Fortinet Document Library

Version:


Table of Contents

1.0.0
Copy Link

About the connector

Azure Sentinel is a cloud-native SIEM that you can use for intelligent security analytics across your entire enterprise. 

Azure Sentinel connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically investigating alerts, threat intelligence indicators, incidents, and secure scores.

Version information

Connector Version: 1.0.0 

FortiSOAR™ Version Tested on: 5.1.0-464

Authored By: Fortinet

Certified: Yes

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-azure-sentinel

For the detailed procedure to install a connector, click here

Prerequisites to configuring the connector

  • To access Azure Sentinel perform automated operations, you must have your Tenant ID, Client ID, Client Secret, Username and Password.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Azure Sentinel connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details: 

Parameter Description
Tenant ID ID of the tenant that is assigned to you by the Azure application registration portal.
Client ID ID of the client that is assigned to you by the Azure application registration portal.
Client Secret Client (application) Secret that has been assigned to you by the Azure application registration portal. The client secret can either be a password or a public/private key pair (certificate).
Username Username assigned to you by the Azure registration portal.
Password Password by the Azure registration portal.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

Function Description Annotation and Category
Get All Threat Intelligence Indicators Retrieves all threat intelligence indicators from Azure Sentinel using the Microsoft Graph Security API. get_all_threat_intelligence_indicators
Investigation
Get Threat Intelligence Indicator Retrieves a specific threat intelligence indicator from Azure Sentinel using the Microsoft Graph Security API based on the threat Intelligence Indicator ID you have specified. get_threat_intelligence_indicator
Investigation
Create Threat Intelligence Indicator Creates a threat intelligence indicator in Azure Sentinel using the Microsoft Graph Security API based on the Azure Tenant ID, threat type, and other input parameters you have specified. create_threat_intelligence_indicator
Investigation
Delete Threat Intelligence Indicator Deletes a specific threat intelligence indicator from Azure Sentinel using the Microsoft Graph Security API based on the threat Intelligence Indicator ID you have specified. delete_threat_intelligence_indicator
Investigation
Update Threat Intelligence Indicator Updates a specific threat intelligence indicator in Azure Sentinel using the Microsoft Graph Security API based on the threat intelligence indicator ID, and other input parameters you have specified. update_threat_intelligence_indicator
Investigation
Get All Alerts Retrieves all alerts from Azure Sentinel using the Microsoft Graph Security API.  get_all_alerts
Investigation
Get Alert Retrieves a specific threat intelligence indicator from Azure Sentinel using the Microsoft Graph Security API based on the Alert ID you have specified. get_alert
Investigation
Update Alert Updates a specific alert in Azure Sentinel using the Microsoft Graph Security API based on the alert ID, status, and other input parameters you have specified. update_alert
Investigation
Get All Secure Scores Retrieves all secure scores associated with a specific Azure Tenant from Azure Sentinel using the Microsoft Graph Security API based on the Azure Tenant ID you have specified. get_all_secure_scores
Investigation
Get All Secure Score Control Profiles Retrieves all secure score control profiles from Azure Sentinel using the Microsoft Graph Security API.  get_all_secure_score_control_profiles
Investigation
Update Incident Updates an incident in Azure Sentinel using the logic application based on the host, signature, and other input parameters you have specified. update_incident
Investigation
Get Incident Retrieves an incident associated with a specific alert from Azure Sentinel based on the host, signature, and other input parameters you have specified. get_incident
Investigation

operation: Get All Threat Intelligence Indicators

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "lastReportedDateTime": "",
     "networkIPv6": "",
     "externalId": "",
     "domainName": "",
     "emailSenderAddress": "",
     "networkDestinationCidrBlock": "",
     "fileCompileDateTime": "",
     "networkPort": "",
     "emailLanguage": "",
     "tlpLevel": "",
     "emailSourceDomain": "",
     "knownFalsePositives": "",
     "azureTenantId": "",
     "malwareFamilyNames": [],
     "networkDestinationPort": "",
     "fileSize": "",
     "networkDestinationIPv4": "",
     "emailSubject": "",
     "ingestedDateTime": "",
     "filePath": "",
     "expirationDateTime": "",
     "networkSourceAsn": "",
     "networkSourceCidrBlock": "",
     "networkDestinationAsn": "",
     "killChain": [],
     "networkProtocol": "",
     "diamondModel": "",
     "networkDestinationIPv6": "",
     "userAgent": "",
     "action": "",
     "emailRecipient": "",
     "tags": [],
     "fileCreatedDateTime": "",
     "networkIPv4": "",
     "fileHashType": "",
     "emailXMailer": "",
     "networkSourceIPv6": "",
     "emailEncoding": "",
     "additionalInformation": "",
     "networkSourceIPv4": "",
     "description": "",
     "fileMutexName": "",
     "networkCidrBlock": "",
     "vendorInformation": {
         "vendor": "",
         "provider": "",
         "providerVersion": "",
         "subProvider": ""
     },
     "targetProduct": "",
     "emailSourceIpAddress": "",
     "threatType": "",
     "emailSenderName": "",
     "passiveOnly": "",
     "activityGroupNames": [],
     "confidence": "",
     "fileName": "",
     "networkSourcePort": "",
     "severity": "",
     "filePacker": "",
     "fileType": "",
     "fileHashValue": "",
     "isActive": "",
     "url": ""
}

