List Incidents
Description
Retrieve all incidents from Microsoft Azure Sentinel using the specified subscription ID, resource group, and workspace name.

Endpoint
URL: /subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/incidents
Method: GET

Inputs
path parameters (object) – required: Path parameters.
- subscriptionId (string) – required: The ID of the target subscription.
- resourceGroupName (string) – required: The name of the resource group. The name is case insensitive.
- workspaceName (string) – required: The name of the workspace. Regex pattern: ^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$
parameters (object) – required: URL query parameters.
- api-version (string) – required: The API version to use for this action.
- $filter (string): Filter the results, based on a Boolean condition.
- $orderby (string): Sort the results.
- $skipToken (string): Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skipToken parameter that specifies a starting point to use for subsequent calls. Because results are paged, a response that contains nextLink is incomplete; repeat the request with that skipToken until no nextLink is returned to retrieve every incident.
- $top (number): Return only the first n results.

Output example
\[ { "status code" 200, "response headers" { "cache control" "no cache", "pragma" "no cache", "transfer encoding" "chunked", "content type" "application/json; charset=utf 8", "content encoding" "gzip", "expires" " 1", "vary" "accept encoding", "server" "kestrel", "x ms ratelimit remaining subscription reads" "11999", "x ms request id" "b0182057 82a0 4253 aa3c 5be0c8ab9809", "x ms correlation request id" "b0182057 82a0 4253 aa3c 5be0c8ab9809", "x ms routing request id" "southindia 20230729t110918z\ b0182057 82a0 4253 aa3c 5be0c8ab9809", "strict transport security" "max age=31536000; includesubdomains", "x content type options" "nosniff", "date" "sat, 29 jul 2023 11 09 17 gmt" }, "reason" "ok", "json body" { "value" \[ { "id" 
"/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/providers/microsoft securityinsights/incidents/99353b3a 794c 4d8a ac01 df3f109900ed", "name" "99353b3a 794c 4d8a ac01 df3f109900ed", "etag" "\\"09001676 0000 1100 0000 64c45d7e0000\\"", "type" "microsoft securityinsights/incidents", "properties" { "title" "azure sentinel update alert", "description" "update alert", "severity" "medium", "status" "new", "owner" { "objectid" null, "email" null, "assignedto" null, "userprincipalname" null }, "labels" \[], "firstactivitytimeutc" "2023 07 28t19 45 39 4493887z", "lastactivitytimeutc" "2023 07 28t19 50 00 684261z", "lastmodifiedtimeutc" "2023 07 29t00 29 50 7425845z", "createdtimeutc" "2023 07 29t00 29 50 7425845z", "incidentnumber" 17081, "additionaldata" { "alertscount" 1, "bookmarkscount" 0, "commentscount" 0, "alertproductnames" \[ "azure sentinel" ], "tactics" \[] }, "relatedanalyticruleids" \[ "/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/providers/microsoft securityinsights/alertrules/6134bf18 8d6a 46ff a3f1 cdd43cafbf57" ], "incidenturl" "https //portal azure com/#asset/microsoft azure security insights/incident/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/providers/microsoft securityinsights/incidents/99353b3a 794c 4d8a ac01 df3f109900ed", "providername" "azure sentinel", "providerincidentid" "17081" } }, { "id" "/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/providers/microsoft securityinsights/incidents/49b0b22c 9ba2 40e5 888f e230f1624d75", "name" "49b0b22c 9ba2 40e5 888f e230f1624d75", "etag" "\\"09007d75 0000 1100 0000 64c45d4e0000\\"", "type" "microsoft 
securityinsights/incidents", "properties" { "title" "sentinel test alert", "description" "test alert", "severity" "medium", "status" "new", "owner" { "objectid" null, "email" null, "assignedto" null, "userprincipalname" null }, "labels" \[], "firstactivitytimeutc" "2023 07 28t19 45 39 4493887z", "lastactivitytimeutc" "2023 07 28t19 50 00 684261z", "lastmodifiedtimeutc" "2023 07 29t00 29 02 0205176z", "createdtimeutc" "2023 07 29t00 29 02 0205176z", "incidentnumber" 17080, "additionaldata" { "alertscount" 1, "bookmarkscount" 0, "commentscount" 0, "alertproductnames" \[ "azure sentinel" ], "tactics" \[] }, "relatedanalyticruleids" \[ "/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/providers/microsoft