# Microsoft Azure Sentinel

The Azure Sentinel connector enables seamless integration with Swimlane Turbine, allowing users to automate and orchestrate security workflows within Azure Sentinel.

Microsoft Azure Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution. The Azure Sentinel Turbine connector enables users to automate incident management and alert rule operations within Azure Sentinel directly from the Swimlane platform. By integrating with Azure Sentinel, Swimlane Turbine users can streamline their security workflows, enhance incident response, and leverage Azure's extensive security telemetry for improved threat detection and management.

## Prerequisites

Before integrating Microsoft Azure Sentinel with Swimlane Turbine, ensure you have the following prerequisites:

- OAuth 2.0 client credentials for secure authentication, which include:
  - URL: the endpoint URL for Azure Sentinel API access
  - Client ID: the unique identifier for your registered Azure application
  - Client Secret: the secret key generated for your Azure application to establish secure communication
  - Token URL: the URL to retrieve the authentication token from Azure Active Directory

### Token URL

Use the following as the Token URL:

- To run the Log Analytics Query action, use `https://login.microsoftonline.com/{tenant_id}/oauth2/token`
- For all other actions, use `https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token`

### Host URL

- To run the Log Analytics Query action, use `https://api.loganalytics.azure.com/`
- For all other actions, use `https://management.azure.com/`

### Action Setup

To run the incident management actions, you need a Resource Group Name, Subscription ID and Workspace Name.

### Steps to create the Azure app

1. Go to the App registrations page (https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) in the Azure portal.
2. Click New registration.
3. Enter a name for your new application and choose "Accounts in this organizational directory only", then click Register at the bottom.
4. Navigate to the API permissions tab on the left navigation menu.
5. Select Add a permission.
6. Add the following permissions:
   - Microsoft Graph / SecurityEvents.ReadWrite.All
   - WindowsDefenderATP / Alert.ReadWrite.All
7. Navigate to the Certificates & secrets tab and select New client secret.
8. Fill out the description and expiration, then click the Add button at the bottom. The Value of the secret you just created is the Client Secret needed for the Swimlane asset.
9. Navigate to the Overview tab on the left menu. The Client ID and Tenant ID needed in the asset are shown on this page.
10. Go back to the main Azure portal window, click on your app overview, and copy the following values:
    - Resource Group Name
    - Subscription ID
    - Workspace Name
    - Workspace ID

## Capabilities

The Microsoft Azure Sentinel connector provides the following capabilities:

- Create or Update Fusion Alert Rule
- Create or Update Incident
- Create or Update MSSIC (MicrosoftSecurityIncidentCreation) Alert Rule
- Create or Update Saved Searches
- Create or Update Scheduled Alert Rule
- Delete Alert Rules
- Delete Incident
- Delete Incident Comments
- Delete Saved Searches
- Get Alert Entities
- Get Alert Rules by Rule ID
- Get Entity Insights
- Get Incident
- Get Incident Comment
- Get Saved Searches
- And so on

## Known Issues

If you get a 403 HTTP error, you have to add the Azure app to the Sentinel workspace and assign the Contributor role to it.

## Configurations

### MS Azure Sentinel OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | Required |
| token_url | | string | Required |
| client_id | The client ID | string | Required |
| client_secret | The client secret | string | Required |
| scope | Permission scopes for this action | array | Optional |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

## Actions

### Add Comment to Incident

Adds a user-defined comment to a specified incident in Microsoft Azure Sentinel, utilizing subscription, resource group, workspace and incident identifiers.

- Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/incidents/{{incidentId}}/comments/{{incidentCommentId}}`
- Method: PUT

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| api-version | string | Required | API version for the operation |
| subscriptionId | string | Required | Azure subscription ID. Pattern is `^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$` |
| resourceGroupName | string | Required | The name of the resource group within the user's subscription. The name is case insensitive. minLength is 1, maxLength is 90, pattern is `^[-\w\._\(\)]+$` |
| workspaceName | string | Required | The name of the workspace. minLength is 1, maxLength is 90 |
| incidentId | string | Required | Unique identifier |
| incidentCommentId | string | Required | Unique identifier |
| properties | object | Required | Parameter for Add Comment to Incident |
| message | string | Required | The comment message |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| properties | object | Output field properties |
| message | string | Response message |
| createdTimeUtc | string | Output field createdTimeUtc |
| author | object | Output field author |
| objectId | string | Unique identifier |
| email | string | Output field email |
| userPrincipalName | string | Name of the resource |
| name | string | Name of the resource |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/provider...",
      "name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014",
      "type": "Microsoft.SecurityInsights/incidents/comments",
      "properties": {}
    }
  }
]
```

### Create or Update MSSIC Alert Rule

Create or update a Microsoft Security Incident Creation alert rule in Azure Sentinel, specifying subscription, resource group, workspace and rule details.

- Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/alertRules/{{ruleId}}`
- Method: PUT

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| subscriptionId | string | Required | The ID of the target subscription |
| resourceGroupName | string | Required | The name of the resource group. The name is case insensitive |
| workspaceName | string | Required | The name of the workspace. Regex pattern: `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$` |
| ruleId | string | Required | Alert rule ID |
| api-version | string | Required | The API version to use for this operation |
| etag | string | Optional | Parameter for Create or Update MSSIC Alert Rule |
| kind | string | Optional | Parameter for Create or Update MSSIC Alert Rule |
| properties | object | Required | Parameter for Create or Update MSSIC Alert Rule |
| productFilter | string | Required | Parameter for Create or Update MSSIC Alert Rule |
| displayName | string | Required | The display name for alerts created by this alert rule |
| enabled | boolean | Required | Determines whether this alert rule is enabled or disabled |
| alertRuleTemplateName | string | Optional | The name of the alert rule template used to create this rule |
| description | string | Optional | The description of the alert rule |
| displayNamesExcludeFilter | array | Optional | The alerts' displayNames on which the cases will not be generated |
| displayNamesFilter | array | Optional | The alerts' displayNames on which the cases will be generated |
| severitiesFilter | array | Optional | The alerts' severities on which the cases will be generated |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| etag | string | Output field etag |
| type | string | Type of the resource |
| kind | string | Output field kind |
| properties | object | Output field properties |
| productFilter | string | Output field productFilter |
| severitiesFilter | object | Output field severitiesFilter |
| displayNamesFilter | object | Name of the resource |
| displayName | string | Name of the resource |
| enabled | boolean | Output field enabled |
| description | object | Output field description |
| alertRuleTemplateName | object | Name of the resource |
| lastModifiedUtc | string | Output field lastModifiedUtc |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/provider...",
      "name": "microsoftSecurityIncidentCreationRuleExample",
      "etag": "\"260097e0-0000-0d00-0000-5d6fa88f0000\"",
      "type": "Microsoft.SecurityInsights/alertRules",
      "kind": "MicrosoftSecurityIncidentCreation",
      "properties": {}
    }
  }
]
```

### Create or Update Fusion Alert Rule

Create or update a Fusion alert rule in Microsoft Azure Sentinel, specifying subscription, resource group, workspace and rule ID.

- Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/alertRules/{{ruleId}}`
- Method: PUT

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| subscriptionId | string | Required | The ID of the target subscription |
| resourceGroupName | string | Required | The name of the resource group. The name is case insensitive |
| workspaceName | string | Required | The name of the workspace. Regex pattern: `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$` |
| ruleId | string | Required | Alert rule ID |
| api-version | string | Required | The API version to use for this operation |
| kind | string | Optional | The alert rule kind |
| etag | string | Optional | Etag of the Azure resource |
| properties | object | Required | Parameter for Create or Update Fusion Alert Rule |
| enabled | boolean | Required | Determines whether this alert rule is enabled or disabled |
| alertRuleTemplateName | string | Required | The name of the alert rule template used to create this rule |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| etag | string | Output field etag |
| type | string | Type of the resource |
| kind | string | Output field kind |
| properties | object | Output field properties |
| displayName | string | Name of the resource |
| description | string | Output field description |
| alertRuleTemplateName | string | Name of the resource |
| tactics | array | Output field tactics |
| severity | string | Output field severity |
| enabled | boolean | Output field enabled |
| lastModifiedUtc | string | Output field lastModifiedUtc |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/provider...",
      "name": "myFirstFusionRule",
      "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"",
      "type": "Microsoft.SecurityInsights/alertRules",
      "kind": "Fusion",
      "properties": {}
    }
  }
]
```

### Create or Update Incident

Create or update an incident in Microsoft Azure Sentinel using subscription ID, resource group, workspace name and incident properties.

- Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/incidents/{{incidentId}}`
- Method: PUT

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| subscriptionId | string | Required | The ID of the target subscription |
| resourceGroupName | string | Required | The name of the resource group. The name is case insensitive |
| workspaceName | string | Required | The name of the workspace. Regex pattern: `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$` |
| incidentId | string | Required | Incident ID |
| api-version | string | Required | The API version to use for this action |
| etag | string | Optional | Parameter for Create or Update Incident |
| properties | object | Required | Parameter for Create or Update Incident |
| lastActivityTimeUtc | string | Optional | The time of the last activity in the incident |
| firstActivityTimeUtc | string | Optional | The time of the first activity in the incident |
| description | string | Optional | The description of the incident |
| title | string | Required | The title of the incident |
| owner | object | Optional | Describes a user that the incident is assigned to |
| assignedTo | string | Optional | Parameter for Create or Update Incident |
| email | string | Optional | Parameter for Create or Update Incident |
| objectId | string | Optional | Unique identifier |
| ownerType | string | Optional | Type of the resource |
| userPrincipalName | string | Optional | Name of the resource |
| severity | string | Required | The severity of the incident |
| classification | string | Optional | The reason the incident was closed |
| classificationComment | string | Optional | Describes the reason the incident was closed |
| classificationReason | string | Optional | The classification reason the incident was closed with |
| status | string | Required | The status of the incident |
| labels | array | Optional | List of labels relevant to this incident |
| labelName | string | Optional | Name of the resource |
| labelType | string | Optional | Type of the resource |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| etag | string | Output field etag |
| properties | object | Output field properties |
| lastModifiedTimeUtc | string | Output field lastModifiedTimeUtc |
| createdTimeUtc | string | Output field createdTimeUtc |
| lastActivityTimeUtc | string | Output field lastActivityTimeUtc |
| firstActivityTimeUtc | string | Output field firstActivityTimeUtc |
| description | string | Output field description |
| title | string | Output field title |
| owner | object | Output field owner |
| objectId | string | Unique identifier |
| email | string | Output field email |
| userPrincipalName | string | Name of the resource |
| assignedTo | string | Output field assignedTo |
| ownerType | string | Type of the resource |
| severity | string | Output field severity |
| classification | string | Output field classification |
| classificationComment | string | Output field classificationComment |
| classificationReason | string | Response reason phrase |
| status | string | Status value |
| incidentUrl | string | URL endpoint for the request |

#### Example

```json
[
  {
    "status_code": 201,
    "response_headers": {
      "Cache-Control": "no-cache",
      "Pragma": "no-cache",
      "Content-Length": "1480",
      "Content-Type": "application/json; charset=utf-8",
      "Expires": "-1",
      "Server": "Kestrel",
      "x-ms-ratelimit-remaining-subscription-resource-requests": "499",
      "x-ms-request-id": "02b3f250-c3ec-47bc-9bf6-13c2233ea13d",
      "x-ms-correlation-request-id": "02b3f250-c3ec-47bc-9bf6-13c2233ea13d",
      "x-ms-routing-request-id": "SOUTHINDIA:20230729T120425Z:02b3f250-c3ec-47bc-9bf6-13c2233ea13d",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "X-Content-Type-Options": "nosniff",
      "Date": "Sat, 29 Jul 2023 12:04:25 GMT"
    },
    "reason": "Created",
    "json_body": {
      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/provider...",
      "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
      "type": "Microsoft.SecurityInsights/incidents",
      "etag": "\"0300bf09-0000-0000-0000-5c37296e0001\"",
      "properties": {}
    }
  }
]
```

### Create or Update Saved Searches

Create or update saved searches in Microsoft Azure Sentinel, specifying resource group, search ID, subscription, workspace name and properties.

- Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/savedSearches/{{savedSearchId}}`
- Method: PUT

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| resourceGroupName | string | Required | The name of the resource group. The name is case insensitive |
| savedSearchId | string | Required | The ID of the saved search |
| subscriptionId | string | Required | The ID of the target subscription |
| workspaceName | string | Required | The name of the workspace. Regex pattern: `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$` |
| api-version | string | Required | The API version to use for this operation |
| etag | string | Optional | The ETag of the saved search. To override an existing saved search, use `"*"` or specify the current ETag |
| properties | object | Required | Parameter for Create or Update Saved Searches |
| category | string | Required | The category of the saved search. This helps the user to find a saved search faster |
| displayName | string | Required | Saved search display name |
| functionAlias | string | Optional | The function alias if query serves as a function |
| functionParameters | string | Optional | The optional function parameters if query serves as a function |
| query | string | Required | The query expression for the saved search |
| tags | array | Optional | The tags attached to the saved search |
| name | string | Optional | Name of the resource |
| value | string | Optional | Value for the parameter |
| version | number | Optional | The version number of the query language. The current version is 2 and is the default |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| etag | string | Output field etag |
| properties | object | Output field properties |
| category | string | Output field category |
| displayName | string | Name of the resource |
| query | string | Output field query |
| version | number | Output field version |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Cache-Control": "no-cache",
      "Pragma": "no-cache",
      "Transfer-Encoding": "chunked",
      "Content-Type": "application/json; charset=utf-8",
      "Content-Encoding": "gzip",
      "Expires": "-1",
      "Vary": "Accept-Encoding",
      "x-ms-ratelimit-remaining-subscription-writes": "1199",
      "Request-Context": "appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508",
      "X-Content-Type-Options": "nosniff",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "Access-Control-Allow-Origin": "*",
      "X-Powered-By": "ASP.NET",
      "x-ms-request-id": "23dc562b-c32f-4155-ae6a-81f1f7962b77",
      "x-ms-correlation-request-id": "23dc562b-c32f-4155-ae6a-81f1f7962b77"
    },
    "reason": "OK",
    "json_body": {
      "id": "/subscriptions/38d4cde9-8ef2-4c61-bc61-7fa8658ab74b/resourceGroups/test/provider...",
      "etag": "W/\"datetime'2023-08-10T10%3A40%3A18.6215548Z'\"",
      "properties": {}
    }
  }
]
```

### Create or Update Scheduled Alert Rule

Create or update a ScheduledAlertRule in Microsoft Azure Sentinel using subscription ID, resource group, workspace name and rule ID.

- Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/alertRules/{{ruleId}}`
- Method: PUT

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| subscriptionId | string | Required | The ID of the target subscription |
| resourceGroupName | string | Required | The name of the resource group. The name is case insensitive |
| workspaceName | string | Required | The name of the workspace. Regex pattern: `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$` |
| ruleId | string | Required | Alert rule ID |
| api-version | string | Required | The API version to use for this operation |
| kind | string | Optional | The alert rule kind |
| etag | string | Optional | Etag of the Azure resource |
| properties | object | Required | Parameter for Create or Update Scheduled Alert Rule |
| alertRuleTemplateName | string | Optional | The name of the alert rule template used to create this rule |
| displayName | string | Required | The display name for alerts created by this alert rule |
| description | string | Optional | The description of the alert rule |
| severity | string | Required | The severity for alerts created by this alert rule |
| enabled | boolean | Required | Determines whether this alert rule is enabled or disabled |
| tactics | array | Optional | The tactics of the alert rule |
| techniques | array | Optional | The techniques of the alert rule |
| templateVersion | string | Optional | The version of the alert rule template used to create this rule, in format `<a.b.c>`, where all are numbers, for example 0 `<1.0.2>` |
| query | string | Required | The query that creates alerts for this rule |
| queryFrequency | string | Required | The frequency (in ISO 8601 duration format) for this alert rule to run |
| queryPeriod | string | Required | The period (in ISO 8601 duration format) that this alert rule looks at |
| triggerOperator | string | Required | The operation against the threshold that triggers the alert rule |
| triggerThreshold | number | Required | The threshold that triggers this alert rule |
| suppressionDuration | string | Required | The suppression (in ISO 8601 duration format) to wait since the last time this alert rule has been triggered |
| suppressionEnabled | boolean | Required | Determines whether the suppression for this alert rule is enabled or disabled |
| eventGroupingSettings | object | Optional | The event grouping settings |
| aggregationKind | string | Optional | The event grouping aggregation kinds |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| kind | string | Output field kind |
| etag | string | Output field etag |
| properties | object | Output field properties |
| alertRuleTemplateName | object | Name of the resource |
| displayName | string | Name of the resource |
| description | string | Output field description |
| severity | string | Output field severity |
| enabled | boolean | Output field enabled |
| tactics | array | Output field tactics |
| query | string | Output field query |
| queryFrequency | string | Output field queryFrequency |
| queryPeriod | string | Output field queryPeriod |
| triggerOperator | string | Output field triggerOperator |
| triggerThreshold | number | Output field triggerThreshold |
| suppressionDuration | string | Output field suppressionDuration |
| suppressionEnabled | boolean | Output field suppressionEnabled |
| lastModifiedUtc | string | Output field lastModifiedUtc |
| eventGroupingSettings | object | Output field eventGroupingSettings |
| aggregationKind | string | Output field aggregationKind |
| customDetails | object | Output field customDetails |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/provider...",
      "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
      "type": "Microsoft.SecurityInsights/alertRules",
      "kind": "Scheduled",
      "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
      "properties": {}
    }
  }
]
```

### Delete Alert Rules

Removes specified alert rules in Microsoft Azure Sentinel by utilizing subscription ID, resource group, workspace name and rule ID.

- Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/alertRules/{{ruleId}}`
- Method: DELETE

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| ruleId | string | Required | Alert rule ID |
| subscriptionId | string | Required | The ID of the target subscription |
| resourceGroupName | string | Required | The name of the resource group. The name is case insensitive |
| workspaceName | string | Required | The name of the workspace. Regex pattern: `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$` |
| api-version | string | Required | The API version to use for this operation |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Delete Incident

Removes a specified incident from Microsoft Azure Sentinel using subscription, resource group, workspace and incident IDs.

- Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/incidents/{{incidentId}}`
- Method: DELETE

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| subscriptionId | string | Required | The ID of the target subscription |
| resourceGroupName | string | Required | The name of the resource group. The name is case insensitive |
| workspaceName | string | Required | The name of the workspace. Regex pattern: `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$` |
| incidentId | string | Required | Incident ID |
| api-version | string | Required | The API version to use for this action |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Cache-Control": "no-cache",
      "Pragma": "no-cache",
      "Transfer-Encoding": "chunked",
      "Content-Type": "application/json; charset=utf-8",
      "Content-Encoding": "gzip",
      "Expires": "-1",
      "Vary": "Accept-Encoding",
      "Server": "Kestrel",
      "x-ms-ratelimit-remaining-subscription-deletes": "14999",
      "x-ms-request-id": "a1c0a95a-ab5c-40ac-819e-fa5d49e3c2db",
      "x-ms-correlation-request-id": "a1c0a95a-ab5c-40ac-819e-fa5d49e3c2db",
      "x-ms-routing-request-id": "SOUTHINDIA:20230729T121753Z:a1c0a95a-ab5c-40ac-819e-fa5d49e3c2db",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "X-Content-Type-Options": "nosniff",
      "Date": "Sat, 29 Jul 2023 12:17:53 GMT"
    },
    "reason": "OK"
  }
]
```

### Delete Incident Comments

Removes a specific comment from an incident in Microsoft Azure Sentinel using identifiers such as incidentCommentId and incidentId.

- Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/incidents/{{incidentId}}/comments/{{incidentCommentId}}`
- Method: DELETE

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| incidentCommentId | string | Required | Incident comment ID |
| subscriptionId | string | Required | The ID of the target subscription |
| resourceGroupName | string | Required | The name of the resource group. The name is case insensitive |
| workspaceName | string | Required | The name of the workspace. Regex pattern is `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$` |
| incidentId | string | Required | Incident ID |
| api-version | string | Required | The API version to use for this operation |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Delete Saved Searches

Removes a specified saved search from an Azure Sentinel workspace using resource group, search ID, subscription ID and workspace name.

- Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/savedSearches/{{savedSearchId}}`
- Method: DELETE

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| resourceGroupName | string | Required | Name of the resource |
| savedSearchId | string | Required | Unique identifier |
| subscriptionId | string | Required | Unique identifier |
| workspaceName | string | Required | Name of the resource |
| api-version | string | Required | Parameter for Delete Saved Searches |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Cache-Control": "no-cache",
      "Pragma": "no-cache",
      "Expires": "-1",
      "x-ms-ratelimit-remaining-subscription-deletes": "14999",
      "Request-Context": "appId=cid-v1:e6336c63-aab2-45f0-996a-e5dbab2a1508",
      "X-Content-Type-Options": "nosniff",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "Access-Control-Allow-Origin": "*",
      "X-Powered-By": "ASP.NET",
      "x-ms-request-id": "1744d53b-b782-4116-9086-1ef0d39b76ba",
      "x-ms-correlation-request-id": "1744d53b-b782-4116-9086-1ef0d39b76ba",
      "x-ms-routing-request-id": "JIOINDIACENTRAL:20230810T104541Z:1744d53b-b782-4116-9086-1ef0d39b76ba",
      "Date": "Thu, 10 Aug 2023 10:45:40 GMT",
      "Content-Length": "0"
    },
    "reason": "OK",
    "response_text": ""
  }
]
```

### Entities Expand

Expands a specific entity in Microsoft Azure Sentinel using entityId, subscriptionId, resourceGroupName and workspaceName.

- Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/entities/{{entityId}}/expand`
- Method: POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| api-version | string | Required | The API version to use for this operation |
| subscriptionId | string | Required | The ID of the target subscription |
| resourceGroupName | string | Required | The name of the resource group. The name is case insensitive |
| workspaceName | string | Required | The name of the workspace. Regex pattern: `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$` |
| entityId | string | Required | Entity ID |
| expansionId | string | Optional | The ID of the expansion to perform |
| startTime | string | Optional | The start date filter, so the only expansion results returned are after this date |
| endTime | string | Optional | The end date filter, so the only expansion results returned are before this date |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| value | object | Value for the parameter |
| entities | array | Output field entities |
| id | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| kind | string | Output field kind |
| properties | object | Output field properties |
| address | string | Output field address |
| friendlyName | string | Name of the resource |
| edges | array | Output field edges |
| targetEntityId | string | Unique identifier |
| additionalData | object | Response data |
| epochTimestamp | string | Output field epochTimestamp |
| firstSeen | string | Output field firstSeen |
| source | string | Output field source |
| metadata | object | Response data |
| aggregations | array | Output field aggregations |
| entityKind | string | Output field entityKind |
| count | number | Count value |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "value": {},
      "metadata": {}
    }
  }
]
```

### Get Alert Rules by Rule ID

Retrieve details for a specific alert rule in Microsoft Azure Sentinel using subscription, resource group, workspace and rule IDs.

- Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/alertRules/{{ruleId}}`
- Method: GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| ruleId | string | Required | Alert rule ID |
| subscriptionId | string | Required | The ID of the target subscription |
| resourceGroupName | string | Required | The name of the resource group. The name is case insensitive |
| workspaceName | string | Required | The name of the workspace. Regex pattern: `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$` |
| api-version | string | Required | The API version to use for this operation |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| etag | string | Output field etag |
| type | string | Type of the resource |
| kind | string | Output field kind |
| properties | object | Output field properties |
| displayName | string | Name of the resource |
| description | string | Output field description |
| alertRuleTemplateName | string | Name of the resource |
| tactics | array | Output field tactics |
| severity | string | Output field severity |
| enabled | boolean | Output field enabled |
| lastModifiedUtc | string | Output field lastModifiedUtc |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/provider...",
      "name": "myFirstFusionRule",
      "etag": "\"260090e2-0000-0d00-0000-5d6fb8670000\"",
      "type": "Microsoft.SecurityInsights/alertRules",
      "kind": "Fusion",
      "properties": {}
    }
  }
]
```

### Get Entity Insights

Retrieve insights for a specified entity in Microsoft Azure Sentinel, including time-bound data. Requires subscriptionId, resourceGroupName, workspaceName, entityId and api-version.

- Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/entities/{{entityId}}/getInsights`
- Method: POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| api-version | string | Required | The API version to use for this operation |
| subscriptionId | string | Required | The ID of the target subscription |
| resourceGroupName | string | Required | The name of the resource group |
| workspaceName | string | Required | The name of the workspace |
| entityId | string | Required | Entity ID |
| addDefaultExtendedTimeRange | boolean | Optional | Indicates if the query time range should be extended with the default time range of the query |
| startTime | string | Required | The start timeline date, so the results returned are after this date |
| endTime | string | Required | The end timeline date, so the results returned are before this date |
| insightQueryIds | array | Optional | List of insights query IDs. If empty, the default value is all insights of this entity |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| value | array | Value for the parameter |
| tableQueryResults | object | Result of the operation |
| columns | array | Output field columns |
| name | string | Name of the resource |
| type | string | Type of the resource |
| rows | array | Output field rows |
| 0 | string | Output field 0 |
| 1 | string | Output field 1 |
| 2 | string | Output field 2 |
| 3 | string | Output field 3 |
| 4 | string | Output field 4 |
| chartQueryResults | array | Result of the operation |
| columns | array | Output field columns |
| name | string | Name of the resource |
| type | string | Type of the resource |
| rows | array | Output field rows |
| 0 | string | Output field 0 |
| 1 | string | Output field 1 |
| 2 | string | Output field 2 |
| queryTimeInterval | object | Output field queryTimeInterval |
| startTime | string | Time value |
| endTime | string | Time value |
| queryId | string | Unique identifier |
| metadata | object | Response data |

#### Example

```json
[
  {
    "status_code": 200,
    "json_body": {
      "value": [],
      "metadata": {}
    }
  }
]
```

### Get Incident

Retrieves detailed information for a specified incident in Microsoft Azure Sentinel using subscription ID, resource group, workspace name and incident ID.

- Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/incidents/{{incidentId}}`
- Method: GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| subscriptionId | string | Required | The ID of the target subscription |
| resourceGroupName | string | Required | The name of the resource group. The name is case insensitive |
| workspaceName | string | Required | The name of the workspace. Regex pattern: `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$` |
| incidentId | string | Required | Incident ID |
| api-version | string | Required | The API version to use for this action |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| etag | string | Output field etag |
| properties | object | Output field properties |
| lastModifiedTimeUtc | string | Output field lastModifiedTimeUtc |
| createdTimeUtc | string | Output field createdTimeUtc |
| lastActivityTimeUtc | string | Output field lastActivityTimeUtc |
| firstActivityTimeUtc | string | Output field firstActivityTimeUtc |
| description | string | Output field description |
| title | string | Output field title |
| owner | object | Output field owner |
| objectId | string | Unique identifier |
| email | string | Output field email |
| userPrincipalName | string | Name of the resource |
| assignedTo | string | Output field assignedTo |
| severity | string | Output field severity |
| classification | string | Output field classification |
| classificationComment | string | Output field classificationComment |
| classificationReason | string | Response reason phrase |
| status | string | Status value |
| incidentUrl | string | URL endpoint for the request |
| incidentNumber | number | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Cache-Control": "no-cache",
      "Pragma": "no-cache",
      "Transfer-Encoding": "chunked",
      "Content-Type": "application/json; charset=utf-8",
      "Content-Encoding": "gzip",
      "Expires": "-1",
      "Vary": "Accept-Encoding",
      "Server": "Kestrel",
      "x-ms-ratelimit-remaining-subscription-reads": "11999",
      "x-ms-request-id": "80a0943c-0eaa-4a3d-bac9-1e4e4eae73db",
      "x-ms-correlation-request-id": "80a0943c-0eaa-4a3d-bac9-1e4e4eae73db",
      "x-ms-routing-request-id": "SOUTHINDIA:20230729T122616Z:80a0943c-0eaa-4a3d-bac9-1e4e4eae73db",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "X-Content-Type-Options": "nosniff",
      "Date": "Sat, 29 Jul 2023 12:26:16 GMT"
    },
    "reason": "OK",
    "json_body": {
      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/provider...",
      "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
      "type": "Microsoft.SecurityInsights/incidents",
      "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
      "properties": {}
    }
  }
]
```

### Get Incident Comment

Retrieve a specific comment from an incident in Microsoft Azure Sentinel using the provided subscription, resource group, workspace and incident IDs.

- Endpoint URL: `/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/incidents/{{incidentId}}/comments/{{incidentCommentId}}`
- Method: GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| subscriptionId | string | Required | Unique identifier |
| resourceGroupName | string | Required | Name of the resource |
| workspaceName | string | Required | Name of the resource |
| incidentId | string | Required | Unique identifier |
| incidentCommentId | string | Required | Unique identifier |
| api-version | string | Required | Parameter for Get Incident Comment |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| etag | string | Output field etag |
| properties | object | Output field properties |
| message | string | Response message |
| createdTimeUtc | string | Output field createdTimeUtc |
| lastModifiedTimeUtc | string | Output field lastModifiedTimeUtc |
| author | object | Output field author |
| objectId | string | Unique identifier |
| email | string | Output field email |
| userPrincipalName | string | Name of the resource |
| name | string | Name of the resource |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Cache-Control": "no-cache",
      "Pragma": "no-cache",
      "Transfer-Encoding": "chunked",
      "Content-Type": "application/json; charset=utf-8",
      "Content-Encoding": "gzip",
      "Expires": "-1",
      "Vary": "Accept-Encoding",
      "Server": "Kestrel",
      "x-ms-ratelimit-remaining-subscription-resource-requests": "499",
      "x-ms-request-id": "aa473e1f-78ce-4466-a0c6-f14359c755a2",
      "x-ms-correlation-request-id": "aa473e1f-78ce-4466-a0c6-f14359c755a2",
      "x-ms-routing-request-id": "CENTRALINDIA:20240118T092209Z:aa473e1f-78ce-4466-a0c6-f14359c755a2",
      "Strict-Transport-Security": "max-age=31536000;
```
includesubdomains", "x content type options" "nosniff", "date" "thu, 18 jan 2024 09 22 08 gmt" }, "reason" "ok", "json body" { "id" "/subscriptions/d0cfe6b2 9ac0 4464 9919 dccaee2e48c0/resourcegroups/myrg/provider ", "name" "4bb36b7b 26ff 4d1c 9cbe 0d8ab3da0014", "type" "microsoft securityinsights/incidents/comments", "etag" "0300bf09 0000 0000 0000 5c37296e0000", "properties" {} } } ] get saved searches retrieves a specific saved search from a microsoft azure sentinel workspace using resource group, search id, subscription, and workspace name endpoint url /subscriptions/{{subscriptionid}}/resourcegroups/{{resourcegroupname}}/providers/microsoft operationalinsights/workspaces/{{workspacename}}/savedsearches/{{savedsearchid}} method get input argument name type required description resourcegroupname string required name of the resource savedsearchid string required unique identifier subscriptionid string required unique identifier workspacename string required name of the resource api version string required parameter for get saved searches output parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier etag string output field etag properties object output field properties category string output field category displayname string name of the resource functionalias string output field functionalias functionparameters string parameters for the get saved searches action query string output field query version number output field version example \[ { "status code" 200, "response headers" { "cache control" "no cache", "pragma" "no cache", "content type" "application/json; charset=utf 8", "expires" " 1", "x ms failure cause" "gateway", "x ms request id" "54b36bb1 0d41 45b8 a8ba 6f4552f3c8fe", "x ms correlation request id" "54b36bb1 0d41 45b8 a8ba 6f4552f3c8fe", "x ms routing request id" "jioindiacentral 20230810t090934z 54b36bb1 0d41 45b8 a8ba 6f4552f3c8fe", "strict transport security" 
"max age=31536000; includesubdomains", "x content type options" "nosniff", "date" "thu, 10 aug 2023 09 09 34 gmt", "content length" "139" }, "reason" "ok", "json body" { "id" "subscriptions/00000000 0000 0000 0000 000000000005/resourcegroups/mms eus/provid ", "etag" "w/\\"datetime'2017 10 02t23%3a15%3a41 0709875z'\\"", "properties" {} } } ] list alert rules retrieve all alert rules from a specified microsoft azure sentinel workspace, requiring subscription id, resource group, and workspace name endpoint url /subscriptions/{{subscriptionid}}/resourcegroups/{{resourcegroupname}}/providers/microsoft operationalinsights/workspaces/{{workspacename}}/providers/microsoft securityinsights/alertrules method get input argument name type required description api version string required the api version to use for this operation subscriptionid string required the id of the target subscription resourcegroupname string required the name of the resource group the name is case insensitive workspacename string required the name of the workspace regex pattern ^\[a za z0 9]\[a za z0 9 ]+\[a za z0 9]$ output parameter type description status code number http status code of the response reason string response reason phrase value array value for the parameter id string unique identifier name string name of the resource type string type of the resource kind string output field kind etag string output field etag properties object output field properties displayname string name of the resource description string output field description alertruletemplatename string name of the resource tactics array output field tactics severity string output field severity enabled boolean output field enabled lastmodifiedutc string output field lastmodifiedutc example \[ { "status code" 200, "response headers" { "cache control" "no store, no cache", "pragma" "no cache", "content type" "application/json; charset=utf 8", "expires" " 1", "strict transport security" "max age=31536000; includesubdomains", "x 
content type options" "nosniff", "p3p" "cp=\\"dsp cur otpi ind otri onl fin\\"", "x ms request id" "f04749a8 b1d4 42ed a64d 7c0cab024e00", "x ms ests server" "2 1 18261 3 eus prodslices", "x ms srs" "1 p", "x xss protection" "0", "set cookie" "fpc=ajlweeqe3n5asdykcuumbb5d3sw4aqaaak9y 90oaaaa; expires=fri, 12 jul 2024 10 42 ", "date" "wed, 12 jun 2024 10 42 55 gmt", "content length" "695" }, "reason" "unauthorized", "json body" { "value" \[] } } ] list by workspace saved searches retrieve all saved searches from a specified log analytics workspace in microsoft azure sentinel, including resource group, subscription id, and workspace name endpoint url /subscriptions/{{subscriptionid}}/resourcegroups/{{resourcegroupname}}/providers/microsoft operationalinsights/workspaces/{{workspacename}}/savedsearches method get input argument name type required description resourcegroupname string required name of the resource subscriptionid string required unique identifier workspacename string required name of the resource api version string required parameter for list by workspace saved searches output parameter type description status code number http status code of the response reason string response reason phrase value array value for the parameter id string unique identifier etag string output field etag properties object output field properties displayname string name of the resource category string output field category query string output field query version number output field version name string name of the resource type string type of the resource example \[ { "status code" 200, "response headers" { "cache control" "no cache", "pragma" "no cache", "transfer encoding" "chunked", "content type" "application/json; charset=utf 8", "content encoding" "gzip", "expires" " 1", "vary" "accept encoding", "x ms ratelimit remaining subscription reads" "11999", "request context" "appid=cid v1\ e6336c63 aab2 45f0 996a e5dbab2a1508", "x content type options" "nosniff", "strict 
transport security" "max age=31536000; includesubdomains", "access control allow origin" " ", "x powered by" "asp net", "x ms request id" "dee963e1 17f2 461b 83a1 321ca07cb530", "x ms correlation request id" "dee963e1 17f2 461b 83a1 321ca07cb530" }, "reason" "ok", "json body" { "value" \[] } } ] list incident alerts retrieve all alerts for a given incident in microsoft azure sentinel, detailing subscription id, resource group, workspace, and incident id endpoint url /subscriptions/{{subscriptionid}}/resourcegroups/{{resourcegroupname}}/providers/microsoft operationalinsights/workspaces/{{workspacename}}/providers/microsoft securityinsights/incidents/{{incidentid}}/alerts method post input argument name type required description subscriptionid string required the id of the target subscription resourcegroupname string required the name of the resource group the name is case insensitive workspacename string required the name of the workspace regex pattern ^\[a za z0 9]\[a za z0 9 ]+\[a za z0 9]$ incidentid string required incident id api version string required the api version to use for this action output parameter type description status code number http status code of the response reason string response reason phrase value array value for the parameter id string unique identifier name string name of the resource type string type of the resource kind string output field kind properties object output field properties systemalertid string unique identifier tactics array output field tactics file name string name of the resource file string output field file alertdisplayname string name of the resource description string output field description confidencelevel string unique identifier severity string output field severity vendorname string name of the resource productname string name of the resource productcomponentname string name of the resource alerttype string type of the resource processingendtime string time value status string status value endtimeutc string 
output field endtimeutc starttimeutc string output field starttimeutc timegenerated string output field timegenerated example \[ { "status code" 200, "response headers" { "cache control" "no cache", "pragma" "no cache", "transfer encoding" "chunked", "content type" "application/json; charset=utf 8", "content encoding" "gzip", "expires" " 1", "vary" "accept encoding", "server" "kestrel", "x ms ratelimit remaining subscription resource requests" "499", "x ms request id" "8745ade4 8c1e 4c0b beec 2969c4a779e9", "x ms correlation request id" "8745ade4 8c1e 4c0b beec 2969c4a779e9", "x ms routing request id" "southindia 20230729t111826z 8745ade4 8c1e 4c0b beec 2969c4a779e9", "strict transport security" "max age=31536000; includesubdomains", "x content type options" "nosniff", "date" "sat, 29 jul 2023 11 18 26 gmt" }, "reason" "ok", "json body" { "value" \[] } } ] list incident bookmarks retrieve all bookmarks linked to a specific incident in microsoft azure sentinel, including necessary ids for subscription, resource group, workspace, and incident endpoint url /subscriptions/{{subscriptionid}}/resourcegroups/{{resourcegroupname}}/providers/microsoft operationalinsights/workspaces/{{workspacename}}/providers/microsoft securityinsights/incidents/{{incidentid}}/bookmarks method post input argument name type required description subscriptionid string required the id of the target subscription resourcegroupname string required the name of the resource group the name is case insensitive workspacename string required the name of the workspace regex pattern ^\[a za z0 9]\[a za z0 9 ]+\[a za z0 9]$ incidentid string required incident id api version string required the api version to use for this action output parameter type description status code number http status code of the response reason string response reason phrase value array value for the parameter id string unique identifier name string name of the resource type string type of the resource kind string output field kind 
properties object output field properties displayname string name of the resource created string output field created updated string output field updated createdby object output field createdby objectid string unique identifier email string output field email name string name of the resource updatedby object output field updatedby objectid string unique identifier email string output field email name string name of the resource eventtime string time value labels array output field labels file name string name of the resource file string output field file query string output field query queryresult string result of the operation example \[ { "status code" 200, "response headers" { "cache control" "no cache", "pragma" "no cache", "transfer encoding" "chunked", "content type" "application/json; charset=utf 8", "content encoding" "gzip", "expires" " 1", "vary" "accept encoding", "server" "kestrel", "x ms ratelimit remaining subscription resource requests" "499", "x ms request id" "fa5a78c9 cc33 4e7e 9aa1 800086279fbd", "x ms correlation request id" "fa5a78c9 cc33 4e7e 9aa1 800086279fbd", "x ms routing request id" "southindia 20230729t112006z\ fa5a78c9 cc33 4e7e 9aa1 800086279fbd", "strict transport security" "max age=31536000; includesubdomains", "x content type options" "nosniff", "date" "sat, 29 jul 2023 11 20 05 gmt" }, "reason" "ok", "json body" { "value" \[] } } ] list incident comments retrieve all comments for a given incident in microsoft azure sentinel, requiring subscriptionid, resourcegroupname, workspacename, and incidentid endpoint url /subscriptions/{{subscriptionid}}/resourcegroups/{{resourcegroupname}}/providers/microsoft operationalinsights/workspaces/{{workspacename}}/providers/microsoft securityinsights/incidents/{{incidentid}}/comments method get input argument name type required description subscriptionid string required unique identifier resourcegroupname string required name of the resource workspacename string required name of the resource 
incidentid string required unique identifier api version string required parameter for list incident comments $filter string optional parameter for list incident comments $orderby string optional parameter for list incident comments $skiptoken string optional parameter for list incident comments $top number optional parameter for list incident comments output parameter type description status code number http status code of the response reason string response reason phrase value array value for the parameter id string unique identifier name string name of the resource type string type of the resource etag string output field etag properties object output field properties message string response message createdtimeutc string output field createdtimeutc lastmodifiedtimeutc string output field lastmodifiedtimeutc author object output field author objectid string unique identifier email string output field email userprincipalname string name of the resource name string name of the resource example \[ { "status code" 200, "response headers" { "cache control" "no cache", "pragma" "no cache", "transfer encoding" "chunked", "content type" "application/json; charset=utf 8", "content encoding" "gzip", "expires" " 1", "vary" "accept encoding", "server" "kestrel", "x ms ratelimit remaining subscription resource requests" "499", "x ms request id" "aa473e1f 78ce 4466 a0c6 f14359c755a2", "x ms correlation request id" "aa473e1f 78ce 4466 a0c6 f14359c755a2", "x ms routing request id" "centralindia 20240118t092209z\ aa473e1f 78ce 4466 a0c6 f14359c755a2", "strict transport security" "max age=31536000; includesubdomains", "x content type options" "nosniff", "date" "thu, 18 jan 2024 09 22 08 gmt" }, "reason" "ok", "json body" { "value" \[] } } ] list incident entities retrieve all entities associated with a given incident in microsoft azure sentinel, including details like subscriptionid, resourcegroupname, workspacename, and incidentid endpoint url 
/subscriptions/{{subscriptionid}}/resourcegroups/{{resourcegroupname}}/providers/microsoft operationalinsights/workspaces/{{workspacename}}/providers/microsoft securityinsights/incidents/{{incidentid}}/entities method post input argument name type required description subscriptionid string required the id of the target subscription resourcegroupname string required the name of the resource group the name is case insensitive workspacename string required the name of the workspace regex pattern ^\[a za z0 9]\[a za z0 9 ]+\[a za z0 9]$ incidentid string required incident id api version string required the api version to use for this action output parameter type description status code number http status code of the response reason string response reason phrase entities array output field entities id string unique identifier name string name of the resource type string type of the resource kind string output field kind properties object output field properties friendlyname string name of the resource accountname string name of the resource ntdomain string output field ntdomain metadata array response data entitykind string output field entitykind count number count value example \[ { "status code" 200, "response headers" { "cache control" "no cache", "pragma" "no cache", "transfer encoding" "chunked", "content type" "application/json; charset=utf 8", "content encoding" "gzip", "expires" " 1", "vary" "accept encoding", "server" "kestrel", "x ms ratelimit remaining subscription resource requests" "499", "x ms request id" "48c22610 cfa7 4ba0 9315 fd8bbd2aadba", "x ms correlation request id" "48c22610 cfa7 4ba0 9315 fd8bbd2aadba", "x ms routing request id" "southindia 20230729t122235z 48c22610 cfa7 4ba0 9315 fd8bbd2aadba", "strict transport security" "max age=31536000; includesubdomains", "x content type options" "nosniff", "date" "sat, 29 jul 2023 12 22 34 gmt" }, "reason" "ok", "json body" { "entities" \[], "metadata" \[] } } ] list incidents retrieve all incidents from 
microsoft azure sentinel by specifying subscription id, resource group, and workspace name endpoint url /subscriptions/{{subscriptionid}}/resourcegroups/{{resourcegroupname}}/providers/microsoft operationalinsights/workspaces/{{workspacename}}/providers/microsoft securityinsights/incidents method get input argument name type required description subscriptionid string required the id of the target subscription resourcegroupname string required the name of the resource group the name is case insensitive workspacename string required the name of the workspace regex pattern ^\[a za z0 9]\[a za z0 9 ]+\[a za z0 9]$ api version string required the api version to use for this action $filter string optional filter the results, based on a boolean condition $orderby string optional sort the results $skiptoken string optional skiptoken is only used if a previous operation returned a partial result if a previous response contains a nextlink element, the value of the nextlink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls $top number optional return only the first n results output parameter type description status code number http status code of the response reason string response reason phrase value array value for the parameter id string unique identifier name string name of the resource etag string output field etag type string type of the resource properties object output field properties title string output field title description string output field description severity string output field severity status string status value owner object output field owner objectid object unique identifier email object output field email assignedto object output field assignedto userprincipalname object name of the resource labels array output field labels file name string name of the resource file string output field file firstactivitytimeutc string output field firstactivitytimeutc lastactivitytimeutc string output field 
lastactivitytimeutc lastmodifiedtimeutc string output field lastmodifiedtimeutc createdtimeutc string output field createdtimeutc incidentnumber number unique identifier example \[ { "status code" 200, "response headers" { "cache control" "no cache", "pragma" "no cache", "transfer encoding" "chunked", "content type" "application/json; charset=utf 8", "content encoding" "gzip", "expires" " 1", "vary" "accept encoding", "server" "kestrel", "x ms ratelimit remaining subscription reads" "11999", "x ms request id" "b0182057 82a0 4253 aa3c 5be0c8ab9809", "x ms correlation request id" "b0182057 82a0 4253 aa3c 5be0c8ab9809", "x ms routing request id" "southindia 20230729t110918z\ b0182057 82a0 4253 aa3c 5be0c8ab9809", "strict transport security" "max age=31536000; includesubdomains", "x content type options" "nosniff", "date" "sat, 29 jul 2023 11 09 17 gmt" }, "reason" "ok", "json body" { "value" \[], "nextlink" "https //management azure com/subscriptions/38d4cde9 8ef2 4c61 bc61 7fa8658ab74b/ " } } ] run analytics query executes an analytics query in microsoft azure sentinel using a workspace id and a specific query string, optionally specifying the api version endpoint url /v1/workspaces/{{workspaceid}}/query method get input argument name type required description workspaceid string required unique identifier query string required the analytics query timespan string optional the timespan over which to query data this is an iso8601 time period value this timespan is applied in addition to any that are specified in the query expression api version string required the api version to use for this action output parameter type description status code number http status code of the response reason string response reason phrase tables array output field tables name string name of the resource columns array output field columns name string name of the resource type string type of the resource rows array output field rows example \[ { "status code" 200, "response headers" { "date" 
"fri, 11 aug 2023 03 08 43 gmt", "content type" "application/json; charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive", "via" "1 1 draft oms 74c8fb9684 6rv8g", "x content type options" "nosniff", "access control allow origin" " ", "access control expose headers" "retry after,age,www authenticate,x resource identities,x ms status location", "vary" "accept encoding", "content encoding" "gzip", "strict transport security" "max age=15724800; includesubdomains" }, "reason" "ok", "json body" { "tables" \[] } } ] update incident comment create or update a comment on an incident within microsoft azure sentinel using identifiers such as subscriptionid, resourcegroupname, workspacename, incidentid, and incidentcommentid endpoint url /subscriptions/{{subscriptionid}}/resourcegroups/{{resourcegroupname}}/providers/microsoft operationalinsights/workspaces/{{workspacename}}/providers/microsoft securityinsights/incidents/{{incidentid}}/comments/{{incidentcommentid}} method put input argument name type required description subscriptionid string required unique identifier resourcegroupname string required name of the resource workspacename string required name of the resource incidentid string required unique identifier incidentcommentid string required unique identifier api version string required parameter for update incident comment properties object required parameter for update incident comment message string required response message etag string optional parameter for update incident comment output parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier name string name of the resource type string type of the resource etag string output field etag properties object output field properties message string response message createdtimeutc string output field createdtimeutc lastmodifiedtimeutc string output field lastmodifiedtimeutc author object output field author 
objectid string unique identifier email string output field email userprincipalname string name of the resource name string name of the resource example \[ { "status code" 200, "response headers" { "cache control" "no cache", "pragma" "no cache", "transfer encoding" "chunked", "content type" "application/json; charset=utf 8", "content encoding" "gzip", "expires" " 1", "vary" "accept encoding", "server" "kestrel", "x ms ratelimit remaining subscription resource requests" "499", "x ms request id" "aa473e1f 78ce 4466 a0c6 f14359c755a2", "x ms correlation request id" "aa473e1f 78ce 4466 a0c6 f14359c755a2", "x ms routing request id" "centralindia 20240118t092209z\ aa473e1f 78ce 4466 a0c6 f14359c755a2", "strict transport security" "max age=31536000; includesubdomains", "x content type options" "nosniff", "date" "thu, 18 jan 2024 09 22 08 gmt" }, "reason" "ok", "json body" { "id" "/subscriptions/d0cfe6b2 9ac0 4464 9919 dccaee2e48c0/resourcegroups/myrg/provider ", "name" "4bb36b7b 26ff 4d1c 9cbe 0d8ab3da0014", "type" "microsoft securityinsights/incidents/comments", "etag" "0300bf09 0000 0000 0000 5c37296e0000", "properties" {} } } ] response headers header description example access control allow origin http response header access control allow origin access control expose headers http response header access control expose headers retry after,age,www authenticate,x resource identities,x ms status location cache control directives for caching mechanisms no store, no cache connection http response header connection keep alive content encoding http response header content encoding gzip content length the length of the response body in bytes 695 content type the media type of the resource application/json; charset=utf 8 date the date and time at which the message was originated sat, 29 jul 2023 11 18 26 gmt expires the date/time after which the response is considered stale 1 p3p http response header p3p cp="dsp cur otpi ind otri onl fin" pragma http response header pragma no 
cache request context http response header request context appid=cid v1 \ e6336c63 aab2 45f0 996a e5dbab2a1508 server information about the software used by the origin server kestrel set cookie http response header set cookie fpc=ajlweeqe3n5asdykcuumbb5d3sw4aqaaak9y 90oaaaa; expires=fri, 12 jul 2024 10 42 55 gmt; path=/; secure; httponly; samesite=none, x ms gateway slice=estsfd; path=/; secure; samesite=none; httponly, stsservicecookie=estsfd; path=/; secure; samesite=none; httponly strict transport security http response header strict transport security max age=15724800; includesubdomains transfer encoding http response header transfer encoding chunked vary http response header vary accept encoding via http response header via 1 1 draft oms 74c8fb9684 6rv8g x content type options http response header x content type options nosniff x ms correlation request id http response header x ms correlation request id dee963e1 17f2 461b 83a1 321ca07cb530 x ms ests server http response header x ms ests server 2 1 18261 3 eus prodslices x ms failure cause http response header x ms failure cause gateway x ms ratelimit remaining subscription deletes http response header x ms ratelimit remaining subscription deletes 14999 x ms ratelimit remaining subscription reads http response header x ms ratelimit remaining subscription reads 11999 x ms ratelimit remaining subscription resource requests http response header x ms ratelimit remaining subscription resource requests 499 notes incident management api https //learn microsoft com/en us/rest/api/securityinsights/stable/incidents saved searches api https //learn microsoft com/en us/rest/api/loganalytics/saved searches analytics query https //learn microsoft com/en us/rest/api/loganalytics/dataaccess/query/get?tabs=http analytics query auth and permissions https //learn microsoft com/en us/azure/azure monitor/logs/api/access api api version doc https //learn microsoft com/en us/rest/api/securityinsights/api versions
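Added example, not Swimlane's connector code: it assembles the List Incidents request with its OData parameters, walks nextLink/$skipToken pagination while refusing to send the bearer token to any host other than management.azure.com, and reshapes a Run Analytics Query result (tables with columns and positional rows) into records. The HTTP transport is a constructed offline stub; API_VERSION, the subscription id, and the page contents are placeholders.

```python
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Host used by every action on this page except Run Analytics Query.
MANAGEMENT_HOST = "https://management.azure.com"

# Path template of the List Incidents action, with the page's placeholders.
INCIDENTS_PATH = (
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"
    "/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}"
    "/providers/Microsoft.SecurityInsights/incidents"
)


def odata_quote(value: str) -> str:
    """Quote a string literal for $filter: OData doubles an embedded single quote.
    Without this a title such as O'Brien would break or alter the filter."""
    return "'" + value.replace("'", "''") + "'"


def build_list_incidents_url(subscription_id: str, resource_group: str, workspace: str,
                             api_version: str, filter_expr: Optional[str] = None,
                             orderby: Optional[str] = None, top: Optional[int] = None) -> str:
    """Assemble the List Incidents URL with its optional OData query parameters."""
    path = INCIDENTS_PATH.format(subscriptionId=subscription_id,
                                 resourceGroupName=resource_group,
                                 workspaceName=workspace)
    params = {"api-version": api_version}
    if filter_expr:
        params["$filter"] = filter_expr
    if orderby:
        params["$orderby"] = orderby
    if top is not None:
        params["$top"] = str(top)
    return MANAGEMENT_HOST + path + "?" + urlencode(params)


def iter_paged(get: Callable[[str], dict], first_url: str,
               max_pages: int = 100) -> Iterator[dict]:
    """Yield every item of a paged list response, following nextLink.

    `get` performs the authenticated GET and returns the parsed JSON body.
    nextLink already carries the $skipToken, so it is used verbatim, but only
    after checking that it still points at the management host: the bearer
    token must not be sent to whatever host a response body happens to name.
    """
    expected_host = urlparse(MANAGEMENT_HOST).netloc
    url: Optional[str] = first_url
    seen = set()
    for _ in range(max_pages):
        if url is None:
            return
        if url in seen:
            raise RuntimeError("nextLink loop detected: " + url)
        if urlparse(url).netloc != expected_host:
            raise RuntimeError("refusing to follow nextLink to foreign host: " + url)
        seen.add(url)
        body = get(url)
        for item in body.get("value", []):
            yield item
        url = body.get("nextLink")
    raise RuntimeError("gave up after %d pages" % max_pages)


def query_tables_to_records(json_body: dict) -> Dict[str, List[dict]]:
    """Turn a Run Analytics Query result (tables with columns and positional rows)
    into {table name: [{column name: value, ...}, ...]}."""
    out: Dict[str, List[dict]] = {}
    for table in json_body.get("tables", []):
        names = [col["name"] for col in table.get("columns", [])]
        out[table["name"]] = [dict(zip(names, row)) for row in table.get("rows", [])]
    return out


# --- constructed stand-in for the management API so this runs offline ---
API_VERSION = "2023-02-01"  # placeholder; take the real value from the api-version doc
SUBSCRIPTION = "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"  # placeholder id from the page's examples
FIRST_URL = build_list_incidents_url(SUBSCRIPTION, "myRg", "myWorkspace", API_VERSION,
                                     filter_expr="properties/status eq " + odata_quote("New"))
_PAGES = {  # constructed sample pages, not real incident data
    None: {"value": [{"name": "inc-a", "properties": {"incidentNumber": 1, "severity": "High"}}],
           "nextLink": FIRST_URL + "&$skipToken=page2"},
    "page2": {"value": [{"name": "inc-b", "properties": {"incidentNumber": 2, "severity": "Low"}}]},
}


def fake_get(url: str) -> dict:
    """Serve the constructed pages, keyed on the $skipToken carried by the URL."""
    token = parse_qs(urlparse(url).query).get("$skipToken", [None])[0]
    return _PAGES[token]


def list_all_incidents() -> List[dict]:
    """Collect every incident across all pages of the constructed API."""
    return list(iter_paged(fake_get, FIRST_URL))


if __name__ == "__main__":
    for incident in list_all_incidents():
        print(incident["name"], incident["properties"]["incidentNumber"])
```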