operation: Get Threat Intelligence Indicator

Input parameters

Parameter Description
Threat Intelligence Indicator ID Unique GUID or ID that is generated by the system when an indicator is ingested based on which you want to retrieve a specific threat intelligence indicator from Azure Sentinel.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "lastReportedDateTime": "",
     "networkIPv6": "",
     "externalId": "",
     "domainName": "",
     "emailSenderAddress": "",
     "networkDestinationCidrBlock": "",
     "fileCompileDateTime": "",
     "networkPort": "",
     "emailLanguage": "",
     "tlpLevel": "",
     "emailSourceDomain": "",
     "knownFalsePositives": "",
     "azureTenantId": "",
     "malwareFamilyNames": [],
     "networkDestinationPort": "",
     "fileSize": "",
     "networkDestinationIPv4": "",
     "emailSubject": "",
     "ingestedDateTime": "",
     "filePath": "",
     "expirationDateTime": "",
     "networkSourceAsn": "",
     "networkSourceCidrBlock": "",
     "networkDestinationAsn": "",
     "killChain": [],
     "networkProtocol": "",
     "diamondModel": "",
     "networkDestinationIPv6": "",
     "userAgent": "",
     "action": "",
     "emailRecipient": "",
     "tags": [],
     "fileCreatedDateTime": "",
     "networkIPv4": "",
     "fileHashType": "",
     "emailXMailer": "",
     "networkSourceIPv6": "",
     "emailEncoding": "",
     "additionalInformation": "",
     "networkSourceIPv4": "",
     "description": "",
     "fileMutexName": "",
     "networkCidrBlock": "",
     "@odata.context": "",
     "vendorInformation": {
         "vendor": "",
         "provider": "",
         "providerVersion": "",
         "subProvider": ""
     },
     "targetProduct": "",
     "emailSourceIpAddress": "",
     "threatType": "",
     "emailSenderName": "",
     "passiveOnly": "",
     "activityGroupNames": [],
     "confidence": "",
     "fileName": "",
     "networkSourcePort": "",
     "severity": "",
     "filePacker": "",
     "fileType": "",
     "fileHashValue": "",
     "isActive": "",
     "url": ""
}

