident.LastModifiedTimeUTC | Date | The date and time the incident was last modified. |
| AzureSentinel.Incident.CreatedTimeUTC | Date | The date and time the incident was created. |
| AzureSentinel.Incident.IncidentNumber | Number | The incident number. |
| AzureSentinel.Incident.AlertsCount | Number | The number of the alerts in the incident. |
| AzureSentinel.Incident.BookmarkCount | Number | The number of bookmarks in the incident. |
| AzureSentinel.Incident.CommentCount | Number | The number of comments in the incident. |
| AzureSentinel.Incident.AlertProductNames | String | The alert product names of the incident. |
| AzureSentinel.Incident.Tactics | String | The incident's tactics. |
| AzureSentinel.Incident.FirstActivityTimeGenerated | Date | The incident's generated first activity time. |
| AzureSentinel.Incident.LastActivityTimeGenerated | Date | The incident's generated last activity time. |
| AzureSentinel.Incident.Etag | String | The Etag of the incident. |
Command Example#
!azure-sentinel-get-incident-by-id incident_id=8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742
Context Example#
Human Readable Output#
Incident 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 details#
ID Incident Number Title Description Severity Status Assignee Email Label Last Modified Time UTC Created Time UTC Alerts Count Bookmarks Count Comments Count Alert Product Names Etag 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 2 SharePointFileOperation via previously unseen IPs Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses
exceeds a threshold (default is 100).Informational New test@test.com {'Name': 'label_a', 'Type': 'User'},
{'Name': 'label_b', 'Type': 'User'}2021-08-23T13:28:51Z 2020-01-15T09:29:14Z 1 0 3 Azure Sentinel "2700a244-0000-0100-0000-6123a2930000"
azure-sentinel-list-incidents#
Gets a list of incidents from Azure Sentinel.
Base Command#
azure-sentinel-list-incidents
Input#
| Argument Name | Description | Required |
|---|---|---|
| limit | The maximum number of incidents to return. The default and maximum value is 50. | Optional |
| filter | Filter results using OData syntax. For example: properties/createdTimeUtc gt 2020-02-02T14:00:00Z`). For more information see the Azure documentation: https://docs.microsoft.com/bs-latn-ba/azure/search/search-query-odata-filter. | Optional |
| next_link | A link that specifies a starting point to use for subsequent calls. This argument overrides all of the other command arguments. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| AzureSentinel.Incident.ID | String | The incident ID. |
| AzureSentinel.Incident.Title | String | The incident title. |
| AzureSentinel.Incident.Description | String | Description of the incident. |
| AzureSentinel.Incident.Severity | String | The incident severity. |
| AzureSentinel.Incident.Status | String | The incident status. |
| AzureSentinel.Incident.AssigneeName | String | The name of the incident assignee. |
| AzureSentinel.Incident.AssigneeEmail | String | The email address of the incident assignee. |
| AzureSentinel.Incident.Label.Name | String | The name of the incident label. |
| AzureSentinel.Incident.Label.Type | String | The incident label type. |
| AzureSentinel.Incident.FirstActivityTimeUTC | Date | The date and time of the incident's first activity. |
| AzureSentinel.Incident.LastActivityTimeUTC | Date | The date and time of the incident's last activity. |
