# Microsoft Azure Sentinel
The Azure Sentinel connector enables seamless integration with Swimlane Turbine, allowing users to automate and orchestrate security workflows within Azure Sentinel.

Microsoft Azure Sentinel is a scalable, cloud-native Security Information Event Management (SIEM) and Security Orchestration Automated Response (SOAR) solution. The Azure Sentinel Turbine connector enables users to automate incident management and alert rule operations within Azure Sentinel directly from the Swimlane platform. By integrating with Azure Sentinel, Swimlane Turbine users can streamline their security workflows, enhance incident response, and leverage Azure's extensive security telemetry for improved threat detection and management.

## Prerequisites

Before integrating Microsoft Azure Sentinel with Swimlane Turbine, ensure you have the following prerequisites:

OAuth 2.0 client credentials for secure authentication, which include:

- URL: the endpoint URL for Azure Sentinel API access
- Client ID: the unique identifier for your registered Azure application
- Client Secret: the secret key generated for your Azure application to establish secure communication
- Token URL: the URL to retrieve the authentication token from Azure Active Directory

### Token URL

Use the following as the Token URL:

- To run the Log Analytics Query action, use `https://login.microsoftonline.com/{tenant id}/oauth2/token`
- For all other actions, use `https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/token`

### Host URL

- To run the Log Analytics Query action, use `https://api.loganalytics.azure.com/`
- For all other actions, use `https://management.azure.com/`

### Action setup

To run the incident management actions, you need a Resource Group Name, Subscription ID and Workspace Name.

### Steps to create the Azure app

1. Go to the App registrations page (https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) in the Azure portal.
2. Click New registration.
3. Enter a name for your new application and choose "Accounts in this organizational directory only", then click Register at the bottom.
4. Navigate to the API permissions tab on the left navigation menu.
5. Select Add a permission.
6. Add the following permissions:
   - Microsoft Graph / SecurityEvents.ReadWrite.All
   - WindowsDefenderATP / Alert.ReadWrite.All
7. Navigate to the Certificates & secrets tab and select New client secret.
8. Fill out the description and expiration, then click the Add button at the bottom. The Value of the secret you just created is the Client Secret needed for the Swimlane asset.
9. Navigate to the Overview tab on the left menu. The Client ID and Tenant ID needed in the asset are shown on this page.
10. Go back to the main Azure portal window and click on your app overview. Copy the following values: Resource Group Name, Subscription ID, Workspace Name, Workspace ID.

## Capabilities

The Microsoft Azure Sentinel connector provides the following capabilities:

- Create or Update Fusion Alert Rule
- Create or Update Incident
- Create or Update MSSIC (MicrosoftSecurityIncidentCreation) Alert Rule
- Create or Update Saved Searches
- Create or Update Scheduled Alert Rule
- Delete Alert Rules
- Delete Incident
- Delete Incident Comments
- Delete Saved Searches
- Get Alert Entities
- Get Alert Rules by Rule ID
- Get Entity Insights
- Get Incident
- Get Incident Comment
- Get Saved Searches
- and so on

## Known Issues

If you get a 403 HTTP error, you have to add that Azure app to the Sentinel workspace and assign the Contributor role to it.

## Notes

- https://learn.microsoft.com/en-us/rest/api/securityinsights/stable/incidents
- https://learn.microsoft.com/en-us/rest/api/loganalytics/saved-searches
- https://learn.microsoft.com/en-us/rest/api/loganalytics/dataaccess/query/get?tabs=HTTP
- https://learn.microsoft.com/en-us/azure/azure-monitor/logs/api/access-api
- https://learn.microsoft.com/en-us/rest/api/securityinsights/api-versions

## Configurations

### MS Azure Sentinel OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | A URL to the target host | string | Required |
| Token URL | | string | Required |
| Client ID | The client ID | string | Required |
| Client Secret | The client secret | string | Required |
| Scope | Permission scopes for this action | array | Optional |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |

## Actions

### Add Comment to Incident

Adds a user-defined comment to a specified incident in Microsoft Azure Sentinel, utilizing subscription, resource group, workspace, and incident identifiers.

Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/incidents/{{incidentId}}/comments/{{incidentCommentId}}`

Method: PUT

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.api-version | string | Required | API version for the operation |
| path_parameters.subscriptionId | string | Required | Azure subscription ID. Pattern is `^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$` |
| path_parameters.resourceGroupName | string | Required | The name of the resource group within the user's subscription. The name is case insensitive. minLength is 1, maxLength is 90, pattern is `^[-\w\._\(\)]+$` |
| path_parameters.workspaceName | string | Required | The name of the workspace. minLength is 1, maxLength is 90 |
| path_parameters.incidentId | string | Required | Parameters for the Add Comment to Incident action |
| path_parameters.incidentCommentId | string | Required | Parameters for the Add Comment to Incident action |
| properties | object | Optional | Parameter for Add Comment to Incident |
| properties.message | string | Required | The comment message |

Input example:

```json
{
  "parameters": {"api-version": "2020-01-01"},
  "json_body": {"properties": {"message": "Some message"}},
  "path_parameters": {
    "subscriptionId": "string",
    "resourceGroupName": "string",
    "workspaceName": "string",
    "incidentId": "string",
    "incidentCommentId": "string"
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| properties | object | Output field properties |
| properties.message | string | Response message |
| properties.createdTimeUtc | string | Output field properties.createdTimeUtc |
| properties.author | object | Output field properties.author |
| properties.author.objectId | string | Unique identifier |
| properties.author.email | string | Output field properties.author.email |
| properties.author.userPrincipalName | string | Name of the resource |
| properties.author.name | string | Name of the resource |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/provider...",
    "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014",
    "type": "Microsoft.SecurityInsights/incidents/comments",
    "properties": {
      "message": "Some message",
      "createdTimeUtc": "2019-01-01T13:15:30Z",
      "author": {}
    }
  }
}
```

### Create or Update MSSIC Alert Rule

Create or update a Microsoft Security Incident Creation alert rule in Azure Sentinel, specifying subscription, resource group, workspace, and rule details.

Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/alertRules/{{ruleId}}`

Method: PUT

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.subscriptionId | string | Required | The ID of the target subscription |
| path_parameters.resourceGroupName | string | Required | The name of the resource group. The name is case insensitive |
| path_parameters.workspaceName | string | Required | The name of the workspace. Regex pattern `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$` |
| path_parameters.ruleId | string | Required | Alert rule ID |
| parameters.api-version | string | Required | The API version to use for this operation |
| etag | string | Optional | Parameter for Create or Update MSSIC Alert Rule |
| kind | string | Optional | Parameter for Create or Update MSSIC Alert Rule |
| properties | object | Optional | Parameter for Create or Update MSSIC Alert Rule |
| properties.productFilter | string | Required | Parameter for Create or Update MSSIC Alert Rule |
| properties.displayName | string | Required | The display name for alerts created by this alert rule |
| properties.enabled | boolean | Required | Determines whether this alert rule is enabled or disabled |
| properties.alertRuleTemplateName | string | Optional | The name of the alert rule template used to create this rule |
| properties.description | string | Optional | The description of the alert rule |
| properties.displayNamesExcludeFilter | array | Optional | The alerts' displayNames on which the cases will not be generated |
| properties.displayNamesFilter | array | Optional | The alerts' displayNames on which the cases will be generated |
| properties.severitiesFilter | array | Optional | The alerts' severities on which the cases will be generated |

Input example:

```json
{
  "parameters": {"api-version": "2024-03-01"},
  "json_body": {
    "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
    "kind": "MicrosoftSecurityIncidentCreation",
    "properties": {
      "productFilter": "Microsoft Cloud App Security",
      "displayName": "testing displayname",
      "enabled": true,
      "alertRuleTemplateName": "template1",
      "description": "description of the rule",
      "displayNamesExcludeFilter": "Advanced Multi-Stage Attack Detection",
      "displayNamesFilter": "Advanced Multi-Stage Attack Detection",
      "severitiesFilter": "High"
    }
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| etag | string | Output field etag |
| type | string | Type of the resource |
| kind | string | Output field kind |
| properties | object | Output field properties |
| properties.productFilter | string | Output field properties.productFilter |
| properties.severitiesFilter | object | Output field properties.severitiesFilter |
| properties.displayNamesFilter | object | Name of the resource |
| properties.displayName | string | Name of the resource |
| properties.enabled | boolean | Output field properties.enabled |
| properties.description | object | Output field properties.description |
| properties.alertRuleTemplateName | object | Name of the resource |
| properties.lastModifiedUtc | string | Output field properties.lastModifiedUtc |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/provider...",
    "name": "microsoftSecurityIncidentCreationRuleExample",
    "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
    "type": "Microsoft.SecurityInsights/alertRules",
    "kind": "MicrosoftSecurityIncidentCreation",
    "properties": {
      "productFilter": "Microsoft Cloud App Security",
      "severitiesFilter": null,
      "displayNamesFilter": null,
      "displayName": "testing displayname", ...
```

### Create or Update Fusion Alert Rule

Create or update a Fusion alert rule in Microsoft Azure Sentinel, specifying subscription, resource group, workspace, and rule ID.

Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/alertRules/{{ruleId}}`

Method: PUT

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.subscriptionId | string | Required | The ID of the target subscription |
| path_parameters.resourceGroupName | string | Required | The name of the resource group. The name is case insensitive |
| path_parameters.workspaceName | string | Required | The name of the workspace. Regex pattern `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$` |
| path_parameters.ruleId | string | Required | Alert rule ID |
| parameters.api-version | string | Required | The API version to use for this operation |
| kind | string | Optional | The alert rule kind |
| etag | string | Optional | Etag of the Azure resource |
| properties | object | Optional | Parameter for Create or Update Fusion Alert Rule |
| properties.enabled | boolean | Required | Determines whether this alert rule is enabled or disabled |
| properties.alertRuleTemplateName | string | Required | The name of the alert rule template used to create this rule |

Input example:

```json
{
  "parameters": {"api-version": "2024-03-01"},
  "json_body": {
    "kind": "Fusion",
    "etag": "3d00c3ca-0000-0100-0000-5d42d5010000",
    "properties": {
      "enabled": true,
      "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8"
    }
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| etag | string | Output field etag |
| type | string | Type of the resource |
| kind | string | Output field kind |
| properties | object | Output field properties |
| properties.displayName | string | Name of the resource |
| properties.description | string | Output field properties.description |
| properties.alertRuleTemplateName | string | Name of the resource |
| properties.tactics | array | Output field properties.tactics |
| properties.severity | string | Output field properties.severity |
| properties.enabled | boolean | Output field properties.enabled |
| properties.lastModifiedUtc | string | Output field properties.lastModifiedUtc |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/provider...",
    "name": "myFirstFusionRule",
    "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"",
    "type": "Microsoft.SecurityInsights/alertRules",
    "kind": "Fusion",
    "properties": {
      "displayName": "Advanced Multi-Stage Attack Detection",
      "description": "In this mode, Sentinel combines low fidelity alerts, which themselves may not be ...",
      "alertRuleTemplateName": "f71aba3d...
```

### Create or Update Incident

Create or update an incident in Microsoft Azure Sentinel using subscription ID, resource group, workspace name, and incident properties.

Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/incidents/{{incidentId}}`

Method: PUT

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.subscriptionId | string | Required | The ID of the target subscription |
| path_parameters.resourceGroupName | string | Required | The name of the resource group. The name is case insensitive |
| path_parameters.workspaceName | string | Required | The name of the workspace. Regex pattern `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$` |
| path_parameters.incidentId | string | Required | Incident ID |
| parameters.api-version | string | Required | The API version to use for this action |
| etag | string | Optional | Parameter for Create or Update Incident |
| properties | object | Optional | Parameter for Create or Update Incident |
| properties.lastActivityTimeUtc | string | Optional | The time of the last activity in the incident |
| properties.firstActivityTimeUtc | string | Optional | The time of the first activity in the incident |
| properties.description | string | Optional | The description of the incident |
| properties.title | string | Required | The title of the incident |
| properties.owner | object | Optional | Describes a user that the incident is assigned to |
| properties.owner.assignedTo | string | Optional | Parameter for Create or Update Incident |
| properties.owner.email | string | Optional | Parameter for Create or Update Incident |
| properties.owner.objectId | string | Optional | Unique identifier |
| properties.owner.ownerType | string | Optional | Type of the resource |
| properties.owner.userPrincipalName | string | Optional | Name of the resource |
| properties.severity | string | Required | The severity of the incident |
| properties.classification | string | Optional | The reason the incident was closed |
| properties.classificationComment | string | Optional | Describes the reason the incident was closed |
| properties.classificationReason | string | Optional | The classification reason the incident was closed with |
| properties.status | string | Required | The status of the incident |
| properties.labels | array | Optional | List of labels relevant to this incident |
| properties.labels.labelName | string | Optional | Name of the resource |
| properties.labels.labelType | string | Optional | Type of the resource |

Input example:

```json
{
  "path_parameters": {
    "subscriptionId": "string",
    "resourceGroupName": "example name",
    "workspaceName": "example name",
    "incidentId": "string"
  },
  "parameters": {"api-version": "string"},
  "etag": "string",
  "properties": {
    "lastActivityTimeUtc": "string",
    "firstActivityTimeUtc": "string",
    "description": "string",
    "title": "string",
    "owner": {
      "assignedTo": "string",
      "email": "user@example.com",
      "objectId": "string",
      "ownerType": "string",
      "userPrincipalName": "example name"
    },
    "severity": "string",
    "classification": "string",
    "classificationComment": "string",
    "classificationReason": "string",
    "status": "Active",
    "labels": [{"labelName": "example name", "labelType": "string"}]
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| etag | string | Output field etag |
| properties | object | Output field properties |
| properties.lastModifiedTimeUtc | string | Output field properties.lastModifiedTimeUtc |
| properties.createdTimeUtc | string | Output field properties.createdTimeUtc |
| properties.lastActivityTimeUtc | string | Output field properties.lastActivityTimeUtc |
| properties.firstActivityTimeUtc | string | Output field properties.firstActivityTimeUtc |
| properties.description | string | Output field properties.description |
| properties.title | string | Output field properties.title |
| properties.owner | object | Output field properties.owner |
| properties.owner.objectId | string | Unique identifier |
| properties.owner.email | string | Output field properties.owner.email |
| properties.owner.userPrincipalName | string | Name of the resource |
| properties.owner.assignedTo | string | Output field properties.owner.assignedTo |
| properties.owner.ownerType | string | Type of the resource |
| properties.severity | string | Output field properties.severity |
| properties.classification | string | Output field properties.classification |
| properties.classificationComment | string | Output field properties.classificationComment |
| properties.classificationReason | string | Response reason phrase |
| properties.status | string | Status value |
| properties.incidentUrl | string | URL endpoint for the request |

Output example:

```json
{
  "status_code": 201,
  "response_headers": {
    "Cache-Control": "no-cache",
    "Pragma": "no-cache",
    "Content-Length": "1480",
    "Content-Type": "application/json; charset=utf-8",
    "Expires": "-1",
    "Server": "Kestrel",
    "x-ms-ratelimit-remaining-subscription-resource-requests": "499",
    "x-ms-request-id": "02b3f250-c3ec-47bc-9bf6-13c2233ea13d",
    "x-ms-correlation-request-id": "02b3f250-c3ec-47bc-9bf6-13c2233ea13d",
    "x-ms-routing-request-id": "SOUTHINDIA:20230729T120425Z:02b3f250-c3ec-47bc-9bf6-13c2233ea13d",
    "Strict-Transport-Securi...
```

### Create or Update Saved Searches

Create or update saved searches in Microsoft Azure Sentinel, specifying resource group, search ID, subscription, workspace name, and properties.

Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/savedSearches/{{savedSearchId}}`

Method: PUT

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.resourceGroupName | string | Required | The name of the resource group. The name is case insensitive |
| path_parameters.savedSearchId | string | Required | The ID of the saved search |
| path_parameters.subscriptionId | string | Required | The ID of the target subscription |
| path_parameters.workspaceName | string | Required | The name of the workspace. Regex pattern `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$` |
| parameters.api-version | string | Required | The API version to use for this operation |
| etag | string | Optional | The ETag of the saved search. To override an existing saved search, use "*" or specify the current ETag |
| properties | object | Optional | Parameter for Create or Update Saved Searches |
| properties.category | string | Required | The category of the saved search. This helps the user to find a saved search faster |
| properties.displayName | string | Required | Saved search display name |
| properties.functionAlias | string | Optional | The function alias if query serves as a function |
| properties.functionParameters | string | Optional | The optional function parameters if query serves as a function |
| properties.query | string | Required | The query expression for the saved search |
| properties.tags | array | Optional | The tags attached to the saved search |
| properties.tags.name | string | Optional | Name of the resource |
| properties.tags.value | string | Optional | Value for the parameter |
| properties.version | number | Optional | The version number of the query language. The current version is 2 and is the default |

Input example:

```json
{
  "parameters": {"api-version": "2020-08-01"},
  "json_body": {
    "etag": "",
    "properties": {
      "category": "Saved Search Test Category",
      "displayName": "Create or Update Saved Search Test",
      "functionAlias": "heartbeat_func",
      "functionParameters": "a:int=1",
      "query": "Heartbeat | summarize Count() by Computer | take a",
      "tags": [{"name": "Group", "value": "Computer"}],
      "version": 2
    }
  },
  "path_parameters": {
    "resourceGroupName": "",
    "savedSearchId": "00000000-0000-0000-0000-00000000000",
    "subscriptionId": "azure subscription 1",
    "workspaceName": ""
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| etag | string | Output field etag |
| properties | object | Output field properties |
| properties.category | string | Output field properties.category |
| properties.displayName | string | Name of the resource |
| properties.query | string | Output field properties.query |
| properties.version | number | Output field properties.version |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "Cache-Control": "no-cache",
    "Pragma": "no-cache",
    "Transfer-Encoding": "chunked",
    "Content-Type": "application/json; charset=utf-8",
    "Content-Encoding": "gzip",
    "Expires": "-1",
    "Vary": "Accept-Encoding",
    "x-ms-ratelimit-remaining-subscription-writes": "1199",
    "Request-Context": "appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Access-Control-Allow-Origin": "*",
    "X-Powered...
```

### Create or Update Scheduled Alert Rule

Create or update a ScheduledAlertRule in Microsoft Azure Sentinel using subscription ID, resource group, workspace name, and rule ID.

Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/alertRules/{{ruleId}}`

Method: PUT

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.subscriptionId | string | Required | The ID of the target subscription |
| path_parameters.resourceGroupName | string | Required | The name of the resource group. The name is case insensitive |
| path_parameters.workspaceName | string | Required | The name of the workspace. Regex pattern `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$` |
| path_parameters.ruleId | string | Required | Alert rule ID |
| parameters.api-version | string | Required | The API version to use for this operation |
| kind | string | Optional | The alert rule kind |
| etag | string | Optional | Etag of the Azure resource |
| properties | object | Optional | Parameter for Create or Update Scheduled Alert Rule |
| properties.alertRuleTemplateName | string | Optional | The name of the alert rule template used to create this rule |
| properties.displayName | string | Required | The display name for alerts created by this alert rule |
| properties.description | string | Optional | The description of the alert rule |
| properties.severity | string | Required | The severity for alerts created by this alert rule |
| properties.enabled | boolean | Required | Determines whether this alert rule is enabled or disabled |
| properties.tactics | array | Optional | The tactics of the alert rule |
| properties.techniques | array | Optional | The techniques of the alert rule |
| properties.templateVersion | string | Optional | The version of the alert rule template used to create this rule, in format `<a.b.c>`, where all are numbers, for example 0 `<1.0.2>` |
| properties.query | string | Required | The query that creates alerts for this rule |
| properties.queryFrequency | string | Required | The frequency (in ISO 8601 duration format) for this alert rule to run |
| properties.queryPeriod | string | Required | The period (in ISO 8601 duration format) that this alert rule looks at |
| properties.triggerOperator | string | Required | The operation against the threshold that triggers the alert rule |
| properties.triggerThreshold | number | Required | The threshold that triggers this alert rule |
| properties.suppressionDuration | string | Required | The suppression (in ISO 8601 duration format) to wait since the last time this alert rule has been triggered |
| properties.suppressionEnabled | boolean | Required | Determines whether the suppression for this alert rule is enabled or disabled |
| properties.eventGroupingSettings | object | Optional | The event grouping settings |
| properties.eventGroupingSettings.aggregationKind | string | Optional | The event grouping aggregation kinds |

Input example:

```json
{
  "parameters": {"api-version": "2024-03-01"},
  "json_body": {
    "kind": "Scheduled",
    "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
    "properties": {
      "alertRuleTemplateName": "",
      "displayName": "My scheduled rule",
      "description": "An example for a scheduled rule",
      "severity": "High",
      "enabled": true,
      "tactics": ["Persistence", "LateralMovement"],
      "techniques": ["xyz"],
      "templateVersion": "",
      "query": "Heartbeat",
      "queryFrequency": "PT1H",
      "queryPeriod": "P2DT1H30M",
      "triggerOperator": "GreaterThan",
      "triggerThreshold": 0,
      "suppressionDuration": "PT1H",
      "suppressionEnabled": false,
      "eventGroupingSettings": {"aggregationKind": "AlertPerResult"},
      "customDetails": {
        "OperatingSystemName": "OSName",
        "OperatingSystemType": "OSType"
      },
      "entityMappings": [
        {
          "entityType": "Host",
          "fieldMappings": [{"identifier": "FullName", "columnName": "Computer"}]
        }
      ],
      "alertDetailsOverride": {
        "alertDisplayNameFormat": "Alert from {{Computer}}",
        "alertDescriptionFormat": "Suspicious activity was made by {{ComputerIP}}",
        "alertDynamicProperties": [
          {"alertProperty": "ProductComponentName", "value": "ProductComponentNameCustomColumn"}
        ]
      },
      "incidentConfiguration": {
        "createIncident": true,
        "groupingConfiguration": {
          "enabled": true,
          "reopenClosedIncident": false,
          "lookbackDuration": "PT5H",
          "matchingMethod": "Selected",
          "groupByEntities": ["Host"],
          "groupByAlertDetails": ["DisplayName"],
          "groupByCustomDetails": ["OperatingSystemType", "OperatingSystemName"]
        }
      }
    }
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| kind | string | Output field kind |
| etag | string | Output field etag |
| properties | object | Output field properties |
| properties.alertRuleTemplateName | object | Name of the resource |
| properties.displayName | string | Name of the resource |
| properties.description | string | Output field properties.description |
| properties.severity | string | Output field properties.severity |
| properties.enabled | boolean | Output field properties.enabled |
| properties.tactics | array | Output field properties.tactics |
| properties.query | string | Output field properties.query |
| properties.queryFrequency | string | Output field properties.queryFrequency |
| properties.queryPeriod | string | Output field properties.queryPeriod |
| properties.triggerOperator | string | Output field properties.triggerOperator |
| properties.triggerThreshold | number | Output field properties.triggerThreshold |
| properties.suppressionDuration | string | Output field properties.suppressionDuration |
| properties.suppressionEnabled | boolean | Output field properties.suppressionEnabled |
| properties.lastModifiedUtc | string | Output field properties.lastModifiedUtc |
| properties.eventGroupingSettings | object | Output field properties.eventGroupingSettings |
| properties.eventGroupingSettings.aggregationKind | string | Output field properties.eventGroupingSettings.aggregationKind |
| properties.customDetails | object | Output field properties.customDetails |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/provider...",
    "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
    "type": "Microsoft.SecurityInsights/alertRules",
    "kind": "Scheduled",
    "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
    "properties": {
      "alertRuleTemplateName": null,
      "displayName": "My scheduled rule",
      "description": "An example for a scheduled rule",
      "severity": "High",
      "enabled": true,
      "tactics": [],
      "query": ...
```

### Delete Alert Rules

Removes specified alert rules in Microsoft Azure Sentinel by utilizing subscription ID, resource group, workspace name, and rule ID.

Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/alertRules/{{ruleId}}`

Method: DELETE

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.ruleId | string | Required | Alert rule ID |
| path_parameters.subscriptionId | string | Required | The ID of the target subscription |
| path_parameters.resourceGroupName | string | Required | The name of the resource group. The name is case insensitive |
| path_parameters.workspaceName | string | Required | The name of the workspace. Regex pattern `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$` |
| parameters.api-version | string | Required | The API version to use for this operation |

Input example:

```json
{"parameters": {"api-version": "2024-03-01"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Delete Incident

Removes a specified incident from Microsoft Azure Sentinel using subscription, resource group, workspace, and incident IDs.

Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/incidents/{{incidentId}}`

Method: DELETE

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.subscriptionId | string | Required | The ID of the target subscription |
| path_parameters.resourceGroupName | string | Required | The name of the resource group. The name is case insensitive |
| path_parameters.workspaceName | string | Required | The name of the workspace. Regex pattern `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$` |
| path_parameters.incidentId | string | Required | Incident ID |
| parameters.api-version | string | Required | The API version to use for this action |

Input example:

```json
{
  "path_parameters": {
    "subscriptionId": "string",
    "resourceGroupName": "example name",
    "workspaceName": "example name",
    "incidentId": "string"
  },
  "parameters": {"api-version": "string"}
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "Cache-Control": "no-cache",
    "Pragma": "no-cache",
    "Transfer-Encoding": "chunked",
    "Content-Type": "application/json; charset=utf-8",
    "Content-Encoding": "gzip",
    "Expires": "-1",
    "Vary": "Accept-Encoding",
    "Server": "Kestrel",
    "x-ms-ratelimit-remaining-subscription-deletes": "14999",
    "x-ms-request-id": "a1c0a95a-ab5c-40ac-819e-fa5d49e3c2db",
    "x-ms-correlation-request-id": "a1c0a95a-ab5c-40ac-819e-fa5d49e3c2db",
    "x-ms-routing-request-id": "SOUTHINDIA:20230729T121753Z:a1c0a95a-ab5c...
```

### Delete Incident Comments

Removes a specific comment from an incident in Microsoft Azure Sentinel using identifiers such as incidentCommentId and incidentId.

Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/incidents/{{incidentId}}/comments/{{incidentCommentId}}`

Method: DELETE

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.incidentCommentId | string | Required | Incident comment ID |
| path_parameters.subscriptionId | string | Required | The ID of the target subscription |
| path_parameters.resourceGroupName | string | Required | The name of the resource group. The name is case insensitive |
| path_parameters.workspaceName | string | Required | The name of the workspace. Regex pattern is `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$` |
| path_parameters.incidentId | string | Required | Incident ID |
| parameters.api-version | string | Required | The API version to use for this operation |

Input example:

```json
{
  "parameters": {"api-version": "2023-02-01"},
  "path_parameters": {
    "incidentCommentId": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014",
    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
    "resourceGroupName": "myRg",
    "workspaceName": "myWorkspace",
    "incidentId": "73e01a99-5cd7-4139-a149-9f2736ff2ab5"
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Delete Saved Searches

Removes a specified saved search from an Azure Sentinel workspace using resource group, search ID, subscription ID, and workspace name.

Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/savedSearches/{{savedSearchId}}`

Method: DELETE

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.resourceGroupName | string | Required | Parameters for the Delete Saved Searches action |
| path_parameters.savedSearchId | string | Required | Parameters for the Delete Saved Searches action |
| path_parameters.subscriptionId | string | Required | Parameters for the Delete Saved Searches action |
| path_parameters.workspaceName | string | Required | Parameters for the Delete Saved Searches action |
| parameters.api-version | string | Required | Parameters for the Delete Saved Searches action |

Input example:

```json
{
  "parameters": {"api-version": "2020-08-01"},
  "path_parameters": {
    "resourceGroupName": "test",
    "savedSearchId": "00000000-0000-0000-0000-00000000000",
    "subscriptionId": "azure subscription 1",
    "workspaceName": "test"
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "Cache-Control": "no-cache",
    "Pragma": "no-cache",
    "Expires": "-1",
    "x-ms-ratelimit-remaining-subscription-deletes": "14999",
    "Request-Context": "appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Access-Control-Allow-Origin": "*",
    "X-Powered-By": "ASP.NET",
    "x-ms-request-id": "1744d53b-b782-4116-9086-1ef0d39b76ba",
    "x-ms-correlation-request-id": "1744d53b-b782-4116-9086-1...
```

### Entities Expand

Expands a specific entity in Microsoft Azure Sentinel using entityId, subscriptionId, resourceGroupName, and workspaceName.

Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/entities/{{entityId}}/expand`

Method: POST

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.api-version | string | Required | The API version to use for this operation |
| path_parameters.subscriptionId | string | Required | The ID of the target subscription |
| path_parameters.resourceGroupName | string | Required | The name of the resource group. The name is case insensitive |
| path_parameters.workspaceName | string | Required | The name of the workspace. Regex pattern `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$` |
| path_parameters.entityId | string | Required | Entity ID |
| expansionId | string | Optional | The ID of the expansion to perform |
| startTime | string | Optional | The start date filter, so the only expansion results returned are after this date |
| endTime | string | Optional | The end date filter, so the only expansion results returned are before this date |

Input example:

```json
{
  "parameters": {"api-version": "2024-03-01"},
  "json_body": {
    "expansionId": "a77992f3-25e9-4d01-99a4-5ff606cc410a",
    "startTime": "2019-04-25T00:00:00.000Z",
    "endTime": "2019-05-26T00:00:00.000Z"
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| value | object | Value for the parameter |
| value.entities | array | Value for the parameter |
| value.entities.id | string | Unique identifier |
| value.entities.name | string | Name of the resource |
| value.entities.type | string | Type of the resource |
| value.entities.kind | string | Value for the parameter |
| value.entities.properties | object | Value for the parameter |
| value.entities.properties.address | string | Value for the parameter |
| value.entities.properties.friendlyName | string | Name of the resource |
| value.edges | array | Value for the parameter |
| value.edges.targetEntityId | string | Unique identifier |
| value.edges.additionalData | object | Response data |
| value.edges.additionalData.epochTimestamp | string | Response data |
| value.edges.additionalData.firstSeen | string | Response data |
| value.edges.additionalData.source | string | Response data |
| metadata | object | Response data |
| metadata.aggregations | array | Response data |
| metadata.aggregations.entityKind | string | Response data |
| metadata.aggregations.count | number | Response data |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "value": {"entities": [], "edges": []},
    "metadata": {"aggregations": []}
  }
}
```

### Get Alert Rules by Rule ID

Retrieve details for a specific alert rule in Microsoft Azure Sentinel using subscription, resource group, workspace, and rule IDs.

Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/alertRules/{{ruleId}}`

Method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.ruleId | string | Required | Alert rule ID |
| path_parameters.subscriptionId | string | Required | The ID of the target subscription |
| path_parameters.resourceGroupName | string | Required | The name of the resource group. The name is case insensitive |
| path_parameters.workspaceName | string | Required | The name of the workspace. Regex pattern `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$` |
| parameters.api-version | string | Required | The API version to use for this operation |

Input example:

```json
{"parameters": {"api-version": "2024-03-01"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| etag | string | Output field etag |
| type | string | Type of the resource |
| kind | string | Output field kind |
| properties | ... | ... |
object output field properties properties displayname string name of the resource properties description string output field properties description properties alertruletemplatename string name of the resource properties tactics array output field properties tactics properties severity string output field properties severity properties enabled boolean output field properties enabled properties lastmodifiedutc string output field properties lastmodifiedutc output example {"status code" 200,"response headers" {},"reason" "ok","json body" {"id" "/subscriptions/d0cfe6b2 9ac0 4464 9919 dccaee2e48c0/resourcegroups/myrg/provider ","name" "myfirstfusionrule","etag" "\\"260090e2 0000 0d00 0000 5d6fb8670000\\"","type" "microsoft securityinsights/alertrules","kind" "fusion","properties" {"displayname" "advanced multi stage attack detection","description" "in this mode, sentinel combines low fidelity alerts, which themselves may not be ","alertruletemplatename" "f71aba3d get entity insights retrieve insights for a specified entity in microsoft azure sentinel, including time bound data requires subscriptionid, resourcegroupname, workspacename, entityid, and api version endpoint url /subscriptions/{{subscriptionid}}/resourcegroups/{{resourcegroupname}}/providers/microsoft operationalinsights/workspaces/{{workspacename}}/providers/microsoft securityinsights/entities/{{entityid}}/getinsights method post input argument name type required description parameters api version string required the api version to use for this operation path parameters subscriptionid string required the id of the target subscription path parameters resourcegroupname string required the name of the resource group path parameters workspacename string required the name of the workspace path parameters entityid string required entity id adddefaultextendedtimerange boolean optional indicates if query time range should be extended with default time range of the query starttime string optional the start timeline 
date, so the results returned are after this date endtime string optional the end timeline date, so the results returned are before this date insightqueryids array optional list of insights query id if empty, default value is all insights of this entity input example {"parameters" {"api version" "2025 04 01 preview"},"json body" {"adddefaultextendedtimerange"\ false,"starttime" "2021 09 01t00 00 00 000z","endtime" "2021 10 01t00 00 00 000z","insightqueryids" \["cae8d0aa aa45 4d53 8d88 17dd64ffd4e4"]},"path parameters" {"subscriptionid" "d0cfe6b2 9ac0 4464 9919 dccaee2e48c0","resourcegroupname" "myrg","workspacename" "myworkspace","entityid" "e1d3d618 e11f 478b 98e3 bb381539a8e1"}} output parameter type description status code number http status code of the response value array value for the parameter value tablequeryresults object value for the parameter value tablequeryresults columns array value for the parameter value tablequeryresults columns name string name of the resource value tablequeryresults columns type string type of the resource value tablequeryresults rows array value for the parameter value tablequeryresults rows 0 string value for the parameter value tablequeryresults rows 1 string value for the parameter value tablequeryresults rows 2 string value for the parameter value tablequeryresults rows 3 string value for the parameter value tablequeryresults rows 4 string value for the parameter value chartqueryresults array value for the parameter value chartqueryresults columns array value for the parameter value chartqueryresults columns name string name of the resource value chartqueryresults columns type string type of the resource value chartqueryresults rows array value for the parameter value chartqueryresults rows 0 string value for the parameter value chartqueryresults rows 1 string value for the parameter value chartqueryresults rows 2 string value for the parameter value querytimeinterval object value for the parameter value querytimeinterval 
starttime string value for the parameter value querytimeinterval endtime string value for the parameter value queryid string unique identifier metadata object response data output example {"status code" 200,"json body" {"value" \[{}],"metadata" {"totalcount" 7,"errors" \[]}}} get incident retrieves detailed information for a specified incident in microsoft azure sentinel using subscription id, resource group, workspace name, and incident id endpoint url /subscriptions/{{subscriptionid}}/resourcegroups/{{resourcegroupname}}/providers/microsoft operationalinsights/workspaces/{{workspacename}}/providers/microsoft securityinsights/incidents/{{incidentid}} method get input argument name type required description path parameters subscriptionid string required the id of the target subscription path parameters resourcegroupname string required the name of the resource group the name is case insensitive path parameters workspacename string required the name of the workspace regex pattern ^\[a za z0 9]\[a za z0 9 ]+\[a za z0 9]$ path parameters incidentid string required incident id parameters api version string required the api version to use for this action input example {"path parameters" {"subscriptionid" "string","resourcegroupname" "example name","workspacename" "example name","incidentid" "string"},"parameters" {"api version" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier name string name of the resource type string type of the resource etag string output field etag properties object output field properties properties lastmodifiedtimeutc string output field properties lastmodifiedtimeutc properties createdtimeutc string output field properties createdtimeutc properties lastactivitytimeutc string output field properties lastactivitytimeutc properties firstactivitytimeutc string output field properties firstactivitytimeutc properties description string 
output field properties description properties title string output field properties title properties owner object output field properties owner properties owner objectid string unique identifier properties owner email string output field properties owner email properties owner userprincipalname string name of the resource properties owner assignedto string output field properties owner assignedto properties severity string output field properties severity properties classification string output field properties classification properties classificationcomment string output field properties classificationcomment properties classificationreason string response reason phrase properties status string status value properties incidenturl string url endpoint for the request properties incidentnumber number unique identifier output example {"status code" 200,"response headers" {"cache control" "no cache","pragma" "no cache","transfer encoding" "chunked","content type" "application/json; charset=utf 8","content encoding" "gzip","expires" " 1","vary" "accept encoding","server" "kestrel","x ms ratelimit remaining subscription reads" "11999","x ms request id" "80a0943c 0eaa 4a3d bac9 1e4e4eae73db","x ms correlation request id" "80a0943c 0eaa 4a3d bac9 1e4e4eae73db","x ms routing request id" "southindia 20230729t122616z 80a0943c 0eaa 4 get incident comment retrieve a specific comment from an incident in microsoft azure sentinel using the provided subscription, resource group, workspace, and incident ids endpoint url /subscriptions/{{subscriptionid}}/resourcegroups/{{resourcegroupname}}/providers/microsoft operationalinsights/workspaces/{{workspacename}}/providers/microsoft securityinsights/incidents/{{incidentid}}/comments/{{incidentcommentid}} method get input argument name type required description path parameters subscriptionid string required parameters for the get incident comment action path parameters resourcegroupname string required parameters for the get incident 
comment action path parameters workspacename string required parameters for the get incident comment action path parameters incidentid string required parameters for the get incident comment action path parameters incidentcommentid string required parameters for the get incident comment action parameters api version string required parameters for the get incident comment action input example {"parameters" {"api version" "2023 02 01"},"path parameters" {"subscriptionid" "38d4cde9 8ef2 4c61 bc61 7fa8658ab74b","resourcegroupname" "test","workspacename" "swimlaneazuresentinel","incidentid" "99353b3a 794c 4d8a ac01 df3f109900ed","incidentcommentid" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier name string name of the resource type string type of the resource etag string output field etag properties object output field properties properties message string response message properties createdtimeutc string output field properties createdtimeutc properties lastmodifiedtimeutc string output field properties lastmodifiedtimeutc properties author object output field properties author properties author objectid string unique identifier properties author email string output field properties author email properties author userprincipalname string name of the resource properties author name string name of the resource output example {"status code" 200,"response headers" {"cache control" "no cache","pragma" "no cache","transfer encoding" "chunked","content type" "application/json; charset=utf 8","content encoding" "gzip","expires" " 1","vary" "accept encoding","server" "kestrel","x ms ratelimit remaining subscription resource requests" "499","x ms request id" "aa473e1f 78ce 4466 a0c6 f14359c755a2","x ms correlation request id" "aa473e1f 78ce 4466 a0c6 f14359c755a2","x ms routing request id" "centralindia 20240118t092209z\ aa4 get saved searches retrieves a specific 
saved search from a microsoft azure sentinel workspace using resource group, search id, subscription, and workspace name endpoint url /subscriptions/{{subscriptionid}}/resourcegroups/{{resourcegroupname}}/providers/microsoft operationalinsights/workspaces/{{workspacename}}/savedsearches/{{savedsearchid}} method get input argument name type required description path parameters resourcegroupname string required parameters for the get saved searches action path parameters savedsearchid string required parameters for the get saved searches action path parameters subscriptionid string required parameters for the get saved searches action path parameters workspacename string required parameters for the get saved searches action parameters api version string required parameters for the get saved searches action input example {"parameters" {"api version" "2020 08 01"},"path parameters" {"resourcegroupname" "","savedsearchid" "00000000 0000 0000 0000 00000000000","subscriptionid" "azure subscription 1","workspacename" ""}} output parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier etag string output field etag properties object output field properties properties category string output field properties category properties displayname string name of the resource properties functionalias string output field properties functionalias properties functionparameters string parameters for the get saved searches action properties query string output field properties query properties version number output field properties version output example {"status code" 200,"response headers" {"cache control" "no cache","pragma" "no cache","content type" "application/json; charset=utf 8","expires" " 1","x ms failure cause" "gateway","x ms request id" "54b36bb1 0d41 45b8 a8ba 6f4552f3c8fe","x ms correlation request id" "54b36bb1 0d41 45b8 a8ba 6f4552f3c8fe","x ms routing request id" "jioindiacentral 
20230810t090934z 54b36bb1 0d41 45b8 a8ba 6f4552f3c8fe","strict transport security" "max age=31536000; includesubdomains","x content type options" "nos list alert rules retrieve all alert rules from a specified microsoft azure sentinel workspace, requiring subscription id, resource group, and workspace name endpoint url /subscriptions/{{subscriptionid}}/resourcegroups/{{resourcegroupname}}/providers/microsoft operationalinsights/workspaces/{{workspacename}}/providers/microsoft securityinsights/alertrules method get input argument name type required description parameters api version string required the api version to use for this operation path parameters subscriptionid string required the id of the target subscription path parameters resourcegroupname string required the name of the resource group the name is case insensitive path parameters workspacename string required the name of the workspace regex pattern ^\[a za z0 9]\[a za z0 9 ]+\[a za z0 9]$ input example {"parameters" {"api version" "2024 03 01"}} output parameter type description status code number http status code of the response reason string response reason phrase value array value for the parameter value id string unique identifier value name string name of the resource value type string type of the resource value kind string value for the parameter value etag string value for the parameter value properties object value for the parameter value properties displayname string name of the resource value properties description string value for the parameter value properties alertruletemplatename string name of the resource value properties tactics array value for the parameter value properties severity string value for the parameter value properties enabled boolean value for the parameter value properties lastmodifiedutc string value for the parameter output example {"status code" 200,"response headers" {"cache control" "no store, no cache","pragma" "no cache","content type" "application/json; charset=utf 
8","expires" " 1","strict transport security" "max age=31536000; includesubdomains","x content type options" "nosniff","p3p" "cp=\\"dsp cur otpi ind otri onl fin\\"","x ms request id" "f04749a8 b1d4 42ed a64d 7c0cab024e00","x ms ests server" "2 1 18261 3 eus prodslices","x ms srs" "1 p","x xss protection" "0","set cookie" "fpc=ajlweeqe3n5asdykcuumbb5d3sw4a list by workspace saved searches retrieve all saved searches from a specified log analytics workspace in microsoft azure sentinel, including resource group, subscription id, and workspace name endpoint url /subscriptions/{{subscriptionid}}/resourcegroups/{{resourcegroupname}}/providers/microsoft operationalinsights/workspaces/{{workspacename}}/savedsearches method get input argument name type required description path parameters resourcegroupname string required parameters for the list by workspace saved searches action path parameters subscriptionid string required parameters for the list by workspace saved searches action path parameters workspacename string required parameters for the list by workspace saved searches action parameters api version string required parameters for the list by workspace saved searches action input example {"parameters" {"api version" "2020 08 01"},"path parameters" {"resourcegroupname" "","subscriptionid" "azure subscription 1","workspacename" ""}} output parameter type description status code number http status code of the response reason string response reason phrase value array value for the parameter value id string unique identifier value etag string value for the parameter value properties object value for the parameter value properties displayname string name of the resource value properties category string value for the parameter value properties query string value for the parameter value properties version number value for the parameter value name string name of the resource value type string type of the resource output example {"status code" 200,"response headers" {"cache 
control" "no cache","pragma" "no cache","transfer encoding" "chunked","content type" "application/json; charset=utf 8","content encoding" "gzip","expires" " 1","vary" "accept encoding","x ms ratelimit remaining subscription reads" "11999","request context" "appid=cid v1\ e6336c63 aab2 45f0 996a e5dbab2a1508","x content type options" "nosniff","strict transport security" "max age=31536000; includesubdomains","access control allow origin" " ","x powered list incident alerts retrieve all alerts for a given incident in microsoft azure sentinel, detailing subscription id, resource group, workspace, and incident id endpoint url /subscriptions/{{subscriptionid}}/resourcegroups/{{resourcegroupname}}/providers/microsoft operationalinsights/workspaces/{{workspacename}}/providers/microsoft securityinsights/incidents/{{incidentid}}/alerts method post input argument name type required description path parameters subscriptionid string required the id of the target subscription path parameters resourcegroupname string required the name of the resource group the name is case insensitive path parameters workspacename string required the name of the workspace regex pattern ^\[a za z0 9]\[a za z0 9 ]+\[a za z0 9]$ path parameters incidentid string required incident id parameters api version string required the api version to use for this action input example {"path parameters" {"subscriptionid" "string","resourcegroupname" "example name","workspacename" "example name","incidentid" "string"},"parameters" {"api version" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase value array value for the parameter value id string unique identifier value name string name of the resource value type string type of the resource value kind string value for the parameter value properties object value for the parameter value properties systemalertid string unique identifier value properties tactics array value for the 
parameter value properties tactics file name string name of the resource value properties tactics file string value for the parameter value properties alertdisplayname string name of the resource value properties description string value for the parameter value properties confidencelevel string unique identifier value properties severity string value for the parameter value properties vendorname string name of the resource value properties productname string name of the resource value properties productcomponentname string name of the resource value properties alerttype string type of the resource value properties processingendtime string value for the parameter value properties status string status value value properties endtimeutc string value for the parameter value properties starttimeutc string value for the parameter value properties timegenerated string value for the parameter output example {"status code" 200,"response headers" {"cache control" "no cache","pragma" "no cache","transfer encoding" "chunked","content type" "application/json; charset=utf 8","content encoding" "gzip","expires" " 1","vary" "accept encoding","server" "kestrel","x ms ratelimit remaining subscription resource requests" "499","x ms request id" "8745ade4 8c1e 4c0b beec 2969c4a779e9","x ms correlation request id" "8745ade4 8c1e 4c0b beec 2969c4a779e9","x ms routing request id" "southindia 20230729t111826z 8745a list incident bookmarks retrieve all bookmarks linked to a specific incident in microsoft azure sentinel, including necessary ids for subscription, resource group, workspace, and incident endpoint url /subscriptions/{{subscriptionid}}/resourcegroups/{{resourcegroupname}}/providers/microsoft operationalinsights/workspaces/{{workspacename}}/providers/microsoft securityinsights/incidents/{{incidentid}}/bookmarks method post input argument name type required description path parameters subscriptionid string required the id of the target subscription path parameters resourcegroupname 
string required the name of the resource group the name is case insensitive path parameters workspacename string required the name of the workspace regex pattern ^\[a za z0 9]\[a za z0 9 ]+\[a za z0 9]$ path parameters incidentid string required incident id parameters api version string required the api version to use for this action input example {"path parameters" {"subscriptionid" "string","resourcegroupname" "example name","workspacename" "example name","incidentid" "string"},"parameters" {"api version" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase value array value for the parameter value id string unique identifier value name string name of the resource value type string type of the resource value kind string value for the parameter value properties object value for the parameter value properties displayname string name of the resource value properties created string value for the parameter value properties updated string value for the parameter value properties createdby object value for the parameter value properties createdby objectid string unique identifier value properties createdby email string value for the parameter value properties createdby name string name of the resource value properties updatedby object value for the parameter value properties updatedby objectid string unique identifier value properties updatedby email string value for the parameter value properties updatedby name string name of the resource value properties eventtime string value for the parameter value properties labels array value for the parameter value properties labels file name string name of the resource value properties labels file string value for the parameter value properties query string value for the parameter value properties queryresult string value for the parameter output example {"status code" 200,"response headers" {"cache control" "no cache","pragma" "no cache","transfer 
encoding" "chunked","content type" "application/json; charset=utf 8","content encoding" "gzip","expires" " 1","vary" "accept encoding","server" "kestrel","x ms ratelimit remaining subscription resource requests" "499","x ms request id" "fa5a78c9 cc33 4e7e 9aa1 800086279fbd","x ms correlation request id" "fa5a78c9 cc33 4e7e 9aa1 800086279fbd","x ms routing request id" "southindia 20230729t112006z\ fa5a7 list incident comments retrieve all comments for a given incident in microsoft azure sentinel, requiring subscriptionid, resourcegroupname, workspacename, and incidentid endpoint url /subscriptions/{{subscriptionid}}/resourcegroups/{{resourcegroupname}}/providers/microsoft operationalinsights/workspaces/{{workspacename}}/providers/microsoft securityinsights/incidents/{{incidentid}}/comments method get input argument name type required description path parameters subscriptionid string required parameters for the list incident comments action path parameters resourcegroupname string required parameters for the list incident comments action path parameters workspacename string required parameters for the list incident comments action path parameters incidentid string required parameters for the list incident comments action parameters api version string required parameters for the list incident comments action parameters $filter string optional parameters for the list incident comments action parameters $orderby string optional parameters for the list incident comments action parameters $skiptoken string optional parameters for the list incident comments action parameters $top number optional parameters for the list incident comments action input example {"parameters" {"api version" "2023 02 01","$filter" "string","$orderby" "string","$skiptoken" "string","$top" 10},"path parameters" {"subscriptionid" "38d4cde9 8ef2 4c61 bc61 7fa8658ab74b","resourcegroupname" "test","workspacename" "swimlaneazuresentinel","incidentid" "99353b3a 794c 4d8a ac01 df3f109900ed"}} output 
parameter type description status code number http status code of the response reason string response reason phrase value array value for the parameter value id string unique identifier value name string name of the resource value type string type of the resource value etag string value for the parameter value properties object value for the parameter value properties message string value for the parameter value properties createdtimeutc string value for the parameter value properties lastmodifiedtimeutc string value for the parameter value properties author object value for the parameter value properties author objectid string unique identifier value properties author email string value for the parameter value properties author userprincipalname string name of the resource value properties author name string name of the resource output example {"status code" 200,"response headers" {"cache control" "no cache","pragma" "no cache","transfer encoding" "chunked","content type" "application/json; charset=utf 8","content encoding" "gzip","expires" " 1","vary" "accept encoding","server" "kestrel","x ms ratelimit remaining subscription resource requests" "499","x ms request id" "aa473e1f 78ce 4466 a0c6 f14359c755a2","x ms correlation request id" "aa473e1f 78ce 4466 a0c6 f14359c755a2","x ms routing request id" "centralindia 20240118t092209z\ aa4 list incident entities retrieve all entities associated with a given incident in microsoft azure sentinel, including details like subscriptionid, resourcegroupname, workspacename, and incidentid endpoint url /subscriptions/{{subscriptionid}}/resourcegroups/{{resourcegroupname}}/providers/microsoft operationalinsights/workspaces/{{workspacename}}/providers/microsoft securityinsights/incidents/{{incidentid}}/entities method post input argument name type required description path parameters subscriptionid string required the id of the target subscription path parameters resourcegroupname string required the name of the resource group 
the name is case insensitive path parameters workspacename string required the name of the workspace regex pattern ^\[a za z0 9]\[a za z0 9 ]+\[a za z0 9]$ path parameters incidentid string required incident id parameters api version string required the api version to use for this action input example {"path parameters" {"subscriptionid" "string","resourcegroupname" "example name","workspacename" "example name","incidentid" "string"},"parameters" {"api version" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase entities array output field entities entities id string unique identifier entities name string name of the resource entities type string type of the resource entities kind string output field entities kind entities properties object output field entities properties entities properties friendlyname string name of the resource entities properties accountname string name of the resource entities properties ntdomain string output field entities properties ntdomain metadata array response data metadata entitykind string response data metadata count number response data output example {"status code" 200,"response headers" {"cache control" "no cache","pragma" "no cache","transfer encoding" "chunked","content type" "application/json; charset=utf 8","content encoding" "gzip","expires" " 1","vary" "accept encoding","server" "kestrel","x ms ratelimit remaining subscription resource requests" "499","x ms request id" "48c22610 cfa7 4ba0 9315 fd8bbd2aadba","x ms correlation request id" "48c22610 cfa7 4ba0 9315 fd8bbd2aadba","x ms routing request id" "southindia 20230729t122235z 48c22 list incidents retrieve all incidents from microsoft azure sentinel by specifying subscription id, resource group, and workspace name endpoint url /subscriptions/{{subscriptionid}}/resourcegroups/{{resourcegroupname}}/providers/microsoft operationalinsights/workspaces/{{workspacename}}/providers/microsoft 
securityinsights/incidents

Method: GET

Input arguments:

- path_parameters.subscriptionId (string, required): the ID of the target subscription.
- path_parameters.resourceGroupName (string, required): the name of the resource group. The name is case insensitive.
- path_parameters.workspaceName (string, required): the name of the workspace. Regex pattern: ^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$
- parameters.api-version (string, required): the API version to use for this action.
- parameters.$filter (string, optional): filter the results, based on a boolean condition.
- parameters.$orderby (string, optional): sort the results.
- parameters.$skiptoken (string, optional): skipToken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skipToken parameter that specifies a starting point to use for subsequent calls.
- parameters.$top (number, optional): return only the first n results.

Input example:

{"path_parameters": {"subscriptionId": "string", "resourceGroupName": "example-name", "workspaceName": "example-name"}, "parameters": {"api-version": "string", "$filter": "string", "$orderby": "string", "$skiptoken": "string", "$top": 123}}

Output:

- status_code (number): HTTP status code of the response.
- reason (string): response reason phrase.
- value (array): value for the parameter value.
- value.id (string): unique identifier.
- value.name (string): name of the resource.
- value.etag (string): value for the parameter value.
- value.type (string): type of the resource.
- value.properties (object): value for the parameter value.
- value.properties.title (string): value for the parameter value.
- value.properties.description (string): value for the parameter value.
- value.properties.severity (string): value for the parameter value.
- value.properties.status (string): status value.
- value.properties.owner (object): value for the parameter value.
- value.properties.owner.objectId (object): unique identifier.
- value.properties.owner.email (object): value for the parameter value.
- value.properties.owner.assignedTo (object): value for the parameter value.
- value.properties.owner.userPrincipalName (object): name of the resource.
- value.properties.labels (array): value for the parameter value.
- value.properties.labels.file_name (string): name of the resource.
- value.properties.labels.file (string): value for the parameter value.
- value.properties.firstActivityTimeUtc (string): value for the parameter value.
- value.properties.lastActivityTimeUtc (string): value for the parameter value.
- value.properties.lastModifiedTimeUtc (string): value for the parameter value.
- value.properties.createdTimeUtc (string): value for the parameter value.
- value.properties.incidentNumber (number): unique identifier.

Output example (cut off in the source):

{"status_code": 200, "response_headers": {"cache-control": "no-cache", "pragma": "no-cache", "transfer-encoding": "chunked", "content-type": "application/json; charset=utf-8", "content-encoding": "gzip", "expires": "-1", "vary": "accept-encoding", "server": "Kestrel", "x-ms-ratelimit-remaining-subscription-reads": "11999", "x-ms-request-id": "b0182057-82a0-4253-aa3c-5be0c8ab9809", "x-ms-correlation-request-id": "b0182057-82a0-4253-aa3c-5be0c8ab9809", "x-ms-routing-request-id": "SOUTHINDIA:20230729T110918Z:b0182057-82a0-4

Run Analytics Query

Executes an analytics query in Microsoft Azure Sentinel using a workspace ID and a specific query string, optionally specifying the API version.

Endpoint URL: /v1/workspaces/{{workspaceId}}/query

Method: GET

Input arguments:

- path_parameters.workspaceId (string, required): parameters for the Run Analytics Query action.
- parameters.query (string, required): the analytics query.
- parameters.timespan (string, optional): the timespan over which to query data. This is an ISO 8601 time period value. This timespan is applied in addition to any that are specified in the query expression.
- parameters.api-version (string, required): the API version to use for this action.

Input example:

{"path_parameters": {"workspaceId": "string"}, "parameters": {"query": "string", "timespan": "string", "api-version": "string"}}

Output:

- status_code (number): HTTP status code of the response.
- reason (string): response reason phrase.
- tables (array): output field tables.
- tables.name (string): name of the resource.
- tables.columns (array): output field tables.columns.
- tables.columns.name (string): name of the resource.
- tables.columns.type (string): type of the resource.
- tables.rows (array): output field tables.rows.

Output example (cut off in the source):

{"status_code": 200, "response_headers": {"date": "Fri, 11 Aug 2023 03:08:43 GMT", "content-type": "application/json; charset=utf-8", "transfer-encoding": "chunked", "connection": "keep-alive", "via": "1.1 draft-oms-74c8fb9684-6rv8g", "x-content-type-options": "nosniff", "access-control-allow-origin": "*", "access-control-expose-headers": "retry-after,age,www-authenticate,x-resource-identities,x-ms-status-location", "vary": "accept-encoding", "content-encoding": "gzip", "strict-transport-security": "max-age=15724800; i

Update Incident Comment

Create or update a comment on an incident within Microsoft Azure Sentinel using identifiers such as subscriptionId, resourceGroupName, workspaceName, incidentId, and incidentCommentId.

Endpoint URL: /subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/incidents/{{incidentId}}/comments/{{incidentCommentId}}

Method: PUT

Input arguments:

- path_parameters.subscriptionId (string, required): parameters for the Update Incident Comment action.
- path_parameters.resourceGroupName (string, required): parameters for the Update Incident Comment action.
- path_parameters.workspaceName (string, required): parameters for the Update Incident Comment action.
- path_parameters.incidentId (string, required): parameters for the Update Incident Comment action.
- path_parameters.incidentCommentId (string, required): parameters for the Update Incident Comment action.
- parameters.api-version (string, required): parameters for the Update Incident Comment action.
- properties (object, optional): parameter for Update Incident Comment.
- properties.message (string, required): response message.
- etag (string, optional): parameter for Update Incident Comment.

Input example:

{"parameters": {"api-version": "2023-02-01"}, "json_body": {"properties": {"message": "some message"}, "etag": "string"}, "path_parameters": {"subscriptionId": "38d4cde9-8ef2-4c61-bc61-7fa8658ab74b", "resourceGroupName": "test", "workspaceName": "swimlaneazuresentinel", "incidentId": "99353b3a-794c-4d8a-ac01-df3f109900ed", "incidentCommentId": "string"}}

Output:

- status_code (number): HTTP status code of the response.
- reason (string): response reason phrase.
- id (string): unique identifier.
- name (string): name of the resource.
- type (string): type of the resource.
- etag (string): output field etag.
- properties (object): output field properties.
- properties.message (string): response message.
- properties.createdTimeUtc (string): output field properties.createdTimeUtc.
- properties.lastModifiedTimeUtc (string): output field properties.lastModifiedTimeUtc.
- properties.author (object): output field properties.author.
- properties.author.objectId (string): unique identifier.
- properties.author.email (string): output field properties.author.email.
- properties.author.userPrincipalName (string): name of the resource.
- properties.author.name (string): name of the resource.

Output example (cut off in the source):

{"status_code": 200, "response_headers": {"cache-control": "no-cache", "pragma": "no-cache", "transfer-encoding": "chunked", "content-type": "application/json; charset=utf-8", "content-encoding": "gzip", "expires": "-1", "vary": "accept-encoding", "server": "Kestrel", "x-ms-ratelimit-remaining-subscription-resource-requests": "499", "x-ms-request-id": "aa473e1f-78ce-4466-a0c6-f14359c755a2", "x-ms-correlation-request-id": "aa473e1f-78ce-4466-a0c6-f14359c755a2", "x-ms-routing-request-id": "CENTRALINDIA:20240118T092209Z:aa4

Response Headers

Header: description. Example value.

- access-control-allow-origin: HTTP response header access-control-allow-origin. Example: *
- access-control-expose-headers: HTTP response header access-control-expose-headers. Example: retry-after,age,www-authenticate,x-resource-identities,x-ms-status-location
- cache-control: directives for caching mechanisms. Example: no-store, no-cache
- connection: HTTP response header connection. Example: keep-alive
- content-encoding: HTTP response header content-encoding. Example: gzip
- content-length: the length of the response body in bytes. Example: 0
- content-type: the media type of the resource. Example: application/json; charset=utf-8
- date: the date and time at which the message was originated. Example: Sat, 29 Jul 2023 12:04:25 GMT
- expires: the date/time after which the response is considered stale. Example: -1
- p3p: HTTP response header p3p. Example: CP="DSP CUR OTPi IND OTRi ONL FIN"
- pragma: HTTP response header pragma. Example: no-cache
- request-context: HTTP response header request-context. Example: appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508
- server: information about the software used by the origin server. Example: Kestrel
- set-cookie: HTTP response header set-cookie. Example: fpc=ajlweeqe3n5asdykcuumbb5d3sw4aqaaak9y 90oaaaa; expires=Fri, 12 Jul 2024 10:42:55 GMT; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly, stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
- strict-transport-security: HTTP response header strict-transport-security. Example: max-age=31536000; includeSubDomains
- transfer-encoding: HTTP response header transfer-encoding. Example: chunked
- vary: HTTP response header vary. Example: accept-encoding
- via: HTTP response header via. Example: 1.1 draft-oms-74c8fb9684-6rv8g
- x-content-type-options: HTTP response header x-content-type-options. Example: nosniff
- x-ms-correlation-request-id: HTTP response header x-ms-correlation-request-id. Example: 80a0943c-0eaa-4a3d-bac9-1e4e4eae73db
- x-ms-ests-server: HTTP response header x-ms-ests-server. Example: 2.1.18261.3 - EUS ProdSlices
- x-ms-failure-cause: HTTP response header x-ms-failure-cause. Example: gateway
- x-ms-ratelimit-remaining-subscription-deletes: HTTP response header x-ms-ratelimit-remaining-subscription-deletes. Example: 14999
- x-ms-ratelimit-remaining-subscription-reads: HTTP response header x-ms-ratelimit-remaining-subscription-reads. Example: 11999
- x-ms-ratelimit-remaining-subscription-resource-requests: HTTP response header x-ms-ratelimit-remaining-subscription-resource-requests. Example: 499
- x-ms-ratelimit-remaining-subscription-writes: HTTP response header x-ms-ratelimit-remaining-subscription-writes. Example: 1199
- x-ms-request-id: HTTP response header x-ms-request-id. Example: dee963e1-17f2-461b-83a1-321ca07cb530
- x-ms-routing-request-id: HTTP response header x-ms-routing-request-id. Example: JIOINDIACENTRAL:20230810T104541Z:1744d53b-b782-4116-9086-1ef0d39b76ba
- x-ms-srs: HTTP response header x-ms-srs. Example: 1.P
- x-powered-by: HTTP response header x-powered-by. Example: ASP.NET
- x-xss-protection: HTTP response header x-xss-protection. Example: 0
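The $top/$skiptoken pagination described for the List Incidents action, as an added example that is not Swimlane's or Microsoft's code: the HTTP call is injected as a fetch(url, params) callable so the walker runs offline, fake_fetch is a constructed stand-in that serves two pages, and iter_incidents, incident_names and skiptoken_from_nextlink are hypothetical helper names.

```python
"""Follow nextLink/$skiptoken across pages of the List Incidents action.

Added example, not the connector's code. fetch(url, params) -> dict is injected
so this runs offline; fake_fetch below serves two constructed pages."""
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, urlparse

HOST = "https://management.azure.com"   # host URL for incident management actions
INCIDENTS_PATH = ("/subscriptions/{sub}/resourceGroups/{rg}/providers/"
                  "Microsoft.OperationalInsights/workspaces/{ws}/providers/"
                  "Microsoft.SecurityInsights/incidents")


def skiptoken_from_nextlink(next_link: str) -> str:
    """Pull the $skiptoken query parameter out of a nextLink URL ("" if absent)."""
    tokens = parse_qs(urlparse(next_link).query).get("$skiptoken", [])
    return tokens[0] if tokens else ""


def iter_incidents(fetch: Callable[[str, Dict], Dict], sub: str, rg: str, ws: str,
                   api_version: str, top: int = 50, filter_expr: Optional[str] = None,
                   max_pages: int = 100) -> Iterator[Dict]:
    """Yield every incident; $top bounds each page, $skiptoken resumes the next one."""
    url = HOST + INCIDENTS_PATH.format(sub=sub, rg=rg, ws=ws)
    params: Dict = {"api-version": api_version, "$top": top}
    if filter_expr:
        params["$filter"] = filter_expr        # OData boolean condition from the caller
    seen = set()                                # tokens already used: detects a loop
    for _ in range(max_pages):
        page = fetch(url, params)
        yield from page.get("value", [])
        next_link = page.get("nextLink")
        if not next_link:
            return                              # no partial result: this was the last page
        token = skiptoken_from_nextlink(next_link)
        if not token or token in seen:
            raise RuntimeError("nextLink without a fresh $skiptoken")
        seen.add(token)
        params = {**params, "$skiptoken": token}
    raise RuntimeError(f"gave up after {max_pages} pages")


def fake_fetch(url: str, params: Dict) -> Dict:
    """Constructed stand-in for the API: page 1 carries a nextLink, page 2 does not."""
    if "$skiptoken" not in params:
        return {"value": [{"name": "inc-1"}, {"name": "inc-2"}],
                "nextLink": f"{url}?api-version={params['api-version']}&$skiptoken=tok1"}
    assert params["$skiptoken"] == "tok1"
    return {"value": [{"name": "inc-3"}]}


def incident_names(fetch: Callable[[str, Dict], Dict] = fake_fetch) -> List[str]:
    return [i["name"] for i in iter_incidents(fetch, "sub-id", "rg", "ws", "2023-02-01", top=2)]
```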
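The Run Analytics Query action's tables/columns/rows output and its ISO 8601 timespan parameter, as an added example that is not the connector's code: SAMPLE_RESPONSE is constructed to match the output shape listed above, and build_query_params and tables_to_records are hypothetical helper names.

```python
"""Build Run Analytics Query parameters and flatten its tables into records.

Added example, not the connector's code. SAMPLE_RESPONSE is constructed to
match the page's output shape; its KQL and values are illustrative."""
import re
from typing import Any, Dict, List, Optional

# ISO 8601 duration (P1D, PT12H) or a start/end pair (start/end, start/P1D, P1D/end)
_DURATION = (r"P(?:\d+Y)?(?:\d+M)?(?:\d+W)?(?:\d+D)?"
             r"(?:T(?:\d+H)?(?:\d+M)?(?:\d+(?:\.\d+)?S)?)?")
_TIMESPAN_RE = re.compile(rf"^(?:{_DURATION}|[^/]+/[^/]+)$")


def build_query_params(query: str, timespan: Optional[str], api_version: str) -> Dict[str, str]:
    """Query parameters for the action; timespan narrows the window on top of the query."""
    if not query.strip():
        raise ValueError("query is required")
    params = {"query": query, "api-version": api_version}
    if timespan:
        if not _TIMESPAN_RE.match(timespan):
            raise ValueError(f"timespan is not an ISO 8601 period: {timespan!r}")
        params["timespan"] = timespan
    return params


def tables_to_records(response: Dict[str, Any]) -> Dict[str, List[Dict[str, Any]]]:
    """Map each table name to a list of {column name: cell} dicts (rows are positional)."""
    out: Dict[str, List[Dict[str, Any]]] = {}
    for table in response.get("tables", []):
        names = [col["name"] for col in table["columns"]]
        records = []
        for row in table["rows"]:
            if len(row) != len(names):          # malformed row: fail loudly, not silently
                raise ValueError(f"row width {len(row)} != {len(names)} columns")
            records.append(dict(zip(names, row)))
        out[table["name"]] = records
    return out


SAMPLE_RESPONSE = {  # constructed sample, shaped like the action's output
    "status_code": 200,
    "tables": [{
        "name": "PrimaryResult",
        "columns": [{"name": "TimeGenerated", "type": "datetime"},
                    {"name": "Account", "type": "string"},
                    {"name": "FailedLogons", "type": "long"}],
        "rows": [["2023-08-11T03:08:43Z", "alice@contoso.example", 12],
                 ["2023-08-11T03:09:01Z", "svc-backup@contoso.example", 3]],
    }],
}
```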