Azure Sentinel

Version: 1.1.9

Microsoft Azure Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution.

Connect Azure Sentinel with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for Azure Sentinel.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Whether to verify the TLS certificate of the server being connected to (default is Verify SSL Certificate). Leave it on; with verification off, the client secret and the bearer tokens it obtains can be intercepted.
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • Tenant ID: Directory (tenant) ID of the Azure AD tenant that holds the Sentinel workspace.
    • Client ID: Application (client) ID of the app registration the integration authenticates as.
    • Client Secret: Client secret of that app registration. The integration authenticates with the OAuth 2.0 client-credentials flow, so grant the app registration only the roles the actions you use need: Log Analytics Reader on the workspace for Execute Query, Microsoft Sentinel Reader for the List and Get actions, and Microsoft Sentinel Contributor for the Create or Update and Delete actions.
  4. After you've entered all the details, click Connect.

Actions for Azure Sentinel

Execute Query

Runs a KQL query against the Log Analytics workspace behind Azure Sentinel and returns the matching rows.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action.

  • Workspace Id (required): Column name from the parent table that contains the ID of the Log Analytics workspace to query.
  • Query (required): Column name from the parent table that contains the KQL query to execute. Example: Usage | take 10.
  • Start Date (optional): Column name from the parent table that contains the start date, in YYYY-MM-DD format.
  • End Date (optional): Column name from the parent table that contains the end date, in YYYY-MM-DD format. The two dates bound the query's time range; with neither set, the action queries the last 30 days.

Output

A JSON object with the following keys; result holds the query rows:

  • has_error: True/False
  • error: message/null
  • result: Query Result
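The following is an added example, not the integration's own code, of what the Execute Query action has to do: build the request to the Log Analytics query API, encode the query safely, map the dates onto the API's timespan, and turn the columnar response into rows in the has_error/error/result shape above. It also shows why the v1.1.9 fix in the release notes matters: a query containing double quotes only survives if the body is produced by a JSON encoder rather than string concatenation. The endpoint URL, the request body fields and the tables/columns/rows response shape are those of the real API; the HTTP transport is a stub, the sample response is constructed, and the inclusive treatment of the end date is this example's choice.

```python
import json
from datetime import date, timedelta

# Real endpoint of the Log Analytics query API. The bearer token for it comes
# from the OAuth 2.0 client-credentials flow using the connection's tenant ID,
# client ID and client secret (scope https://api.loganalytics.io/.default).
QUERY_API = "https://api.loganalytics.io/v1/workspaces/{workspace_id}/query"


def build_timespan(start_date=None, end_date=None, today=None):
    """ISO 8601 interval for the API's 'timespan' field, from YYYY-MM-DD inputs.

    Mirrors the action's documented default: with neither date set, the last
    30 days. The end date is treated as inclusive (the interval ends at midnight
    after it); that inclusiveness is this example's choice, not documented.
    """
    today = date.fromisoformat(today) if today else date.today()
    end = date.fromisoformat(end_date) if end_date else today
    start = date.fromisoformat(start_date) if start_date else end - timedelta(days=30)
    if start > end:
        raise ValueError(f"start date {start} is after end date {end}")
    stop = end + timedelta(days=1)
    return f"{start.isoformat()}T00:00:00Z/{stop.isoformat()}T00:00:00Z"


def build_request(workspace_id, query, token, start_date=None, end_date=None, today=None):
    """Assemble the POST. The body goes through json.dumps, so a query such as
    where Computer == "web-01" is escaped instead of breaking the JSON; gluing
    the query into a JSON string by hand is the failure the v1.1.9 note fixes."""
    body = {"query": query, "timespan": build_timespan(start_date, end_date, today)}
    return {
        "method": "POST",
        "url": QUERY_API.format(workspace_id=workspace_id),
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/json"},
        "body": json.dumps(body),
    }


def body_of(request):
    """Decode a request body back into a dict (used to check the escaping)."""
    return json.loads(request["body"])


def rows_from_response(payload):
    """Flatten the API's columnar result (tables -> columns + rows) into dicts."""
    tables = payload.get("tables") or []
    if not tables:
        return []
    names = [col["name"] for col in tables[0]["columns"]]
    return [dict(zip(names, row)) for row in tables[0]["rows"]]


def execute_query(workspace_id, query, token, transport, **dates):
    """Run one query and return the action's output shape: has_error/error/result.

    transport(request) -> (status, payload) is injected so the example runs
    offline; in production it is the HTTPS call."""
    try:
        status, payload = transport(build_request(workspace_id, query, token, **dates))
    except ValueError as exc:            # bad dates, or a response that is not JSON
        return {"has_error": True, "error": str(exc), "result": None}
    if status != 200:
        message = (payload.get("error") or {}).get("message") or f"HTTP {status}"
        return {"has_error": True, "error": message, "result": None}
    return {"has_error": False, "error": None, "result": rows_from_response(payload)}


# Constructed sample response in the API's columnar shape (not from a live workspace).
SAMPLE_RESPONSE = {
    "tables": [{
        "name": "PrimaryResult",
        "columns": [{"name": "TimeGenerated", "type": "datetime"},
                    {"name": "Computer", "type": "string"}],
        "rows": [["2022-07-07T10:26:30Z", "web-01"],
                 ["2022-07-07T10:27:01Z", "web-02"]],
    }]
}


def fake_transport(request):
    """Stand-in for the HTTPS call: a body that is not valid JSON or has no
    query is rejected with 400, as the real API would; otherwise the sample."""
    try:
        body = json.loads(request["body"])
    except json.JSONDecodeError:
        return 400, {"error": {"message": "malformed request body"}}
    if not body.get("query"):
        return 400, {"error": {"message": "query is required"}}
    return 200, SAMPLE_RESPONSE


if __name__ == "__main__":
    result = execute_query("<workspace-id>",
                           'Heartbeat | where Computer == "web-01" | take 10',
                           "<token>", fake_transport, today="2022-07-08")
    print(json.dumps(result, indent=2))
```

The transport is the only part that needs replacing to run this against a workspace; everything the action is responsible for (escaping, time range, error mapping, row flattening) is exercised offline.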

List Alert Rules

List alert rules.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action.

  • Subscription ID (optional): Jinja-templated text containing the Azure subscription ID.
  • Resource Group Name (optional): Jinja-templated text containing the resource group of the Sentinel workspace.
  • Workspace (optional): Jinja-templated text containing the name of the Sentinel (Log Analytics) workspace.
  • API Version (optional): Jinja-templated text containing the Azure REST API version (default is '2021-10-01').

Output

JSON containing the following items:

{
  "value": [
    {
      "id": "/subscriptions/44a1188f-486a-40f3-b7b6-5basdfsadf/resourceGroups/integon/providers/Microsoft.OperationalInsights/workspaces/teseg/providers/Microsoft.SecurityInsights/alertRules/BuiltInFusion",
      "name": "BuiltInFusion",
      "etag": "\"25001913-0000-0100-0000-62asdfasdf00\"",
      "type": "Microsoft.SecurityInsights/alertRules",
      "kind": "MicrosoftSecurityIncidentCreation",
      "properties": {
        "productFilter": "Microsoft Cloud App Security",
        "severitiesFilter": null,
        "displayNamesFilter": null,
        "displayNamesExcludeFilter": null,
        "displayName": "testing displayname",
        "enabled": true,
        "description": null,
        "alertRuleTemplateName": null,
        "lastModifiedUtc": "2022-07-07T10:26:30.0222996Z"
      }
    }
  ],
  "error": null,
  "has_error": false
}

Get Alert Rule

Get alert rule by its ID.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action.

  • Alert Rule ID (required): Jinja-templated text containing the alert rule ID.
  • Subscription ID (optional): Jinja-templated text containing the Azure subscription ID.
  • Resource Group Name (optional): Jinja-templated text containing the resource group of the Sentinel workspace.
  • Workspace (optional): Jinja-templated text containing the name of the Sentinel (Log Analytics) workspace.
  • API Version (optional): Jinja-templated text containing the Azure REST API version (default is '2021-10-01').

Output

JSON containing the following items:

{
  "id": "/subscriptions/44a1188f-486a-40f3-b7b6-5asdfasd1d5b/resourceGroups/iation/providers/Microsoft.OperationalInsights/workspaces/tenteg/providers/Microsoft.SecurityInsights/alertRules/BuiltInFusion",
  "name": "BuiltInFusion",
  "etag": "\"25001913-0000-0100-0000-6asdfsad0000\"",
  "type": "Microsoft.SecurityInsights/alertRules",
  "kind": "MicrosoftSecurityIncidentCreation",
  "properties": {
    "productFilter": "Microsoft Cloud App Security",
    "severitiesFilter": null,
    "displayNamesFilter": null,
    "displayNamesExcludeFilter": null,
    "displayName": "testing displayname",
    "enabled": true,
    "description": null,
    "alertRuleTemplateName": null,
    "lastModifiedUtc": "2022-07-07T10:26:30.0222996Z"
  },
  "error": null,
  "has_error": false
}

Delete Alert Rule

Delete alert rule by its ID.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action.

  • Alert Rule ID (required): Jinja-templated text containing the alert rule ID.
  • Subscription ID (optional): Jinja-templated text containing the Azure subscription ID.
  • Resource Group Name (optional): Jinja-templated text containing the resource group of the Sentinel workspace.
  • Workspace (optional): Jinja-templated text containing the name of the Sentinel (Log Analytics) workspace.
  • API Version (optional): Jinja-templated text containing the Azure REST API version (default is '2021-10-01').

Output

JSON containing the following items:

{
  "msg": "Successfully deleted.",
  "error": null,
  "has_error": false
}

Create or Update Alert Rule

Create or update alert rule by its ID.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action.

  • Alert Rule ID (required): Jinja-templated text containing the alert rule ID.
  • Alert Rule Object (required): Jinja-templated text containing the alert rule object. Dotted keys address nested fields of the Azure REST API body, and kind is mandatory. Example: '{"kind": "Fusion","properties.alertRuleTemplateName": "f7asdfd-2ffb-45tb-b102-4asdf015c8","properties.enabled": true}'
  • Subscription ID (optional): Jinja-templated text containing the Azure subscription ID.
  • Resource Group Name (optional): Jinja-templated text containing the resource group of the Sentinel workspace.
  • Workspace (optional): Jinja-templated text containing the name of the Sentinel (Log Analytics) workspace.
  • API Version (optional): Jinja-templated text containing the Azure REST API version (default is '2021-10-01').
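The following is an added example, not the integration's own code, of the two things the Create or Update Alert Rule action has to get right: expanding the dotted-key object shown above into the nested body the Azure REST API takes, and assembling the alert rule's resource URL from the subscription, resource group, workspace and rule ID. Because every one of those segments arrives through Jinja templating, i.e. from upstream data, each is validated before it is spliced into the URL: a value carrying a slash or a question mark would aim the PUT at a different resource or override api-version. The ARM host, path layout and the requirement that the body carry kind are those of the real API; the resource group, workspace and template ID values are placeholders.

```python
import json
import re

ARM = "https://management.azure.com"
DEFAULT_API_VERSION = "2021-10-01"   # the action's documented default

# Every path segment is filled from Jinja-templated input, i.e. from upstream
# data, so each one is validated before it is spliced into the URL: a value
# containing '/' or '?' would point the request at a different resource or
# override api-version.
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
SEGMENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._()-]{0,253}$")
API_VERSION = re.compile(r"^\d{4}-\d{2}-\d{2}(-preview)?$")


def expand_dotted(obj):
    """Turn the dotted-key object shown in the docs into the nested body the
    REST API takes: {'properties.enabled': True} -> {'properties': {'enabled': True}}.
    A key that would be both a branch and a leaf is refused."""
    out = {}
    for key, value in obj.items():
        *branches, leaf = key.split(".")
        node = out
        for part in branches:
            child = node.setdefault(part, {})
            if not isinstance(child, dict):
                raise ValueError(f"{key!r}: {part!r} already holds a plain value")
            node = child
        if isinstance(node.get(leaf), dict) and not isinstance(value, dict):
            raise ValueError(f"{key!r}: {leaf!r} already holds an object")
        node[leaf] = value
    return out


def alert_rule_url(subscription_id, resource_group, workspace, rule_id,
                   api_version=DEFAULT_API_VERSION):
    """Resource URL of one alert rule, with every templated segment validated."""
    if not GUID.match(subscription_id):
        raise ValueError(f"subscription ID is not a GUID: {subscription_id!r}")
    for name, value in (("resource group", resource_group),
                        ("workspace", workspace), ("rule ID", rule_id)):
        if not SEGMENT.match(value):
            raise ValueError(f"invalid {name}: {value!r}")
    if not API_VERSION.match(api_version):
        raise ValueError(f"invalid API version: {api_version!r}")
    path = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/alertRules/{rule_id}")
    return f"{ARM}{path}?api-version={api_version}"


def build_put(subscription_id, resource_group, workspace, rule_id, dotted_obj):
    """Assemble the Create or Update request. 'kind' is mandatory in the API
    body (it selects the rule type: Fusion, Scheduled, ...)."""
    body = expand_dotted(dotted_obj)
    if "kind" not in body:
        raise ValueError("alert rule object must set 'kind'")
    return {"method": "PUT",
            "url": alert_rule_url(subscription_id, resource_group, workspace, rule_id),
            "body": body}


# Constructed input in the shape of the documented example; IDs are placeholders.
EXAMPLE = {
    "kind": "Fusion",
    "properties.alertRuleTemplateName": "<fusion-template-id>",
    "properties.enabled": True,
}
NIL_SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"

if __name__ == "__main__":
    req = build_put(NIL_SUBSCRIPTION, "soc-rg", "soc-workspace", "BuiltInFusion", EXAMPLE)
    print(req["method"], req["url"])
    print(json.dumps(req["body"], indent=2))
```

The same URL builder serves the Get and Delete actions (GET and DELETE against the same path), and the same segment validation applies to the Action ID and Automation Rule ID inputs further down.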

Output

JSON containing the following items:

{
  "id": "/subscriptions/44a1188f-486a-40f3-b7b6-5asdfasd1d5b/resourceGroups/iation/providers/Microsoft.OperationalInsights/workspaces/tenteg/providers/Microsoft.SecurityInsights/alertRules/BuiltInFusion",
  "name": "BuiltInFusion",
  "etag": "\"25001913-0000-0100-0000-6asdfsad0000\"",
  "type": "Microsoft.SecurityInsights/alertRules",
  "kind": "MicrosoftSecurityIncidentCreation",
  "properties": {
    "productFilter": "Microsoft Cloud App Security",
    "severitiesFilter": null,
    "displayNamesFilter": null,
    "displayNamesExcludeFilter": null,
    "displayName": "testing displayname",
    "enabled": true,
    "description": null,
    "alertRuleTemplateName": null,
    "lastModifiedUtc": "2022-07-07T10:26:30.0222996Z"
  },
  "error": null,
  "has_error": false
}

List Actions

List actions by alert rule ID.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action.

  • Alert Rule ID (required): Jinja-templated text containing the ID of the alert rule whose actions to list.
  • Subscription ID (optional): Jinja-templated text containing the Azure subscription ID.
  • Resource Group Name (optional): Jinja-templated text containing the resource group of the Sentinel workspace.
  • Workspace (optional): Jinja-templated text containing the name of the Sentinel (Log Analytics) workspace.
  • API Version (optional): Jinja-templated text containing the Azure REST API version (default is '2021-10-01').

Output

JSON containing the following items:

{
  "value": [
    {
      "id": "/subscriptions/44a1188f-486a-40f3-b7b6-5asdf1d5b/resourceGroups/integn/providers/Microsoft.OperationalInsights/workspaces/teteg/providers/Microsoft.SecurityInsights/alertRules/asicustomalertsv3_builtinfusiontest_ij_newaction_ij/actions/newAction_IJ",
      "name": "newAction_IJ",
      "etag": "\"a70255cc-0000-0300-0000-62c000\"",
      "type": "Microsoft.SecurityInsights/alertRules/actions",
      "properties": {
        "workflowId": "cd3765391efd4854asd1d48d7",
        "logicAppResourceId": "/subscriptions/44a1188f-486a-40f3-b7b6-asdfc911d5b/resourceGroups/inttion/providers/Microsoft.Logic/workflows/MyAlerts"
      }
    }
  ],
  "error": null,
  "has_error": false
}

Get Action

Get action by its ID.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action.

  • Alert Rule ID (required): Jinja-templated text containing the ID of the alert rule the action belongs to.
  • Action ID (required): Jinja-templated text containing the action ID.
  • Subscription ID (optional): Jinja-templated text containing the Azure subscription ID.
  • Resource Group Name (optional): Jinja-templated text containing the resource group of the Sentinel workspace.
  • Workspace (optional): Jinja-templated text containing the name of the Sentinel (Log Analytics) workspace.
  • API Version (optional): Jinja-templated text containing the Azure REST API version (default is '2021-10-01').

Output

JSON containing the following items:

{
  "value":{
      "id": "/subscriptions/44a1188f-486a-40f3-b7b6-5asdf1d5b/resourceGroups/integn/providers/Microsoft.OperationalInsights/workspaces/teteg/providers/Microsoft.SecurityInsights/alertRules/asicustomalertsv3_builtinfusiontest_ij_newaction_ij/actions/newAction_IJ",
      "name": "newAction_IJ",
      "etag": "\"a70255cc-0000-0300-0000-62c000\"",
      "type": "Microsoft.SecurityInsights/alertRules/actions",
      "properties": {
        "workflowId": "cd3765391efd4854asd1d48d7",
        "logicAppResourceId": "/subscriptions/44a1188f-486a-40f3-b7b6-asdfc911d5b/resourceGroups/inttion/providers/Microsoft.Logic/workflows/MyAlerts"
      }
    },
  "error": null,
  "has_error": false
}

Delete Action

Delete action by its ID.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action.

  • Alert Rule ID (required): Jinja-templated text containing the ID of the alert rule the action belongs to.
  • Action ID (required): Jinja-templated text containing the action ID.
  • Subscription ID (optional): Jinja-templated text containing the Azure subscription ID.
  • Resource Group Name (optional): Jinja-templated text containing the resource group of the Sentinel workspace.
  • Workspace (optional): Jinja-templated text containing the name of the Sentinel (Log Analytics) workspace.
  • API Version (optional): Jinja-templated text containing the Azure REST API version (default is '2021-10-01').

Output

JSON containing the following items:

{
  "msg": "Successfully deleted.",
  "error": null,
  "has_error": false
}

Create or Update Action

Create or update an action (the Logic App playbook attached to an alert rule) by its ID.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action.

  • Alert Rule ID (required): Jinja-templated text containing the ID of the alert rule the action belongs to.
  • Action ID (required): Jinja-templated text containing the action ID.
  • Action Object (required): Jinja-templated text containing the action object. An action attaches a Logic App playbook to the rule, so the object must reference the Logic App; dotted keys address nested fields of the Azure REST API body. Example: '{"properties.logicAppResourceId": "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Logic/workflows/<playbook>","properties.triggerUri": "<callback URL of the playbook's trigger>"}'
  • Subscription ID (optional): Jinja-templated text containing the Azure subscription ID.
  • Resource Group Name (optional): Jinja-templated text containing the resource group of the Sentinel workspace.
  • Workspace (optional): Jinja-templated text containing the name of the Sentinel (Log Analytics) workspace.
  • API Version (optional): Jinja-templated text containing the Azure REST API version (default is '2021-10-01').

Output

JSON containing the following items:

{
  "value":{
      "id": "/subscriptions/44a1188f-486a-40f3-b7b6-5asdf1d5b/resourceGroups/integn/providers/Microsoft.OperationalInsights/workspaces/teteg/providers/Microsoft.SecurityInsights/alertRules/asicustomalertsv3_builtinfusiontest_ij_newaction_ij/actions/newAction_IJ",
      "name": "newAction_IJ",
      "etag": "\"a70255cc-0000-0300-0000-62c000\"",
      "type": "Microsoft.SecurityInsights/alertRules/actions",
      "properties": {
        "workflowId": "cd3765391efd4854asd1d48d7",
        "logicAppResourceId": "/subscriptions/44a1188f-486a-40f3-b7b6-asdfc911d5b/resourceGroups/inttion/providers/Microsoft.Logic/workflows/MyAlerts"
      }
    },
  "error": null,
  "has_error": false
}

List Alert Rule Templates

List alert rule templates.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action.

  • Subscription ID (optional): Jinja-templated text containing the Azure subscription ID.
  • Resource Group Name (optional): Jinja-templated text containing the resource group of the Sentinel workspace.
  • Workspace (optional): Jinja-templated text containing the name of the Sentinel (Log Analytics) workspace.
  • API Version (optional): Jinja-templated text containing the Azure REST API version (default is '2021-10-01').

Output

JSON containing the following items:

{
  "value": [
    {
      "id": "/subscriptions/44a1188f-486a-40f3-b7b6-5basdfasdfd5b/resourceGroups/intion/providers/Microsoft.OperationalInsights/workspaces/testeg/providers/Microsoft.SecurityInsights/alertRules/BuiltInFusion",
      "name": "BuiltInFusion",
      "etag": "\"240035cc-0000-0100-0000-6asdfs950000\"",
      "type": "Microsoft.SecurityInsights/alertRules",
      "kind": "Fusion",
      "properties": {
        "displayName": "Advanced Multistage Attack Detection",
        "description": "Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\n\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\n- Fusion for emerging threats\n- Fusion for ransomware\n- Scenario-based Fusion detections (122 scenarios)\n\nTo enable these detections, we recommend you configure the following data connectors for best results:\n- Out-of-the-box anomaly detections\n- Azure Active Directory Identity Protection\n- Azure Defender\n- Azure Defender for IoT\n- Microsoft 365 Defender\n- Microsoft Cloud App Security    \n- Microsoft Defender for Endpoint\n- Microsoft Defender for Identity\n- Microsoft Defender for Office 365\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\n\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.",
        "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4easdf015c8",
        "tactics": [
          "Collection",
          "CommandAndControl",
          "PrivilegeEscalation"
        ],
        "severity": "High",
        "enabled": true,
        "lastModifiedUtc": "2022-07-07T04:35:33.2698249Z"
      }
    },
    {
      "id": "/subscriptions/44a1188f-486a-40f3-b7b6-5bfasdfasd5b/resourceGroups/intion/providers/Microsoft.OperationalInsights/workspaces/teseg/providers/Microsoft.SecurityInsights/alertRules/BuiltInFusion",
      "name": "BuiltInFusionTest_IJ",
      "etag": "\"25001913-0000-0100-0000-62asdf0000\"",
      "type": "Microsoft.SecurityInsights/alertRules",
      "kind": "MicrosoftSecurityIncidentCreation",
      "properties": {
        "productFilter": "Microsoft Cloud App Security",
        "severitiesFilter": null,
        "displayNamesFilter": null,
        "displayNamesExcludeFilter": null,
        "displayName": "testing displayname",
        "enabled": true,
        "description": null,
        "alertRuleTemplateName": null,
        "lastModifiedUtc": "2022-07-07T10:26:30.0222996Z"
      }
    }
  ],
  "error": null,
  "has_error": false
}

Get Alert Rule Template

Get alert rule template.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action.

  • Alert Rule Template ID (required): Jinja-templated text containing the alert rule template ID.
  • Subscription ID (optional): Jinja-templated text containing the Azure subscription ID.
  • Resource Group Name (optional): Jinja-templated text containing the resource group of the Sentinel workspace.
  • Workspace (optional): Jinja-templated text containing the name of the Sentinel (Log Analytics) workspace.
  • API Version (optional): Jinja-templated text containing the Azure REST API version (default is '2021-10-01').

Output

JSON containing the following items:

{
  "value": {
      "id": "/subscriptions/44a1188f-486a-40f3-b7b6-5basdfasdfd5b/resourceGroups/intion/providers/Microsoft.OperationalInsights/workspaces/testeg/providers/Microsoft.SecurityInsights/alertRules/BuiltInFusion",
      "name": "BuiltInFusion",
      "etag": "\"240035cc-0000-0100-0000-6asdfs950000\"",
      "type": "Microsoft.SecurityInsights/alertRules",
      "kind": "Fusion",
      "properties": {
        "displayName": "Advanced Multistage Attack Detection",
        "description": "Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\n\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\n- Fusion for emerging threats\n- Fusion for ransomware\n- Scenario-based Fusion detections (122 scenarios)\n\nTo enable these detections, we recommend you configure the following data connectors for best results:\n- Out-of-the-box anomaly detections\n- Azure Active Directory Identity Protection\n- Azure Defender\n- Azure Defender for IoT\n- Microsoft 365 Defender\n- Microsoft Cloud App Security    \n- Microsoft Defender for Endpoint\n- Microsoft Defender for Identity\n- Microsoft Defender for Office 365\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\n\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.",
        "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4easdf015c8",
        "tactics": [
          "Collection",
          "CommandAndControl",
          "PrivilegeEscalation"
        ],
        "severity": "High",
        "enabled": true,
        "lastModifiedUtc": "2022-07-07T04:35:33.2698249Z"
      }
    },
  "error": null,
  "has_error": false
}

List Automation Rules

List automation rules.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action.

  • Subscription ID (optional): Jinja-templated text containing the Azure subscription ID.
  • Resource Group Name (optional): Jinja-templated text containing the resource group of the Sentinel workspace.
  • Workspace (optional): Jinja-templated text containing the name of the Sentinel (Log Analytics) workspace.
  • API Version (optional): Jinja-templated text containing the Azure REST API version (default is '2021-10-01').

Output

JSON containing the following items:

{
  "value": [
    {
      "id": "/subscriptions/44a1188f-486a-40f3-b7b6asdfc911d5b/resourceGroups/inrion/providers/Microsoft.OperationalInsights/workspaces/teteg/providers/Microsoft.SecurityInsights/AutomationRules/newone",
      "name": "newone",
      "etag": "\"1f00cd3b-0000-0100-0000-62casdf000\"",
      "type": "Microsoft.SecurityInsights/AutomationRules",
      "properties": {
        "displayName": "hello",
        "order": 1,
        "triggeringLogic": {
          "isEnabled": true,
          "triggersOn": "Incidents",
          "triggersWhen": "Created",
          "conditions": []
        },
        "actions": [
          {
            "order": 1,
            "actionType": "ModifyProperties",
            "actionConfiguration": {
              "severity": "High",
              "status": null,
              "classification": null,
              "classificationReason": null,
              "classificationComment": null,
              "owner": null,
              "labels": null
            }
          }
        ],
        "lastModifiedTimeUtc": "2022-07-07T06:59:20Z",
        "createdTimeUtc": "2022-07-07T06:59:20Z",
        "lastModifiedBy": {
          "objectId": "8792fc6e-1ddd-407f-b522-8asdfe2c68ff",
          "email": null,
          "name": "External application - Sentinel",
          "userPrincipalName": null
        },
        "createdBy": {
          "objectId": "8792fc6e-1ddd-407f-b522-8b8d5asdf",
          "email": null,
          "name": "External application - Sentinel",
          "userPrincipalName": null
        }
      }
    },
    {
      "id": "/subscriptions/44a1188f-486a-40f3-b7b6-5basdfd5b/resourceGroups/intion/providers/Microsoft.OperationalInsights/workspaces/teseg/providers/Microsoft.SecurityInsights/AutomationRules/testij",
      "name": "testij",
      "etag": "\"1f005462-0000-0100-0000-62c7asdf00\"",
      "type": "Microsoft.SecurityInsights/AutomationRules",
      "properties": {
        "displayName": "hello IJ",
        "order": 1,
        "triggeringLogic": {
          "isEnabled": true,
          "triggersOn": "Incidents",
          "triggersWhen": "Created",
          "conditions": []
        },
        "actions": [
          {
            "order": 1,
            "actionType": "ModifyProperties",
            "actionConfiguration": {
              "severity": "High",
              "status": null,
              "classification": null,
              "classificationReason": null,
              "classificationComment": null,
              "owner": null,
              "labels": null
            }
          }
        ],
        "lastModifiedTimeUtc": "2022-07-08T04:34:20Z",
        "createdTimeUtc": "2022-07-08T04:34:20Z",
        "lastModifiedBy": {
          "objectId": "8792fc6e-1ddd-407f-b522-8basdf68ff",
          "email": null,
          "name": "External application - Sentinel",
          "userPrincipalName": null
        },
        "createdBy": {
          "objectId": "8792fc6e-1ddd-407f-b522-8basdfc68ff",
          "email": null,
          "name": "External application - Sentinel",
          "userPrincipalName": null
        }
      }
    }
  ],
  "error": null,
  "has_error": false
}
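As an added check (example code, not part of the integration or of this page), the listing above can be audited for automation rules that weaken triage: rules whose action closes incidents, rules with no conditions that rewrite every new incident, and rules created by a service principal rather than a named user (the listing above shows both rules created by "External application - Sentinel"). The input below is constructed in the same shape as the output above; the rule names, the condition and the principal values are placeholders.

```python
# Constructed listing in the shape of the List Automation Rules output above
# (not the page's data): one unconditional rule created by an app registration,
# one conditional rule that closes incidents.
LISTING = {
    "value": [
        {
            "name": "newone",
            "properties": {
                "displayName": "hello",
                "order": 1,
                "triggeringLogic": {"isEnabled": True, "triggersOn": "Incidents",
                                    "triggersWhen": "Created", "conditions": []},
                "actions": [{"order": 1, "actionType": "ModifyProperties",
                             "actionConfiguration": {"severity": "High", "status": None,
                                                     "classification": None,
                                                     "owner": None, "labels": None}}],
                "createdBy": {"objectId": "<app-object-id>", "email": None,
                              "name": "External application - Sentinel",
                              "userPrincipalName": None},
            },
        },
        {
            "name": "autoclose-low",
            "properties": {
                "displayName": "auto-close low severity",
                "order": 2,
                "triggeringLogic": {
                    "isEnabled": True, "triggersOn": "Incidents", "triggersWhen": "Created",
                    "conditions": [{"conditionType": "Property",
                                    "conditionProperties": {"propertyName": "IncidentSeverity",
                                                            "operator": "Equals",
                                                            "propertyValues": ["Low"]}}],
                },
                "actions": [{"order": 1, "actionType": "ModifyProperties",
                             "actionConfiguration": {"severity": None, "status": "Closed",
                                                     "classification": "BenignPositive",
                                                     "classificationReason": "SuspiciousButExpected",
                                                     "owner": None, "labels": None}}],
                "createdBy": {"objectId": "<user-object-id>", "email": "analyst@example.com",
                              "name": "Analyst", "userPrincipalName": "analyst@example.com"},
            },
        },
    ],
    "error": None,
    "has_error": False,
}


def audit_automation_rules(listing):
    """Flag automation rules that weaken triage. One finding per issue:
    - close:           the rule sets incident status to Closed (incidents vanish
                       from the queue without an analyst seeing them)
    - unconditional:   ModifyProperties with no conditions rewrites every incident
    - non_user_author: created by a service principal, not a named user
    """
    if listing.get("has_error"):
        raise RuntimeError(listing.get("error") or "action reported an error")
    findings = []
    for rule in listing.get("value", []):
        props = rule.get("properties", {})
        logic = props.get("triggeringLogic") or {}
        if not logic.get("isEnabled", False):
            continue                      # disabled rules cannot act on incidents
        unconditional = not logic.get("conditions")
        for action in props.get("actions", []):
            if action.get("actionType") != "ModifyProperties":
                continue
            cfg = action.get("actionConfiguration") or {}
            changes = {k: v for k, v in cfg.items() if v is not None}
            if changes.get("status") == "Closed":
                findings.append({"rule": rule["name"], "issue": "close",
                                 "severity": "high", "detail": changes})
            if unconditional and changes:
                findings.append({"rule": rule["name"], "issue": "unconditional",
                                 "severity": "medium", "detail": changes})
        author = props.get("createdBy") or {}
        if not author.get("userPrincipalName"):
            findings.append({"rule": rule["name"], "issue": "non_user_author",
                             "severity": "info", "detail": author.get("name")})
    return findings


if __name__ == "__main__":
    for finding in audit_automation_rules(LISTING):
        print(f"[{finding['severity']}] {finding['rule']}: {finding['issue']} {finding['detail']}")
```

Feeding the List Automation Rules output straight into this check on a schedule turns the listing into a configuration-drift detection: a new rule that closes incidents, or an unconditional rule appearing under a service principal, is worth an incident of its own.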

Get Automation Rule

Get automation rule by its ID.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action.

  • Automation Rule ID (required): Jinja-templated text containing the automation rule ID.
  • Subscription ID (optional): Jinja-templated text containing the Azure subscription ID.
  • Resource Group Name (optional): Jinja-templated text containing the resource group of the Sentinel workspace.
  • Workspace (optional): Jinja-templated text containing the name of the Sentinel (Log Analytics) workspace.
  • API Version (optional): Jinja-templated text containing the Azure REST API version (default is '2021-10-01').

Output

JSON containing the following items:

{
  "value":{
      "id": "/subscriptions/44a1188f-486a-40f3-b7b6-5basdfd5b/resourceGroups/intion/providers/Microsoft.OperationalInsights/workspaces/teseg/providers/Microsoft.SecurityInsights/AutomationRules/testij",
      "name": "testij",
      "etag": "\"1f005462-0000-0100-0000-62c7asdf00\"",
      "type": "Microsoft.SecurityInsights/AutomationRules",
      "properties": {
        "displayName": "hello IJ",
        "order": 1,
        "triggeringLogic": {
          "isEnabled": true,
          "triggersOn": "Incidents",
          "triggersWhen": "Created",
          "conditions": []
        },
        "actions": [
          {
            "order": 1,
            "actionType": "ModifyProperties",
            "actionConfiguration": {
              "severity": "High",
              "status": null,
              "classification": null,
              "classificationReason": null,
              "classificationComment": null,
              "owner": null,
              "labels": null
            }
          }
        ],
        "lastModifiedTimeUtc": "2022-07-08T04:34:20Z",
        "createdTimeUtc": "2022-07-08T04:34:20Z",
        "lastModifiedBy": {
          "objectId": "8792fc6e-1ddd-407f-b522-8basdf68ff",
          "email": null,
          "name": "External application - Sentinel",
          "userPrincipalName": null
        },
        "createdBy": {
          "objectId": "8792fc6e-1ddd-407f-b522-8basdfc68ff",
          "email": null,
          "name": "External application - Sentinel",
          "userPrincipalName": null
        }
      }
    },
  "error": null,
  "has_error": false
}

Delete Automation Rule

Delete automation rule by its ID.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action.

  • Automation Rule ID (required): Jinja-templated text containing the automation rule ID.
  • Subscription ID (optional): Jinja-templated text containing the Azure subscription ID.
  • Resource Group Name (optional): Jinja-templated text containing the resource group of the Sentinel workspace.
  • Workspace (optional): Jinja-templated text containing the name of the Sentinel (Log Analytics) workspace.
  • API Version (optional): Jinja-templated text containing the Azure REST API version (default is '2021-10-01').

Output

JSON containing the following items:

{
  "msg": "Successfully deleted.",
  "error": null,
  "has_error": false
}

Create or Update Automation Rule

Create or update an automation rule by its ID.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action.

  • Automation Rule ID (required): Jinja-templated text containing the automation rule ID.
  • Automation Rule Object (required): Jinja-templated text containing the automation rule object; dotted keys address nested fields of the Azure REST API body, and the fields are those shown in the output below. Example: '{"properties.displayName": "Escalate new incidents","properties.order": 1,"properties.triggeringLogic": {"isEnabled": true,"triggersOn": "Incidents","triggersWhen": "Created","conditions": []},"properties.actions": [{"order": 1,"actionType": "ModifyProperties","actionConfiguration": {"severity": "High"}}]}'
  • Subscription ID (optional): Jinja-templated text containing the Azure subscription ID.
  • Resource Group Name (optional): Jinja-templated text containing the resource group of the Sentinel workspace.
  • Workspace (optional): Jinja-templated text containing the name of the Sentinel (Log Analytics) workspace.
  • API Version (optional): Jinja-templated text containing the Azure REST API version (default is '2021-10-01').

Output

JSON containing the following items:

{
  "value":{
      "id": "/subscriptions/44a1188f-486a-40f3-b7b6-5basdfd5b/resourceGroups/intion/providers/Microsoft.OperationalInsights/workspaces/teseg/providers/Microsoft.SecurityInsights/AutomationRules/testij",
      "name": "testij",
      "etag": "\"1f005462-0000-0100-0000-62c7asdf00\"",
      "type": "Microsoft.SecurityInsights/AutomationRules",
      "properties": {
        "displayName": "hello IJ",
        "order": 1,
        "triggeringLogic": {
          "isEnabled": true,
          "triggersOn": "Incidents",
          "triggersWhen": "Created",
          "conditions": []
        },
        "actions": [
          {
            "order": 1,
            "actionType": "ModifyProperties",
            "actionConfiguration": {
              "severity": "High",
              "status": null,
              "classification": null,
              "classificationReason": null,
              "classificationComment": null,
              "owner": null,
              "labels": null
            }
          }
        ],
        "lastModifiedTimeUtc": "2022-07-08T04:34:20Z",
        "createdTimeUtc": "2022-07-08T04:34:20Z",
        "lastModifiedBy": {
          "objectId": "8792fc6e-1ddd-407f-b522-8basdf68ff",
          "email": null,
          "name": "External application - Sentinel",
          "userPrincipalName": null
        },
        "createdBy": {
          "objectId": "8792fc6e-1ddd-407f-b522-8basdfc68ff",
          "email": null,
          "name": "External application - Sentinel",
          "userPrincipalName": null
        }
      }
    },
  "error": null,
  "has_error": false
}

Release Notes

  • v1.1.9 - Bug fix: Execute Query no longer fails when the query contains double quotes.
  • v1.1.4 - Added 14 new actions: List Alert Rules, Get Alert Rule, Delete Alert Rule, Create or Update Alert Rule, List Actions, Get Action, Delete Action, Create or Update Action, List Alert Rule Templates, Get Alert Rule Template, List Automation Rules, Get Automation Rule, Delete Automation Rule and Create or Update Automation Rule.