| AzureSentinel.Incident.LastModifiedTimeUTC | Date | The date and time the incident was last modified. |
| AzureSentinel.Incident.CreatedTimeUTC | Date | The date and time the incident was created. |
| AzureSentinel.Incident.IncidentNumber | Number | The incident number. |
| AzureSentinel.Incident.AlertsCount | Number | The number of the alerts in the incident. |
| AzureSentinel.Incident.BookmarkCount | Number | The number of bookmarks in the incident. |
| AzureSentinel.Incident.CommentCount | Number | The number of comments in the incident. |
| AzureSentinel.Incident.AlertProductNames | String | The alert product names of the incident. |
| AzureSentinel.Incident.Tactics | String | The incident's tactics. |
| AzureSentinel.Incident.FirstActivityTimeGenerated | Date | The incident's generated first activity time. |
| AzureSentinel.Incident.LastActivityTimeGenerated | Date | The incident's generated last activity time. |
| AzureSentinel.NextLink.Description | String | Description of nextLink. |
| AzureSentinel.NextLink.URL | String | Used if an operation returns partial results. If a response contains a nextLink element, its value specifies a starting point to use for subsequent calls. |
| AzureSentinel.Incident.Etag | String | The Etag of the incident. |
Command Example#
!azure-sentinel-list-incidents limit=5
Context Example#
Human Readable Output#
Incidents List (5 results)#
ID Incident Number Title Description Severity Status Assignee Email Label First Activity Time UTC Last Activity Time UTC Last Modified Time UTC Created Time UTC Alerts Count Bookmarks Count Comments Count Alert Product Names Etag 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 2 SharePointFileOperation via previously unseen IPs Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses
exceeds a threshold (default is 100).Informational New test@test.com {'Name': 'label_a', 'Type': 'User'},
{'Name': 'label_b', 'Type': 'User'}2021-08-23T13:28:51Z 2020-01-15T09:29:14Z 1 0 3 Azure Sentinel "2700a244-0000-0100-0000-6123a2930000" e0b06d71-b5a3-43a9-997f-f25b45085cb7 4 SharePointFileOperation via previously unseen IPs Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses
exceeds a threshold (default is 100).Low New test@test.com {'Name': 'f', 'Type': 'User'},
{'Name': 'o', 'Type': 'User'},
{'Name': 'o', 'Type': 'User'},
{'Name': '1', 'Type': 'User'}2021-05-10T12:49:54Z 2020-01-15T09:34:12Z 1 0 0 Azure Sentinel "dc00cb1c-0000-0100-0000-60992bf20000" a7977be7-1008-419b-877b-6793b7402a80 6 SharePointFileOperation via previously unseen IPs Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses
exceeds a threshold (default is 100).Medium New 2020-01-15T08:04:05Z 2020-01-15T09:04:05Z 2020-01-15T09:40:09Z 2020-01-15T09:40:09Z 1 0 0 Azure Sentinel "0100c30e-0000-0100-0000-5fb883be0000" 6440c129-c313-418c-a262-5df608aa9cd2 7 test_title Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses
exceeds a threshold (default is 100).Medium Active 2020-12-17T12:26:49Z 2020-01-15T09:44:12Z 1 0 1 Azure Sentinel "0600a81f-0000-0100-0000-5fdb4e890000" 413e9d64-c7b4-4e33-ae26-bb39710d2187 9 SharePointFileOperation via previously unseen IPs Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses
exceeds a threshold (default is 100).Medium New 2020-01-15T08:44:06Z 2020-01-15T09:44:06Z 2020-01-15T09:49:12Z 2020-01-15T09:49:12Z 1 0 0 Azure Sentinel "0100b70e-0000-0100-0000-5fb883bd0000"
azure-sentinel-list-watchlists#
Gets a list of watchlists from Azure Sentinel.
