Azure Sentinel
App Vendor: Microsoft
Connector Category: Analytics & SIEM
Connector Version: 1.2.0
API Version: 2021-04-01
About App
Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. The Azure Sentinel app allows security teams to connect with the enterprise version of Azure Sentinel to manage incidents and incident comments.
The following are a few use cases that can be achieved using Microsoft Azure Sentinel:
Integrate Microsoft Azure Sentinel alerts with Orchestrate.
Push intel from TIP (Threat Intelligence Platform) to watchlist.
Onboard incidents from Microsoft Azure Sentinel to ITSM (IT service management) tool.
Perform threat hunting using EDR (Endpoint Detection and Response) tool, Microsoft Azure Sentinel, and TIP.
The Microsoft Azure Sentinel app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
List Incidents | This action retrieves the list of incidents. |
Get Incident | This action retrieves the details of an incident such as ID, ETag (entity tag), type, owner, title, status, and more. |
Get Incident Comment | This action retrieves the details of an incident comment such as ID, name, type, author, message, and more. |
List Incident Comments | This action retrieves the list of incident comments. |
Create Incident Comment | This action creates incident comment. |
Create Incident | This action creates an incident. |
Update Incident | This action updates an incident. |
Get Incident Alerts | This action retrieves incident alerts. |
Get Incident Relation | This action retrieves incident relation details. |
List Incident Relations | This action retrieves the list of incident relations. |
List Watchlist | This action retrieves a list of watchlists. |
List Watchlist Items | This action retrieves a list of watchlist items. |
Create Watchlist Items | This action creates new watchlist items. |
Update Watchlist Items | This action updates watchlist items. |
Configuration Parameters
The following configuration parameters are required for the Azure Sentinel app to communicate with the Azure Sentinel enterprise application. The parameters can be configured by creating instances in the Microsoft Azure Sentinel app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID that is assigned to your registered application in Azure Active Directory. Example: "ze456fs1-c348-1122-aa2e-a456tghkrcde" | Text | Required | To retrieve the client ID: 1. Log in to the Microsoft Azure portal and click Azure Active Directory. 2. Click App registrations. 3. To add a new application, click New registration. 4. In the Name field, enter a descriptive name for the application. 5. In the Supported Account types section, choose one of the three options to specify the type of accounts that can access the API. 6. Click Register to complete the settings and create the application. A success message appears at the top of the page stating that the new application has been created, and the page is redirected to the Overview page for the application. 7. Copy and securely store the Application (Client) ID. |
Client Secret | Enter the client secret that is generated for your application. | Password | Required | To retrieve the client secret: Ensure that the client secret ID is URL-encoded. |
Tenant ID | Enter the tenant ID or directory ID. Example: "43ruljf767-4tu7-5tyf-6tuig-7894jmdvjakl" | Text | Required | To retrieve your Tenant ID: |
Action: List Incidents
This action retrieves the list of all incidents.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Subscription ID | Enter the Azure subscription ID. Example: "9677ae65-e240-48aa-b929-13d57393b8c9" | Text | Required | To retrieve the subscription ID: |
Resource Group Name | Enter the name of the resource group. Example: "azurepoc" | Text | Required | A resource group is a collection of resources that share the same lifecycle, permissions, and policies. |
Workspace Name | Enter the name of the workspace. Example: "azurepoc-workspace" | Text | Required | |
Additional Parameters | Enter the additional parameters in key-value pairs to filter the response data. Example: {"$top": "1", "$filter": "properties/additionalData/alertsCount gt 1 AND properties/lastModifiedTimeUtc gt 2021-01-01T00:00:00Z"} | Key Value | Optional | Allowed keys: |
Example Request
[ { "params": { "$top": "1", "$filter": "properties/additionalData/alertsCount gt 1 AND properties/lastModifiedTimeUtc gt 2021-01-01T00:00:00Z" }, "workspace_name": "azurepoc-workspace", "subscription_id": "9677ae65-e240-48aa-b929-13d57393b8c9", "resource_group_name": "azurepoc" } ]
Action: Get Incident
This action retrieves the details of an incident such as ID, ETag, type, owner, title, status, and so on.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Subscription ID | Enter the Azure subscription ID. Example: "9677ae65-e240-48aa-b929-13d57393b8c9" | Text | Required | To retrieve the subscription ID: |
Resource Group Name | Enter the name of the resource group. Example: "azurepoc" | Text | Required | A resource group is a collection of resources that share the same lifecycle, permissions, and policies. |
Workspace Name | Enter the name of the workspace. Example: "azurepoc-workspace" | Text | Required | |
Incident ID | Enter the incident UUID. Example: "c28e16ce-19e0-11ec-bdae-0acb9ed22a43" | Text | Required | You can retrieve the Incident ID using the List Incidents action. |
Example Request
[ { "incident_id": "c28e16ce-19e0-11ec-bdae-0acb9ed22a43", "workspace_name": "azurepoc-workspace", "subscription_id": "9677ae65-e240-48aa-b929-13d57393b8c9", "resource_group_name": "azurepoc" } ]
Action: Get Incident Comment
This action retrieves the details of an incident comment such as ID, name, type, author, message, and so on.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Subscription ID | Enter the Azure subscription ID. Example: "9677ae65-e240-48aa-b929-13d57393b8c9" | Text | Required | To retrieve the subscription ID: |
Resource Group Name | Enter the name of the resource group. Example: "azurepoc" | Text | Required | A resource group is a collection of resources that share the same lifecycle, permissions, and policies. |
Workspace Name | Enter the name of the workspace. Example: "azurepoc-workspace" | Text | Required | |
Incident ID | Enter the incident UUID. Example: "c28e16ce-19e0-11ec-bdae-0acb9ed22a43" | Text | Required | You can retrieve the Incident ID from the List Incidents action. |
Incident Comment ID | Enter the incident comment UUID. Example: "2bdf1f98-19e0-11ec-bdae-0acb9ed22a43" | Text | Required | You can retrieve the Incident Comment ID from the List Incident Comments action. |
Example Request
[ { "incident_comment_id": "2bdf1f98-19e0-11ec-bdae-0acb9ed22a43", "incident_id": "c28e16ce-19e0-11ec-bdae-0acb9ed22a43", "workspace_name": "azurepoc-workspace", "subscription_id": "9677ae65-e240-48aa-b929-13d57393b8c9", "resource_group_name": "azurepoc" } ]
Action: List Incident Comments
This action retrieves the list of all incident comments.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Subscription ID | Enter the Azure subscription ID. Example: "9677ae65-e240-48aa-b929-13d57393b8c9" | Text | Required | To retrieve the subscription ID: |
Resource Group Name | Enter the name of the resource group. Example: "azurepoc" | Text | Required | A resource group is a collection of resources that share the same lifecycle, permissions, and policies. |
Workspace Name | Enter the name of the workspace. Example: "azurepoc-workspace" | Text | Required | |
Incident ID | Enter the incident UUID. Example: "2a46aeda-19e0-11ec-bdae-0acb9ed22a43" | Text | Required | You can retrieve the Incident ID using the List Incidents action. |
Additional Parameters | Enter the additional parameters to filter the response data. Example: {"$top": "1", "$filter": "properties/additionalData/alertsCount gt 1 AND properties/lastModifiedTimeUtc gt 2021-01-01T00:00:00Z"} | Key Value | Optional | Allowed keys: |
Example Request
[ { "params": { "$top": "1", "$filter": "properties/additionalData/alertsCount gt 1 AND properties/lastModifiedTimeUtc gt 2021-01-01T00:00:00Z" }, "incident_id": "2a46aeda-19e0-11ec-bdae-0acb9ed22a43", "workspace_name": "azurepoc-workspace", "subscription_id": "9677ae65-e240-48aa-b929-13d57393b8c9", "resource_group_name": "azurepoc" } ]
Action: Create Incident Comment
This action creates an incident comment by generating a UUID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Subscription ID | Enter the Azure subscription ID. Example: "9677ae65-e240-48aa-b929-13d57393b8c9" | Text | Required | To retrieve the subscription ID: |
Resource Group Name | Enter the name of the resource group. Example: "azurepoc" | Text | Required | A resource group is a collection of resources that share the same lifecycle, permissions, and policies. |
Workspace Name | Enter the name of the workspace. Example: "azurepoc-workspace" | Text | Required | |
Incident ID | Enter the incident UUID. Example: "c28e16ce-19e0-11ec-bdae-0acb9ed22a43" | Text | Required | You can retrieve the Incident ID using the List Incidents action. |
Message | Enter the comment message. Example: "Sample Message" | Text | Required | |
Example Request
[ { "message": "Sample Message", "incident_id": "c28e16ce-19e0-11ec-bdae-0acb9ed22a43", "workspace_name": "azurepoc-workspace", "subscription_id": "9677ae65-e240-48aa-b929-13d57393b8c9", "resource_group_name": "azurepoc" } ]
Action: Create Incident
This action creates an incident by generating a UUID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Subscription ID | Enter the Azure subscription ID. Example: "9677ae65-e240-48aa-b929-13d57393b8c9" | Text | Required | To retrieve the subscription ID: |
Resource Group Name | Enter the name of the resource group. Example: "azurepoc" | Text | Required | A resource group is a collection of resources that share the same lifecycle, permissions, and policies. |
Workspace Name | Enter the name of the workspace. Example: "azurepoc-workspace" | Text | Required | |
Severity | Enter the severity of the incident. Example: "Low" | Text | Required | Allowed keys: |
Status | Enter the status of the incident. Example: "New" | Text | Required | Allowed keys: |
Title | Enter the title of the incident. Example: "Sample Title" | Text | Required | |
Additional Parameters | Enter additional incident variables in key-value pairs. Example: { "description": "Sample Description" } | Key Value | Optional | If the key is nested, then enter it as "$etag". Allowed keys: |
Example Request
[ { "title": "Sample Title", "params": { "description": "Sample Description" }, "status": "New", "severity": "Low", "workspace_name": "azurepoc-workspace", "subscription_id": "9677ae65-e240-48aa-b929-13d57393b8c9", "resource_group_name": "azurepoc" } ]
Action: Update Incident
This action updates an incident.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Subscription ID | Enter the Azure subscription ID. Example: "9677ae65-e240-48aa-b9-23435" | Text | Required | To retrieve the subscription ID: |
Resource Group Name | Enter the resource group name for the incident. Example: "azure" | Text | Required | A resource group is a collection of resources that share the same lifecycle, permissions, and policies. |
Workspace Name | Enter the name of the workspace. Example: "My Workspace" | Text | Required | |
Incident ID | Enter the incident ID. Example: "f71f378w-16e9-11ec-a6a4-0acb9ed22a43" | Text | Required | You can retrieve incident IDs using the List Incidents action. |
Severity | Enter the severity of the incident. Example: "Medium" | Text | Optional | Allowed keys: |
Status | Enter the status of the incident. Example: "New" | Text | Optional | Allowed keys: |
Title | Enter the title of the incident to update. Example: "Ransomware Incident" | Text | Optional | |
Additional Parameters | Enter additional incident variables in key-value pairs. | Key Value | Optional | Allowed keys: |
Example Request
[ { "subscription_id": "9677ae65-e240-48aa-b9-23435", "resource_group_name": "Azure", "workspace_name": "My Workspace", "incident_id": "f71f378w-16e9-11ec-a6a4-0acb9ed22a43", "severity": "Medium", "status": "Active", "title": "Ransomware Incident", "params": { "description": "Sample Description" } } ]
Action: Get Incident Alerts
This action retrieves all incident alerts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Subscription ID | Enter the Azure subscription ID to retrieve the incident alerts. Example: "9677ae65-e240-48aa-b9-23435" | Text | Required | To retrieve the subscription ID: |
Resource Group Name | Enter the name of the resource group. The name is not case-sensitive. Example: "Azure" | Text | Required | A resource group is a collection of resources that share the same lifecycle, permissions, and policies. |
Workspace Name | Enter the name for the workspace. Example: "My Workspace" | Text | Required | |
Incident ID | Enter the incident ID to retrieve incident alerts. Example: "9876ab54-3c21-98de-7ab6-5cde4ab32c19" | Text | Required | You can retrieve the Incident ID using List Incidents action. |
Example Request
[ { "subscription_id": "9677ae65-e240-48aa-b9-23435", "resource_group_name": "Azure", "workspace_name": "My Workspace", "incident_id": "9876ab54-3c21-98de-7ab6-5cde4ab32c19" } ]
Action: Get Incident Relation
This action retrieves the relations of an incident.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Subscription ID | Enter your Azure subscription ID. Example: "9677ae65-e240-48aa-b9-23435" | Text | Required | To retrieve the subscription ID: |
Resource Group Name | Enter the name of the resource group. The group name is not case-sensitive. Example: "Azure" | Text | Required | A resource group is a collection of resources that share the same lifecycle, permissions, and policies. |
Workspace Name | Enter the name of the workspace. Example: "My Workspace" | Text | Required | |
Incident ID | Enter the incident ID. Example: "9876ab54-3c21-98de-7ab6-5cde4ab32c19" | Text | Required | You can retrieve the Incident ID using List Incidents action. |
Relation Name | Enter the name of the relation. Example: "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" | Text | Required | |
Example Request
[ { "subscription_id": "9677ae65-e240-48aa-b9-23435", "resource_group_name": "Azure", "workspace_name": "My Workspace", "incident_id": "9876ab54-3c21-98de-7ab6-5cde4ab32c19", "relation_name": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" } ]
Action: List Incident Relations
This action retrieves all relations for a given incident.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Subscription ID | Enter the Azure subscription ID. Example: "9677ae65-e240-48aa-b929-13d57393b8c9" | Text | Required | To retrieve the subscription ID: |
Resource Group Name | Enter the name of the resource group. The name is not case-sensitive. Example: "Azure" | Text | Required | A resource group is a collection of resources that share the same lifecycle, permissions, and policies. |
Workspace Name | Enter the name of the workspace. Example: "My Workspace" | Text | Required | |
Incident ID | Enter the incident ID. Example: "9876ab54-3c21-98de-7ab6-5cde4ab32c19" | Text | Required | You can retrieve the Incident ID using List Incidents action. |
Skip Token | Enter skip token values. Example: "190057d0-0000-0d00-0000-5c6f5adb0000" | Text | Optional | Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextlink element, then the value of the nextlink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. |
Top | Enter if you want to return only the first n results. Example: 1 | Integer | Optional | |
Order by | Enter your preference to sort the results. Example: "Name" | Text | Optional | |
Filter | Enter your preference to filter the results, based on a boolean condition. Example: "SecurityAlert" | Text | Optional | |
Example Request
[ { "subscription_id": "9677ae65-e240-48aa-b929-13d57393b8c9", "resource_group_name": "Azure", "workspace_name": "My Workspace", "incident_id": "9876ab54-3c21-98de-7ab6-5cde4ab32c19", "skip_token": "190057d0-0000-0d00-0000-5c6f5adb0000", "top": 1, "order_by": "Name", "filter_": "SecurityAlert" } ]
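The list actions above (List Incidents with its `$top`/`$filter` Additional Parameters, and List Incident Relations with its Skip Token, Top, Order by and Filter inputs) all map onto the same Azure Resource Manager list call. This added example, which is not part of the Orchestrate app or any Microsoft SDK, builds that URL from the action inputs and walks `nextLink`/`$skipToken` pagination; the endpoint path follows the public Sentinel REST API, the `fetch` callable stands in for the authenticated GET, and the two-page response is constructed.

```python
"""Added example, not part of the Orchestrate app or any Microsoft SDK: map the
action inputs documented on this page onto an Azure Sentinel ARM list request
and follow nextLink/$skipToken pagination. The two-page response is constructed."""
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

ARM = "https://management.azure.com"
API_VERSION = "2021-04-01"  # API version stated on this page


def odata_params(top=None, filter_=None, order_by=None,
                 skip_token=None) -> Dict[str, str]:
    """Translate the Top / Filter / Order by / Skip Token inputs into the OData
    query keys the service expects, dropping unset ones."""
    pairs = {"$top": top, "$filter": filter_, "$orderby": order_by,
             "$skipToken": skip_token}
    return {k: str(v) for k, v in pairs.items() if v is not None}


def sentinel_list_url(subscription_id: str, resource_group_name: str,
                      workspace_name: str, collection: str,
                      params: Optional[Dict[str, str]] = None) -> str:
    """Build the list URL for a collection such as "incidents" or
    f"incidents/{incident_id}/relations", with api-version and OData params."""
    path = (f"/subscriptions/{subscription_id}"
            f"/resourceGroups/{resource_group_name}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace_name}"
            f"/providers/Microsoft.SecurityInsights/{collection}")
    query = {"api-version": API_VERSION, **(params or {})}
    return f"{ARM}{path}?{urlencode(query, safe='$')}"


def iter_pages(first_url: str, fetch: Callable[[str], dict]) -> Iterator[dict]:
    """Yield every item, following ARM's nextLink until a response omits it.
    `fetch` is the authenticated GET (bearer token obtained with the Client ID,
    Client Secret and Tenant ID) returning the parsed JSON body; injecting it
    keeps the pagination logic runnable offline."""
    url: Optional[str] = first_url
    seen = set()
    while url:
        if url in seen:  # a server that keeps returning the same link
            raise RuntimeError("nextLink loop detected")
        seen.add(url)
        body = fetch(url)
        yield from body.get("value", [])
        url = body.get("nextLink")


def list_all(first_url: str, fetch: Callable[[str], dict]) -> List[dict]:
    return list(iter_pages(first_url, fetch))


# Constructed fake: page one returns a nextLink carrying a $skipToken that the
# caller must echo back, as the Skip Token parameter above describes.
SKIP = "190057d0-0000-0d00-0000-5c6f5adb0000"


def fake_fetch(url: str) -> dict:
    token = parse_qs(urlsplit(url).query).get("$skipToken", [None])[0]
    if token is None:
        return {"value": [{"name": "c28e16ce-19e0-11ec-bdae-0acb9ed22a43",
                           "properties": {"severity": "Low"}}],
                "nextLink": url + "&" + urlencode({"$skipToken": SKIP}, safe="$")}
    return {"value": [{"name": "2a46aeda-19e0-11ec-bdae-0acb9ed22a43",
                       "properties": {"severity": "Medium"}}]}


if __name__ == "__main__":
    url = sentinel_list_url("9677ae65-e240-48aa-b929-13d57393b8c9", "azurepoc",
                            "azurepoc-workspace", "incidents", odata_params(top=1))
    for inc in list_all(url, fake_fetch):
        print(inc["name"], inc["properties"]["severity"])
```

A real `fetch` would send the `Authorization: Bearer` header and raise on non-2xx responses; the `seen` check guards against a malformed `nextLink` that would otherwise loop forever.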
Action: List Watchlist
This action retrieves the list of all watchlists, without watchlist items.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Subscription ID | Enter the Azure subscription ID. Example: "9677ae65-e240-48aa-b929-13d57393b8c9" | Text | Required | To retrieve the subscription ID: |
Resource Group Name | Enter the name of the resource group. The name is not case-sensitive. Example: "Azure" | Text | Required | A resource group is a collection of resources that share the same lifecycle, permissions, and policies. |
Workspace Name | Enter the name of the workspace. Example: "My Workspace" | Text | Required | |
Operational Insights Resource Provider | Enter the namespace of the workspaces resource provider. Example: "microsoft.operationalinsights" | Text | Required | |
Skip Token | Enter the skiptoken. Example: "190057d0-0000-0d00-0000-5c6f5adb0000" | Text | Optional | Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextlink element, then the value of the nextlink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. |
Example Request
[ { "subscription_id": "9677ae65-e240-48aa-b929-13d57393b8c9", "resource_group_name": "azure", "workspace_name": "My Workspace", "operational_insights_resource_provider": "microsoft.operationalinsights", "skip_token": "190057d0-0000-0d00-0000-5c6f5adb0000" } ]
Action: List Watchlist Items
This action retrieves the list of all watchlist items.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Subscription ID | Enter the Azure subscription ID. Example: "9677ae65-e240-48aa-b929-13d57393b8c9" | Text | Required | To retrieve the subscription ID: |
Resource Group Name | Enter the name of the resource group. The name is not case-sensitive. Example: "Azure" | Text | Required | A resource group is a collection of resources that share the same lifecycle, permissions, and policies. |
Workspace Name | Enter the name of the workspace. Example: "My Workspace" | Text | Required | |
Watchlist Alias | Enter the alias of the watchlist. Example: "Sample Alias" | Text | Required | |
Operational Insights Resource Provider | Enter the namespace of workspaces resource provider. Example: "microsoft.operationalinsights" | Text | Required | |
Skip Token | Enter the skiptoken. The skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextlink element, the value of the nextlink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Example: "190057d0-0000-0d00-0000-5c6f5adb0000" | Text | Optional | |
Example Request
[ { "subscription_id": "9677ae65-e240-48aa-b929-13d57393b8c9", "resource_group_name": "Azure", "workspace_name": "My Workspace", "watch_list_alias": "Sample Alias", "operational_insights_resource_provider": "microsoft.operationalinsights", "skip_token": "190057d0-0000-0d00-0000-5c6f5adb0000" } ]
Action: Create Watchlist Items
This action creates a watchlist item.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Subscription ID | Enter the Azure subscription ID to create a watchlist item. Example: "9677ae65-e240-48aa-b929-13d57393b8c9" | Text | Required | To retrieve the subscription ID: |
Resource Group Name | Enter the name of the resource group. The name is not case-sensitive. Example: "Azure" | Text | Required | A resource group is a collection of resources that share the same lifecycle, permissions, and policies. |
Workspace Name | Enter the name of the workspace. Example: "My Workspace" | Text | Required | |
Watchlist Alias | Enter the alias of the watchlist. Example: "Sample Alias" | Text | Required | |
Operational Insights Resource Provider | Enter the namespace of workspaces resource provider. Example: "microsoft.operationalinsights" | Text | Required | |
Items Keys and Values | Enter the key-value pairs for a watchlist item. | Key Value | Required | Allowed keys: |
Example Request
[ { "subscription_id": "9677ae65-e240-48aa-b929-13d57393b8c9", "resource_group_name": "Azure", "workspace_name": "My Workspace", "watch_list_alias": "Sample Alias", "operational_insights_resource_provider": "Microsoft.OperationalInsights", "items_keys_and_values": { "Web Tier": "10.0.1.0/24" } } ]
Action: Update Watchlist Items
This action updates details of a watchlist item.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Subscription ID | Enter the Azure subscription ID. Example: "9677ae65-e240-48aa-b929-13d57393b8c9" | Text | Required | To retrieve the subscription ID: |
Resource Group Name | Enter the name of the resource group. The name is not case-sensitive. Example: "Azure" | Text | Required | A resource group is a collection of resources that share the same lifecycle, permissions, and policies. |
Workspace Name | Enter the name of the workspace. Example: "My Workspace" | Text | Required | |
Watch List Alias | Enter the alias of the watchlist. Example: "Sample Alias" | Text | Required | |
Operational Insights Resource Provider | Enter the namespace of workspaces resource provider. Example: "microsoft.operationalinsights" | Text | Required | |
Watchlist Item ID | Enter the watchlist item ID to update. Example: "82ba292c-dc97-4dfc-969d-d4dd9e666842" | Text | Required | You can retrieve the watchlist item ID using the Get Watchlist action. |
Items Keys and Values | Enter the additional items as key-value pairs. | Key Value | Required | Allowed keys: |
Example Request
[ { "subscription_id": "9677ae65-e240-48aa-b929-13d57393b8c9", "resource_group_name": "Azure", "workspace_name": "My Workspace", "watch_list_alias": "Sample Alias", "operational_insights_resource_provider": "microsoft.operationalinsights", "watch_list_item_id": "82ba292c-dc97-4dfc-969d-d4dd9e666842", "items_keys_and_values": { "Gateway subnet": "10.0.255.224/27" } } ]