operation: Create Threat Intelligence Indicator

Input parameters

Parameter Description
Action Action that you want to perform if the indicator is matched in the target product security tool. You can choose from the following options: Unknown, Allow, Block, or Alert.
Azure Tenant ID Azure tenant ID that is stamped by the system when an indicator is ingested. The ID of the tenant that is assigned to you by the Azure application registration portal (Azure Active Directory).
Description Brief description (100 characters or less) of the threat represented by the indicator that you want to create in Azure Sentinel.
Expiration Date Datetime that indicates when the indicator that you are creating will expire. All indicators must have an expiration date to avoid stale indicators persisting in the system. The Timestamp type represents date and time information using ISO 8601 format and is always in the UTC time.
Target Product Security product to which you want to apply the indicator that you are creating in Azure Sentinel.
Threat Type Type of threat that you want to assign to the indicator that you are creating in Azure Sentinel. You can choose from the following options: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, or WatchList.
Traffic Light Protocol Value of the traffic light protocol that you want to assign to the indicator that you are creating in Azure Sentinel. You can choose from the following options: Unknown, White, Green, Amber, or Red.
Object Indicator observables based on which you want to create the threat intelligence indicator in Azure Sentinel. You can choose from the following options: Email, File, or Network.
If you select Email, then you must specify the following parameters:
  • Email Encoding: Type of text encoding used in the email.
  • Email Language: Language of the email.
  • Email Recipient: Email address of the recipient.
  • Email Sender Address: Email address of the sender, who could be the attacker or the victim.
  • Email Sender Name: Sender (displayed) name of the sender, who could be the attacker or the victim.
  • Email Source Domain: Source Domain that is used in the email.
  • Email Source IP Address: Source IP address of the email.
  • Email Subject: Subject line of the email.
  • Email X-Mailer: X-Mailer value that is used in the email.
If you select File, then you must specify the following parameters:
  • File Compile Time: Datetime when the file was compiled. The Timestamp type represents date and time information using ISO 8601 format and is always in the UTC time.
  • File Created Date Time: Datetime when the file was created. The Timestamp type represents date and time information using ISO 8601 format and is always in the UTC time.
  • File Hash Type: Type of hash stored in the file. You can choose from the following options: Unknown, Sha1, Sha256, Md5, AuthenticodeHash256, LsHash, or Ctph.
  • File Hash Value: Value of file hash that will be used to create the threat intelligence indicator.
  • File Mutex Name: Mutex name that will be used in file-based detections.
  • File Name: Name of the file that contains the indicator. You can specify multiple filenames using comma-based separators.
  • File Packer: Packer that has been used to build the file that you want to create the threat intelligence indicator in Azure Sentinel.
  • File Path: Path of the file that contains the IOCs. You can specify the path as a 'Windows' path or 'nix-style' path.
  • File Size: Size of the file in bytes.
  • File Type: Type of file such as, a Word Document or a Binary file.
If you select Network, then you must specify the following parameters:
  • Domain Name: Name of the domain associated with the indicator.
  • Network CIDR Block: CIDR Block notation representation of the network referenced in the indicator. Use the field only if you cannot identify the network source and network destination.
  • Network Destination Autonomous: Destination autonomous system identifier of the network referenced in the indicator.
  • Network Destination CIDR Block: CIDR Block notation representation of the destination network in the indicator.
    • Network Destination IPV4: IPv4 IP network destination address referenced in the indicator.
    • Network Destination IPV6: IPv6 IP network destination address referenced in the indicator.
    • Network Destination Port: TCP port of the network destination referenced in the indicator.
  • Network IPV4: IPv4 IP network destination address referenced in the indicator. Use the field only if you cannot identify the network source and network destination.
  • Network IPV6: IPv6 IP network destination address referenced in the indicator. Use the field only if you cannot identify the network source and network destination.
  • Network Port: TCP port referenced in the indicator. Use the field only if you cannot identify the network source and network destination.
  • Network Protocol: Decimal representation of the protocol field in the IPv4 header that is referenced in the indicator.
  • Network Source Autonomous: Source autonomous system identifier of the network referenced in the indicator.
  • Network Source CIDR Block: CIDR Block notation representation of the source network in the indicator
    • Network Source IPV4: IPv4 IP network destination address referenced in the indicator.
    • Network Source IPV6: IPv6 IP network destination address referenced in the indicator.
    • Network Source Port: TCP port of the network source referenced in the indicator.
  • URL: URL referenced in the indicator. Then entered URL must comply with RFC 1738.
  • User Agent: User-Agent string from a web request that could indicate a compromise.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "lastReportedDateTime": "",
     "networkIPv6": "",
     "externalId": "",
     "domainName": "",
     "emailSenderAddress": "",
     "networkDestinationCidrBlock": "",
     "fileCompileDateTime": "",
     "networkPort": "",
     "emailLanguage": "",
     "tlpLevel": "",
     "emailSourceDomain": "",
     "knownFalsePositives": "",
     "api_version": "",
     "azureTenantId": "",
     "malwareFamilyNames": [],
     "networkDestinationPort": "",
     "fileSize": "",
     "networkDestinationIPv4": "",
     "emailSubject": "",
     "ingestedDateTime": "",
     "filePath": "",
     "expirationDateTime": "",
     "networkSourceAsn": "",
     "networkSourceCidrBlock": "",
     "networkDestinationAsn": "",
     "killChain": [],
     "networkProtocol": "",
     "diamondModel": "",
     "networkDestinationIPv6": "",
     "userAgent": "",
     "action": "",
     "emailRecipient": "",
     "tags": [],
     "fileCreatedDateTime": "",
     "networkIPv4": "",
     "fileHashType": "",
     "emailXMailer": "",
     "networkSourceIPv6": "",
     "emailEncoding": "",
     "additionalInformation": "",
     "networkSourceIPv4": "",
     "description": "",
     "fileMutexName": "",
     "networkCidrBlock": "",
     "@odata.context": "",
     "vendorInformation": {
         "vendor": "",
         "provider": "",
         "providerVersion": "",
         "subProvider": ""
     },
     "targetProduct": "",
     "emailSourceIpAddress": "",
     "threatType": "",
     "emailSenderName": "",
     "passiveOnly": "",
     "activityGroupNames": [],
     "confidence": "",
     "fileName": "",
     "networkSourcePort": "",
     "severity": "",
     "filePacker": "",
     "fileType": "",
     "fileHashValue": "",
     "isActive": "",
     "url": ""
}

operation: Delete Threat Intelligence Indicator

Input parameters

Parameter Description
ID Unique GUID or ID that is generated by the system when an indicator is ingested based on which you want to delete a specific threat intelligence indicator from Azure Sentinel.

