Microsoft Sentinel

Microsoft Sentinel is a cloud-native security information and event manager (SIEM) platform that uses built-in AI to help analyze large volumes of data across an enterprise.

Use the Azure Sentinel integration to get and manage incidents and get related entity information for incidents.

What does this pack do?

Gets a single incident or a list of incidents from Azure Sentinel.
Gets a list of watchlists from Azure Sentinel.
Creates, updates, or deletes a watchlist in Azure Sentinel.
Updates or deletes a single incident in Azure Sentinel.
Gets, adds, or deletes the comments of an incident from Azure Sentinel.
Gets a list of an incident's related entities from Azure Sentinel.
Gets a list of an incident's entities from Azure Sentinel.
Gets a list of an incident's alerts from Azure Sentinel.
Get a single watchlist item or list of watchlist items.
Creates, updates, deletes a watchlist item.
Returns a list of threat indicators.
Returns a list of threat indicators with specific entities.
Creates, updates, or deletes a threat indicator.
Appends new tags to an existing indicator.
Replaces the tags of a given indicator.

Use the Azure Sentinel integration to get and manage incidents and get related entity information for incidents.

What does this pack do?

Gets a single incident or a list of incidents from Azure Sentinel.
Gets a list of watchlists from Azure Sentinel.
Creates, updates, or deletes a watchlist in Azure Sentinel.
Updates or deletes a single incident in Azure Sentinel.
Gets, adds, or deletes the comments of an incident from Azure Sentinel.
Gets a list of an incident's related entities from Azure Sentinel.
Gets a list of an incident's entities from Azure Sentinel.
Gets a list of an incident's alerts from Azure Sentinel.
Get a single watchlist item or list of watchlist items.
Creates, updates, deletes a watchlist item.
Returns a list of threat indicators.
Returns a list of threat indicators with specific entities.
Creates, updates, or deletes a threat indicator.
Appends new tags to an existing indicator.
Replaces the tags of a given indicator.

Automations

Name	Description
MicrosoftSentinelConvertAlertsToTable	This script is used to convert alerts to a table.
MicrosoftSentinelConvertEntitiesToTable	This script is used to convert entities to a table.
MicrosoftSentinelConvertCommentsToTable	This script is used to convert comments to a table.
MicrosoftSentinelConvertRelationsToTable	This script is used to convert relations to a table.

Classifiers

Name	Description
Microsoft Sentinel - Classifier
Microsoft Sentinel - Incoming Mapper
Microsoft Sentinel - Outgoing Mapper

Incident Fields

Name	Description
Microsoft Sentinel Entities
Microsoft Sentinel Comments
Microsoft Sentinel Owner
Microsoft Sentinel Alert Count
Microsoft Sentinel Alerts
Microsoft Sentinel Rule Id
Microsoft Sentinel Relations
Microsoft Sentinel Incident Number
Microsoft Sentinel Classification Comment

Incident Types

Name	Description
Microsoft Sentinel Incident

Integrations

Name	Description
Microsoft Sentinel	Microsoft Sentinel is a scalable, cloud-native solution that provides: Security information and event management (SIEM) Security orchestration, automation, and response (SOAR).

Layouts

Name	Description
Microsoft Sentinel - default layout	This is the default layout for Microsoft Sentinel incidents.

Automations

Name	Description
MicrosoftSentinelConvertCommentsToTable	This script is used to convert comments to a table.
MicrosoftSentinelConvertEntitiesToTable	This script is used to convert entities to a table.
MicrosoftSentinelConvertRelationsToTable	This script is used to convert relations to a table.
MicrosoftSentinelConvertAlertsToTable	This script is used to convert alerts to a table.

Classifiers

Name	Description
Microsoft Sentinel - Classifier
Microsoft Sentinel - Outgoing Mapper
Microsoft Sentinel - Incoming Mapper

Incident Fields

Name	Description
Microsoft Sentinel Relations
Microsoft Sentinel Entities
Microsoft Sentinel Alerts
Microsoft Sentinel Owner
Microsoft Sentinel Rule Id
Microsoft Sentinel Incident Number
Microsoft Sentinel Comments
Microsoft Sentinel Alert Count
Microsoft Sentinel Classification Comment

Incident Types

Name	Description
Microsoft Sentinel Incident

Integrations

Name	Description
Microsoft Sentinel	Microsoft Sentinel is a scalable, cloud-native solution that provides: Security information and event management (SIEM) Security orchestration, automation, and response (SOAR).