Base Command#
azure-sentinel-list-watchlists
Input#
| Argument Name | Description | Required |
|---|---|---|
| watchlist_alias | Alias of specific watchlist to get. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| AzureSentinel.Watchlist.ID | String | The watchlist ID. |
| AzureSentinel.Watchlist.Description | String | A description of the watchlist. |
| AzureSentinel.Watchlist.DisplayName | String | The display name of the watchlist. |
| AzureSentinel.Watchlist.Provider | String | The provider of the watchlist. |
| AzureSentinel.Watchlist.Source | String | The source of the watchlist. |
| AzureSentinel.Watchlist.Created | Date | The time the watchlist was created. |
| AzureSentinel.Watchlist.Updated | Date | The last time the watchlist was updated. |
| AzureSentinel.Watchlist.CreatedBy | String | The name of the user who created the watchlist. |
| AzureSentinel.Watchlist.UpdatedBy | String | The name of the user who updated the Watchlist. |
| AzureSentinel.Watchlist.Alias | String | The alias of the watchlist. |
| AzureSentinel.Watchlist.Label | unknown | Label that will be used to tag and filter on. |
| AzureSentinel.Watchlist.ItemsSearchKey | String | The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. |
| AzureSentinel.NextLink.Description | String | Description of nextLink. |
| AzureSentinel.NextLink.URL | String | Used if an operation returns partial results. If a response contains a nextLink element, its value specifies a starting point to use for subsequent calls. |
Command Example#
!azure-sentinel-list-watchlists
Context Example#
Human Readable Output#
Watchlists results#
Name ID Description booboo 35bffe30-19f2-40a6-8855-4a858e161fad just for fun test_2 ceae6089-10dd-4f02-89d5-ab32285688dc test watchlist test_1 92863c74-fee7-4ffe-8288-bc1529d12597 test_4 84d1fedd-5945-4670-ae34-5e8c94af2660 test watchlist
azure-sentinel-delete-watchlist#
Delete a watchlists from Azure Sentinel.
Base Command#
azure-sentinel-delete-watchlist
Input#
| Argument Name | Description | Required |
|---|---|---|
| watchlist_alias | Alias of the watchlist to be deleted. | Required |
Context Output#
There is no context output for this command.
Command Example#
!azure-sentinel-delete-watchlist watchlist_alias=test_4
Human Readable Output#
Watchlist test_4 was deleted successfully.
azure-sentinel-watchlist-create-update#
Create or update a watchlist in Azure Sentinel.
Base Command#
azure-sentinel-watchlist-create-update
Input#
| Argument Name | Description | Required |
|---|---|---|
| watchlist_alias | The alias of the new watchlist or the watchlist to update. | Required |
| watchlist_display_name | The display name of the watchlist. | Required |
| description | The description of the watchlist. | Optional |
| provider | The provider of the watchlist. Default is XSOAR. | Optional |
| source | The source of the watchlist. Possible values are: Local file, Remote storage. | Required |
| labels | The labels of the watchlist. | Optional |
| lines_to_skip | The number of lines in a CSV content to skip before the header. Default is 0. | Optional |
| raw_content | A file entry with raw content that represents the watchlist items to create. | Required |
| items_search_key | The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. | Required |
| content_type | The content type of the raw content. For now, only text/CSV is valid. Default is Text/Csv. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| AzureSentinel.Watchlist.Name | String | The name of the watchlist. |
| AzureSentinel.Watchlist.ID | String | The ID (GUID) of the watchlist. |
| AzureSentinel.Watchlist.Description | String | A description of the watchlist. |
| AzureSentinel.Watchlist.Provider | String | The provider of the watchlist. |
| AzureSentinel.Watchlist.Source | String | The source of the watchlist. |
| AzureSentinel.Watchlist.Created | Date | The time the watchlist was created. |
| AzureSentinel.Watchlist.Updated | Date | The time the watchlist was updated. |
| AzureSentinel.Watchlist.CreatedBy | String | The user was created the watchlist. |
| AzureSentinel.Watchlist.UpdatedBy | String | The user was updated the watchlist. |
| AzureSentinel.Watchlist.Alias | String | The alias of the watchlist. |
| AzureSentinel.Watchlist.Label | Unknown | List of labels relevant to this watchlist. |
| AzureSentinel.Watchlist.ItemsSearchKey | String | The search key is used to optimize query performance when using watchlists for joins with other data. |
Command Example#
!azure-sentinel-watchlist-create-update items_search_key=IP raw_content=1711@3c9bd2a0-9eac-465b-8799-459df4997b2d source="Local file" watchlist_alias=test_4 watchlist_display_name=test_4 description="test watchlist"
Context Example#
Human Readable Output#
Create watchlist results#
Name ID Description test_4 84d1fedd-5945-4670-ae34-5e8c94af2660 test watchlist
azure-sentinel-update-incident#
Updates a single incident in Azure Sentinel.