Output

The output contains the following populated JSON schema:
{
     "result": ""
}

operation: Update Threat Intelligence Indicator

Input parameters

Parameter Description
ID Unique GUID or ID that is generated by the system when an indicator is ingested based on which you want to update a specific threat intelligence indicator from Azure Sentinel.
Action (Optional) Action that you want to perform if the indicator is matched in the target product security tool. You can choose from the following options: Unknown, Allow, Block, or Alert.
Description (Optional) Brief description (100 characters or less) of the threat represented by the indicator that you want to update in Azure Sentinel.
Severity (Optional) Integer value representing the severity of the malicious behavior identified by the data within the indicator that you want to update in Azure Sentinel. You can enter any value between 0-5, where 5 is most severe and 0 is not severe. The default value is set as 3.
Traffic Light Protocol (Optional) Value of the traffic light protocol that you want to assign to the indicator that you are updating in Azure Sentinel. You can choose from the following options: Unknown, White, Green, Amber, or Red.
Is Active (Optional) Clear this checkbox, i.e., set is as 'False', to deactivate indicators within the system. By default, this checkbox is selected, i.e., any indicator submitted is set as active. However, providers might submit existing indicators with this set to 'False' to deactivate indicators in the system.
Confidence (Optional) Integer value representing the confidence in the accuracy of the data within the indicator that identifies malicious behavior. You can enter any value between 0-100, where 100 is the highest.
Diamond Model (Optional) Area of the diamond model in which this indicator exists. You can choose from the following options: Unknown, Adversary, Capability, Infrastructure, or Victim.
Tag (Optional) JSON array of strings that stores arbitrary tags or keywords that you want to associate with the threat intelligence indicator in Azure Sentinel. You can specify multiple tags using comma-based separators.

Output

The output contains the following populated JSON schema:


{
     "result": ""
}

operation: Get All Alerts

Input parameters

None.

Output

The output contains the following populated JSON schema:


{
     "id": "",
     "vendorInformation": {
         "vendor": "",
         "provider": "",
         "providerVersion": "",
         "subProvider": ""
     },
     "closedDateTime": "",
     "assignedTo": "",
     "azureSubscriptionId": "",
     "azureTenantId": "",
     "activityGroupName": "",
     "lastModifiedDateTime": "",
     "description": "",
     "createdDateTime": "",
     "tags": "",
     "title": "",
     "sourceMaterials": "",
     "riskScore": "",
     "detectionIds": "",
     "feedback": "",
     "category": "",
     "comments": "",
     "confidence": "",
     "eventDateTime": "",
     "recommendedActions": "",
     "severity": "",
     "status": ""
}

operation: Get Alert

Input parameters

Parameter Description
Alert ID Unique Alert ID that is generated by the provider when an alert is created in Azure Sentinel based on which you want to retrieve a specific alert from Azure Sentinel.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "tags": "",
     "processes": "",
     "cloudAppStates": "",
     "vendorInformation": {
         "vendor": "",
         "provider": "",
         "providerVersion": "",
         "subProvider": ""
     },
     "userStates": "",
     "closedDateTime": "",
     "vulnerabilityStates": "",
     "malwareStates": "",
     "assignedTo": "",
     "registryKeyStates": "",
     "networkConnections": "",
     "azureSubscriptionId": "",
     "azureTenantId": "",
     "activityGroupName": "",
     "lastModifiedDateTime": "",
     "description": "",
     "createdDateTime": "",
     "@odata.context": "",
     "title": "",
     "hostStates": "",
     "sourceMaterials": "",
     "riskScore": "",
     "detectionIds": "",
     "feedback": "",
     "category": "",
     "comments": "",
     "confidence": "",
     "eventDateTime": "",
     "historyStates": "",
     "recommendedActions": "",
     "fileStates": "",
     "triggers": "",
     "severity": "",
     "status": ""
}

operation: Update Alert

Input parameters

Parameter Description
Alert ID Unique Alert ID that is generated by the provider when an alert is created in Azure Sentinel that you want to update in Azure Sentinel.
Status Status (life cycle status) of the alert that you want to update in Azure Sentinel. You can choose from the following options: Unknown, NewAlert, InProgress, or Resolved.
Close Time Time at which the alert was closed in Azure Sentinel. The timestamp type represents date and time information using ISO 8601 format and is always in the UTC time.
Comments (Optional) Analyst comments that you want to update in the specific alert in Azure Sentinel.
Feedback (Optional) Analyst feedback on the alert that you want to update in Azure Sentinel. You can choose from the following options: Unknown, TruePositive, FalsePositive, or BenignPositive.
Tag (Optional) JSON array of strings that stores user-definable labels that can be applied to the alert that you want to update in Azure Sentinel, and which can serve as filter conditions. You can specify multiple tags using comma-based separators.

Output

The output contains the following populated JSON schema:
{
     "result": ""
}

operation: Get All Secure Scores

Input parameters

Parameter Description
Azure Tenant ID ID of the tenant that is assigned to you by the Azure application registration portal (Azure Active Directory) whose secure scores you want to retrieve from Azure Sentinel.