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
Common Types	By: Cortex XSOAR

All level dependencies (2)

Pack Name	Pack By
Filters And Transformers	By: Cortex XSOAR
Base	By: Cortex XSOAR

1.5.39 - 919924 (March 28, 2024)

Integrations

Added a timeout value to the retry on rate limit mechanism.

Related pull requests:
- 33566

Download

1.5.38 - 860237 (February 29, 2024)

Integrations

Microsoft Sentinel

Updated the MicrosoftApiModule to better handle the Authorization Code flow in the supported integrations.

Related pull requests:
- 31942

Download

1.5.37 - 823153 (February 12, 2024)

Integrations

Microsoft Sentinel

Updated the Docker image to: demisto/crypto:1.0.0.87358.

Related pull requests:
- 32843

Download

1.5.36 - 798475 (February 1, 2024)

Integrations

Microsoft Sentinel

Updated the Docker image to: demisto/crypto:1.0.0.86361.

Related pull requests:
- 32524

Download

1.5.35 - 760302 (January 14, 2024)

Integrations

Microsoft Sentinel

Updated the Docker image to: demisto/crypto:1.0.0.84658.

Related pull requests:
- 32156

Download

1.5.34 - 7149458 (December 13, 2023)

Scripts

MicrosoftSentinelConvertAlertsToTable

Updated the Docker image to: demisto/python3:3.10.13.83255.

MicrosoftSentinelConvertRelationsToTable

Updated the Docker image to: demisto/python3:3.10.13.83255.

MicrosoftSentinelConvertEntitiesToTable

Updated the Docker image to: demisto/python3:3.10.13.83255.

MicrosoftSentinelConvertCommentsToTable

Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31427

Download

1.5.33 - 7142940 (December 12, 2023)

Integrations

Microsoft Sentinel

Added support for incident assignment based on AssigneeObjectID in the azure-sentinel-update-incident command.
Added support for unassign incidents in the azure-sentinel-update-incident command.
Added the following context keys
- AzureSentinel.Incident.AssigneeObjectID
- AzureSentinel.Incident.AssigneeUPN
Updated the Docker image to: demisto/crypto:1.0.0.83343.

Related pull requests:
- 31419
- 31065
- 1

Download

1.5.32 - 7066068 (December 4, 2023)

Integrations

Microsoft Sentinel

Updated the Docker image to: demisto/crypto:1.0.0.82278.

Related pull requests:
- 31292

Download

1.5.31 - 7029664 (November 30, 2023)

Integrations

Microsoft Sentinel

Updated the Docker image to: demisto/crypto:1.0.0.81835.

Related pull requests:
- 31219

Download

1.5.29 - 6989486 (November 26, 2023)

Integrations

Microsoft Sentinel

Fixed an issue where the First fetch timestamp argument was not respected in fetch-incidents.

Related pull requests:
- 31058

Download

1.5.28 - 6935568 (November 19, 2023)

Integrations

Microsoft Sentinel

Fixed an issue where the Close Reason field contained the suffix 'Closed on Microsoft Sentinel' in case of closing mirrored incident.

Related pull requests:
- 30863

Download

1.5.27 - 6877054 (November 13, 2023)

Integrations

Microsoft Sentinel

Fixed an issue where providing a close reason separately before closing the incident in XSOAR sometimes resulted in the closed status not being mirrored to Microsoft Sentinel.
Updated the Docker image to: demisto/crypto:1.0.0.80214.

Related pull requests:
- 30291

Download

1.5.26 - 6808171 (November 6, 2023)

Integrations

Microsoft Sentinel

Updated the Docker image to: demisto/crypto:1.0.0.79946.

Related pull requests:
- 30673

Download

1.5.25 - 6647170 (October 19, 2023)

Integrations

Microsoft Sentinel

Updated the Docker image to: demisto/crypto:1.0.0.78196.
Added the limit parameter to configure the maximum number of incidents to fetch in fetch-incidents command, and reset the default value from 50 to 20.

Related pull requests:
- 30124

Download

1.5.24 - 6560427 (October 10, 2023)

Integrations

Microsoft Sentinel

Fixed an issue where outgoing mirroring changes did not update incidents in Azure Sentinel if those were not synced first into XSOAR.
Updated the Docker image to: demisto/crypto:1.0.0.76022.