Base Command#
azure-sentinel-update-incident
Input#
| Argument Name | Description | Required |
|---|---|---|
| incident_id | The incident ID. | Required |
| title | The incident's title. | Optional |
| description | Description of the incident. | Optional |
| severity | The incident severity. Possible values are: High, Medium, Low, Informational. | Optional |
| status | The incident status. Possible values are: New, Active, Closed. | Optional |
| classification | The reason the incident was closed. Required when updating the status to Closed. Possible values are: BenignPositive, FalsePositive, TruePositive, Undetermined. | Optional |
| classification_comment | Describes the reason the incident was closed. | Optional |
| classification_reason | The classification reason the incident was closed with. Required when updating the status to Closed and the classification is determined. Possible values are: InaccurateData, IncorrectAlertLogic, SuspiciousActivity, SuspiciousButExpected. | Optional |
| assignee_email | The email address of the incident assignee. Note that the updated API field is owner.email. | Optional |
| labels | Incident labels. Note that all labels will be set as labelType='User'. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| AzureSentinel.Incident.ID | String | The incident ID. |
| AzureSentinel.Incident.Title | String | The incident's title. |
| AzureSentinel.Incident.Description | String | Description of the incident. |
| AzureSentinel.Incident.Severity | String | The incident severity. |
| AzureSentinel.Incident.Status | String | The incident status. |
| AzureSentinel.Incident.AssigneeName | String | The name of the incident assignee. |
| AzureSentinel.Incident.AssigneeEmail | String | The email address of the incident assignee. |
| AzureSentinel.Incident.Label.Name | String | The name of the incident label. |
| AzureSentinel.Incident.Label.Type | String | The incident label type. |
| AzureSentinel.Incident.FirstActivityTimeUTC | Date | The date and time of the incident's first activity. |
| AzureSentinel.Incident.LastActivityTimeUTC | Date | The date and time of the incident's last activity. |
| AzureSentinel.Incident.LastModifiedTimeUTC | Date | The date and time the incident was last modified. |
| AzureSentinel.Incident.CreatedTimeUTC | Date | The date and time the incident was created. |
| AzureSentinel.Incident.IncidentNumber | Number | The incident number. |
| AzureSentinel.Incident.AlertsCount | Number | The number of the alerts in the incident. |
| AzureSentinel.Incident.BookmarkCount | Number | The number of bookmarks in the incident. |
| AzureSentinel.Incident.CommentCount | Number | The number of comments in the incident. |
| AzureSentinel.Incident.AlertProductNames | String | The alert product names of the incident. |
| AzureSentinel.Incident.Tactics | String | The incident's tactics. |
| AzureSentinel.Incident.FirstActivityTimeGenerated | Date | The incident's generated first activity time. |
| AzureSentinel.Incident.LastActivityTimeGenerated | Date | The incident's generated last activity time. |
| AzureSentinel.Incident.Etag | String | The Etag of the incident. |
Command Example#
!azure-sentinel-update-incident incident_id=8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 labels=label_a,label_b
Context Example#
Human Readable Output#
Updated incidents 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 details#
ID Incident Number Title Description Severity Status Assignee Email Label Last Modified Time UTC Created Time UTC Alerts Count Bookmarks Count Comments Count Alert Product Names Etag 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 2 SharePointFileOperation via previously unseen IPs Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses
exceeds a threshold (default is 100).Informational New test@test.com {'Name': 'label_a', 'Type': 'User'},
{'Name': 'label_b', 'Type': 'User'}2021-08-23T13:30:49Z 2020-01-15T09:29:14Z 1 0 4 Azure Sentinel "27002845-0000-0100-0000-6123a3090000"
azure-sentinel-delete-incident#
Deletes a single incident in Azure Sentinel.
Base Command#
azure-sentinel-delete-incident
Input#
| Argument Name | Description | Required |
|---|---|---|
| incident_id | The incident ID. | Required |
Context Output#
There is no context output for this command.