Output

The output contains the following populated JSON schema:
{
     "value": [
         {
             "currentScore": "",
             "maxScore": "",
             "averageComparativeScores": [
                 {
                     "identityScore": "",
                     "seatSizeRangeLowerValue": "",
                     "basis": "",
                     "averageScore": "",
                     "seatSizeRangeUpperValue": "",
                     "dataScore": "",
                     "deviceScore": "",
                     "categoryValue": ""
                 }
             ],
             "controlScores": [
                 {
                     "score": "",
                     "controlName": "",
                     "count": "",
                     "total": "",
                     "controlCategory": "",
                     "description": ""
                 }
             ],
             "enabledServices": "",
             "activeUserCount": "",
             "id": "",
             "azureTenantId": "",
             "licensedUserCount": "",
             "createdDateTime": ""
         }
     ]
}

operation: Get All Secure Score Control Profiles

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "title": "",
     "remediationImpact": "",
     "actionUrl": "",
     "implementationCost": "",
     "threats": [
         ""
     ],
     "userImpact": "",
     "maxScore": "",
     "deprecated": "",
     "tier": "",
     "controlStateUpdates": [
         {
             "comment": "",
             "updatedDateTime": "",
             "updatedBy": "",
             "assignedTo": "",
             "state": ""
         }
     ],
     "remediation": "",
     "actionType": "",
     "controlCategory": "",
     "service": "",
     "complianceInformation": [
         {
             "certificationControls": [
                 {
                     "name": "",
                     "url": ""
                 }
             ],
             "certificationName": ""
         }
     ],
     "azureTenantId": "",
     "vendorInformation": {
         "vendor": "",
         "provider": "",
         "providerVersion": "",
         "subProvider": ""
     },
     "lastModifiedDateTime": "",
     "rank": ""
}

operation: Update Incident

Input parameters

Parameter Description
Host Callback URL of the logic application (app) which is generated when logic app is created using which you want to update an incident in Azure Sentinel.
API Version API-version of the logic app when the callback URL is generated using which you want to update an incident in Azure Sentinel.
Specific Permissions Permissions required for the permitted HTTP methods to use to update an incident in Azure Sentinel.
Specific SAS Version SAS version to use for generating the signature.
Signature Signature to use for authenticating access to the trigger, which in turn will update the specific incident in Azure Sentinel.
This signature is generated by using the SHA256 algorithm with a secret access key on all the URL paths and properties. Never exposed or published, this key is kept encrypted and stored within the logic app. Your logic app authorizes only those triggers that contain a valid signature created with the secret key.
System Alert ID Alert ID related to the incident that you want to update in Azure Sentinel.
Workspace Subscription ID Azure active directory subscription ID in which you want to update the incident in Azure Sentinel.
Workspace Resource Group Azure active directory resource group in which you want to update the incident in Azure Sentinel.
Workspace ID Azure active directory workspace ID in which you want to update the incident in Azure Sentinel.
Identifier Choose the identifier that you will use to get the incident details from Azure Sentinel. You can choose between Incident or Alert.
Specify ID of the alert or Number of the incident based on which you will update the incident in Azure Sentinel. The ID you will add here will be based on the value you have chosen in the Identifier field, i.e., if you choose Alert, then enter an Alert ID, or if you choose Incident then enter the Incident Number.
Severity (Optional) Updates the severity of the specific incident in Azure Sentinel.  You can choose from the following options: Critical, High, Medium, Low, or Informational.
Comment (Optional) Comment that you want to associate with the specified incident that you want to update in Azure Sentinel. 
Description (Optional) Description of the specified incident that you want to update Azure Sentinel. 
Status (Optional) Status of the incident that you want to update in Azure Sentinel. You can choose from the following options: Draft, New, InProgress, or Closed.
Title (Optional) Title of the specified incident that you want to update Azure Sentinel. 

Output

The output contains the following populated JSON schema:
{
     "result": ""
}

operation: Get Incident

Input parameters

Parameter Description
Host Callback URL of the logic application (app) which is generated when logic app is created using which you want to retrieve an incident from Azure Sentinel.
API Version API-version of the logic app when the callback URL is generated using which you want to retrieve an incident from Azure Sentinel.
Specific Permissions Permissions required for the permitted HTTP methods to use to retrieve an incident from Azure Sentinel.
Specific SAS Version SAS version to use for generating the signature.
Signature

Signature to use for authenticating access to the trigger, which in turn will retrieve the specific incident from Azure Sentinel.

This signature is generated by using the SHA256 algorithm with a secret access key on all the URL paths and properties. Never exposed or published, this key is kept encrypted and stored within the logic app. Your logic app authorizes only those triggers that contain a valid signature created with the secret key.

