Azure Sentinel

Use the Azure Sentinel integration to get and manage incidents and get related entity information for incidents. This integration was integrated and tested with API version 2019-01-01-preview of Azure Sentinel.

Authorize Cortex XSOAR for Azure Sentinel

You need to grant Cortex XSOAR authorization to access Azure Sentinel.

  1. Access the authorization flow.
  2. Click the Start Authorization Process button and you will be prompted to grant Cortex XSOAR permissions for your Azure Service Management.
  3. Click the Accept button and you will receive your ID, token, and key. You will need to enter these when you configure the Azure Sentinel integration instance in Cortex XSOAR.

Authorize Cortex XSOAR for Azure Sentinel (self-deployed configuration)

Follow these steps for a self-deployed configuration.

  1. To use a self-configured Azure application, you need to add a new Azure App Registration in the Azure Portal. To add the registration, refer to the following Microsoft article.
  2. Make sure the following permissions are granted for the app registration:
    • API/Permission name user_impersonation of type Delegated
  3. Copy the following URL and replace the CLIENT_ID and REDIRECT_URI with your own client ID and redirect URI, accordingly. https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&resource=https://management.core.windows.net&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI
  4. Enter the link and you will be prompted to grant Cortex XSOAR permissions for your Azure Service Management. You will be automatically redirected to a link with the following structure: REDIRECT_URI?code=AUTH_CODE&session_state=SESSION_STATE
  5. Copy the AUTH_CODE (without the “code=” prefix) and paste it in your instance configuration under the Authorization code parameter.
  6. Enter your client ID in the ID parameter.
  7. Enter your client secret in the Key parameter.
  8. Enter your tenant ID in the Token parameter.
  9. Enter your redirect URI in the Redirect URI parameter.
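The URL and redirect shape in steps 3 to 5 are easy to get subtly wrong by hand (an unencoded redirect URI, or a code copied from a page that is not the registered redirect URI). The following helpers are an added example, not code from the Azure Sentinel integration: they fill CLIENT_ID and REDIRECT_URI into the authorize URL given above and pull AUTH_CODE out of the `REDIRECT_URI?code=AUTH_CODE&session_state=SESSION_STATE` URL the browser lands on, refusing it when the location does not match the registered redirect URI. The client ID, redirect URI and code values used at the bottom are constructed placeholders.

```python
"""Helpers for the self-deployed authorization flow (added example, not integration code).

The authorize endpoint, the resource value and the redirect shape come from the
instructions above; every sample value below is a constructed placeholder.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/authorize"
RESOURCE = "https://management.core.windows.net"


def build_authorize_url(client_id: str, redirect_uri: str) -> str:
    """Fill CLIENT_ID and REDIRECT_URI into the authorize URL from step 3.

    urlencode() percent-encodes both values, so a redirect URI that itself
    contains '?' or '&' cannot be split into extra parameters by the server.
    """
    query = urlencode({
        "response_type": "code",
        "resource": RESOURCE,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def extract_auth_code(redirect_url: str, registered_redirect_uri: str) -> str:
    """Return AUTH_CODE (without the 'code=' prefix) from the URL the browser landed on.

    Scheme, host and path are compared with the redirect URI registered in the
    App Registration before the query string is read: a code that arrived at any
    other location must not be pasted into the instance configuration.
    """
    got = urlsplit(redirect_url)
    want = urlsplit(registered_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect URL does not match the registered redirect URI")
    codes = parse_qs(got.query, keep_blank_values=True).get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("redirect URL does not carry exactly one non-empty code parameter")
    return codes[0]


if __name__ == "__main__":
    # Constructed placeholder values; replace with the App Registration's own.
    client_id = "11111111-2222-3333-4444-555555555555"
    redirect_uri = "https://xsoar.example.test/callback"
    print(build_authorize_url(client_id, redirect_uri))
    landed_on = "https://xsoar.example.test/callback?code=0.AAAAexampleauthcode&session_state=abc123"
    print("Authorization code:", extract_auth_code(landed_on, redirect_uri))
```

Paste the value returned by `extract_auth_code` into the Authorization code parameter; it is already stripped of the `code=` prefix.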

Get the additional instance parameters

To get the Subscription ID, Workspace Name and Resource Group parameters, navigate in the Azure Portal to Azure Sentinel > YOUR-WORKSPACE > Settings and click the Workspace Settings tab.

Configure Azure Sentinel on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Azure Sentinel.
  3. Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
| --- | --- | --- |
| auth_id | ID (received from the authorization step - see Detailed Instructions (?) section) | True |
| refresh_token | Token (received from the authorization step - see Detailed Instructions (?) section) | True |
| enc_key | Key (received from the authorization step - see Detailed Instructions (?) section) | True |
| self_deployed | Use a self-deployed Azure application | False |
| redirect_uri | Application redirect URI (for self-deployed mode) | False |
| auth_code | Authorization code (received from the authorization step - see Detailed Instructions (?) section) | False |
| isFetch | Fetch incidents | False |
| fetch_time | First fetch timestamp ({number} {time unit}, e.g., 12 hours, 7 days) | False |
| min_severity | The minimum severity of incidents to fetch | False |
| incidentType | Incident type | False |
| subscriptionID | Subscription ID | True |
| resourceGroupName | Resource Group Name | True |
| workspaceName | Workspace Name | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |

  4. Click Test to validate the URLs, token, and connection.
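The fetch_time and min_severity parameters above define what the first fetch pulls in. The block below is an added example, not the integration's own code: it parses the documented `{number} {time unit}` format into a UTC instant, turns it into an OData filter on `properties/createdTimeUtc` of the form the list-incidents command documents, and applies a minimum-severity cut. The severity ordering Informational < Low < Medium < High is an assumption about Azure Sentinel severity values, and the incident records are constructed flat samples rather than real API responses.

```python
"""Fetch-incidents parameter handling (added example, not integration code).

Assumptions: severity order Informational < Low < Medium < High; sample
incidents are constructed flat records (the real API nests fields under
"properties").
"""
import re
from datetime import datetime, timedelta, timezone
from typing import List

# Map the unit word of "{number} {time unit}" onto a timedelta keyword.
_UNIT_TO_TIMEDELTA_KW = {
    "minute": "minutes", "minutes": "minutes",
    "hour": "hours", "hours": "hours",
    "day": "days", "days": "days",
    "week": "weeks", "weeks": "weeks",
}

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}  # assumed ordering


def parse_fetch_time(value: str, now: datetime) -> datetime:
    """Turn '12 hours' or '7 days' into the UTC instant that far before `now`.

    Anything that is not '<integer> <unit>' is rejected rather than silently
    defaulted, so a typo in the instance configuration cannot widen or shrink
    the fetch window unnoticed.
    """
    match = re.fullmatch(r"\s*(\d+)\s+([A-Za-z]+)\s*", value)
    if not match or match.group(2).lower() not in _UNIT_TO_TIMEDELTA_KW:
        raise ValueError(f"unsupported first fetch timestamp: {value!r}")
    amount = int(match.group(1))
    keyword = _UNIT_TO_TIMEDELTA_KW[match.group(2).lower()]
    return now.astimezone(timezone.utc) - timedelta(**{keyword: amount})


def created_after_filter(since: datetime) -> str:
    """Build the OData filter in the form documented for azure-sentinel-list-incidents."""
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"properties/createdTimeUtc gt {stamp}"


def first_fetch_filter(fetch_time: str, now_iso: str) -> str:
    """Convenience wrapper: first fetch timestamp plus 'now' (ISO 8601 UTC) to an OData filter."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return created_after_filter(parse_fetch_time(fetch_time, now))


def meets_min_severity(severity: str, min_severity: str) -> bool:
    """True when `severity` is at or above `min_severity`.

    An incident whose severity label is not in the mapping is kept: for a fetch,
    dropping unknown labels would silently hide incidents.
    """
    if min_severity not in SEVERITY_RANK:
        raise ValueError(f"unknown minimum severity: {min_severity!r}")
    if severity not in SEVERITY_RANK:
        return True
    return SEVERITY_RANK[severity] >= SEVERITY_RANK[min_severity]


def select_incidents(incidents: List[dict], min_severity: str) -> List[dict]:
    """Keep only the incidents that satisfy the minimum severity."""
    return [inc for inc in incidents if meets_min_severity(inc["severity"], min_severity)]


# Constructed sample incidents.
SAMPLE_INCIDENTS = [
    {"id": "incident-1", "severity": "High"},
    {"id": "incident-2", "severity": "Informational"},
    {"id": "incident-3", "severity": "Medium"},
    {"id": "incident-4", "severity": "Low"},
]

if __name__ == "__main__":
    now_iso = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    print(first_fetch_filter("12 hours", now_iso))
    print([inc["id"] for inc in select_incidents(SAMPLE_INCIDENTS, "Medium")])
```

The filter string can be passed directly as the `filter` argument of azure-sentinel-list-incidents; the severity cut is applied client-side, as the fetch does with min_severity.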

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

azure-sentinel-get-incident-by-id


Gets a single incident from Azure Sentinel.

Base Command

azure-sentinel-get-incident-by-id

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.Incident.ID | String | The incident ID. |
| AzureSentinel.Incident.Title | String | The incident title. |
| AzureSentinel.Incident.Description | String | Description of the incident. |
| AzureSentinel.Incident.Severity | String | The incident severity. |
| AzureSentinel.Incident.Status | String | The incident status. |
| AzureSentinel.Incident.AssigneeName | String | The name of the incident assignee. |
| AzureSentinel.Incident.AssigneeEmail | String | The email address of the incident assignee. |
| AzureSentinel.Incident.Label.Name | String | The name of the incident label. |
| AzureSentinel.Incident.Label.Type | String | The incident label type. |
| AzureSentinel.Incident.FirstActivityTimeUTC | Date | The date and time of the incident's first activity. |
| AzureSentinel.Incident.LastActivityTimeUTC | Date | The date and time of the incident's last activity. |
| AzureSentinel.Incident.LastModifiedTimeUTC | Date | The date and time the incident was last modified. |
| AzureSentinel.Incident.CreatedTimeUTC | Date | The date and time the incident was created. |
| AzureSentinel.Incident.IncidentNumber | Number | The incident number. |
| AzureSentinel.Incident.AlertsCount | Number | The number of alerts in the incident. |
| AzureSentinel.Incident.BookmarkCount | Number | The number of bookmarks in the incident. |
| AzureSentinel.Incident.CommentCount | Number | The number of comments in the incident. |
| AzureSentinel.Incident.AlertProductNames | String | The alert product names of the incident. |
| AzureSentinel.Incident.Tactics | String | The incident's tactics. |
| AzureSentinel.Incident.FirstActivityTimeGenerated | Date | The incident's generated first activity time. |
| AzureSentinel.Incident.LastActivityTimeGenerated | Date | The incident's generated last activity time. |
| AzureSentinel.Incident.Etag | String | The Etag of the incident. |
Command Example

!azure-sentinel-get-incident-by-id incident_id=f1670c58-43dc-4b82-a13a-c732325c41f5

Human Readable Output

Incident f1670c58-43dc-4b82-a13a-c732325c41f5 details

| Field | Value |
| --- | --- |
| ID | f1670c58-43dc-4b82-a13a-c732325c41f5 |
| Incident Number | 234 |
| Title | Test Incident |
| Severity | High |
| Status | New |
| First Activity Time UTC | 2020-03-28T18:45:59Z |
| Last Activity Time UTC | 2020-03-28T23:45:59Z |
| Last Modified Time UTC | 2020-03-28T23:51:06Z |
| Created Time UTC | 2020-03-28T23:51:06Z |
| Alerts Count | 1 |
| Bookmarks Count | 0 |
| Comments Count | 0 |
| Alert Product Names | Azure Sentinel |
| First Activity Time Generated | 2020-03-28T23:51:06Z |
| Last Activity Time Generated | 2020-03-28T23:51:06Z |
| Etag | "49002835-0000-0100-0000-5e7fe2ea0000" |

azure-sentinel-list-incidents


Gets a list of incidents from Azure Sentinel.

Base Command

azure-sentinel-list-incidents

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of incidents to return. The default and maximum value is 50. | Optional |
| filter | Filter results using OData syntax. For example: `properties/createdTimeUtc gt 2020-02-02T14:00:00Z`. For more information see the Azure documentation: https://docs.microsoft.com/bs-latn-ba/azure/search/search-query-odata-filter. | Optional |
| next_link | A link that specifies a starting point to use for subsequent calls. Using this argument overrides all of the other command arguments. | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.Incident.ID | String | The incident ID. |
| AzureSentinel.Incident.Title | String | The incident title. |
| AzureSentinel.Incident.Description | String | Description of the incident. |
| AzureSentinel.Incident.Severity | String | The incident severity. |
| AzureSentinel.Incident.Status | String | The incident status. |
| AzureSentinel.Incident.AssigneeName | String | The name of the incident assignee. |
| AzureSentinel.Incident.AssigneeEmail | String | The email address of the incident assignee. |
| AzureSentinel.Incident.Label.Name | String | The name of the incident label. |
| AzureSentinel.Incident.Label.Type | String | The incident label type. |
| AzureSentinel.Incident.FirstActivityTimeUTC | Date | The date and time of the incident's first activity. |
| AzureSentinel.Incident.LastActivityTimeUTC | Date | The date and time of the incident's last activity. |
| AzureSentinel.Incident.LastModifiedTimeUTC | Date | The date and time the incident was last modified. |
| AzureSentinel.Incident.CreatedTimeUTC | Date | The date and time the incident was created. |
| AzureSentinel.Incident.IncidentNumber | Number | The incident number. |
| AzureSentinel.Incident.AlertsCount | Number | The number of alerts in the incident. |
| AzureSentinel.Incident.BookmarkCount | Number | The number of bookmarks in the incident. |
| AzureSentinel.Incident.CommentCount | Number | The number of comments in the incident. |
| AzureSentinel.Incident.AlertProductNames | String | The alert product names of the incident. |
| AzureSentinel.Incident.Tactics | String | The incident's tactics. |
| AzureSentinel.Incident.FirstActivityTimeGenerated | Date | The incident's generated first activity time. |
| AzureSentinel.Incident.LastActivityTimeGenerated | Date | The incident's generated last activity time. |
| AzureSentinel.NextLink.Description | String | Description of NextLink. |
| AzureSentinel.NextLink.URL | String | Used if an operation returns partial results. If a response contains a NextLink element, its value specifies a starting point to use for subsequent calls. |
| AzureSentinel.Incident.Etag | String | The Etag of the incident. |
Command Example

!azure-sentinel-list-incidents limit=5

Human Readable Output

Incidents List (5 results)

| ID | Incident Number | Title | Description | Severity | Status | First Activity Time UTC | Last Activity Time UTC | Last Modified Time UTC | Created Time UTC | Alerts Count | Bookmarks Count | Comments Count | Alert Product Names | First Activity Time Generated | Last Activity Time Generated | Etag |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 35bc3532-494c-44c1-adb8-3d733d966471 | 1 | SharePointFileOperation via previously unseen IPs | Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses exceeds a threshold (default is 100). | Medium | New | 2020-01-15T07:54:05Z | 2020-01-15T08:54:05Z | 2020-01-15T09:29:12Z | 2020-01-15T09:29:12Z | 1 | 0 | 0 | Azure Sentinel | 2020-01-15T09:29:12Z | 2020-01-15T09:29:12Z | "19008ba5-0000-0100-0000-5e1edb680000" |
| 8a44b7bb-c8ae-4941-9fa0-3aecc8ef1742 | 2 | SharePointFileOperation via previously unseen IPs | Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses exceeds a threshold (default is 100). | Medium | New | 2020-01-15T08:24:05Z | 2020-01-15T09:24:05Z | 2020-01-15T09:29:14Z | 2020-01-15T09:29:14Z | 1 | 0 | 0 | Azure Sentinel | 2020-01-15T09:29:14Z | 2020-01-15T09:29:14Z | "190093a5-0000-0100-0000-5e1edb6a0000" |
| e0b06d71-b5a3-43a9-997f-f25b45085cb7 | 4 | SharePointFileOperation via previously unseen IPs | Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses exceeds a threshold (default is 100). | Medium | New | 2020-01-15T07:59:05Z | 2020-01-15T08:59:05Z | 2020-01-15T09:34:12Z | 2020-01-15T09:34:12Z | 1 | 0 | 0 | Azure Sentinel | 2020-01-15T09:34:12Z | 2020-01-15T09:34:12Z | "1900fda9-0000-0100-0000-5e1edc940000" |
| 0c16e64d-3bf5-4f7f-a965-cbab1e5ffcc4 | 5 | SharePointFileOperation via previously unseen IPs | Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses exceeds a threshold (default is 100). | Medium | New | 2020-01-15T08:34:06Z | 2020-01-15T09:34:06Z | 2020-01-15T09:39:13Z | 2020-01-15T09:39:13Z | 1 | 0 | 0 | Azure Sentinel | 2020-01-15T09:39:12Z | 2020-01-15T09:39:12Z | "190094ae-0000-0100-0000-5e1eddc10000" |
| a7977be7-1008-419b-877b-6793b7402a80 | 6 | SharePointFileOperation via previously unseen IPs | Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses exceeds a threshold (default is 100). | Medium | New | 2020-01-15T08:04:05Z | 2020-01-15T09:04:05Z | 2020-01-15T09:40:09Z | 2020-01-15T09:40:09Z | 1 | 0 | 0 | Azure Sentinel | 2020-01-15T09:40:09Z | 2020-01-15T09:40:09Z | "19007eaf-0000-0100-0000-5e1eddf90000" |
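With limit capped at 50, anything beyond one page has to be walked through AzureSentinel.NextLink.URL, and the next_link argument overrides every other argument on the follow-up call. The block below is an added example, not the integration's own code, that implements that contract in a paging loop: it clamps limit to the documented maximum, sends the OData filter only on the first request, and stops on a repeated link or after a page budget so a misbehaving service cannot keep a fetch running forever. FakeIncidentsApi, its continuation links and the incident records are constructed stand-ins; the real endpoint and its response shape are not reproduced.

```python
"""NextLink pagination for azure-sentinel-list-incidents (added example, not integration code).

FakeIncidentsApi is a constructed stand-in that returns pages and opaque
continuation links the way the command documents; the incident records are
constructed samples.
"""
from typing import Callable, Dict, List, Optional, Tuple

MAX_LIMIT = 50  # "The default and maximum value is 50" per the command documentation

Page = Tuple[List[dict], Optional[str]]  # (incidents on this page, NextLink or None)


class FakeIncidentsApi:
    """Constructed stand-in for the incidents endpoint with opaque continuation links."""

    def __init__(self, incidents: List[dict]) -> None:
        self._incidents = incidents
        self._continuations: Dict[str, Tuple[int, int]] = {}
        self.calls: List[dict] = []  # every call's arguments, so caller behaviour can be checked

    def list_incidents(self, limit: int = MAX_LIMIT, odata_filter: Optional[str] = None,
                       next_link: Optional[str] = None) -> Page:
        self.calls.append({"limit": limit, "filter": odata_filter, "next_link": next_link})
        if next_link is not None:
            # The continuation link carries its own offset and page size; other arguments are ignored.
            offset, size = self._continuations.pop(next_link)
        else:
            offset, size = 0, min(limit, MAX_LIMIT)
        page = self._incidents[offset:offset + size]
        end = offset + size
        link = None
        if end < len(self._incidents):
            link = f"https://sentinel.example.invalid/incidents?$skipToken=page{end}"  # constructed link
            self._continuations[link] = (end, size)
        return page, link


def collect_incidents(list_page: Callable[..., Page], limit: int = MAX_LIMIT,
                      odata_filter: Optional[str] = None, max_pages: int = 100) -> List[dict]:
    """Walk every page until the service stops returning a NextLink.

    The filter goes only with the first request: on later calls the link replaces
    all other arguments, exactly as the next_link argument is documented. A link
    seen twice, or more than max_pages pages, ends the loop with an error instead
    of spinning.
    """
    results: List[dict] = []
    seen_links = set()
    page, next_link = list_page(limit=min(limit, MAX_LIMIT), odata_filter=odata_filter)
    results.extend(page)
    pages = 1
    while next_link is not None:
        if next_link in seen_links or pages >= max_pages:
            raise RuntimeError("pagination did not terminate: repeated NextLink or too many pages")
        seen_links.add(next_link)
        page, next_link = list_page(next_link=next_link)
        results.extend(page)
        pages += 1
    return results


# Constructed sample data: seven incidents, so a page size of 3 takes three calls.
SAMPLE_INCIDENTS = [{"id": f"incident-{n}", "incidentNumber": n} for n in range(1, 8)]

if __name__ == "__main__":
    api = FakeIncidentsApi(SAMPLE_INCIDENTS)
    everything = collect_incidents(api.list_incidents, limit=3,
                                   odata_filter="properties/createdTimeUtc gt 2020-02-02T14:00:00Z")
    print(f"{len(everything)} incidents over {len(api.calls)} calls")
```

In a playbook the same loop is expressed by feeding AzureSentinel.NextLink.URL back into the next_link argument until the context no longer carries one.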

azure-sentinel-update-incident


Updates a single incident in Azure Sentinel.

Base Command

azure-sentinel-update-incident

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Required |
| title | The incident's title. | Optional |
| description | Description of the incident. | Optional |
| severity | The incident severity. | Optional |
| status | The incident status. | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.Incident.ID | String | The incident ID. |
| AzureSentinel.Incident.Title | String | The incident's title. |
| AzureSentinel.Incident.Description | String | Description of the incident. |
| AzureSentinel.Incident.Severity | String | The incident severity. |
| AzureSentinel.Incident.Status | String | The incident status. |
| AzureSentinel.Incident.AssigneeName | String | The name of the incident assignee. |
| AzureSentinel.Incident.AssigneeEmail | String | The email address of the incident assignee. |
| AzureSentinel.Incident.Label.Name | String | The name of the incident label. |
| AzureSentinel.Incident.Label.Type | String | The incident label type. |
| AzureSentinel.Incident.FirstActivityTimeUTC | Date | The date and time of the incident's first activity. |
| AzureSentinel.Incident.LastActivityTimeUTC | Date | The date and time of the incident's last activity. |
| AzureSentinel.Incident.LastModifiedTimeUTC | Date | The date and time the incident was last modified. |
| AzureSentinel.Incident.CreatedTimeUTC | Date | The date and time the incident was created. |
| AzureSentinel.Incident.IncidentNumber | Number | The incident number. |
| AzureSentinel.Incident.AlertsCount | Number | The number of alerts in the incident. |
| AzureSentinel.Incident.BookmarkCount | Number | The number of bookmarks in the incident. |
| AzureSentinel.Incident.CommentCount | Number | The number of comments in the incident. |
| AzureSentinel.Incident.AlertProductNames | String | The alert product names of the incident. |
| AzureSentinel.Incident.Tactics | String | The incident's tactics. |
| AzureSentinel.Incident.FirstActivityTimeGenerated | Date | The incident's generated first activity time. |
| AzureSentinel.Incident.LastActivityTimeGenerated | Date | The incident's generated last activity time. |
| AzureSentinel.Incident.Etag | String | The Etag of the incident. |
Command Example

!azure-sentinel-update-incident incident_id=f1670c58-43dc-4b82-a13a-c732325c41f5 severity=Medium

Human Readable Output

Updated incidents b3de6b49-0945-454e-bb59-98087573cfc2 details

| Field | Value |
| --- | --- |
| ID | f1670c58-43dc-4b82-a13a-c732325c41f5 |
| Incident Number | 234 |
| Title | Test Incident |
| Severity | Medium |
| Status | New |
| First Activity Time UTC | 2020-03-28T18:45:59Z |
| Last Activity Time UTC | 2020-03-28T23:47:10Z |
| Last Modified Time UTC | 2020-03-28T23:51:06Z |
| Created Time UTC | 2020-03-28T23:51:06Z |
| Alerts Count | 1 |
| Bookmarks Count | 0 |
| Comments Count | 0 |
| Alert Product Names | Azure Sentinel |
| First Activity Time Generated | 2020-03-28T23:51:06Z |
| Last Activity Time Generated | 2020-03-28T23:51:06Z |
| Etag | "49002835-0000-0100-0000-5e7fe2ea0000" |

azure-sentinel-delete-incident


Deletes a single incident in Azure Sentinel.

Base Command

azure-sentinel-delete-incident

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Required |
Context Output

There is no context output for this command.

Command Example

!azure-sentinel-delete-incident incident_id=ca5ffab9-25ff-413d-8000-12d3894b8468

Human Readable Output

Incident ca5ffab9-25ff-413d-8000-12d3894b8468 was deleted successfully.

azure-sentinel-list-incident-comments


Gets the comments of an incident from Azure Sentinel.

Base Command

azure-sentinel-list-incident-comments

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Required |
| limit | The maximum number of incident comments to return. The default and maximum value is 50. | Optional |
| next_link | A link that specifies a starting point to use for subsequent calls. Using this argument overrides all of the other command arguments. | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.IncidentComment.ID | String | The ID of the incident comment. |
| AzureSentinel.IncidentComment.IncidentID | String | The incident ID. |
| AzureSentinel.IncidentComment.Message | String | The incident comment. |
| AzureSentinel.IncidentComment.AuthorName | String | The name of the author of the incident comment. |
| AzureSentinel.IncidentComment.AuthorEmail | String | The email address of the author of the incident comment. |
| AzureSentinel.IncidentComment.CreatedTimeUTC | Date | The date and time that the incident comment was created. |
| AzureSentinel.NextLink.Description | String | Description of NextLink. |
| AzureSentinel.NextLink.URL | String | Used if an operation returns a partial result. If a response contains a NextLink element, its value specifies a starting point to use for subsequent calls. |
Command Example

!azure-sentinel-list-incident-comments incident_id=b3de6b49-0945-454e-bb59-98087573cfc2

Human Readable Output

Incident b3de6b49-0945-454e-bb59-98087573cfc2 Comments (4 results)

| ID | Incident ID | Message | Author Email | Created Time UTC |
| --- | --- | --- | --- | --- |
| 295553115212022172880571041415135580062 | b3de6b49-0945-454e-bb59-98087573cfc2 | This is a message | test@demisto.com | 2020-03-25T14:05:22Z |
| 68963242547946961037852832278311632312 | b3de6b49-0945-454e-bb59-98087573cfc2 | hello 123 | test@demisto.com | 2020-03-25T11:54:44Z |
| 129016399225162631970999636732817548146 | b3de6b49-0945-454e-bb59-98087573cfc2 | Test message | test@demisto.com | 2020-03-05T10:31:05Z |
| 205343125729153100039024461040878407049 | b3de6b49-0945-454e-bb59-98087573cfc2 | This is test | test@demisto.com | 2020-03-05T10:29:42Z |

azure-sentinel-incident-add-comment


Adds a comment to an incident in Azure Sentinel.

Base Command

azure-sentinel-incident-add-comment

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Required |
| message | The comment message. | Required |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.IncidentComment.ID | String | The ID of the incident comment. |
| AzureSentinel.IncidentComment.IncidentID | String | The incident ID. |
| AzureSentinel.IncidentComment.Message | String | The incident comment. |
| AzureSentinel.IncidentComment.AuthorName | String | The name of the author of the incident comment. |
| AzureSentinel.IncidentComment.AuthorEmail | String | The email address of the author of the incident comment. |
| AzureSentinel.IncidentComment.CreatedTimeUTC | Date | The date and time that the incident comment was created. |
Command Example

!azure-sentinel-incident-add-comment incident_id=b3de6b49-0945-454e-bb59-98087573cfc2 message="hello"

Human Readable Output

Incident b3de6b49-0945-454e-bb59-98087573cfc2 new comment details

| ID | Incident ID | Message | Author Email | Created Time UTC |
| --- | --- | --- | --- | --- |
| 22830063555802832669755633455570921192 | b3de6b49-0945-454e-bb59-98087573cfc2 | hello | test@demisto.com | 2020-03-26T13:25:20Z |

azure-sentinel-list-incident-relations


Gets a list of an incident's related entities from Azure Sentinel.

Base Command

azure-sentinel-list-incident-relations

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| incident_id | The incident ID. | Required |
| limit | The maximum number of related entities to return. | Optional |
| next_link | A link that specifies a starting point to use for subsequent calls. Using this argument overrides all of the other command arguments. | Optional |
| entity_kinds | A comma-separated list of entity kinds to filter by. By default, the results are not filtered by kind. The optional kinds are: Account, Host, File, AzureResource, CloudApplication, DnsResolution, FileHash, Ip, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, Url, IoTDevice, SecurityAlert, Bookmark. | Optional |
| filter | Filter results using OData syntax. For example: `properties/createdTimeUtc gt 2020-02-02T14:00:00Z`. For more information see the Azure documentation: https://docs.microsoft.com/bs-latn-ba/azure/search/search-query-odata-filter. | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.IncidentRelatedResource.ID | String | The ID of the incident's related resource. |
| AzureSentinel.IncidentRelatedResource.Kind | String | The kind of the incident's related resource. |
| AzureSentinel.NextLink.Description | String | The description about NextLink. |
| AzureSentinel.NextLink.URL | String | Used if an operation returns a partial result. If a response contains a NextLink element, its value specifies a starting point to use for subsequent calls. |
| AzureSentinel.IncidentRelatedResource.IncidentID | String | The incident ID. |
Command Example

!azure-sentinel-list-incident-relations incident_id=f1670c58-43dc-4b82-a13a-c732325c41f5

Human Readable Output

Incident f1670c58-43dc-4b82-a13a-c732325c41f5 Relations (1 results)

| ID | Incident ID | Kind |
| --- | --- | --- |
| 7ff48076-37b9-4bb5-83b1-db21618a282a | f1670c58-43dc-4b82-a13a-c732325c41f5 | SecurityAlert |

azure-sentinel-get-entity-by-id


Gets a single entity from Azure Sentinel. Use the azure-sentinel-list-incident-relations command to obtain an entity ID to pass to this command. In the current Azure Sentinel API version the retention period for GetEntityByID is 30 days.

Base Command

azure-sentinel-get-entity-by-id

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| entity_id | The entity ID. | Required |
Context Output

There is no context output for this command.

Command Example

!azure-sentinel-get-entity-by-id entity_id=7ff48076-37b9-4bb5-83b1-db21618a282a

Human Readable Output

Entity 7ff48076-37b9-4bb5-83b1-db21618a282a details

| Field | Value |
| --- | --- |
| ID | 7ff48076-37b9-4bb5-83b1-db21618a282a |
| Kind | SecurityAlert |
| Additional Data | Query: SecurityAlert; Query Period: 05:00:00; Query Start Time UTC: 2020-03-28 18:45:59Z; Query End Time UTC: 2020-03-28 23:45:59Z; Trigger Operator: Equal; Trigger Threshold: 0; Query Results Aggregation Kind: SingleAlert; Search Query Results Overall Count: 0 |
| Alert Display Name | Test rule |
| Alert Type | 275b61c7-26ae-4008-a739-1b61b78e7cef_f5b76ab9-a1ff-416e-a706-b3a3e102d68f |
| Confidence Level | Unknown |
| End Time Utc | 2020-03-28T23:45:59.7720057Z |
| Friendly Name | Test rule |
| Processing End Time | 2020-03-28T23:51:06.0937297Z |
| Product Component Name | Scheduled Alerts |
| Product Name | Azure Sentinel |
| Provider Alert Id | e80525d0-1ef0-4f29-92bb-e19bd0894139 |
| Severity | Medium |
| Start Time Utc | 2020-03-28T18:45:59.7720057Z |
| Status | New |
| System Alert Id | 7ff48076-37b9-4bb5-83b1-db21618a282a |
| Tactics | InitialAccess, Persistence, PrivilegeEscalation, DefenseEvasion, CredentialAccess, Discovery, LateralMovement, Execution, Collection, Exfiltration, CommandAndControl, Impact |
| Time Generated | 2020-03-28T23:51:06.0937297Z |
| Vendor Name | Microsoft |

azure-sentinel-list-entity-relations


Gets a list of an entity's relations from Azure Sentinel.

Base Command

azure-sentinel-list-entity-relations

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| entity_id | The entity ID. | Required |
| limit | The maximum number of relations to return. The default value is 50. | Optional |
| next_link | A link that specifies a starting point to use for subsequent calls. Using this argument overrides all of the other command arguments. | Optional |
| entity_kinds | A comma-separated list of entity kinds to filter by. By default, the result is not filtered by kind. The optional kinds are: Account, Host, File, AzureResource, CloudApplication, DnsResolution, FileHash, Ip, Malware, Process, RegistryKey, RegistryValue, SecurityGroup, Url, IoTDevice, SecurityAlert, Bookmark. | Optional |
| filter | Filter results using OData syntax. For example: `properties/createdTimeUtc gt 2020-02-02T14:00:00Z`. For more information see the Azure documentation: https://docs.microsoft.com/bs-latn-ba/azure/search/search-query-odata-filter. | Optional |
Context Output
| Path | Type | Description |
| --- | --- | --- |
| AzureSentinel.EntityRelatedResource.ID | String | The ID of the entity's related resource. |
| AzureSentinel.EntityRelatedResource.Kind | String | The kind of the entity's related resource. |
| AzureSentinel.NextLink.Description | String | Description about NextLink. |
| AzureSentinel.NextLink.URL | String | Used if an operation returns a partial result. If a response contains a NextLink element, its value specifies a starting point to use for subsequent calls. |
| AzureSentinel.EntityRelatedResource.EntityID | String | The entity ID. |
Command Example

!azure-sentinel-list-entity-relations entity_id=7ff48076-37b9-4bb5-83b1-db21618a282a

Human Readable Output

Entity 7ff48076-37b9-4bb5-83b1-db21618a282a Relations (1 results)

| ID | Incident ID |
| --- | --- |
| f1670c58-43dc-4b82-a13a-c732325c41f5 | 7ff48076-37b9-4bb5-83b1-db21618a282a |

azure-sentinel-test


Tests connectivity to Azure Sentinel.

Base Command

azure-sentinel-test

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!azure-sentinel-test

Human Readable Output

✅ Success!