securityinsights/alertrules/8a0d8e78 58a9 4d66 af3a b054778b4aa2" ], "incidenturl" "https //portal azure com/#asset/microsoft azure security insights/incident/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/providers/microsoft securityinsights/incidents/49b0b22c 9ba2 40e5 888f e230f1624d75", "providername" "azure sentinel", "providerincidentid" "17080" } } ], "nextlink" "https //management azure com/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/resourcegroups/test/providers/microsoft operationalinsights/workspaces/swimlaneazuresentinel/providers/microsoft securityinsights/incidents?api version=2023 02 01&$top=2&$skiptoken=h4siaaaaaaaacj1wxvmisrd8l riraasrq4r95d9mumdgzq4ubmx94cefog6rq42snh32y rdz0ihz7urs7kzkrmr197p9vn9cpe6v5nftzpf5dm8ylquzzb9ergfqa4ip755 7s prw 3xmt3v86k7hb7cnw90i2v3 yvlkc5zlz86rbbwll9w5vfs7x0v17o rxxtcnvev ntobkn cvim tbfmezwz6dfj46odvejlu5p9ovp9bqipfkfk8a 528mfbwcbhwftpz1jrgptgw6vepaciybv3hnppvl5kvqpkhnucunn 124budm 63bve12719w2b64vtrtyfzr9shpp3ll93tbljudvnqodsuo0j 81wlrmqik4lag rzvyfddasgku9cswsfudkdjlrc7yzj9owb5wslnfprr4zxgv 
s6xz6kfrwom6uhked6l7cgwez1zebyevtz63uvef7uv99fkpjk51xrj5wxuhhfgybezhh3kr4ggz6gey8q4kvd9q4fcyabzzhchel4gdxtkxtma1ebpmcoo1pa8ntmk psamzxpu fp7em6z5kdeiurc930dfyct1tjcmtpv8zdpzw 4veughxxxstomxt5reezjmfjtyl7if5 h8sjrmoruc47woody dp0zcvtgfen8pidzjo01hvpjvmbjeakdz0u8l7bk qgobi4ziufoax6v4kmqe1pwemqfsxnfq5w35n1az4q ub4i frnucdykmjfg2pymrjng0bj3hpoki6esfjwpnlphkthc8tph0vz2on6kudb cm9kv3ul1ej0pyp3zljrl4ihztwtels cx5plmur4b6win ekp 3pyhe7wlb0rq8 uczg8vun 86vpd5pn6eczhzsv8jtb a 8nt3zv52f1j qlwspkiv evnrtundy4kh g6h6wua81nel4x6u bp tacz iflbeobfqv87ukrcwer1en7olk50dzf80nxuishzse3arynv7myf6gr7qgdrz8ozjoni7logf1ecdjcrfhfupgvea4dq q8zdzb955rdamopaemnhb6kenhjhdrnkvst5gx5inxxsjqv hgmbsvhoe5rxjv8fb t6qfhfz4sm6zqwldrrob29waay7kbubjhldsa8vdorpi 6afvyinazksdxf8z 9h23yr yoekmadbrk 1khijr9l3mq la0mc vmnvafs5ewowycyy 9oftfabkxxyq936mbdvmt 9qjeduc71ssh9oceb5t5kseg467jfqngnmlvmylz424dn5jx7 xlowlkpiv59r7zbrh xj4olaq cf9ybdan8xdzmotob9rtxrkfmx y6jc6rivoniackdadwntzx7dk1cgk9pqvopzm8gm0hsnnbiihyojx qhzlo3vfagp46jc7gy9ldafrvdd1mbmwxinvnd3ymylcc5lx26tj7xeyvwvby0c0pnuy 3c9wbt5swbx0 azemutxcy1nu9utcl1vm 0b66lhxva ugqhidq9ydvu 7s02 vxuma8f9cbbirthe5zot7rlciyg11lpyynbrx7hkztn0nrwgs2ogynlyycyalxxnbsrqgfvk u7jcy6iruddmdxzxnrh rcxpiz8ims 3fkwiyag36qwrpefryp7vqeofkjd0wmh9ptx7npcjze5oofityqiunhrwlwots2kz2jiliayjorhy4 di2mfm3ltgw tuzy4vn6ipprasxxdpkm y2dghi5xxvvn627jc0h6xn1sahb rgkifjuyrvcceits8gqcpxefznymygwrguelaf6ykblarzsrf avjgqp jhmy8068zjflxzd8r3sqe9nzthlg5e owidzmowjluttwpygzlomob8bmrg6fac utt45630z7medoahdd3lwsrpqbuae xvcnfqix0ob3ane4husomjtwbynoblszzxygpm0ppmfjivywivtcjg2ntazzkeam59sryh5u6oxkwxepgzask0lwzojqizofnssmsmndkflibfte0g8uqbti q7yoxl4iqph6f f85d4pkul883keiz3jr8t3p tgedhrjdncailr6kta7gq up1zffbzmwvoenpllas5otfa36wnvbm956uqrwwxjryiua9xldav18ztweojvzhyv8yt8h6yl4of62meqhdk4y6av7ge8d7p2x97r8kou9019792v9gxtwza 9oy7y4zl v9x vn5 y9f vv3 yuvc8b7cgaa" } } ] output parameters status code (number) reason (string) json body (object) value (array) id (string) name (string) etag (string) type (string) 
properties (object)
- title (string)
- description (string)
- severity (string)
- status (string)
- owner (object)
  - objectId (object)
  - email (object)
  - assignedTo (object)
  - userPrincipalName (object)
- labels (array)
  - file name (string) – required
  - file (string) – required
- firstActivityTimeUtc (string)
- lastActivityTimeUtc (string)
- lastModifiedTimeUtc (string)
- createdTimeUtc (string)
- incidentNumber (number)
- additionalData (object)
  - alertsCount (number)
  - bookmarksCount (number)
  - commentsCount (number)
  - alertProductNames (array)
  - tactics (array)
    - file name (string) – required
    - file (string) – required
- relatedAnalyticRuleIds (array)
- incidentUrl (string)
- providerName (string)
- providerIncidentId (string)
nextLink (string)

Response headers
Header | Type
Cache-Control | string
Pragma | string
Transfer-Encoding | string
Content-Type | string
Content-Encoding | string
Expires | string
Vary | string
Server | string
x-ms-ratelimit-remaining-subscription-reads | string
x-ms-request-id | string
x-ms-correlation-request-id | string
x-ms-routing-request-id | string
Strict-Transport-Security | string
X-Content-Type-Options | string
Date | string