System Alert ID Alert ID related to the incident that you want to retrieve from Azure Sentinel.
Workspace Subscription ID Azure active directory subscription ID from which you want to retrieve the incident.
Workspace Resource Group Azure active directory resource group from which you want to retrieve the incident.
Workspace ID Azure active directory workspace ID from which you want to retrieve the incident.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "tags": "",
     "name": "",
     "properties": {
         "CreatedTimeUtc": "",
         "StartTimeUtc": "",
         "CloseReason": "",
         "Description": "",
         "AssignedTo": "",
         "Status": "",
         "EndTimeUtc": "",
         "LastAlertTimeGenerated": "",
         "Labels": [],
         "ClosedReasonText": "",
         "Title": "",
         "Severity": "",
         "CaseNumber": "",
         "Metrics": {
             "SecurityAlert": ""
         },
         "FirstAlertTimeGenerated": "",
         "RelatedAlertIds": [],
         "LastUpdatedTimeUtc": ""
     },
     "etag": "",
     "kind": "",
     "type": ""
}

Included playbooks

The Sample - Azure Sentinel - 1.0.0 playbook collection comes bundled with the Azure Sentinel connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in CyOPsTM after importing the Azure Sentinel connector.

  • Azure Sentinel: API Trigger: Create Alert
  • Azure Sentinel: API Trigger: Create Incident
  • Azure Sentinel: API Trigger: Logs
  • Azure Sentinel: API Trigger: Update Alert
  • Azure Sentinel: API Trigger: Update Incident
  • Azure Sentinel: Update_Incident: Logic App
    Important: The above playbooks (beginning with Azure Sentinel) are added for enabling support for configuring Azure Sentinel data ingestion using the FortiSOAR™ Data Ingestion Wizard, a new feature in FortiSOAR™ 5.0.0. For more information on the Data Ingestion Wizard, see the "Data Ingestion" chapter in the FortiSOAR™ product documentation.
  • Create Threat Intelligence Indicator
  • Delete Threat Intelligence Indicator
  • Get Alert
  • Get All Alerts
  • Get All Secure Score Control Profiles
  • Get All Secure Scores
  • Get All Threat Intelligence Indicators
  • Get Incident
  • Get Threat Intelligence Indicator
  • Update Alert
  • Update Incident
  • Update Threat Intelligence Indicator

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

About the connector

Azure Sentinel is a cloud-native SIEM that you can use for intelligent security analytics across your entire enterprise. 

Azure Sentinel connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically investigating alerts, threat intelligence indicators, incidents, and secure scores.

Version information

Connector Version: 1.0.0 

FortiSOAR™ Version Tested on: 5.1.0-464

Authored By: Fortinet

Certified: Yes

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-azure-sentinel

For the detailed procedure to install a connector, click here

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Azure Sentinel connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details: 

Parameter Description
Tenant ID ID of the tenant that is assigned to you by the Azure application registration portal.
Client ID ID of the client that is assigned to you by the Azure application registration portal.
Client Secret Client (application) Secret that has been assigned to you by the Azure application registration portal. The client secret can either be a password or a public/private key pair (certificate).
Username Username assigned to you by the Azure registration portal.
Password Password by the Azure registration portal.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

Function Description Annotation and Category
Get All Threat Intelligence Indicators Retrieves all threat intelligence indicators from Azure Sentinel using the Microsoft Graph Security API. get_all_threat_intelligence_indicators
Investigation
Get Threat Intelligence Indicator Retrieves a specific threat intelligence indicator from Azure Sentinel using the Microsoft Graph Security API based on the threat Intelligence Indicator ID you have specified. get_threat_intelligence_indicator
Investigation
Create Threat Intelligence Indicator Creates a threat intelligence indicator in Azure Sentinel using the Microsoft Graph Security API based on the Azure Tenant ID, threat type, and other input parameters you have specified. create_threat_intelligence_indicator
Investigation
Delete Threat Intelligence Indicator Deletes a specific threat intelligence indicator from Azure Sentinel using the Microsoft Graph Security API based on the threat Intelligence Indicator ID you have specified. delete_threat_intelligence_indicator
Investigation
Update Threat Intelligence Indicator Updates a specific threat intelligence indicator in Azure Sentinel using the Microsoft Graph Security API based on the threat intelligence indicator ID, and other input parameters you have specified. update_threat_intelligence_indicator
Investigation
Get All Alerts Retrieves all alerts from Azure Sentinel using the Microsoft Graph Security API.  get_all_alerts
Investigation
Get Alert Retrieves a specific threat intelligence indicator from Azure Sentinel using the Microsoft Graph Security API based on the Alert ID you have specified. get_alert
Investigation
Update Alert Updates a specific alert in Azure Sentinel using the Microsoft Graph Security API based on the alert ID, status, and other input parameters you have specified. update_alert
Investigation
Get All Secure Scores Retrieves all secure scores associated with a specific Azure Tenant from Azure Sentinel using the Microsoft Graph Security API based on the Azure Tenant ID you have specified. get_all_secure_scores
Investigation
Get All Secure Score Control Profiles Retrieves all secure score control profiles from Azure Sentinel using the Microsoft Graph Security API.  get_all_secure_score_control_profiles
Investigation
Update Incident Updates an incident in Azure Sentinel using the logic application based on the host, signature, and other input parameters you have specified. update_incident
Investigation
Get Incident Retrieves an incident associated with a specific alert from Azure Sentinel based on the host, signature, and other input parameters you have specified. get_incident
Investigation

