Azure Sentinel is a cloud-native SIEM that you can use for intelligent security analytics across your entire enterprise.
Use the Azure Sentinel connector as a step in FortiSOAR™ playbooks to perform automated operations, such as investigating alerts, threat intelligence indicators, incidents, and secure scores.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 5.1.0-464
Authored By: Fortinet
Certified: Yes
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
```shell
yum install cyops-connector-azure-sentinel
```
For the detailed procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Azure Sentinel connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Tenant ID | ID of the tenant that is assigned to you by the Azure application registration portal. |
Client ID | ID of the client that is assigned to you by the Azure application registration portal. |
Client Secret | Client (application) Secret that has been assigned to you by the Azure application registration portal. The client secret can either be a password or a public/private key pair (certificate). |
Username | Username assigned to you by the Azure registration portal. |
Password | Password assigned to you by the Azure registration portal. |
The following automated operations can be included in playbooks; from FortiSOAR™ release 4.10.0 onwards you can also use the annotations to access these operations:
Function | Description | Annotation and Category |
---|---|---|
Get All Threat Intelligence Indicators | Retrieves all threat intelligence indicators from Azure Sentinel using the Microsoft Graph Security API. | get_all_threat_intelligence_indicators Investigation |
Get Threat Intelligence Indicator | Retrieves a specific threat intelligence indicator from Azure Sentinel using the Microsoft Graph Security API based on the threat intelligence indicator ID you have specified. | get_threat_intelligence_indicator Investigation |
Create Threat Intelligence Indicator | Creates a threat intelligence indicator in Azure Sentinel using the Microsoft Graph Security API based on the Azure Tenant ID, threat type, and other input parameters you have specified. | create_threat_intelligence_indicator Investigation |
Delete Threat Intelligence Indicator | Deletes a specific threat intelligence indicator from Azure Sentinel using the Microsoft Graph Security API based on the threat intelligence indicator ID you have specified. | delete_threat_intelligence_indicator Investigation |
Update Threat Intelligence Indicator | Updates a specific threat intelligence indicator in Azure Sentinel using the Microsoft Graph Security API based on the threat intelligence indicator ID and other input parameters you have specified. | update_threat_intelligence_indicator Investigation |
Get All Alerts | Retrieves all alerts from Azure Sentinel using the Microsoft Graph Security API. | get_all_alerts Investigation |
Get Alert | Retrieves a specific alert from Azure Sentinel using the Microsoft Graph Security API based on the Alert ID you have specified. | get_alert Investigation |
Update Alert | Updates a specific alert in Azure Sentinel using the Microsoft Graph Security API based on the alert ID, status, and other input parameters you have specified. | update_alert Investigation |
Get All Secure Scores | Retrieves all secure scores associated with a specific Azure Tenant from Azure Sentinel using the Microsoft Graph Security API based on the Azure Tenant ID you have specified. | get_all_secure_scores Investigation |
Get All Secure Score Control Profiles | Retrieves all secure score control profiles from Azure Sentinel using the Microsoft Graph Security API. | get_all_secure_score_control_profiles Investigation |
Update Incident | Updates an incident in Azure Sentinel using the logic app based on the host, signature, and other input parameters you have specified. | update_incident Investigation |
Get Incident | Retrieves an incident associated with a specific alert from Azure Sentinel using the logic app based on the host, signature, and other input parameters you have specified. | get_incident Investigation |
This operation does not require any input parameters.
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "lastReportedDateTime": "",
  "networkIPv6": "",
  "externalId": "",
  "domainName": "",
  "emailSenderAddress": "",
  "networkDestinationCidrBlock": "",
  "fileCompileDateTime": "",
  "networkPort": "",
  "emailLanguage": "",
  "tlpLevel": "",
  "emailSourceDomain": "",
  "knownFalsePositives": "",
  "azureTenantId": "",
  "malwareFamilyNames": [],
  "networkDestinationPort": "",
  "fileSize": "",
  "networkDestinationIPv4": "",
  "emailSubject": "",
  "ingestedDateTime": "",
  "filePath": "",
  "expirationDateTime": "",
  "networkSourceAsn": "",
  "networkSourceCidrBlock": "",
  "networkDestinationAsn": "",
  "killChain": [],
  "networkProtocol": "",
  "diamondModel": "",
  "networkDestinationIPv6": "",
  "userAgent": "",
  "action": "",
  "emailRecipient": "",
  "tags": [],
  "fileCreatedDateTime": "",
  "networkIPv4": "",
  "fileHashType": "",
  "emailXMailer": "",
  "networkSourceIPv6": "",
  "emailEncoding": "",
  "additionalInformation": "",
  "networkSourceIPv4": "",
  "description": "",
  "fileMutexName": "",
  "networkCidrBlock": "",
  "vendorInformation": {
    "vendor": "",
    "provider": "",
    "providerVersion": "",
    "subProvider": ""
  },
  "targetProduct": "",
  "emailSourceIpAddress": "",
  "threatType": "",
  "emailSenderName": "",
  "passiveOnly": "",
  "activityGroupNames": [],
  "confidence": "",
  "fileName": "",
  "networkSourcePort": "",
  "severity": "",
  "filePacker": "",
  "fileType": "",
  "fileHashValue": "",
  "isActive": "",
  "url": ""
}
```
Parameter | Description |
---|---|
Threat Intelligence Indicator ID | Unique GUID or ID, generated by the system when the indicator was ingested, of the threat intelligence indicator that you want to retrieve from Azure Sentinel. |
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "lastReportedDateTime": "",
  "networkIPv6": "",
  "externalId": "",
  "domainName": "",
  "emailSenderAddress": "",
  "networkDestinationCidrBlock": "",
  "fileCompileDateTime": "",
  "networkPort": "",
  "emailLanguage": "",
  "tlpLevel": "",
  "emailSourceDomain": "",
  "knownFalsePositives": "",
  "azureTenantId": "",
  "malwareFamilyNames": [],
  "networkDestinationPort": "",
  "fileSize": "",
  "networkDestinationIPv4": "",
  "emailSubject": "",
  "ingestedDateTime": "",
  "filePath": "",
  "expirationDateTime": "",
  "networkSourceAsn": "",
  "networkSourceCidrBlock": "",
  "networkDestinationAsn": "",
  "killChain": [],
  "networkProtocol": "",
  "diamondModel": "",
  "networkDestinationIPv6": "",
  "userAgent": "",
  "action": "",
  "emailRecipient": "",
  "tags": [],
  "fileCreatedDateTime": "",
  "networkIPv4": "",
  "fileHashType": "",
  "emailXMailer": "",
  "networkSourceIPv6": "",
  "emailEncoding": "",
  "additionalInformation": "",
  "networkSourceIPv4": "",
  "description": "",
  "fileMutexName": "",
  "networkCidrBlock": "",
  "@odata.context": "",
  "vendorInformation": {
    "vendor": "",
    "provider": "",
    "providerVersion": "",
    "subProvider": ""
  },
  "targetProduct": "",
  "emailSourceIpAddress": "",
  "threatType": "",
  "emailSenderName": "",
  "passiveOnly": "",
  "activityGroupNames": [],
  "confidence": "",
  "fileName": "",
  "networkSourcePort": "",
  "severity": "",
  "filePacker": "",
  "fileType": "",
  "fileHashValue": "",
  "isActive": "",
  "url": ""
}
```
Parameter | Description |
---|---|
Action | Action that you want to perform if the indicator is matched in the target product security tool. You can choose from the following options: Unknown, Allow, Block, or Alert. |
Azure Tenant ID | Azure tenant ID that is stamped by the system when an indicator is ingested. The ID of the tenant that is assigned to you by the Azure application registration portal (Azure Active Directory). |
Description | Brief description (100 characters or less) of the threat represented by the indicator that you want to create in Azure Sentinel. |
Expiration Date | Datetime that indicates when the indicator that you are creating will expire. All indicators must have an expiration date so that stale indicators do not persist in the system. Timestamps use ISO 8601 format and are always in UTC. |
Target Product | Security product to which you want to apply the indicator that you are creating in Azure Sentinel. |
Threat Type | Type of threat that you want to assign to the indicator that you are creating in Azure Sentinel. You can choose from the following options: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, or WatchList. |
Traffic Light Protocol | Value of the traffic light protocol that you want to assign to the indicator that you are creating in Azure Sentinel. You can choose from the following options: Unknown, White, Green, Amber, or Red. |
Object | Indicator observables based on which you want to create the threat intelligence indicator in Azure Sentinel. You can choose from the following options: Email, File, or Network. If you select Email, then you must specify the following parameters: |
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "lastReportedDateTime": "",
  "networkIPv6": "",
  "externalId": "",
  "domainName": "",
  "emailSenderAddress": "",
  "networkDestinationCidrBlock": "",
  "fileCompileDateTime": "",
  "networkPort": "",
  "emailLanguage": "",
  "tlpLevel": "",
  "emailSourceDomain": "",
  "knownFalsePositives": "",
  "api_version": "",
  "azureTenantId": "",
  "malwareFamilyNames": [],
  "networkDestinationPort": "",
  "fileSize": "",
  "networkDestinationIPv4": "",
  "emailSubject": "",
  "ingestedDateTime": "",
  "filePath": "",
  "expirationDateTime": "",
  "networkSourceAsn": "",
  "networkSourceCidrBlock": "",
  "networkDestinationAsn": "",
  "killChain": [],
  "networkProtocol": "",
  "diamondModel": "",
  "networkDestinationIPv6": "",
  "userAgent": "",
  "action": "",
  "emailRecipient": "",
  "tags": [],
  "fileCreatedDateTime": "",
  "networkIPv4": "",
  "fileHashType": "",
  "emailXMailer": "",
  "networkSourceIPv6": "",
  "emailEncoding": "",
  "additionalInformation": "",
  "networkSourceIPv4": "",
  "description": "",
  "fileMutexName": "",
  "networkCidrBlock": "",
  "@odata.context": "",
  "vendorInformation": {
    "vendor": "",
    "provider": "",
    "providerVersion": "",
    "subProvider": ""
  },
  "targetProduct": "",
  "emailSourceIpAddress": "",
  "threatType": "",
  "emailSenderName": "",
  "passiveOnly": "",
  "activityGroupNames": [],
  "confidence": "",
  "fileName": "",
  "networkSourcePort": "",
  "severity": "",
  "filePacker": "",
  "fileType": "",
  "fileHashValue": "",
  "isActive": "",
  "url": ""
}
```
Parameter | Description |
---|---|
ID | Unique GUID or ID, generated by the system when the indicator was ingested, of the threat intelligence indicator that you want to delete from Azure Sentinel. |
The output contains the following populated JSON schema:
```json
{
  "result": ""
}
```
Parameter | Description |
---|---|
ID | Unique GUID or ID, generated by the system when the indicator was ingested, of the threat intelligence indicator that you want to update in Azure Sentinel. |
Action | (Optional) Action that you want to perform if the indicator is matched in the target product security tool. You can choose from the following options: Unknown, Allow, Block, or Alert. |
Description | (Optional) Brief description (100 characters or less) of the threat represented by the indicator that you want to update in Azure Sentinel. |
Severity | (Optional) Integer value representing the severity of the malicious behavior identified by the data within the indicator that you want to update in Azure Sentinel. You can enter any value between 0 and 5, where 5 is most severe and 0 is not severe. The default value is 3. |
Traffic Light Protocol | (Optional) Value of the traffic light protocol that you want to assign to the indicator that you are updating in Azure Sentinel. You can choose from the following options: Unknown, White, Green, Amber, or Red. |
Is Active | (Optional) Clear this checkbox, i.e., set it to 'False', to deactivate the indicator within the system. By default, this checkbox is selected, i.e., any indicator submitted is set as active. However, providers might submit existing indicators with this set to 'False' to deactivate those indicators in the system. |
Confidence | (Optional) Integer value representing the confidence in the accuracy of the data within the indicator that identifies malicious behavior. You can enter any value between 0 and 100, where 100 is the highest. |
Diamond Model | (Optional) Area of the diamond model in which this indicator exists. You can choose from the following options: Unknown, Adversary, Capability, Infrastructure, or Victim. |
Tag | (Optional) JSON array of strings that stores arbitrary tags or keywords that you want to associate with the threat intelligence indicator in Azure Sentinel. You can specify multiple tags using comma-based separators. |
The output contains the following populated JSON schema:
```json
{
  "result": ""
}
```
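The Create and Update Threat Intelligence Indicator tables above list the value constraints (enum options, a 100-character description, an ISO 8601 UTC expiry, severity 0 to 5, confidence 0 to 100, comma-separated tags) but not how a request body that satisfies all of them is assembled and checked. The following added example (not code from the FortiSOAR connector) builds and validates such a body in Python; it assumes the Graph tiIndicator property names shown in the output schemas on this page, and that the UI labels such as Block or Amber correspond to Graph's lower-case enum strings.

```python
# Added example (not part of the FortiSOAR connector): builds the body for the
# Create/Update Threat Intelligence Indicator operations, enforcing the
# constraints the parameter tables list. Property names are Graph tiIndicator names.
from datetime import datetime, timezone

ACTIONS = {"unknown", "allow", "block", "alert"}
TLP_LEVELS = {"unknown", "white", "green", "amber", "red"}
THREAT_TYPES = {"Botnet", "C2", "CryptoMining", "Darknet", "DDoS", "MaliciousUrl",
                "Malware", "Phishing", "Proxy", "PUA", "WatchList"}
OBSERVABLES = {  # observable properties grouped by the Object choice: Email, File or Network
    "email": {"emailSenderAddress", "emailSenderName", "emailSourceDomain",
              "emailSourceIpAddress", "emailSubject", "emailRecipient",
              "emailXMailer", "emailEncoding", "emailLanguage"},
    "file": {"fileHashType", "fileHashValue", "fileName", "filePath", "fileSize",
             "fileType", "fileMutexName", "filePacker", "fileCreatedDateTime",
             "fileCompileDateTime"},
    "network": {"networkIPv4", "networkIPv6", "networkDestinationIPv4",
                "networkDestinationIPv6", "networkSourceIPv4", "networkSourceIPv6",
                "networkCidrBlock", "networkDestinationCidrBlock",
                "networkSourceCidrBlock", "networkPort", "networkDestinationPort",
                "networkSourcePort", "networkProtocol", "networkDestinationAsn",
                "networkSourceAsn", "domainName", "url", "userAgent"},
}


class IndicatorError(ValueError):
    """Raised when a field violates a documented constraint."""


def _enum(value, allowed, field):
    # Assumption: UI labels such as Block or Amber map to Graph's lower-case enum strings.
    v = str(value).lower()
    if v not in allowed:
        raise IndicatorError(f"{field}: {value!r} not in {sorted(allowed)}")
    return v


def _int_range(value, lo, hi, field):
    if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
        raise IndicatorError(f"{field}: expected an integer in {lo}..{hi}, got {value!r}")
    return value


def parse_tags(tags):
    """Split the connector's comma-separated Tag input into a list of strings."""
    if tags is None:
        return []
    if isinstance(tags, str):
        tags = tags.split(",")
    return [t.strip() for t in tags if t and t.strip()]


def format_expiry(expiration, now=None):
    """Render a timezone-aware datetime as ISO 8601 UTC; reject expiries in the past."""
    if expiration.tzinfo is None:
        raise IndicatorError("expirationDateTime must be timezone-aware")
    now = now or datetime.now(timezone.utc)
    exp = expiration.astimezone(timezone.utc)
    if exp <= now:
        raise IndicatorError("expirationDateTime is in the past; the indicator would be stale")
    return exp.strftime("%Y-%m-%dT%H:%M:%SZ")


def check_observable(observable):
    """Require observables drawn from exactly one Object group; return the group name."""
    keys = set(observable)
    groups = [g for g, props in OBSERVABLES.items() if keys & props]
    if len(groups) != 1 or keys - set().union(*OBSERVABLES.values()):
        raise IndicatorError(f"observable must use one group (email/file/network): {sorted(keys)}")
    if ("fileHashType" in keys) != ("fileHashValue" in keys):
        raise IndicatorError("fileHashType and fileHashValue must be supplied together")
    return groups[0]


def build_indicator(*, action, threat_type, tlp_level, target_product, expiration,
                    description, observable, severity=3, confidence=None,
                    tags=None, now=None):
    """Return the JSON-ready body for POST /security/tiIndicators."""
    if not description or len(description) > 100:
        raise IndicatorError("description must be 1-100 characters")
    if threat_type not in THREAT_TYPES:
        raise IndicatorError(f"threatType: {threat_type!r} not in {sorted(THREAT_TYPES)}")
    check_observable(observable)
    body = {
        "action": _enum(action, ACTIONS, "action"),
        "threatType": threat_type,
        "tlpLevel": _enum(tlp_level, TLP_LEVELS, "tlpLevel"),
        "targetProduct": target_product,
        "expirationDateTime": format_expiry(expiration, now),
        "description": description,
        "severity": _int_range(severity, 0, 5, "severity"),  # default 3, as documented
        "isActive": True,  # submitted indicators are active unless later deactivated
    }
    if confidence is not None:
        body["confidence"] = _int_range(confidence, 0, 100, "confidence")
    if parse_tags(tags):
        body["tags"] = parse_tags(tags)
    body.update(observable)
    return body
```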
This operation does not require any input parameters.
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "vendorInformation": {
    "vendor": "",
    "provider": "",
    "providerVersion": "",
    "subProvider": ""
  },
  "closedDateTime": "",
  "assignedTo": "",
  "azureSubscriptionId": "",
  "azureTenantId": "",
  "activityGroupName": "",
  "lastModifiedDateTime": "",
  "description": "",
  "createdDateTime": "",
  "tags": "",
  "title": "",
  "sourceMaterials": "",
  "riskScore": "",
  "detectionIds": "",
  "feedback": "",
  "category": "",
  "comments": "",
  "confidence": "",
  "eventDateTime": "",
  "recommendedActions": "",
  "severity": "",
  "status": ""
}
```
Parameter | Description |
---|---|
Alert ID | Unique Alert ID, generated by the provider when the alert was created in Azure Sentinel, of the alert that you want to retrieve from Azure Sentinel. |
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "tags": "",
  "processes": "",
  "cloudAppStates": "",
  "vendorInformation": {
    "vendor": "",
    "provider": "",
    "providerVersion": "",
    "subProvider": ""
  },
  "userStates": "",
  "closedDateTime": "",
  "vulnerabilityStates": "",
  "malwareStates": "",
  "assignedTo": "",
  "registryKeyStates": "",
  "networkConnections": "",
  "azureSubscriptionId": "",
  "azureTenantId": "",
  "activityGroupName": "",
  "lastModifiedDateTime": "",
  "description": "",
  "createdDateTime": "",
  "@odata.context": "",
  "title": "",
  "hostStates": "",
  "sourceMaterials": "",
  "riskScore": "",
  "detectionIds": "",
  "feedback": "",
  "category": "",
  "comments": "",
  "confidence": "",
  "eventDateTime": "",
  "historyStates": "",
  "recommendedActions": "",
  "fileStates": "",
  "triggers": "",
  "severity": "",
  "status": ""
}
```
Parameter | Description |
---|---|
Alert ID | Unique Alert ID, generated by the provider when the alert was created in Azure Sentinel, of the alert that you want to update in Azure Sentinel. |
Status | Status (life cycle status) of the alert that you want to update in Azure Sentinel. You can choose from the following options: Unknown, NewAlert, InProgress, or Resolved. |
Close Time | Time at which the alert was closed in Azure Sentinel. Timestamps use ISO 8601 format and are always in UTC. |
Comments | (Optional) Analyst comments that you want to update in the specific alert in Azure Sentinel. |
Feedback | (Optional) Analyst feedback on the alert that you want to update in Azure Sentinel. You can choose from the following options: Unknown, TruePositive, FalsePositive, or BenignPositive. |
Tag | (Optional) JSON array of strings that stores user-definable labels that can be applied to the alert that you want to update in Azure Sentinel, and which can serve as filter conditions. You can specify multiple tags using comma-based separators. |
The output contains the following populated JSON schema:
```json
{
  "result": ""
}
```
Parameter | Description |
---|---|
Azure Tenant ID | ID of the tenant that is assigned to you by the Azure application registration portal (Azure Active Directory) whose secure scores you want to retrieve from Azure Sentinel. |
The output contains the following populated JSON schema:
```json
{
  "value": [
    {
      "currentScore": "",
      "maxScore": "",
      "averageComparativeScores": [
        {
          "identityScore": "",
          "seatSizeRangeLowerValue": "",
          "basis": "",
          "averageScore": "",
          "seatSizeRangeUpperValue": "",
          "dataScore": "",
          "deviceScore": "",
          "categoryValue": ""
        }
      ],
      "controlScores": [
        {
          "score": "",
          "controlName": "",
          "count": "",
          "total": "",
          "controlCategory": "",
          "description": ""
        }
      ],
      "enabledServices": "",
      "activeUserCount": "",
      "id": "",
      "azureTenantId": "",
      "licensedUserCount": "",
      "createdDateTime": ""
    }
  ]
}
```
This operation does not require any input parameters.
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "title": "",
  "remediationImpact": "",
  "actionUrl": "",
  "implementationCost": "",
  "threats": [
    ""
  ],
  "userImpact": "",
  "maxScore": "",
  "deprecated": "",
  "tier": "",
  "controlStateUpdates": [
    {
      "comment": "",
      "updatedDateTime": "",
      "updatedBy": "",
      "assignedTo": "",
      "state": ""
    }
  ],
  "remediation": "",
  "actionType": "",
  "controlCategory": "",
  "service": "",
  "complianceInformation": [
    {
      "certificationControls": [
        {
          "name": "",
          "url": ""
        }
      ],
      "certificationName": ""
    }
  ],
  "azureTenantId": "",
  "vendorInformation": {
    "vendor": "",
    "provider": "",
    "providerVersion": "",
    "subProvider": ""
  },
  "lastModifiedDateTime": "",
  "rank": ""
}
```
Parameter | Description |
---|---|
Host | Callback URL of the logic app, generated when the logic app is created, through which you want to update an incident in Azure Sentinel. |
API Version | API version of the logic app at the time the callback URL was generated, used to update an incident in Azure Sentinel. |
Specific Permissions | Permissions required for the HTTP methods that are permitted to update an incident in Azure Sentinel. |
Specific SAS Version | SAS version to use for generating the signature. |
Signature | Signature to use for authenticating access to the trigger, which in turn will update the specific incident in Azure Sentinel. This signature is generated by using the SHA256 algorithm with a secret access key on all the URL paths and properties. Never exposed or published, this key is kept encrypted and stored within the logic app. Your logic app authorizes only those triggers that contain a valid signature created with the secret key. |
System Alert ID | Alert ID related to the incident that you want to update in Azure Sentinel. |
Workspace Subscription ID | Azure Active Directory subscription ID in which you want to update the incident in Azure Sentinel. |
Workspace Resource Group | Azure Active Directory resource group in which you want to update the incident in Azure Sentinel. |
Workspace ID | Azure Active Directory workspace ID in which you want to update the incident in Azure Sentinel. |
Identifier | Identifier that you will use to get the incident details from Azure Sentinel. You can choose either Incident or Alert. |
Specify | ID of the alert or number of the incident based on which you will update the incident in Azure Sentinel. The value you enter here depends on your choice in the Identifier field: if you chose Alert, enter an Alert ID; if you chose Incident, enter the Incident Number. |
Severity | (Optional) Updates the severity of the specific incident in Azure Sentinel. You can choose from the following options: Critical, High, Medium, Low, or Informational. |
Comment | (Optional) Comment that you want to associate with the specified incident that you want to update in Azure Sentinel. |
Description | (Optional) Description of the specified incident that you want to update in Azure Sentinel. |
Status | (Optional) Status of the incident that you want to update in Azure Sentinel. You can choose from the following options: Draft, New, InProgress, or Closed. |
Title | (Optional) Title of the specified incident that you want to update in Azure Sentinel. |
The output contains the following populated JSON schema:
```json
{
  "result": ""
}
```
Parameter | Description |
---|---|
Host | Callback URL of the logic app, generated when the logic app is created, through which you want to retrieve an incident from Azure Sentinel. |
API Version | API version of the logic app at the time the callback URL was generated, used to retrieve an incident from Azure Sentinel. |
Specific Permissions | Permissions required for the HTTP methods that are permitted to retrieve an incident from Azure Sentinel. |
Specific SAS Version | SAS version to use for generating the signature. |
Signature | Signature to use for authenticating access to the trigger, which in turn will retrieve the specific incident from Azure Sentinel. This signature is generated by using the SHA256 algorithm with a secret access key on all the URL paths and properties. Never exposed or published, this key is kept encrypted and stored within the logic app. Your logic app authorizes only those triggers that contain a valid signature created with the secret key. |
System Alert ID | Alert ID related to the incident that you want to retrieve from Azure Sentinel. |
Workspace Subscription ID | Azure Active Directory subscription ID from which you want to retrieve the incident. |
Workspace Resource Group | Azure Active Directory resource group from which you want to retrieve the incident. |
Workspace ID | Azure Active Directory workspace ID from which you want to retrieve the incident. |
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "tags": "",
  "name": "",
  "properties": {
    "CreatedTimeUtc": "",
    "StartTimeUtc": "",
    "CloseReason": "",
    "Description": "",
    "AssignedTo": "",
    "Status": "",
    "EndTimeUtc": "",
    "LastAlertTimeGenerated": "",
    "Labels": [],
    "ClosedReasonText": "",
    "Title": "",
    "Severity": "",
    "CaseNumber": "",
    "Metrics": {
      "SecurityAlert": ""
    },
    "FirstAlertTimeGenerated": "",
    "RelatedAlertIds": [],
    "LastUpdatedTimeUtc": ""
  },
  "etag": "",
  "kind": "",
  "type": ""
}
```
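The Update Incident and Get Incident operations above take a Logic App trigger callback URL split into Host, API Version, Specific Permissions, Specific SAS Version and Signature, and the tables stress that the signature is the secret that authorizes the call. The following added example (not the connector's own code) shows how those five fields correspond to the query parameters of a callback URL (api-version, sp, sv, sig), how to rebuild the URL for the request and log it without exposing the signature, and how to validate the Update Incident inputs (Identifier/Specify, Severity, Status) before the call; the JSON body key names are an assumption, since the logic app behind the connector defines the body it accepts.

```python
# Added example (not part of the FortiSOAR connector): splits a Logic App
# trigger callback URL into the Host, API Version, Specific Permissions,
# Specific SAS Version and Signature fields of the Update/Get Incident tables,
# rebuilds it for the call, redacts the signature for logging, and validates
# the Update Incident inputs. Assumption: the body key names below are
# illustrative; the logic app behind the connector defines the body it accepts.
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SEVERITIES = {"Critical", "High", "Medium", "Low", "Informational"}
STATUSES = {"Draft", "New", "InProgress", "Closed"}
REQUIRED_QUERY = ("api-version", "sp", "sv", "sig")


class CallbackError(ValueError):
    """Raised for a malformed callback URL or an invalid incident update."""


def split_callback_url(url):
    """Return the five connector fields from a full trigger callback URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise CallbackError("callback URL must use https: the sig value is a bearer secret")
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    missing = [k for k in REQUIRED_QUERY if not query.get(k)]
    if missing:
        raise CallbackError(f"callback URL lacks query parameter(s): {missing}")
    return {
        "host": urlunsplit((parts.scheme, parts.netloc, parts.path, "", "")),
        "api_version": query["api-version"],
        "specific_permissions": query["sp"],
        "specific_sas_version": query["sv"],
        "signature": query["sig"],
    }


def join_callback_url(fields):
    """Inverse of split_callback_url: the URL the connector posts to."""
    query = urlencode({"api-version": fields["api_version"],
                       "sp": fields["specific_permissions"],
                       "sv": fields["specific_sas_version"],
                       "sig": fields["signature"]})
    return f"{fields['host']}?{query}"


def redact(fields):
    """Copy of the fields that is safe to write to playbook or audit logs."""
    safe = dict(fields)
    safe["signature"] = "<redacted>"
    return safe


def build_incident_update(*, system_alert_id, subscription_id, resource_group,
                          workspace_id, identifier, specify, severity=None,
                          comment=None, description=None, status=None, title=None):
    """Body for Update Incident; key names are assumed, allowed values follow the table."""
    if identifier not in ("Incident", "Alert"):
        raise CallbackError("identifier must be Incident or Alert")
    if not specify:
        raise CallbackError("specify the Incident Number or the Alert ID")
    if severity is not None and severity not in SEVERITIES:
        raise CallbackError(f"severity must be one of {sorted(SEVERITIES)}")
    if status is not None and status not in STATUSES:
        raise CallbackError(f"status must be one of {sorted(STATUSES)}")
    body = {
        "SystemAlertId": system_alert_id,
        "WorkspaceSubscriptionId": subscription_id,
        "WorkspaceResourceGroup": resource_group,
        "WorkspaceId": workspace_id,
    }
    # The Identifier choice decides how the Specify value is interpreted.
    body["IncidentNumber" if identifier == "Incident" else "AlertId"] = specify
    for key, value in (("Severity", severity), ("Comment", comment),
                       ("Description", description), ("Status", status), ("Title", title)):
        if value is not None:
            body[key] = value
    return body
```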
The Sample - Azure Sentinel - 1.0.0 playbook collection comes bundled with the Azure Sentinel connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in CyOPs™ after importing the Azure Sentinel connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
Azure Sentinel is a cloud-native SIEM that you can use for intelligent security analytics across your entire enterprise.
Azure Sentinel connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically investigating alerts, threat intelligence indicators, incidents, and secure scores.
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 5.1.0-464
Authored By: Fortinet
Certified: Yes
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum
command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root
user to install connectors:
yum install cyops-connector-azure-sentinel
For the detailed procedure to install a connector, click here
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the Azure Sentinel connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Tenant ID | ID of the tenant that is assigned to you by the Azure application registration portal. |
Client ID | ID of the client that is assigned to you by the Azure application registration portal. |
Client Secret | Client (application) Secret that has been assigned to you by the Azure application registration portal. The client secret can either be a password or a public/private key pair (certificate). |
Username | Username assigned to you by the Azure registration portal. |
Password | Password by the Azure registration portal. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Get All Threat Intelligence Indicators | Retrieves all threat intelligence indicators from Azure Sentinel using the Microsoft Graph Security API. | get_all_threat_intelligence_indicators Investigation |
Get Threat Intelligence Indicator | Retrieves a specific threat intelligence indicator from Azure Sentinel using the Microsoft Graph Security API based on the threat Intelligence Indicator ID you have specified. | get_threat_intelligence_indicator Investigation |
Create Threat Intelligence Indicator | Creates a threat intelligence indicator in Azure Sentinel using the Microsoft Graph Security API based on the Azure Tenant ID, threat type, and other input parameters you have specified. | create_threat_intelligence_indicator Investigation |
Delete Threat Intelligence Indicator | Deletes a specific threat intelligence indicator from Azure Sentinel using the Microsoft Graph Security API based on the threat Intelligence Indicator ID you have specified. | delete_threat_intelligence_indicator Investigation |
Update Threat Intelligence Indicator | Updates a specific threat intelligence indicator in Azure Sentinel using the Microsoft Graph Security API based on the threat intelligence indicator ID, and other input parameters you have specified. | update_threat_intelligence_indicator Investigation |
Get All Alerts | Retrieves all alerts from Azure Sentinel using the Microsoft Graph Security API. | get_all_alerts Investigation |
Get Alert | Retrieves a specific threat intelligence indicator from Azure Sentinel using the Microsoft Graph Security API based on the Alert ID you have specified. | get_alert Investigation |
Update Alert | Updates a specific alert in Azure Sentinel using the Microsoft Graph Security API based on the alert ID, status, and other input parameters you have specified. | update_alert Investigation |
Get All Secure Scores | Retrieves all secure scores associated with a specific Azure Tenant from Azure Sentinel using the Microsoft Graph Security API based on the Azure Tenant ID you have specified. | get_all_secure_scores Investigation |
Get All Secure Score Control Profiles | Retrieves all secure score control profiles from Azure Sentinel using the Microsoft Graph Security API. | get_all_secure_score_control_profiles Investigation |
Update Incident | Updates an incident in Azure Sentinel using the logic application based on the host, signature, and other input parameters you have specified. | update_incident Investigation |
Get Incident | Retrieves an incident associated with a specific alert from Azure Sentinel based on the host, signature, and other input parameters you have specified. | get_incident Investigation |
None.
The output contains the following populated JSON schema:
{
"id": "",
"lastReportedDateTime": "",
"networkIPv6": "",
"externalId": "",
"domainName": "",
"emailSenderAddress": "",
"networkDestinationCidrBlock": "",
"fileCompileDateTime": "",
"networkPort": "",
"emailLanguage": "",
"tlpLevel": "",
"emailSourceDomain": "",
"knownFalsePositives": "",
"azureTenantId": "",
"malwareFamilyNames": [],
"networkDestinationPort": "",
"fileSize": "",
"networkDestinationIPv4": "",
"emailSubject": "",
"ingestedDateTime": "",
"filePath": "",
"expirationDateTime": "",
"networkSourceAsn": "",
"networkSourceCidrBlock": "",
"networkDestinationAsn": "",
"killChain": [],
"networkProtocol": "",
"diamondModel": "",
"networkDestinationIPv6": "",
"userAgent": "",
"action": "",
"emailRecipient": "",
"tags": [],
"fileCreatedDateTime": "",
"networkIPv4": "",
"fileHashType": "",
"emailXMailer": "",
"networkSourceIPv6": "",
"emailEncoding": "",
"additionalInformation": "",
"networkSourceIPv4": "",
"description": "",
"fileMutexName": "",
"networkCidrBlock": "",
"vendorInformation": {
"vendor": "",
"provider": "",
"providerVersion": "",
"subProvider": ""
},
"targetProduct": "",
"emailSourceIpAddress": "",
"threatType": "",
"emailSenderName": "",
"passiveOnly": "",
"activityGroupNames": [],
"confidence": "",
"fileName": "",
"networkSourcePort": "",
"severity": "",
"filePacker": "",
"fileType": "",
"fileHashValue": "",
"isActive": "",
"url": ""
}
Parameter | Description |
---|---|
Threat Intelligence Indicator ID | Unique GUID or ID that is generated by the system when an indicator is ingested based on which you want to retrieve a specific threat intelligence indicator from Azure Sentinel. |
The output contains the following populated JSON schema:
{
"id": "",
"lastReportedDateTime": "",
"networkIPv6": "",
"externalId": "",
"domainName": "",
"emailSenderAddress": "",
"networkDestinationCidrBlock": "",
"fileCompileDateTime": "",
"networkPort": "",
"emailLanguage": "",
"tlpLevel": "",
"emailSourceDomain": "",
"knownFalsePositives": "",
"azureTenantId": "",
"malwareFamilyNames": [],
"networkDestinationPort": "",
"fileSize": "",
"networkDestinationIPv4": "",
"emailSubject": "",
"ingestedDateTime": "",
"filePath": "",
"expirationDateTime": "",
"networkSourceAsn": "",
"networkSourceCidrBlock": "",
"networkDestinationAsn": "",
"killChain": [],
"networkProtocol": "",
"diamondModel": "",
"networkDestinationIPv6": "",
"userAgent": "",
"action": "",
"emailRecipient": "",
"tags": [],
"fileCreatedDateTime": "",
"networkIPv4": "",
"fileHashType": "",
"emailXMailer": "",
"networkSourceIPv6": "",
"emailEncoding": "",
"additionalInformation": "",
"networkSourceIPv4": "",
"description": "",
"fileMutexName": "",
"networkCidrBlock": "",
"@odata.context": "",
"vendorInformation": {
"vendor": "",
"provider": "",
"providerVersion": "",
"subProvider": ""
},
"targetProduct": "",
"emailSourceIpAddress": "",
"threatType": "",
"emailSenderName": "",
"passiveOnly": "",
"activityGroupNames": [],
"confidence": "",
"fileName": "",
"networkSourcePort": "",
"severity": "",
"filePacker": "",
"fileType": "",
"fileHashValue": "",
"isActive": "",
"url": ""
}
Parameter | Description |
---|---|
Action | Action that you want to perform if the indicator is matched in the target product security tool. You can choose from the following options: Unknown, Allow, Block, or Alert. |
Azure Tenant ID | Azure tenant ID that is stamped by the system when an indicator is ingested. The ID of the tenant that is assigned to you by the Azure application registration portal (Azure Active Directory). |
Description | Brief description (100 characters or less) of the threat represented by the indicator that you want to create in Azure Sentinel. |
Expiration Date | Datetime that indicates when the indicator that you are creating will expire. All indicators must have an expiration date to avoid stale indicators persisting in the system. The Timestamp type represents date and time information using ISO 8601 format and is always in the UTC time. |
Target Product | Security product to which you want to apply the indicator that you are creating in Azure Sentinel. |
Threat Type | Type of threat that you want to assign to the indicator that you are creating in Azure Sentinel. You can choose from the following options: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, or WatchList. |
Traffic Light Protocol | Value of the traffic light protocol that you want to assign to the indicator that you are creating in Azure Sentinel. You can choose from the following options: Unknown, White, Green, Amber, or Red. |
Object | Indicator observables based on which you want to create the threat intelligence indicator in Azure Sentinel. You can choose from the following options: Email, File, or Network. If you select Email, then you must specify the following parameters: |
The output contains the following populated JSON schema:
{
"id": "",
"lastReportedDateTime": "",
"networkIPv6": "",
"externalId": "",
"domainName": "",
"emailSenderAddress": "",
"networkDestinationCidrBlock": "",
"fileCompileDateTime": "",
"networkPort": "",
"emailLanguage": "",
"tlpLevel": "",
"emailSourceDomain": "",
"knownFalsePositives": "",
"api_version": "",
"azureTenantId": "",
"malwareFamilyNames": [],
"networkDestinationPort": "",
"fileSize": "",
"networkDestinationIPv4": "",
"emailSubject": "",
"ingestedDateTime": "",
"filePath": "",
"expirationDateTime": "",
"networkSourceAsn": "",
"networkSourceCidrBlock": "",
"networkDestinationAsn": "",
"killChain": [],
"networkProtocol": "",
"diamondModel": "",
"networkDestinationIPv6": "",
"userAgent": "",
"action": "",
"emailRecipient": "",
"tags": [],
"fileCreatedDateTime": "",
"networkIPv4": "",
"fileHashType": "",
"emailXMailer": "",
"networkSourceIPv6": "",
"emailEncoding": "",
"additionalInformation": "",
"networkSourceIPv4": "",
"description": "",
"fileMutexName": "",
"networkCidrBlock": "",
"@odata.context": "",
"vendorInformation": {
"vendor": "",
"provider": "",
"providerVersion": "",
"subProvider": ""
},
"targetProduct": "",
"emailSourceIpAddress": "",
"threatType": "",
"emailSenderName": "",
"passiveOnly": "",
"activityGroupNames": [],
"confidence": "",
"fileName": "",
"networkSourcePort": "",
"severity": "",
"filePacker": "",
"fileType": "",
"fileHashValue": "",
"isActive": "",
"url": ""
}
Parameter | Description |
---|---|
ID | Unique GUID or ID, generated by the system when the indicator is ingested, of the threat intelligence indicator that you want to delete from Azure Sentinel. |
The output contains the following populated JSON schema:
{
"result": ""
}
Parameter | Description |
---|---|
ID | Unique GUID or ID, generated by the system when the indicator is ingested, of the threat intelligence indicator that you want to update in Azure Sentinel. |
Action | (Optional) Action that you want to perform if the indicator is matched in the target product security tool. You can choose from the following options: Unknown, Allow, Block, or Alert. |
Description | (Optional) Brief description (100 characters or less) of the threat represented by the indicator that you want to update in Azure Sentinel. |
Severity | (Optional) Integer value representing the severity of the malicious behavior identified by the data within the indicator that you want to update in Azure Sentinel. You can enter any value between 0-5, where 5 is most severe and 0 is not severe. The default value is set as 3. |
Traffic Light Protocol | (Optional) Value of the traffic light protocol that you want to assign to the indicator that you are updating in Azure Sentinel. You can choose from the following options: Unknown, White, Green, Amber, or Red. |
Is Active | (Optional) Clear this checkbox, i.e., set it to 'False', to deactivate the indicator within the system. By default, this checkbox is selected, i.e., any indicator submitted is set as active. However, providers might submit existing indicators with this set to 'False' to deactivate indicators in the system. |
Confidence | (Optional) Integer value representing the confidence in the accuracy of the data within the indicator that identifies malicious behavior. You can enter any value between 0-100, where 100 is the highest. |
Diamond Model | (Optional) Area of the diamond model in which this indicator exists. You can choose from the following options: Unknown, Adversary, Capability, Infrastructure, or Victim. |
Tag | (Optional) JSON array of strings that stores arbitrary tags or keywords that you want to associate with the threat intelligence indicator in Azure Sentinel. You can specify multiple tags using comma-based separators. |
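The constraints listed in the Create and Update Threat Intelligence Indicator tables above (allowed option names, the 100-character description, the mandatory UTC expiration, severity 0-5 with default 3, confidence 0-100, comma-separated tags becoming a JSON array) can be enforced before a playbook calls the connector. The following is an added example, not FortiSOAR or Microsoft code: field names come from the output schema above, the grouping of observable fields by Object type is an assumption, and the function only builds the request bodies, it does not call the Graph Security API.

```python
from datetime import datetime, timezone, timedelta
# Option names exactly as the parameter tables above list them.
ACTIONS = {"Unknown", "Allow", "Block", "Alert"}
THREAT_TYPES = {"Botnet", "C2", "CryptoMining", "Darknet", "DDoS", "MaliciousUrl",
                "Malware", "Phishing", "Proxy", "PUA", "WatchList"}
TLP_LEVELS = {"Unknown", "White", "Green", "Amber", "Red"}
DIAMOND_MODEL = {"Unknown", "Adversary", "Capability", "Infrastructure", "Victim"}
# Observable names from the output schema above; the grouping by Object type is assumed.
OBSERVABLES = {"Email": {"emailSenderAddress", "emailSenderName", "emailSubject",
                         "emailSourceDomain", "emailSourceIpAddress", "emailRecipient"},
               "File": {"fileHashType", "fileHashValue", "fileName", "filePath", "fileSize"},
               "Network": {"networkIPv4", "networkIPv6", "networkCidrBlock", "domainName", "url"}}

def _check(ok, message):
    if not ok:
        raise ValueError(message)

def expiry_in(days):
    # UTC-aware datetime, the form the ISO 8601 'Z' timestamp below requires.
    return datetime.now(timezone.utc) + timedelta(days=days)

def build_create_payload(tenant_id, action, description, expiration, target_product,
                         threat_type, tlp, obj, observable):
    # Body for 'Create Threat Intelligence Indicator' with every listed constraint checked.
    _check(action in ACTIONS, f"Action must be one of {sorted(ACTIONS)}")
    _check(threat_type in THREAT_TYPES, f"Threat Type must be one of {sorted(THREAT_TYPES)}")
    _check(tlp in TLP_LEVELS, f"Traffic Light Protocol must be one of {sorted(TLP_LEVELS)}")
    _check(len(description) <= 100, "Description must be 100 characters or less")
    # Expiration is mandatory, must be UTC (a naive datetime has no offset) and in the future.
    _check(expiration.utcoffset() == timedelta(0), "Expiration Date must be a UTC datetime")
    _check(expiration > datetime.now(timezone.utc), "Expiration Date is already past: stale")
    fields = OBSERVABLES.get(obj, set())
    _check(bool(observable) and set(observable) <= fields,
           "Object must be Email, File, or Network and carry only that object's fields")
    payload = {"azureTenantId": tenant_id, "action": action, "description": description,
               "expirationDateTime": expiration.strftime("%Y-%m-%dT%H:%M:%SZ"),
               "targetProduct": target_product, "threatType": threat_type, "tlpLevel": tlp}
    return {**payload, **observable}

def build_update_patch(severity=3, confidence=None, diamond_model=None, tags=None):
    # Optional-field body for 'Update Threat Intelligence Indicator'; severity defaults to 3.
    _check(0 <= severity <= 5, "Severity must be between 0 and 5")
    patch = {"severity": severity}
    if confidence is not None:
        _check(0 <= confidence <= 100, "Confidence must be between 0 and 100")
        patch["confidence"] = confidence
    if diamond_model is not None:
        _check(diamond_model in DIAMOND_MODEL, f"Diamond Model must be one of {sorted(DIAMOND_MODEL)}")
        patch["diamondModel"] = diamond_model
    if tags is not None:  # comma-separated input becomes a JSON array of strings
        patch["tags"] = [t.strip() for t in tags.split(",") if t.strip()]
    return patch
```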
The output contains the following populated JSON schema:
{
"result": ""
}
None.
The output contains the following populated JSON schema:
{
"id": "",
"vendorInformation": {
"vendor": "",
"provider": "",
"providerVersion": "",
"subProvider": ""
},
"closedDateTime": "",
"assignedTo": "",
"azureSubscriptionId": "",
"azureTenantId": "",
"activityGroupName": "",
"lastModifiedDateTime": "",
"description": "",
"createdDateTime": "",
"tags": "",
"title": "",
"sourceMaterials": "",
"riskScore": "",
"detectionIds": "",
"feedback": "",
"category": "",
"comments": "",
"confidence": "",
"eventDateTime": "",
"recommendedActions": "",
"severity": "",
"status": ""
}
Parameter | Description |
---|---|
Alert ID | Unique Alert ID that is generated by the provider when an alert is created in Azure Sentinel based on which you want to retrieve a specific alert from Azure Sentinel. |
The output contains the following populated JSON schema:
{
"id": "",
"tags": "",
"processes": "",
"cloudAppStates": "",
"vendorInformation": {
"vendor": "",
"provider": "",
"providerVersion": "",
"subProvider": ""
},
"userStates": "",
"closedDateTime": "",
"vulnerabilityStates": "",
"malwareStates": "",
"assignedTo": "",
"registryKeyStates": "",
"networkConnections": "",
"azureSubscriptionId": "",
"azureTenantId": "",
"activityGroupName": "",
"lastModifiedDateTime": "",
"description": "",
"createdDateTime": "",
"@odata.context": "",
"title": "",
"hostStates": "",
"sourceMaterials": "",
"riskScore": "",
"detectionIds": "",
"feedback": "",
"category": "",
"comments": "",
"confidence": "",
"eventDateTime": "",
"historyStates": "",
"recommendedActions": "",
"fileStates": "",
"triggers": "",
"severity": "",
"status": ""
}
Parameter | Description |
---|---|
Alert ID | Unique Alert ID that is generated by the provider when an alert is created in Azure Sentinel that you want to update in Azure Sentinel. |
Status | Status (life cycle status) of the alert that you want to update in Azure Sentinel. You can choose from the following options: Unknown, NewAlert, InProgress, or Resolved. |
Close Time | Time at which the alert was closed in Azure Sentinel. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. |
Comments | (Optional) Analyst comments that you want to update in the specific alert in Azure Sentinel. |
Feedback | (Optional) Analyst feedback on the alert that you want to update in Azure Sentinel. You can choose from the following options: Unknown, TruePositive, FalsePositive, or BenignPositive. |
Tag | (Optional) JSON array of strings that stores user-definable labels that can be applied to the alert that you want to update in Azure Sentinel, and which can serve as filter conditions. You can specify multiple tags using comma-based separators. |
The output contains the following populated JSON schema:
{
"result": ""
}
Parameter | Description |
---|---|
Azure Tenant ID | ID of the tenant that is assigned to you by the Azure application registration portal (Azure Active Directory) whose secure scores you want to retrieve from Azure Sentinel. |
The output contains the following populated JSON schema:
{
"value": [
{
"currentScore": "",
"maxScore": "",
"averageComparativeScores": [
{
"identityScore": "",
"seatSizeRangeLowerValue": "",
"basis": "",
"averageScore": "",
"seatSizeRangeUpperValue": "",
"dataScore": "",
"deviceScore": "",
"categoryValue": ""
}
],
"controlScores": [
{
"score": "",
"controlName": "",
"count": "",
"total": "",
"controlCategory": "",
"description": ""
}
],
"enabledServices": "",
"activeUserCount": "",
"id": "",
"azureTenantId": "",
"licensedUserCount": "",
"createdDateTime": ""
}
]
}
None.
The output contains the following populated JSON schema:
{
"id": "",
"title": "",
"remediationImpact": "",
"actionUrl": "",
"implementationCost": "",
"threats": [
""
],
"userImpact": "",
"maxScore": "",
"deprecated": "",
"tier": "",
"controlStateUpdates": [
{
"comment": "",
"updatedDateTime": "",
"updatedBy": "",
"assignedTo": "",
"state": ""
}
],
"remediation": "",
"actionType": "",
"controlCategory": "",
"service": "",
"complianceInformation": [
{
"certificationControls": [
{
"name": "",
"url": ""
}
],
"certificationName": ""
}
],
"azureTenantId": "",
"vendorInformation": {
"vendor": "",
"provider": "",
"providerVersion": "",
"subProvider": ""
},
"lastModifiedDateTime": "",
"rank": ""
}
Parameter | Description |
---|---|
Host | Callback URL of the logic app, generated when the logic app is created, through which you want to update an incident in Azure Sentinel. |
API Version | API version of the logic app at the time the callback URL was generated, used to update an incident in Azure Sentinel. |
Specific Permissions | Permissions required for the permitted HTTP methods to use to update an incident in Azure Sentinel. |
Specific SAS Version | SAS version to use for generating the signature. |
Signature | Signature to use for authenticating access to the trigger, which in turn will update the specific incident in Azure Sentinel. This signature is generated by using the SHA256 algorithm with a secret access key on all the URL paths and properties. Never exposed or published, this key is kept encrypted and stored within the logic app. Your logic app authorizes only those triggers that contain a valid signature created with the secret key. |
System Alert ID | Alert ID related to the incident that you want to update in Azure Sentinel. |
Workspace Subscription ID | Azure active directory subscription ID in which you want to update the incident in Azure Sentinel. |
Workspace Resource Group | Azure active directory resource group in which you want to update the incident in Azure Sentinel. |
Workspace ID | Azure active directory workspace ID in which you want to update the incident in Azure Sentinel. |
Identifier | Choose the identifier that you will use to get the incident details from Azure Sentinel. You can choose between Incident or Alert. |
Specify | ID of the alert or Number of the incident based on which you will update the incident in Azure Sentinel. The ID you will add here will be based on the value you have chosen in the Identifier field, i.e., if you choose Alert, then enter an Alert ID, or if you choose Incident then enter the Incident Number. |
Severity | (Optional) Updates the severity of the specific incident in Azure Sentinel. You can choose from the following options: Critical, High, Medium, Low, or Informational. |
Comment | (Optional) Comment that you want to associate with the specified incident that you want to update in Azure Sentinel. |
Description | (Optional) Description of the specified incident that you want to update in Azure Sentinel. |
Status | (Optional) Status of the incident that you want to update in Azure Sentinel. You can choose from the following options: Draft, New, InProgress, or Closed. |
Title | (Optional) Title of the specified incident that you want to update in Azure Sentinel. |
The output contains the following populated JSON schema:
{
"result": ""
}
Parameter | Description |
---|---|
Host | Callback URL of the logic app, generated when the logic app is created, through which you want to retrieve an incident from Azure Sentinel. |
API Version | API version of the logic app at the time the callback URL was generated, used to retrieve an incident from Azure Sentinel. |
Specific Permissions | Permissions required for the permitted HTTP methods to use to retrieve an incident from Azure Sentinel. |
Specific SAS Version | SAS version to use for generating the signature. |
Signature | Signature to use for authenticating access to the trigger, which in turn will retrieve the specific incident from Azure Sentinel. This signature is generated by using the SHA256 algorithm with a secret access key on all the URL paths and properties. Never exposed or published, this key is kept encrypted and stored within the logic app. Your logic app authorizes only those triggers that contain a valid signature created with the secret key. |
System Alert ID | Alert ID related to the incident that you want to retrieve from Azure Sentinel. |
Workspace Subscription ID | Azure active directory subscription ID from which you want to retrieve the incident. |
Workspace Resource Group | Azure active directory resource group from which you want to retrieve the incident. |
Workspace ID | Azure active directory workspace ID from which you want to retrieve the incident. |
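The Update Incident and Get Incident tables above both authenticate to a logic app trigger with the four SAS values (API Version, Specific Permissions, Specific SAS Version, Signature); on a Logic App callback URL these are the api-version, sp, sv and sig query parameters, and sig is the secret that grants access, so it must never reach playbook logs. The following is an added example, not FortiSOAR or Microsoft code: it assumes Host is the trigger URL without its query string, and the request body key names are assumptions, since the logic app author defines that schema.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SEVERITIES = {"Critical", "High", "Medium", "Low", "Informational"}
STATUSES = {"Draft", "New", "InProgress", "Closed"}

def build_trigger_url(host, api_version, permissions, sas_version, signature):
    # Attach the SAS query parameters a Logic App callback URL carries to the trigger path.
    parts = urlsplit(host)
    query = urlencode({"api-version": api_version, "sp": permissions,
                       "sv": sas_version, "sig": signature})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))

def redact_signature(url):
    # Copy of the URL that is safe to log: sig is the secret that authorizes the trigger.
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "sig" else v) for k, v in parse_qsl(parts.query)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))

def query_params(url):
    return dict(parse_qsl(urlsplit(url).query))

def build_incident_update(identifier, specify, subscription_id, resource_group,
                          workspace_id, system_alert_id, **fields):
    # Request body for 'Update Incident'; the key names are assumed (logic app defined).
    if identifier not in {"Incident", "Alert"}:
        raise ValueError("Identifier must be Incident or Alert")
    if "severity" in fields and fields["severity"] not in SEVERITIES:
        raise ValueError(f"Severity must be one of {sorted(SEVERITIES)}")
    if "status" in fields and fields["status"] not in STATUSES:
        raise ValueError(f"Status must be one of {sorted(STATUSES)}")
    body = {"workspaceSubscriptionId": subscription_id, "workspaceResourceGroup": resource_group,
            "workspaceId": workspace_id, "systemAlertId": system_alert_id,
            # Specify holds an incident number or an alert ID depending on Identifier.
            "incidentNumber" if identifier == "Incident" else "alertId": specify}
    body.update(fields)
    return body
```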
The output contains the following populated JSON schema:
{
"id": "",
"tags": "",
"name": "",
"properties": {
"CreatedTimeUtc": "",
"StartTimeUtc": "",
"CloseReason": "",
"Description": "",
"AssignedTo": "",
"Status": "",
"EndTimeUtc": "",
"LastAlertTimeGenerated": "",
"Labels": [],
"ClosedReasonText": "",
"Title": "",
"Severity": "",
"CaseNumber": "",
"Metrics": {
"SecurityAlert": ""
},
"FirstAlertTimeGenerated": "",
"RelatedAlertIds": [],
"LastUpdatedTimeUtc": ""
},
"etag": "",
"kind": "",
"type": ""
}
The Sample - Azure Sentinel - 1.0.0 playbook collection comes bundled with the Azure Sentinel connector. These playbooks contain steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in CyOPs™ after importing the Azure Sentinel connector.
Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.