Command Example#
!azure-sentinel-delete-incident incident_id=c90cc84d-a95e-47a0-9478-89ebc9ee22fd
Context Example#
Human Readable Output#
Incident c90cc84d-a95e-47a0-9478-89ebc9ee22fd was deleted successfully.
azure-sentinel-list-incident-comments#
Gets the comments of an incident from Azure Sentinel.
Base Command#
azure-sentinel-list-incident-comments
Input#
| Argument Name | Description | Required |
|---|---|---|
| incident_id | The incident ID. | Required |
| limit | The maximum number of incident comments to return. The default and maximum value is 50. | Optional |
| next_link | A link that specifies a starting point to use for subsequent calls. Using this argument overrides all of the other command arguments. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| AzureSentinel.IncidentComment.ID | String | The ID of the incident comment. |
| AzureSentinel.IncidentComment.IncidentID | String | The incident ID. |
| AzureSentinel.IncidentComment.Message | String | The incident comment. |
| AzureSentinel.IncidentComment.AuthorName | String | The name of the author of the incident comment. |
| AzureSentinel.IncidentComment.AuthorEmail | String | The email address of the author of the incident comment. |
| AzureSentinel.IncidentComment.CreatedTimeUTC | Date | The date and time that the incident comment was created. |
| AzureSentinel.NextLink.Description | String | Description of nextLink. |
| AzureSentinel.NextLink.URL | String | Used if an operation returns a partial result. If a response contains a nextLink element, its value specifies a starting point to use for subsequent calls. |
Command Example#
!azure-sentinel-list-incident-comments incident_id=8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742
Context Example#
Human Readable Output#
Incident 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 Comments (4 results)#
ID Incident ID Message Author Email Created Time UTC 231020399272240422047777436922721687523 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 test messages 2021-08-23T13:30:42Z 251456744761940512356246980948458722890 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 test messages 2021-08-23T13:26:26Z 152909182848719872520422267385960967748 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 test messages 2021-08-12T10:57:44Z 307866023137611282164566423986768628663 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 hello world test@test.com 2020-04-05T12:14:13Z
azure-sentinel-incident-add-comment#
Adds a comment to an incident in Azure Sentinel.
Base Command#
azure-sentinel-incident-add-comment
Input#
| Argument Name | Description | Required |
|---|---|---|
| incident_id | The incident ID. | Required |
| message | The comment message. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| AzureSentinel.IncidentComment.ID | String | The ID of the incident comment. |
| AzureSentinel.IncidentComment.IncidentID | String | The incident ID. |
| AzureSentinel.IncidentComment.Message | String | The incident comment. |
| AzureSentinel.IncidentComment.AuthorName | String | The name of the author of the incident comment. |
| AzureSentinel.IncidentComment.AuthorEmail | String | The email address of the author of the incident comment. |
| AzureSentinel.IncidentComment.CreatedTimeUTC | Date | The date and time that the incident comment was created. |
Command Example#
!azure-sentinel-incident-add-comment incident_id=8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 message="test messages"
Context Example#
Human Readable Output#
Incident 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 new comment details#
ID Incident ID Message Created Time UTC 231020399272240422047777436922721687523 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 test messages 2021-08-23T13:30:42Z
azure-sentinel-incident-delete-comment#
Deletes a comment from incident in Azure Sentinel.
Base Command#
azure-sentinel-incident-delete-comment
Input#
| Argument Name | Description | Required |
|---|---|---|
| incident_id | The incident ID. | Required |
| comment_id | The comment ID. | Required |
Context Output#
There is no context output for this command.
Command Example#
!azure-sentinel-incident-delete-comment incident_id=8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 comment_id="296745069631925005023508651351426"
Human Readable Output#
Comment 296745069631925005023508651351426 was deleted successfully.
azure-sentinel-list-incident-relations#
Gets a list of an incident's related entities from Azure Sentinel.