operation: Get All Threat Intelligence Indicators

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "lastReportedDateTime": "",
     "networkIPv6": "",
     "externalId": "",
     "domainName": "",
     "emailSenderAddress": "",
     "networkDestinationCidrBlock": "",
     "fileCompileDateTime": "",
     "networkPort": "",
     "emailLanguage": "",
     "tlpLevel": "",
     "emailSourceDomain": "",
     "knownFalsePositives": "",
     "azureTenantId": "",
     "malwareFamilyNames": [],
     "networkDestinationPort": "",
     "fileSize": "",
     "networkDestinationIPv4": "",
     "emailSubject": "",
     "ingestedDateTime": "",
     "filePath": "",
     "expirationDateTime": "",
     "networkSourceAsn": "",
     "networkSourceCidrBlock": "",
     "networkDestinationAsn": "",
     "killChain": [],
     "networkProtocol": "",
     "diamondModel": "",
     "networkDestinationIPv6": "",
     "userAgent": "",
     "action": "",
     "emailRecipient": "",
     "tags": [],
     "fileCreatedDateTime": "",
     "networkIPv4": "",
     "fileHashType": "",
     "emailXMailer": "",
     "networkSourceIPv6": "",
     "emailEncoding": "",
     "additionalInformation": "",
     "networkSourceIPv4": "",
     "description": "",
     "fileMutexName": "",
     "networkCidrBlock": "",
     "vendorInformation": {
         "vendor": "",
         "provider": "",
         "providerVersion": "",
         "subProvider": ""
     },
     "targetProduct": "",
     "emailSourceIpAddress": "",
     "threatType": "",
     "emailSenderName": "",
     "passiveOnly": "",
     "activityGroupNames": [],
     "confidence": "",
     "fileName": "",
     "networkSourcePort": "",
     "severity": "",
     "filePacker": "",
     "fileType": "",
     "fileHashValue": "",
     "isActive": "",
     "url": ""
}

operation: Get Threat Intelligence Indicator

Input parameters

Parameter Description
Threat Intelligence Indicator ID Unique GUID or ID that is generated by the system when an indicator is ingested based on which you want to retrieve a specific threat intelligence indicator from Azure Sentinel.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "lastReportedDateTime": "",
     "networkIPv6": "",
     "externalId": "",
     "domainName": "",
     "emailSenderAddress": "",
     "networkDestinationCidrBlock": "",
     "fileCompileDateTime": "",
     "networkPort": "",
     "emailLanguage": "",
     "tlpLevel": "",
     "emailSourceDomain": "",
     "knownFalsePositives": "",
     "azureTenantId": "",
     "malwareFamilyNames": [],
     "networkDestinationPort": "",
     "fileSize": "",
     "networkDestinationIPv4": "",
     "emailSubject": "",
     "ingestedDateTime": "",
     "filePath": "",
     "expirationDateTime": "",
     "networkSourceAsn": "",
     "networkSourceCidrBlock": "",
     "networkDestinationAsn": "",
     "killChain": [],
     "networkProtocol": "",
     "diamondModel": "",
     "networkDestinationIPv6": "",
     "userAgent": "",
     "action": "",
     "emailRecipient": "",
     "tags": [],
     "fileCreatedDateTime": "",
     "networkIPv4": "",
     "fileHashType": "",
     "emailXMailer": "",
     "networkSourceIPv6": "",
     "emailEncoding": "",
     "additionalInformation": "",
     "networkSourceIPv4": "",
     "description": "",
     "fileMutexName": "",
     "networkCidrBlock": "",
     "@odata.context": "",
     "vendorInformation": {
         "vendor": "",
         "provider": "",
         "providerVersion": "",
         "subProvider": ""
     },
     "targetProduct": "",
     "emailSourceIpAddress": "",
     "threatType": "",
     "emailSenderName": "",
     "passiveOnly": "",
     "activityGroupNames": [],
     "confidence": "",
     "fileName": "",
     "networkSourcePort": "",
     "severity": "",
     "filePacker": "",
     "fileType": "",
     "fileHashValue": "",
     "isActive": "",
     "url": ""
}