Related pull requests:
- 29900

Download

1.5.23 - 6395616 (September 22, 2023)

Integrations

Microsoft Sentinel

Updated the Docker image to: demisto/crypto:1.0.0.74979.
Added the MITRE Att&ck information to the output in the azure-sentinel-list-incident-alerts command.

Related pull requests:
- 29829
- 29366

Download

1.5.22 - 6363299 (September 19, 2023)

Integrations

Microsoft Sentinel

Updated the Docker image to: demisto/crypto:1.0.0.74057.

Related pull requests:
- 29733

Download

1.5.21 - 6226805 (September 3, 2023)

Integrations

Microsoft Sentinel

Added a moderate retry mechanism for the authorization HTTP request through oproxy.

Related pull requests:
- 29015

Download

1.5.20 - 6170593 (August 28, 2023)

Integrations

Microsoft Sentinel

Added an infrastructure support for Microsoft Graph Application Endpoints.

Related pull requests:
- 28801

Download

1.5.19 - 6133197 (August 23, 2023)

Integrations

Microsoft Sentinel

Fixed an issue where instances using version 1.5.18 of the pack could have authentication issues.

Related pull requests:
- 29173

Download

1.5.18 - 6106826 (August 21, 2023)

Integrations

Microsoft Sentinel

Fixed an issue where changes made to the Authorization code parameter were not being reflected in the integration code, resulting in the continued use of the first parameter.

Related pull requests:
- 29035
- 29173

Download

1.5.17 - 6058978 (August 15, 2023)

Integrations

Microsoft Sentinel

Fixed an issue where the Owner in an Azure incident was changed to Unassigned when mirroring out.
Updated the Docker image to: demisto/crypto:1.0.0.68914.
Fixed an issue with calling LOG instead of demisto.debug.
Updated the Docker image to: demisto/crypto:1.0.0.68914.

Related pull requests:
- 28988

Download

1.5.15 - 6010750 (August 10, 2023)

Integrations

Microsoft Sentinel

Added support for Microsoft Defender for Application Endpoints in the Microsoft API Module.

Related pull requests:
- 27705

Download

1.5.14 - 5910354 (July 30, 2023)

Integrations

Microsoft Sentinel

Added the azure-sentinel-auth-reset command which allows the user to restart the authentication process by resetting the integration context if necessary.
Updated the Docker image to: demisto/crypto:1.0.0.66562.
Maintenance and stability enhancements.

Related pull requests:
- 26482

Download

1.5.13 - R5866730 (July 25, 2023)

Integrations

Microsoft Sentinel

Updated the Docker image to: demisto/crypto:1.0.0.65874.

Related pull requests:
- 28412

Download

1.5.12 - R5801668 (July 18, 2023)

Scripts

MicrosoftSentinelConvertAlertsToTable

Updated the Docker image to: demisto/python3:3.10.12.63474.

MicrosoftSentinelConvertRelationsToTable

Updated the Docker image to: demisto/python3:3.10.12.63474.

MicrosoftSentinelConvertEntitiesToTable

Updated the Docker image to: demisto/python3:3.10.12.63474.

MicrosoftSentinelConvertCommentsToTable

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27997

Download

1.5.11 - R5692327 (July 5, 2023)

Integrations

Microsoft Sentinel

Added the following new commands:
- azure-sentinel-subscriptions-list
- azure-sentinel-resource-group-list
Updated the Docker image to: demisto/crypto:1.0.0.63672.

Related pull requests:
- 27110

Download

1.5.10 - 5640115 (June 28, 2023)

Integrations

Microsoft Sentinel

Improved implementation by adding functionality to the MicrosoftAPIModule to be used in integrations that allow arguments to be set in the instance configuration or within the commands.
Improved implementation by adding functionality to the MicrosoftAPIModule to be used in integrations that use 'tag' as a filter.

Related pull requests:
- 26943

Download

1.5.9 - 5574470 (June 20, 2023)

Integrations

Microsoft Sentinel

Updated the Docker image to: demisto/crypto:1.0.0.63672.
Added support for All Azure Cloud environments: Public, GCC, GCC-High, DoD, Germany, China.

Related pull requests:
- 27025

Download

1.5.8 - 5508533 (June 12, 2023)

Integrations

Microsoft Sentinel

Fixed an issue where azure-sentinel-threat-indicator-query would fail when provided with multiple keywords.
Updated the Docker image to: demisto/crypto:1.0.0.62834.

