Run Analytics Query
## Description

Executes an analytics query in Microsoft Azure Sentinel using a workspace ID and a specific query string, with an optional API version parameter.

**Endpoint URL:** `/v1/workspaces/{{workspaceId}}/query`

**Method:** `GET`

## Inputs

- **Path Parameters** (object) – Required. Path parameters.
  - **workspaceId** (string) – Required.
- **Parameters** (object) – Required. URL query parameters.
  - **query** (string) – Required. The Analytics query.
  - **timespan** (string) – The timespan over which to query data. This is an ISO 8601 time period value. This timespan is applied in addition to any that are specified in the query expression.
  - **api-version** (string) – Required. The API version to use for this action.

## Output Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Fri, 11 Aug 2023 03:08:43 GMT",
      "Content-Type": "application/json; charset=utf-8",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Via": "1.1 draft-oms-74c8fb9684-6rv8g",
      "X-Content-Type-Options": "nosniff",
      "Access-Control-Allow-Origin": "*",
      "Access-Control-Expose-Headers": "Retry-After,Age,WWW-Authenticate,x-resource-identities,x-ms-status-location",
      "Vary": "Accept-Encoding",
      "Content-Encoding": "gzip",
      "Strict-Transport-Security": "max-age=15724800; includeSubDomains"
    },
    "reason": "OK",
    "json_body": {
      "tables": [
        {
          "name": "PrimaryResult",
          "columns": [
            { "name": "TenantId", "type": "string" },
            { "name": "TimeGenerated", "type": "datetime" },
            { "name": "DisplayName", "type": "string" },
            { "name": "AlertName", "type": "string" },
            { "name": "AlertSeverity", "type": "string" },
            { "name": "Description", "type": "string" },
            { "name": "ProviderName", "type": "string" },
            { "name": "VendorName", "type": "string" },
            { "name": "VendorOriginalId", "type": "string" },
            { "name": "SystemAlertId", "type": "string" },
            { "name": "ResourceId", "type": "string" },
            { "name": "SourceComputerId", "type": "string" },
            { "name": "AlertType", "type": "string" },
            { "name": "ConfidenceLevel", "type": "string" },
            { "name": "ConfidenceScore", "type": "real" },
            { "name": "IsIncident", "type": "bool" },
            { "name": "StartTime", "type": "datetime" },
            { "name": "EndTime", "type": "datetime" },
            { "name": "ProcessingEndTime", "type": "datetime" },
            { "name": "RemediationSteps", "type": "string" },
            { "name": "ExtendedProperties", "type": "string" },
            { "name": "Entities", "type": "string" },
            { "name": "SourceSystem", "type": "string" },
            { "name": "WorkspaceSubscriptionId", "type": "string" },
            { "name": "WorkspaceResourceGroup", "type": "string" },
            { "name": "ExtendedLinks", "type": "string" },
            { "name": "ProductName", "type": "string" },
            { "name": "ProductComponentName", "type": "string" },
            { "name": "AlertLink", "type": "string" },
            { "name": "Status", "type": "string" },
            { "name": "CompromisedEntity", "type": "string" },
            { "name": "Tactics", "type": "string" },
            { "name": "Techniques", "type": "string" },
            { "name": "Type", "type": "string" }
          ],
          "rows": [
            [
              "7b3f088b-d55a-485c-b030-4cb167e8cffd",
              "2023-07-24T20:29:01.8010707Z",
              "sentinel test alert",
              "sentinel test alert",
              "Medium",
              "test alert",
              "ASI Scheduled Alerts",
              "Microsoft",
              "dff52d0f-17f9-4c6e-a212-bdecfdb67c11",
              "e9122c20-4ec9-483f-51ce-9039d3a40729",
              "",
              "",
              "7b3f088b-d55a-485c-b030-4cb167e8cffd_8a0d8e78-58a9-4d66-af3a-b054778b4aa2",