Base Command#
azure-sentinel-list-incident-relations
Input#
| Argument Name | Description | Required |
|---|---|---|
| incident_id | The incident ID. | Required |
| limit | The maximum number of related entities to return. Default is 50. | Optional |
| next_link | A link that specifies a starting point to use for subsequent calls. Using this argument overrides all of the other command arguments. | Optional |
| entity_kinds | A comma-separated list of entity kinds to filter by. By default, the results won't be filtered by kind. The optional kinds are: Account, Host, File, AzureResource, CloudApplication, DnsResolution, FileHash, Ip, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, Url, IoTDevice, SecurityAlert, Bookmark. | Optional |
| filter | Filter results using OData syntax. For example: properties/createdTimeUtc gt 2020-02-02T14:00:00Z`). For more information see the Azure documentation: https://docs.microsoft.com/bs-latn-ba/azure/search/search-query-odata-filter. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| AzureSentinel.IncidentRelatedResource.ID | String | The ID of the incident's related resource. |
| AzureSentinel.IncidentRelatedResource.Kind | String | The kind of the incident's related resource. |
| AzureSentinel.NextLink.Description | String | The description about nextLink. |
| AzureSentinel.NextLink.URL | String | Used if an operation returns a partial result. If a response contains a nextLink element, its value specifies a starting point to use for subsequent calls. |
| AzureSentinel.IncidentRelatedResource.IncidentID | String | The incident ID. |
Command Example#
!azure-sentinel-list-incident-relations incident_id=8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742
Context Example#
Human Readable Output#
Incident 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 Relations (1 results)#
ID Incident ID Kind bfb02efc-12b7-4147-a8e8-961338b1b834 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 SecurityAlert
azure-sentinel-list-incident-entities#
Gets a list of an incident's entities from Azure Sentinel.
Base Command#
azure-sentinel-list-incident-entities
Input#
| Argument Name | Description | Required |
|---|---|---|
| incident_id | The incident ID. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| AzureSentinel.IncidentEntity.ID | String | The ID of the entity. |
| AzureSentinel.IncidentEntity.IncidentId | String | The ID of the incident. |
| AzureSentinel.IncidentEntity.Kind | String | The kind of the entity. |
| AzureSentinel.IncidentEntity.Properties | Unknown | The properties of the entity. |
Command Example#
!azure-sentinel-list-incident-entities incident_id=65d8cbc0-4e4d-4acb-ab7e-8aa19936002c
Context Example#
Human Readable Output#
Incident 65d8cbc0-4e4d-4acb-ab7e-8aa19936002c Entities (1 results)#
ID Kind Incident Id 176567ab-1ccc-8a53-53bf-97958a78d3b5 Account 65d8cbc0-4e4d-4acb-ab7e-8aa19936002c
azure-sentinel-list-incident-alerts#
Gets a list of an incident's alerts from Azure Sentinel.
Base Command#
azure-sentinel-list-incident-alerts
Input#
| Argument Name | Description | Required |
|---|---|---|
| incident_id | The incident ID. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| AzureSentinel.IncidentAlert.ID | String | The ID of the alert. |
| AzureSentinel.IncidentAlert.IncidentId | String | The ID of the incident. |
| AzureSentinel.IncidentAlert.Kind | String | The kind of the alert. |
| AzureSentinel.IncidentAlert.Tactic | Unknown | The tactics of the alert. |
| AzureSentinel.IncidentAlert.DisplayName | String | The display name of the alert. |
| AzureSentinel.IncidentAlert.Description | String | The description of the alert. |
| AzureSentinel.IncidentAlert.ConfidenceLevel | String | The confidence level of this alert. |
| AzureSentinel.IncidentAlert.Severity | String | The severity of the alert. |
| AzureSentinel.IncidentAlert.VendorName | String | The name of the vendor that raise the alert. |
| AzureSentinel.IncidentAlert.ProductName | String | The name of the product that published this alert. |
| AzureSentinel.IncidentAlert.ProductComponentName | String | The name of a component inside the product which generated the alert. |
Command Example#
!azure-sentinel-list-incident-alerts incident_id=25c9ddf4-d951-4b67-9381-172f953feb57
Context Example#
Human Readable Output#
Incident 25c9ddf4-d951-4b67-9381-172f953feb57 Alerts (1 results)#
ID Kind Incident Id f3319e38-3f5b-a1eb-9970-69679dcdf916 SecurityAlert 25c9ddf4-d951-4b67-9381-172f953feb57
azure-sentinel-list-watchlist-items#
Get single watchlist item or list of watchlist items.
