Microsoft Sentinel 2.0.0
App Vendor: Microsoft
App Category: Analytics & SIEM
Connector Version: 2.1.0
API Version: 2024-09-01
About App
Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. This app allows security teams to manage incidents and incident comments.
The Microsoft Sentinel app is configured with Cyware Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Append Tags to Threat Intelligence Indicator | This action appends tags to the specified threat intelligence indicator. |
Create Alert Rule | This action creates an alert rule. |
Create Incident | This action creates the incident by generating an ID. |
Create Incident Comment | This action creates the incident comment by generating an ID. |
Create Threat Intelligence Indicator | This action creates a new threat intelligence indicator. |
Create Watchlist | This action creates a watchlist. |
Create Watchlist Items | This action creates watchlist items in Microsoft Sentinel. |
Delete Alert Rule | This action deletes the specified alert rule. |
Delete Incident | This action deletes an incident. |
Delete Incident Comment | This action deletes a comment for a given incident. |
Delete Threat Intelligence Indicator | This action deletes a threat intelligence indicator. |
Delete Watchlist | This action deletes a watchlist. |
Delete Watchlist Item | This action deletes a watchlist item. |
Get Incident | This action retrieves an incident. |
Get Incident Alerts | This action retrieves all incident alerts. |
Get Incident Comment | This action retrieves an incident comment. |
Get Incident Relation | This action retrieves an incident relation. |
Get Threat Intelligence Indicator | This action retrieves the details of the specified threat intelligence indicator. |
Get Watchlist | This action retrieves the specified watchlist without its items. |
Get Watchlist Item | This action retrieves a watchlist item. |
List Alert Rules | This action lists all the alert rules. |
List Alert Rule Templates | This action lists all the alert rule templates. |
List Incident Comments | This action retrieves all incident comments. |
List Incident Entities | This action lists all the entities for an incident. |
List Incident Relations | This action retrieves all relations for a given incident. |
List Incidents | This action retrieves all incidents. |
List Subscriptions | This action lists all subscriptions for your tenant. |
List Threat Intelligence Indicators (Beta) | This action lists all the threat intelligence indicators. |
List Watchlist | This action retrieves all watchlists, without watchlist items. |
List Watchlist Items | This action retrieves all watchlist items. |
Query Threat Intelligence Indicators | This action queries threat intelligence indicators. |
Replace Threat Intelligence Indicator Tags | This action replaces tags added to a threat intelligence indicator. |
Update Alert Rule | This action updates an alert rule. |
Update Incident | This action updates the incident. |
Update Threat Intelligence Indicator | This action updates a threat intelligence indicator. |
Update Watchlist | This action updates a watchlist. |
Update Watchlist Items | This action updates a watchlist item. |
Generic Action | This is a generic action used to make requests to any Microsoft Sentinel endpoint. |
Configuration Parameters
The following configuration parameters are required for the Microsoft Sentinel app to communicate with the Microsoft Sentinel enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID that is assigned to your app. You can find this information in the portal where you registered your app. | Text | Required | |
Client Secret | Enter the URL-encoded client secret. | Password | Required | |
Tenant ID | Enter the tenant ID in GUID or domain name format. | Text | Required | |
Subscription ID | Enter the subscription ID. Example: d0cfe6b2-9ac0-4464-9919-dccaee2e48c0 | Text | Required | |
Resource Group Name | Enter the name of the resource group (case-insensitive). Example: MyRG | Text | Required | |
Workspace Name | Enter the name of the workspace. Example: myWorkspace | Text | Required | |
Verify | Choose whether to verify the SSL/TLS certificate while making requests. It is recommended to set this option to yes. Setting it to no skips certificate verification, so the connection may be established to an unverified endpoint. | Boolean | Optional | By default, verification is enabled. |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Microsoft Sentinel. | Integer | Optional | Allowed range: 15-120. Default value: 15. |
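As an added example (not the app's or Cyware's own code) of how the parameters above fit together, the Python below validates an instance configuration against the rules in the table (required fields, a GUID subscription ID, a GUID-or-domain tenant ID, Verify defaulting to enabled, Timeout within 15-120 with a default of 15) and builds, without sending, the OAuth 2.0 client-credentials token request. The Microsoft Entra token endpoint and the `https://management.azure.com/.default` scope are the standard ones for Azure Resource Manager calls; the function names and the sample configuration are constructed for this example, which assumes the app authenticates with that grant.

```python
"""Validate Microsoft Sentinel instance parameters and build the token request.

Added example, not the app's own code. Assumes the client-credentials grant
against Microsoft Entra ID for an Azure Resource Manager token; the token URL
and scope are the standard Microsoft ones, every other name is constructed.
"""
import re
import uuid
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ARM_SCOPE = "https://management.azure.com/.default"
TIMEOUT_MIN, TIMEOUT_MAX, TIMEOUT_DEFAULT = 15, 120, 15

# Tenant ID may be a GUID or a domain name (see the Tenant ID parameter).
_DOMAIN_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$", re.I)


def _is_guid(value):
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def validate_config(cfg):
    """Return a normalised copy of the instance parameters or raise ValueError."""
    out = {}
    for key in ("client_id", "client_secret", "tenant_id", "subscription_id",
                "resource_group_name", "workspace_name"):
        value = cfg.get(key)
        if not isinstance(value, str) or not value.strip():
            raise ValueError(f"{key} is required")
        out[key] = value.strip()
    if not _is_guid(out["subscription_id"]):
        raise ValueError("subscription_id must be a GUID")
    if not (_is_guid(out["tenant_id"]) or _DOMAIN_RE.match(out["tenant_id"])):
        raise ValueError("tenant_id must be a GUID or a domain name")
    # Verify defaults to enabled; only an explicit False disables it.
    out["verify"] = cfg.get("verify", True) is not False
    timeout = cfg.get("timeout", TIMEOUT_DEFAULT)
    if (not isinstance(timeout, int) or isinstance(timeout, bool)
            or not TIMEOUT_MIN <= timeout <= TIMEOUT_MAX):
        raise ValueError(f"timeout must be an integer between {TIMEOUT_MIN} and {TIMEOUT_MAX}")
    out["timeout"] = timeout
    return out


def build_token_request(cfg):
    """Build (but do not send) the client-credentials token request.

    The secret travels URL-encoded in the form body, never in the query string;
    the returned dict is what an HTTP client would POST.
    """
    c = validate_config(cfg)
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": c["client_id"],
        "client_secret": c["client_secret"],
        "scope": ARM_SCOPE,
    })
    return {
        "method": "POST",
        "url": TOKEN_URL.format(tenant=c["tenant_id"]),
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": body,
        "timeout": c["timeout"],
        "verify": c["verify"],
    }


def redact(req):
    """Copy of a token request that is safe to log: the secret value is masked."""
    safe = dict(req)
    safe["body"] = re.sub(r"(client_secret=)[^&]*", r"\1***", req["body"])
    return safe


# Constructed sample instance parameters (not real credentials).
SAMPLE_CONFIG = {
    "client_id": "11111111-2222-3333-4444-555555555555",
    "client_secret": "s3cr3t+value/with=chars",
    "tenant_id": "contoso.onmicrosoft.com",
    "subscription_id": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
    "resource_group_name": "MyRG",
    "workspace_name": "myWorkspace",
}

if __name__ == "__main__":
    print(redact(build_token_request(SAMPLE_CONFIG)))
```

The example URL-encodes the raw secret itself as part of the form body; if you store an already URL-encoded value, as the Client Secret parameter above asks, the value must not be encoded a second time. `redact` is the form to hand to a logger, so the secret never lands in playbook run logs.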
Action: Append Tags to Threat Intelligence Indicator
This action appends tags to the specified threat intelligence indicator.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Tags | Enter a list of tags to append to the indicator. Example: $LIST[tag1,tag2] | List | Required | |
Name | Enter the name of the threat intelligence indicator. Example: d9cd6f0b-96b9-3984-17cd-a779d1e15a93 | Text | Required | You can retrieve the name using the action List Threat Intelligence Indicators. |
Action: Create Alert Rule
This action creates an alert rule.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Kind | Enter the kind of alert rule to create. | Text | Required | Allowed values: Fusion, MicrosoftSecurityIncidentCreation, Scheduled |
Properties | Enter the properties of the alert rule to create. | Key Value | Required | Allowed keys when Kind is Fusion: alertRuleTemplateName, enabled. Allowed keys when Kind is MicrosoftSecurityIncidentCreation: displayName, enabled, productFilter, alertRuleTemplateName, description, displayNamesExcludeFilter, displayNamesFilter, severitiesFilter. Allowed keys when Kind is Scheduled: displayName, enabled, query, queryFrequency, queryPeriod, severity, suppressionDuration, suppressionEnabled, triggerOperator, triggerThreshold, alertDetailsOverride, alertRuleTemplateName, customDetails, description, entityMappings, eventGroupingSettings, incidentConfiguration, tactics, techniques, templateVersion |
Example Request
[ { "kind": "MicrosoftSecurityIncidentCreation", "properties": { "enabled": "True", "displayName": "Sample Name", "productFilter": "Microsoft Cloud App Security" } } ]
Action: Create Incident
This action creates an incident by generating an ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Severity | Enter the severity of the incident. Example: low | Text | Required | Allowed values: Low, High, Medium, Informational |
Status | Enter the status of the incident. Example: new | Text | Required | Allowed values: New, Active, Closed |
Title | Enter the title of the incident. Example: Sample Incident Title | Text | Required | |
Additional Parameters | Enter the additional incident variables. If the key is nested, enter it as "$top". | Key Value | Optional | Allowed keys: classification, classificationComment, classificationReason, description, firstActivityTimeUtc, labels, lastActivityTimeUtc, owner |
Example Request
[ { "title": "Sample Incident Title", "params": {}, "status": "New", "severity": "Medium" } ]
Action: Create Incident Comment
This action creates an incident comment by generating an ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Message | Enter the comment message. Example: This is a sample comment. | Text | Required | |
Incident ID | Enter the incident ID for which you want to create the comment. Example: f71f378w-16e9-11ec-a6a4-0acb9ed22a43 | Text | Required | You can retrieve the incident ID using the action List Incidents. |
Example Request
[ { "message": "This is a sample comment.", "incident_id": "f71f378w-16e9-11ec-a6a4-0acb9ed22a43" } ]
Action: Create Threat Intelligence Indicator
This action creates a new threat intelligence indicator.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Kind | Enter the kind of threat intelligence indicator entity. Example: indicator | Text | Required | |
Source | Enter the source of the threat intelligence entity. Example: Sentinel | Text | Required | |
Pattern | Enter the pattern of the threat intelligence entity. Example: [ip:value = '1.1.1.1'] | Text | Required | |
Pattern Type | Enter the pattern type of the threat intelligence entity. Example: ip | Text | Required | |
Extra Params | Enter the extra parameters to create a threat intelligence indicator. | Key Value | Optional | Allowed keys: confidence, created, createdByRef, defanged, description, displayName, extensions, externalId, externalLastUpdatedTimeUtc, externalReferences, granularMarkings, indicatorTypes, killChainPhases, labels, language, lastUpdatedTimeUtc, modified, objectMarkingRefs, parsedPattern, patternVersion, revoked, threatIntelligenceTags, threatTypes, validFrom, validUntil |
Example Request
[ { "kind": "indicator", "source": "Sentinel", "pattern": "[ip:value = '1.1.1.1']", "patternType": "ip", "extra_params": {} } ]
Action: Create Watchlist
This action creates a watchlist.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Watchlist Alias | Enter the alias of the watchlist to create. Example: highValueAsset | Text | Required | |
Display Name | Enter the display name of the watchlist. Example: High Value Assets Watchlist | Text | Required | |
Items Search Key | Enter the search key to optimize query performance when joining watchlists with other data. Example: header1 | Text | Required | |
Provider | Enter the provider of the watchlist. Example: Microsoft | Text | Required | |
Extra Fields | Enter the extra fields to create a watchlist. | Key-Value | Optional | Allowed keys: contentType, created, createdBy, defaultDuration, description, isDeleted, labels, numberOfLinesToSkip, rawContent, source, sourceType, tenantId, updated, updatedBy, uploadStatus, watchlistId, watchlistType |
Example Request
[ { "provider": "Microsoft", "display_name": "High Value Assets Watchlist", "extra_fields": {}, "watchlist_alias": "highValueAsset", "items_search_key": "header1" } ]
Action: Create Watchlist Items
This action creates watchlist items.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Watchlist Alias | Enter the alternate name or alias for the watchlist. Example: highValueAsset | Text | Required | |
Items Keys and Values | Enter key-value pairs while creating watchlist items. Example: "indicator": "10.0.255.224/2" | Key Value | Required | Allowed keys: Gateway subnet, Web Tier, Business tier, Data tier, Private DMZ in, Public DMZ out |
Example Request
[ { "watch_list_alias": "Sample Alias", "items_keys_and_values": { "Web Tier": "10.0.1.0/24" } } ]
Action: Delete Alert Rule
This action deletes the specified alert rule.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Rule ID | Enter the ID of the alert rule to delete. Example: 73e01a99-5cd7-4139-a149-9f2736ff2ab5 | Text | Required | You can retrieve the rule ID using the action List Alert Rules. |
Example Request
[ { "rule_id": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" } ]
Action: Delete Incident
This action deletes an incident.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the ID of the incident to delete. Example: 73e01a99-5cd7-4139-a149-9f2736ff2ab5 | Text | Required | You can retrieve the incident ID using the action List Incidents. |
Example Request
[ { "incident_id": "73e01a99-5cd7-4139-a149-9f2736ff2ab5" } ]
Action: Delete Incident Comment
This action deletes a comment for a given incident.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the ID of the incident. Example: 73e01a99-5cd7-4139-a149-9f2736ff2ab5 | Text | Required | You can retrieve the incident ID using the action List Incidents. |
Incident Comment ID | Enter the ID of the incident comment you want to delete. Example: 4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014 | Text | Required | You can retrieve the incident comment ID using the action List Incident Comments. |
Example Request
[ { "incident_id": "25c17d89-c02a-4b02-9a1d-a761047f081b", "incident_comment_id": "4bb36b7b-26ff-4d1c-9cbe-0d8ab3da0014" } ]
Action: Delete Threat Intelligence Indicator
This action deletes a threat intelligence indicator.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator Name | Enter the name of the threat intelligence indicator to delete. Example: d9cd6f0b-96b9-3984-17cd-a779d1e15a93 | Text | Required | You can retrieve the indicator name using the action List Threat Intelligence Indicators. |
Example Request
[ { "indicator_name": "d9cd6f0b-96b9-3984-17cd-a779d1e15a93" } ]
Action: Delete Watchlist
This action deletes a watchlist.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Watchlist Alias | Enter the watchlist alias to delete. Example: HighValueAssets | Text | Required | You can retrieve the watchlist alias using the action List Watchlist. |
Example Request
[ { "watchlist_alias": "HighValueAssets" } ]
Action: Delete Watchlist Item
This action deletes a watchlist item.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Watchlist Alias | Enter the watchlist alias to delete the item. Example: highValueAsset | Text | Required | You can retrieve the watchlist alias using the action List Watchlist. |
Watchlist Item ID | Enter the ID of the watchlist item to delete. Example: 4008512e-1d30-48b2-9ee2-d3612ed9d3ea | Text | Required | You can retrieve the watchlist item ID using the action List Watchlist Items. |
Example Request
[ { "watch_list_alias": "highValueAsset", "watch_list_item_id": "4008512e-1d30-48b2-9ee2-d3612ed9d3ea" } ]
Action: Get Incident
This action retrieves the details of an incident.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the incident ID to retrieve the details. Example: f71f378w-16e9-11ec-a6a4-0acb9ed22a43 | Text | Required | You can retrieve the incident ID using the action List Incidents. |
Example Request
[ { "incident_id": "f71f378w-16e9-11ec-a6a4-0acb9ed22a43" } ]
Action: Get Incident Alerts
This action retrieves all the incident alerts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the ID of the incident to retrieve associated alerts. Example: 9876ab54-3c21-98de-7ab6-5cde4ab32c19 | Text | Required | You can retrieve the incident ID using the action List Incidents. |
Example Request
[ { "incident_id": "9876ab54-3c21-98de-7ab6-5cde4ab32c19" } ]
Action: Get Incident Comment
This action retrieves an incident comment.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the incident ID for which you want to retrieve the comment. Example: f71f378w-16e9-11ec-a6a4-0acb9ed22a43 | Text | Required | You can retrieve the incident ID using the action List Incidents. |
Incident Comment ID | Enter the incident comment ID to retrieve the details. Example: b915ed46-16e9-11ec-a6a4 | Text | Required | You can retrieve the incident comment ID using the action List Incident Comments. |
Example Request
[ { "incident_id": "f71f378w-16e9-11ec-a6a4-0acb9ed22a43", "incident_comment_id": "b915ed46-16e9-11ec-a6a4" } ]
Action: Get Incident Relation
This action retrieves an incident relation.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the ID of the incident. Example: 9876ab54-3c21-98de-7ab6-5cde4ab32c19 | Text | Required | You can retrieve the incident ID using the action List Incidents. |
Relation Name | Enter the name of the relation. Example: 5db924e9-dc95-4c86-bc1b-ab0e3f1bd342_96e92a40-cecb-2964-6c56-7e693d84d51d | Text | Required | You can retrieve the relation name using the action List Incident Relations. |
Example Request
[ { "incident_id": "9876ab54-3c21-98de-7ab6-5cde4ab32c19", "relation_name": "5db924e9-dc95-4c86-bc1b-ab0e3f1bd342_96e92a40-cecb-2964-6c56-7e693d84d51d" } ]
Action: Get Threat Intelligence Indicator
This action retrieves the details of the specified threat intelligence indicator.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Name | Enter the name of the threat intelligence indicator to retrieve its details. Example: e16ef847-962e-d7b6-9c8b-a33e4bd30e47 | Text | Required | You can retrieve the name using the action List Threat Intelligence Indicators. |
Example Request
[ { "name": "e16ef847-962e-d7b6-9c8b-a33e4bd30e47" } ]
Action: Get Watchlist
This action retrieves the specified watchlist without its items.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Watchlist Alias | Enter the watchlist alias to retrieve. Example: highValueAsset | Text | Required | You can retrieve the watchlist alias using the action List Watchlist. |
Example Request
[ { "watchlist_alias": "highValueAsset" } ]
Action: Get Watchlist Item
This action retrieves a watchlist item.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Watchlist Alias | Enter the watchlist alias to retrieve. Example: highValueAsset | Text | Required | You can retrieve the watchlist alias using the action List Watchlist. |
Watchlist Item ID | Enter the watchlist item ID to retrieve. Example: 3f8901fe-63d9-4875-9ad5-9fb3b8105797 | Text | Required | You can retrieve the watchlist item ID using the action List Watchlist Items. |
Example Request
[ { "watchlist_alias": "highValueAsset", "watch_list_item_id": "e0987832-df01-11ef-a30f-02420a000121" } ]
Action: List Alert Rules
This action lists all the alert rules.
Action Input Parameters
No input parameters are required for this action.
Action: List Alert Rule Templates
This action lists all the alert rule templates.
Action Input Parameters
No input parameters are required for this action.
Action: List Incident Comments
This action retrieves all incident comments.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the incident ID. Example: 25c17d89-c02a-4b02-9a1d-a761047f081b | Text | Required | You can retrieve the incident ID using the action List Incidents. |
Additional Parameters | Enter the additional parameters to filter the response. | Key Value | Optional | Allowed keys: $filter, $orderby, $skipToken, $top |
Example Request
[ { "params": {}, "incident_id": "25c17d89-c02a-4b02-9a1d-a761047f081b" } ]
Action: List Incident Entities
This action lists all the entities of an incident.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the incident ID to retrieve associated entities. Example: 25c17d89-c02a-4b02-9a1d-a761047f081b | Text | Required | You can retrieve the incident ID using the action List Incidents. |
Example Request
[ { "incident_id": "25c17d89-c02a-4b02-9a1d-a761047f081b" } ]
Action: List Incident Relations
This action retrieves all the relations for a given incident.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the ID of the incident. Example: 5db924e9-dc95-4c86-bc1b-ab0e3f1bd342 | Text | Required | You can retrieve the incident ID using the action List Incidents. |
Skip Token | Enter the skip token value. Example: 190057d0-0000-0d00-0000-5c6f5adb0000 | Text | Optional | Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. |
Top | Enter n to return only the first n results. Example: 1 | Integer | Optional | |
Order by | Enter the field to sort the results by. Example: Name | Text | Optional | |
Filter | Enter a boolean condition to filter the results. Example: SecurityAlert | Text | Optional | |
Example Request
[ { "incident_id": "5db924e9-dc95-4c86-bc1b-ab0e3f1bd342" } ]
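The Skip Token notes above (and the identical ones under List Watchlist and List Watchlist Items) describe a pagination contract: a partial response carries a nextLink whose query string holds a skiptoken, and that value is what the next call must pass. The Python below, an added example rather than the app's own code, pulls the token out of nextLink and walks every page until none is returned, with two guards a playbook needs (a page cap and a repeated-token check) so a misbehaving server cannot spin it forever. The fetch callback and the sample pages are constructed; the `$skipToken` query parameter name is assumed from the "skiptoken parameter" wording above.

```python
"""Walk a paginated Microsoft Sentinel list response via nextLink/skipToken.

Added example, not the app's own code. The fetch callback stands in for one
of the List actions; the sample pages below are constructed so it runs offline.
"""
from typing import Callable, Iterator, Optional
from urllib.parse import parse_qs, urlsplit

MAX_PAGES = 1000  # guard against a server that never stops returning a nextLink


def skip_token_from_next_link(next_link: Optional[str]) -> Optional[str]:
    """Extract the $skipToken query value from a nextLink URL, or None."""
    if not next_link:
        return None
    query = parse_qs(urlsplit(next_link).query)
    values = query.get("$skipToken") or query.get("$skiptoken")
    return values[0] if values else None


def iter_all(fetch: Callable[[Optional[str]], dict]) -> Iterator[dict]:
    """Yield every item of every page; fetch(skip_token) returns one page."""
    token = None
    seen = set()
    for _ in range(MAX_PAGES):
        page = fetch(token)
        yield from page.get("value", [])
        token = skip_token_from_next_link(page.get("nextLink"))
        if token is None:
            return  # no nextLink: this was the final page
        if token in seen:  # a repeating token would loop forever
            raise RuntimeError("server returned the same skipToken twice")
        seen.add(token)
    raise RuntimeError("pagination did not terminate within MAX_PAGES")


# Constructed sample: two pages of relations for the incident ID used above.
_BASE = ("https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"
         "/resourceGroups/MyRG/providers/Microsoft.OperationalInsights/workspaces/myWorkspace"
         "/providers/Microsoft.SecurityInsights/incidents/5db924e9-dc95-4c86-bc1b-ab0e3f1bd342/relations")
SAMPLE_PAGES = {
    None: {"value": [{"name": "rel-1"}, {"name": "rel-2"}],
           "nextLink": _BASE + "?api-version=2024-09-01&$skipToken=190057d0-0000-0d00-0000-5c6f5adb0000"},
    "190057d0-0000-0d00-0000-5c6f5adb0000": {"value": [{"name": "rel-3"}]},
}


def sample_fetch(token: Optional[str]) -> dict:
    """Stand-in for the List Incident Relations call: look the page up by token."""
    return SAMPLE_PAGES[token]


def collect_relation_names(fetch: Callable[[Optional[str]], dict] = sample_fetch) -> list:
    """All relation names across every page, in server order."""
    return [item["name"] for item in iter_all(fetch)]


if __name__ == "__main__":
    print(collect_relation_names())
```

In a playbook the same loop applies to List Watchlist and List Watchlist Items: feed the extracted token back into the Skip Token parameter of the next call and stop when the response has no nextLink.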
Action: List Incidents
This action lists all the incidents.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional Parameters | Enter the additional parameters used for filtering. Example: {"$top" : "1", "$filter": "properties/additionalData/alertsCount gt 1 AND properties/lastModifiedTimeUtc gt 2021-01-01T00:00:00Z " } | Key Value | Optional | Allowed keys: $filter, $orderby, $skipToken, $top |
Example Request
[ { "params": {} } ]
Action: List Subscriptions
This action lists all subscriptions for your tenant.
Action Input Parameters
No input parameters are required for this action.
Action: List Threat Intelligence Indicators (Beta)
This action lists all the threat intelligence indicators.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Params | Enter the extra parameters to list threat intelligence indicators. | Key Value | Optional | Allowed keys: filter, orderby, skiptoken, top |
Action: List Watchlist
This action retrieves all watchlists, without watchlist items.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Skip Token | Enter the skip token value. Example: 190057d0-0000-0d00-0000-5c6f5adb0000 | Text | Optional | Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. |
Example Request
[ { "skipToken": "190057d0-0000-0d00-0000-5c6f5adb0000" } ]
Action: List Watchlist Items
This action retrieves all watchlist items.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Watchlist Alias | Enter the alias of the watchlist. Example: SampleAlias | Text | Required | |
Skip Token | Enter the skip token value. Example: 190057d0-0000-0d00-0000-5c6f5adb0000 | Text | Optional | Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. |
Example Request
[ { "watch_list_alias": "SampleAlias" } ]
Action: Query Threat Intelligence Indicators
This action queries threat intelligence indicators.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Min Confidence | Enter the minimum confidence score to query indicators. Example: 25 | Integer | Optional | |
Max Confidence | Enter the maximum confidence score to query indicators. Example: 80 | Integer | Optional | |
Sort by | Enter the sorting criteria to sort the response. Example: $JSON[{"itemkey": "lastupdatedtimeutc","sortorder": "descending"}] | Any | Optional | Allowed keys: itemkey and sortorder. |
Page Size | Enter the number of results to retrieve on each page. Example: 100 | Integer | Optional | |
Extra Params | Enter the extra parameters to query threat intelligence indicators. | Key Value | Optional | Allowed keys: ids, includeDisabled, keywords, maxValidUntil, minValidUntil, patternTypes, skipToken, sources, threatTypes |
Example Request
[ { "extra_fields": { "skipToken": "190057d0-0000-0d00-0000-5c6f5adb0000" } } ]
Action: Replace Threat Intelligence Indicator Tags
This action replaces tags added to a threat intelligence indicator.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Name | Enter the name of the threat intelligence indicator. Example: 30b1da69-2085-e9ad-12de-b29e15d4120c | Text | Required | You can retrieve the name using the action List Threat Intelligence Indicators. |
Threat Intelligence Tags | Enter the threat intelligence tags to replace. Example: "threatintelligencetags": [ "patching tags" ] | List | Required | |
Kind | Enter the kind of entity. Example: indicator | Text | Optional | |
Extra Params | Enter the extra parameters to replace tags added to a threat intelligence indicator. | Key Value | Optional | Allowed keys: confidence, created, createdByRef, defanged, description, displayName, extensions, externalId, externalLastUpdatedTimeUtc, externalReferences, granularMarkings, indicatorTypes, killChainPhases, labels, language, lastUpdatedTimeUtc, modified, objectMarkingRefs, parsedPattern, pattern, patternType, patternVersion, revoked, source, threatTypes, validFrom, validUntil |
Example Request
[ { "name": "30b1da69-2085-e9ad-12de-b29e15d4120c", "extra_params": {}, "threat_intelligence_tags": "$LIST[\"patching tags\"]" } ]
Action: Update Alert Rule
This action updates an alert rule.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Rule ID | Enter the ID of the rule to be updated. Example: 532c1811-79ee-4d9f-8d4d-6304c840daa1 | Text | Required | You can retrieve the rule ID using the action List Alert Rules. |
Kind | Enter the kind of alert rule to update. | Text | Required | Allowed values: Fusion, MicrosoftSecurityIncidentCreation, Scheduled |
Properties | Enter the properties of the alert rule to update. | Key Value | Required | Allowed keys when Kind is Fusion: alertRuleTemplateName, enabled. Allowed keys when Kind is MicrosoftSecurityIncidentCreation: displayName, enabled, productFilter, alertRuleTemplateName, description, displayNamesExcludeFilter, displayNamesFilter, severitiesFilter. Allowed keys when Kind is Scheduled: displayName, enabled, query, queryFrequency, queryPeriod, severity, suppressionDuration, suppressionEnabled, triggerOperator, triggerThreshold, alertDetailsOverride, alertRuleTemplateName, customDetails, description, entityMappings, eventGroupingSettings, incidentConfiguration, tactics, techniques, templateVersion |
Example Request
[ { "kind": "MicrosoftSecurityIncidentCreation", "rule_id": "532c1811-79ee-4d9f-8d4d-6304c840daa1", "properties": { "enabled": "true", "displayName": "Sample Name", "productFilter": "Microsoft Cloud App Security" } } ]
Action: Update Incident
This action updates the incident.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident ID | Enter the incident ID to update. Example: 25c17d89-c02a-4b02-9a1d-a761047f081b | Text | Required | You can retrieve the incident ID using the action List Incidents. |
Severity | Enter the severity of the incident. | Text | Required | Allowed values: Low, High, Medium, Informational |
Status | Enter the status of the incident. | Text | Required | Allowed values: New, Active, Closed |
Title | Enter the title of the incident. Example: Sample Incident Title | Text | Required | |
Additional Parameters | Enter additional incident variables. | Key Value | Optional | Allowed keys: etag, classification, classificationComment, classificationReason, description, firstActivityTimeUtc, labels, lastActivityTimeUtc, owner |
Example Request
[ { "title": "Sample Incident Title", "params": { "description": "This is a sample description." }, "status": "Active", "severity": "Medium", "incident_id": "25c17d89-c02a-4b02-9a1d-a761047f081b" } ]
Action: Update Threat Intelligence Indicator
This action updates a threat intelligence indicator.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Name | Enter the name of the threat intelligence indicator to update. Example: d9cd6f0b-96b9-3984-17cd-a779d1e15a93 | Text | Required | You can retrieve the name using the action List Threat Intelligence Indicators. |
Kind | Enter the kind of entity. Example: indicator | Text | Required | |
Source | Enter the source of the threat intelligence entity. Example: Sentinel | Text | Required | |
Pattern | Enter the pattern of the threat intelligence entity. Example: [ip:value = '1.1.1.1'] | Text | Required | |
Pattern Type | Enter the pattern type of the threat intelligence entity. Example: ip | Text | Required | |
Extra Params | Enter the extra parameters to update the threat intelligence indicator. | Key Value | Optional | Allowed keys: confidence, created, createdByRef, defanged, description, displayName, extensions, externalId, externalLastUpdatedTimeUtc, externalReferences, granularMarkings, indicatorTypes, killChainPhases, labels, language, lastUpdatedTimeUtc, modified, objectMarkingRefs, parsedPattern, patternVersion, revoked, threatIntelligenceTags, threatTypes, validFrom, validUntil |
Example Request
[ { "kind": "indicator", "name": "d9cd6f0b-96b9-3984-17cd-a779d1e15a93", "source": "Sentinel", "pattern": "[ip:value = '1.1.1.1']", "patternType": "ip", "extra_params": { "displayName": "Sample display name" } } ]
Action: Update Watchlist
This action updates a watchlist.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Watchlist Alias | Enter the alias of the watchlist. Example: highValueAsset | Text | Required | You can retrieve the watchlist alias using the action List Watchlist. |
Display Name | Enter the display name of the watchlist. Example: High Value Assets Watchlist | Text | Required | |
Items Search Key | Enter the search key to optimize query performance when joining watchlists with other data. Example: header1 | Text | Required | |
Provider | Enter the provider of the watchlist. Example: Microsoft | Text | Required | |
Extra Fields | Enter the extra fields to update the watchlist. | Key Value | Optional | Allowed keys: contentType, created, createdBy, defaultDuration, description, isDeleted, labels, numberOfLinesToSkip, rawContent, source, sourceType, tenantId, updated, updatedBy, uploadStatus, watchlistId, watchlistType |
Example Request
[ { "provider": "Microsoft", "display_name": "High Value Assets Watchlist", "extra_fields": {}, "watchlist_alias": "highValueAsset", "items_search_key": "header1" } ]
Action: Update Watchlist Items
This action updates a watchlist item.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Watch List Alias | Enter the alias of the watchlist. Example: HighValueAssets | Text | Required | |
Watch List Item ID | Enter the watchlist item ID. | Text | Required | You can retrieve watchlist item ID using the action List Watchlist Items. |
Items Keys and Values | Enter key-value pairs while updating watchlist items. | Key Value | Required | Allowed keys: Gateway subnet, Web Tier, Business tier, Data tier, Private DMZ in, Public DMZ out |
Example Request
[ { "watch_list_alias": "HighValueAssets", "watch_list_item_id": "f0fc6c90-a874-11ec-8f7d-4e2ce4127dc5", "items_keys_and_values": { "indicator": "10.0.255.224/28" } } ]
Action: Generic Action
This is a generic action used to make requests to any Microsoft Sentinel endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method to make the request. | Text | Required | Allowed values: GET, PUT, POST, DELETE |
Endpoint | Enter the endpoint to make the request. Example: subscriptions/{subscriptionid}/resourcegroups/{resourcegroupname}/providers/microsoft.operationalinsights/workspaces/{workspacename}/providers/microsoft.securityinsights/incidents/{incidentid}/entities | Text | Required | |
Query Params | Enter the query parameters to pass to the API. | Key Value | Optional | |
Payload | Enter the payload to pass to the API. | Any | Optional | |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional | Allowed keys: payload_json, custom_output, download, filename, files, retry_wait, retry_count, response_type |
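The Generic Action hands a playbook author raw control over method, endpoint, query string and payload, so the checks that the dedicated actions perform implicitly have to be done explicitly. The Python below is an added example, not the app's own code, of assembling such a request the way a cautious wrapper would: it restricts the method to the four allowed values, refuses an endpoint that carries its own scheme or host (so a playbook variable cannot steer the call to another server), appends the api-version from the top of this page, and rejects extra-field keys outside the allowed list. The Azure Resource Manager host and the api-version query parameter are standard ARM conventions; the helper names and sample IDs are constructed. The second sample reuses the `$top`/`$filter` keys from the List Incidents action above.

```python
"""Build a Generic Action request from its input parameters.

Added example, not the app's own code. The ARM host and api-version query
parameter are standard Azure Resource Manager conventions; allowed methods and
extra-field keys are the ones in the table above; names and IDs are constructed.
"""
import json
from urllib.parse import urlencode, urlsplit

ARM_HOST = "https://management.azure.com"
API_VERSION = "2024-09-01"  # the API Version stated at the top of this page
ALLOWED_METHODS = {"GET", "PUT", "POST", "DELETE"}
ALLOWED_EXTRA_FIELDS = {"payload_json", "custom_output", "download", "filename",
                        "files", "retry_wait", "retry_count", "response_type"}


def sentinel_endpoint(subscription_id, resource_group, workspace, suffix):
    """Relative endpoint in the form shown in the Endpoint parameter example."""
    return (f"subscriptions/{subscription_id}/resourcegroups/{resource_group}"
            f"/providers/microsoft.operationalinsights/workspaces/{workspace}"
            f"/providers/microsoft.securityinsights/{suffix.strip('/')}")


def build_generic_request(method, endpoint, query_params=None, payload=None, extra_fields=None):
    """Return the request an HTTP client would send; raise ValueError on bad input."""
    method = str(method).upper()
    if method not in ALLOWED_METHODS:
        raise ValueError(f"method must be one of {sorted(ALLOWED_METHODS)}")
    # The endpoint is a path under the ARM host. Refusing a scheme, a host or a
    # '..' segment keeps a playbook variable from steering the call elsewhere.
    parts = urlsplit(endpoint)
    if parts.scheme or parts.netloc or endpoint.startswith("//") or ".." in endpoint.split("/"):
        raise ValueError("endpoint must be a relative Sentinel path")
    path = "/" + endpoint.strip("/")
    params = {"api-version": API_VERSION}
    params.update(query_params or {})  # $filter, $top, $orderby, $skipToken go here
    extra = dict(extra_fields or {})
    unknown = set(extra) - ALLOWED_EXTRA_FIELDS
    if unknown:
        raise ValueError(f"unsupported extra fields: {sorted(unknown)}")
    headers = {"Accept": "application/json"}
    body = None
    if payload is not None:
        if method == "GET":
            raise ValueError("a GET request carries no payload")
        body = json.dumps(payload)
        headers["Content-Type"] = "application/json"
    return {"method": method, "url": f"{ARM_HOST}{path}?{urlencode(params)}",
            "headers": headers, "body": body, "extra": extra}


# Constructed sample values (same shape as the examples on this page).
SUB, RG, WS = "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "MyRG", "myWorkspace"


def sample_entities_request():
    """Generic Action equivalent of List Incident Entities (a POST with no body)."""
    endpoint = sentinel_endpoint(SUB, RG, WS, "incidents/25c17d89-c02a-4b02-9a1d-a761047f081b/entities")
    return build_generic_request("POST", endpoint)


def sample_list_incidents_request():
    """Generic Action equivalent of List Incidents with the $top/$filter keys."""
    endpoint = sentinel_endpoint(SUB, RG, WS, "incidents")
    return build_generic_request("GET", endpoint, query_params={
        "$top": "1",
        "$filter": "properties/additionalData/alertsCount gt 1 and "
                   "properties/lastModifiedTimeUtc gt 2021-01-01T00:00:00Z",
    }, extra_fields={"retry_count": 2})


if __name__ == "__main__":
    print(sample_entities_request()["url"])
    print(sample_list_incidents_request()["url"])
```

`urlencode` percent-encodes the `$` of the OData keys and the spaces in the filter, which ARM accepts; what matters for a playbook is that the values arrive as query parameters rather than being pasted into the endpoint string, where a stray `?` or `#` from an earlier action's output would change the request.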