              "",
              null,
              false,
              "2023-07-24T19:45:43.1962911Z",
              "2023-07-24T19:50:01.0155241Z",
              "2023-07-24T20:29:01.761047Z",
              "",
              "{\"Query Period\":\"05:00:00\",\"Trigger Operator\":\"GreaterThan\",\"Trigger Threshold\":\"0\",\"Correlation Id\":\"5ebca6d9-f72d-45b5-b9e3-118c6a8d56c8\",\"Search Query Results Overall Count\":\"12\",\"Data Sources\":\"[\\\"swimlaneazuresentinel\\\"]\",\"Query\":\"// The query_now parameter represents the time (in UTC) at which the scheduled analytics rule ran to produce this alert.\\nset query_now = datetime(2023-07-24T20:23:59.1070000Z);\\nunion AzureActivity\",\"Query Start Time UTC\":\"2023-07-24 15:23:59Z\",\"Query End Time UTC\":\"2023-07-24 20:24:00Z\",\"Analytic Rule Ids\":\"[\\\"8a0d8e78-58a9-4d66-af3a-b054778b4aa2\\\"]\",\"Event Grouping\":\"SingleAlert\",\"Analytic Rule Name\":\"sentinel test alert\",\"ProcessedBySentinel\":\"True\",\"Alert generation status\":\"Full alert created\"}",
              "",
              "Detection",
              "38d4cde9-8ef2-4c61-bc61-7fa8658ab74b",
              "test",
              "",
              "Azure Sentinel",
              "Scheduled Alerts",
              "",
              "New",
              "",
              "Unknown",
              "",
              "SecurityAlert"
            ],
            [
              "7b3f088b-d55a-485c-b030-4cb167e8cffd",
              "2023-08-10T22:29:04.8630406Z",
              "sentinel test alert",
              "sentinel test alert",
              "Medium",
              "test alert",
              "ASI Scheduled Alerts",
              "Microsoft",
              "02c5e70c-dda1-4900-b609-a1c258deb4d0",
              "30085f40-d418-6b72-bf49-30fe7c3d9b73",
              "",
              "",
              "7b3f088b-d55a-485c-b030-4cb167e8cffd_8a0d8e78-58a9-4d66-af3a-b054778b4aa2",
              "",
              null,
              false,
              "2023-08-10T19:45:40.8560733Z",
              "2023-08-10T19:50:01.423544Z",
              "2023-08-10T22:29:04.8195353Z",
              "",
              "{\"Query Period\":\"05:00:00\",\"Trigger Operator\":\"GreaterThan\",\"Trigger Threshold\":\"0\",\"Correlation Id\":\"d2d2173a-ee82-4fa7-8b48-c76d745fe54e\",\"Search Query Results Overall Count\":\"12\",\"Data Sources\":\"[\\\"swimlaneazuresentinel\\\"]\",\"Query\":\"// The query_now parameter represents the time (in UTC) at which the scheduled analytics rule ran to produce this alert.\\nset query_now = datetime(2023-08-10T22:23:59.1070000Z);\\nunion AzureActivity\",\"Query Start Time UTC\":\"2023-08-10 17:23:59Z\",\"Query End Time UTC\":\"2023-08-10 22:24:00Z\",\"Analytic Rule Ids\":\"[\\\"8a0d8e78-58a9-4d66-af3a-b054778b4aa2\\\"]\",\"Event Grouping\":\"SingleAlert\",\"Analytic Rule Name\":\"sentinel test alert\",\"ProcessedBySentinel\":\"True\",\"Alert generation status\":\"Full alert created\"}",
              "",
              "Detection",
              "38d4cde9-8ef2-4c61-bc61-7fa8658ab74b",
              "test",
              "",
              "Azure Sentinel",
              "Scheduled Alerts",
              "",
              "New",
              "",
              "Unknown",
              "",
              "SecurityAlert"
            ]
          ]
        }
      ]
    }
  }
]
```

## Output Parameters

- **status_code** (number)
- **reason** (string)
- **json_body** (object)
  - **tables** (array)
    - **name** (string)
    - **columns** (array)
      - **name** (string)
      - **type** (string)
    - **rows** (array)

## Response Headers

| Header | Type |
| --- | --- |
| Date | string |
| Content-Type | string |
| Transfer-Encoding | string |
| Connection | string |
| Via | string |
| X-Content-Type-Options | string |
| Access-Control-Allow-Origin | string |
| Access-Control-Expose-Headers | string |
| Vary | string |
| Content-Encoding | string |
| Strict-Transport-Security | string |