Base Command#
azure-sentinel-list-watchlist-items
Input#
| Argument Name | Description | Required |
|---|---|---|
| watchlist_alias | The alias of the watchlist. | Required |
| watchlist_item_id | The ID of the single watchlist item. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| AzureSentinel.WatchlistItem.WatchlistAlias | String | The alias of the watchlist. |
| AzureSentinel.WatchlistItem.ID | String | The ID (GUID) of the watchlist item. |
| AzureSentinel.WatchlistItem.Created | Date | The time the watchlist item was created. |
| AzureSentinel.WatchlistItem.Updated | Date | The last time the watchlist item was updated. |
| AzureSentinel.WatchlistItem.CreatedBy | String | The name of the user. |
| AzureSentinel.WatchlistItem.UpdatedBy | String | The user who updated this item. |
| AzureSentinel.WatchlistItem.ItemsKeyValue | Unknown | Key-value pairs for a watchlist item. |
Command Example#
!azure-sentinel-list-watchlist-items watchlist_alias=test_4
Context Example#
Human Readable Output#
Watchlist items results#
ID Items Key Value 28bd8f55-131b-42e6-bd5d-33d30f2d1291 name: test1
IP: 1.2.3.4510d8f80-99ad-441d-87f3-88341cc8b439 name: test2
IP: 1.2.3.5
azure-sentinel-delete-watchlist-item#
Delete a watchlist item.
Base Command#
azure-sentinel-delete-watchlist-item
Input#
| Argument Name | Description | Required |
|---|---|---|
| watchlist_alias | The watchlist alias. | Required |
| watchlist_item_id | The watchlist item ID to be deleted. | Required |
Context Output#
There is no context output for this command.
Command Example#
!azure-sentinel-delete-watchlist-item watchlist_alias=test_2 watchlist_item_id=96c326c6-2dea-403c-94bd-6a005921c3c1
Human Readable Output#
Watchlist item 96c326c6-2dea-403c-94bd-6a005921c3c1 was deleted successfully.
azure-sentinel-create-update-watchlist-item#
Create or update a watchlist item.
Base Command#
azure-sentinel-create-update-watchlist-item
Input#
| Argument Name | Description | Required |
|---|---|---|
| watchlist_alias | The watchlist alias. | Required |
| watchlist_item_id | The watchlist item ID (GUID) to update. | Optional |
| item_key_value | The JSON for the itemsKeyValue of the item (the key value is different from watchlist to watchlist). | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| AzureSentinel.WatchlistItem.WatchlistAlias | String | The alias of the watchlist |
| AzureSentinel.WatchlistItem.ID | String | The ID (GUID) of the watchlist item. |
| AzureSentinel.WatchlistItem.Created | Date | The time the watchlist item was created. |
| AzureSentinel.WatchlistItem.Updated | Date | The last time the watchlist item was updated. |
| AzureSentinel.WatchlistItem.CreatedBy | String | The name of the user. |
| AzureSentinel.WatchlistItem.UpdatedBy | String | The user who update this item. |
| AzureSentinel.WatchlistItem.ItemsKeyValue | Unknown | Key-value pairs for a watchlist item. |
Command Example#
``!azure-sentinel-create-update-watchlist-item watchlist_alias=test_4 item_key_value={"name": "test_4_item", "IP": "4.4.4.4"}````
Context Example#
Human Readable Output#
Create watchlist item results#
ID Items Key Value 6b21d1ef-18fa-420f-ae4a-a6f94588ebe8 name: test_4_item
IP: 4.4.4.4