Related pull requests:
- 27025
- 27380

Download

1.5.7 - R5450895 (June 5, 2023)

Integrations

Microsoft Sentinel

Fixed an issue where the get-modified-remote-data command did not work correctly with non-UTC timezones.
Updated the Docker image to: demisto/crypto:1.0.0.61689.

Related pull requests:
- 25916

Download

1.5.6 - 5277943 (May 16, 2023)

Integrations

Microsoft Sentinel

Updated the Docker image to: demisto/crypto:1.0.0.58768.

Related pull requests:
- 26529

Download

1.5.5 - R5170573 (May 2, 2023)

Integrations

Microsoft Sentinel

Updated the Docker image to: demisto/crypto:1.0.0.56396.

Related pull requests:
- 26178

Download

1.5.4 - 5057113 (April 17, 2023)

Integrations

Microsoft Sentinel

Updated the Docker image to: demisto/crypto:1.0.0.54987.

Related pull requests:
- 25878

Download

1.5.3 - 4954430 (April 2, 2023)

Integrations

Microsoft Sentinel

Added support for old docker images which do not have the defusedxml package.

Related pull requests:
- 25670

Download

1.5.2 - 4872060 (March 22, 2023)

Integrations

Microsoft Sentinel

Updated the Docker image to: demisto/crypto:1.0.0.49599.

Related pull requests:
- 25386

Download

1.5.1 - 4748070 (March 5, 2023)

Scripts

MicrosoftSentinelConvertAlertsToTable

Improvement in reading the context data

MicrosoftSentinelConvertCommentsToTable

Improvement in reading the context data

MicrosoftSentinelConvertRelationsToTable

Improvement in reading the context data

MicrosoftSentinelConvertEntitiesToTable

Improvement in reading the context data

Related pull requests:
- 25057

Download

1.5.0 - 4746941 (March 5, 2023)

Classifiers

New: Microsoft Sentinel - Classifier

(Available from Cortex XSOAR 6.5.0).

Incident Fields

New: Microsoft Sentinel Classification Comment
New: Microsoft Sentinel Rule Id
New: Microsoft Sentinel Comments
New: Microsoft Sentinel Alerts
New: Microsoft Sentinel Owner
New: Microsoft Sentinel Incident Number
New: Microsoft Sentinel Entities
New: Microsoft Sentinel Alert Count
New: Microsoft Sentinel Relations

Incident Types

New: Microsoft Sentinel Incident

Integrations

Microsoft Sentinel

Updated the API version to 2022-11-01.
Added the subscription_id and resource_group_name arguments to every command.
Added mirroring functionality to Microsoft Sentinel Incident type.
Updated the fetch to support fetching of additional incident information (comments, alerts, entities, relations).
Added the following commands:
- azure-sentinel-list-alert-rule
- azure-sentinel-list-alert-rule-template
- azure-sentinel-delete-alert-rule
- azure-sentinel-create-alert-rule
- azure-sentinel-update-alert-rule

Layouts

New: Microsoft Sentinel - default layout
(Available from Cortex XSOAR 6.5.0).

Mappers

New: Microsoft Sentinel - Outgoing Mapper

(Available from Cortex XSOAR 6.5.0).

New: Microsoft Sentinel - Incoming Mapper

(Available from Cortex XSOAR 6.5.0).

Scripts

New: MicrosoftSentinelConvertAlertsToTable

This script is used to convert alerts to a table. (Available from Cortex XSOAR 5.5.0).

New: MicrosoftSentinelConvertRelationsToTable

This script is used to convert relations to a table. (Available from Cortex XSOAR 5.5.0).

New: MicrosoftSentinelConvertEntitiesToTable

This script is used to convert entities to a table. (Available from Cortex XSOAR 5.5.0).

New: MicrosoftSentinelConvertCommentsToTable

This script is used to convert comments to a table. (Available from Cortex XSOAR 5.5.0).

Related pull requests:
- 24528

Download

1.4.15 - 4718798 (March 1, 2023)

Integrations

Microsoft Sentinel

Updated the Docker image to: demisto/crypto:1.0.0.49392.

Related pull requests:
- 24960

Download

Certification	Certified	Read more
Supported By	Cortex
Created	September 7, 2020
Last Release	March 28, 2024