operation: Create Threat Intelligence Indicator

Input parameters

Parameter Description
Action Action that you want to perform if the indicator is matched in the target product security tool. You can choose from the following options: Unknown, Allow, Block, or Alert.
Azure Tenant ID Azure tenant ID that is stamped by the system when an indicator is ingested. The ID of the tenant that is assigned to you by the Azure application registration portal (Azure Active Directory).
Description Brief description (100 characters or less) of the threat represented by the indicator that you want to create in Azure Sentinel.
Expiration Date Datetime that indicates when the indicator that you are creating will expire. All indicators must have an expiration date to avoid stale indicators persisting in the system. The Timestamp type represents date and time information using ISO 8601 format and is always in the UTC time.
Target Product Security product to which you want to apply the indicator that you are creating in Azure Sentinel.
Threat Type Type of threat that you want to assign to the indicator that you are creating in Azure Sentinel. You can choose from the following options: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, or WatchList.
Traffic Light Protocol Value of the traffic light protocol that you want to assign to the indicator that you are creating in Azure Sentinel. You can choose from the following options: Unknown, White, Green, Amber, or Red.
Object Indicator observables based on which you want to create the threat intelligence indicator in Azure Sentinel. You can choose from the following options: Email, File, or Network.
If you select Email, then you must specify the following parameters:
  • Email Encoding: Type of text encoding used in the email.
  • Email Language: Language of the email.
  • Email Recipient: Email address of the recipient.
  • Email Sender Address: Email address of the sender, who could be the attacker or the victim.
  • Email Sender Name: Sender (displayed) name of the sender, who could be the attacker or the victim.
  • Email Source Domain: Source Domain that is used in the email.
  • Email Source IP Address: Source IP address of the email.
  • Email Subject: Subject line of the email.
  • Email X-Mailer: X-Mailer value that is used in the email.
If you select File, then you must specify the following parameters:
  • File Compile Time: Datetime when the file was compiled. The Timestamp type represents date and time information using ISO 8601 format and is always in the UTC time.
  • File Created Date Time: Datetime when the file was created. The Timestamp type represents date and time information using ISO 8601 format and is always in the UTC time.
  • File Hash Type: Type of hash stored in the file. You can choose from the following options: Unknown, Sha1, Sha256, Md5, AuthenticodeHash256, LsHash, or Ctph.
  • File Hash Value: Value of file hash that will be used to create the threat intelligence indicator.
  • File Mutex Name: Mutex name that will be used in file-based detections.
  • File Name: Name of the file that contains the indicator. You can specify multiple filenames using comma-based separators.
  • File Packer: Packer that has been used to build the file that you want to create the threat intelligence indicator in Azure Sentinel.
  • File Path: Path of the file that contains the IOCs. You can specify the path as a 'Windows' path or 'nix-style' path.
  • File Size: Size of the file in bytes.
  • File Type: Type of file such as, a Word Document or a Binary file.
If you select Network, then you must specify the following parameters:
  • Domain Name: Name of the domain associated with the indicator.
  • Network CIDR Block: CIDR Block notation representation of the network referenced in the indicator. Use the field only if you cannot identify the network source and network destination.
  • Network Destination Autonomous: Destination autonomous system identifier of the network referenced in the indicator.
  • Network Destination CIDR Block: CIDR Block notation representation of the destination network in the indicator.
    • Network Destination IPV4: IPv4 IP network destination address referenced in the indicator.
    • Network Destination IPV6: IPv6 IP network destination address referenced in the indicator.
    • Network Destination Port: TCP port of the network destination referenced in the indicator.
  • Network IPV4: IPv4 IP network destination address referenced in the indicator. Use the field only if you cannot identify the network source and network destination.
  • Network IPV6: IPv6 IP network destination address referenced in the indicator. Use the field only if you cannot identify the network source and network destination.
  • Network Port: TCP port referenced in the indicator. Use the field only if you cannot identify the network source and network destination.
  • Network Protocol: Decimal representation of the protocol field in the IPv4 header that is referenced in the indicator.
  • Network Source Autonomous: Source autonomous system identifier of the network referenced in the indicator.
  • Network Source CIDR Block: CIDR Block notation representation of the source network in the indicator
    • Network Source IPV4: IPv4 IP network destination address referenced in the indicator.
    • Network Source IPV6: IPv6 IP network destination address referenced in the indicator.
    • Network Source Port: TCP port of the network source referenced in the indicator.
  • URL: URL referenced in the indicator. Then entered URL must comply with RFC 1738.
  • User Agent: User-Agent string from a web request that could indicate a compromise.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "lastReportedDateTime": "",
     "networkIPv6": "",
     "externalId": "",
     "domainName": "",
     "emailSenderAddress": "",
     "networkDestinationCidrBlock": "",
     "fileCompileDateTime": "",
     "networkPort": "",
     "emailLanguage": "",
     "tlpLevel": "",
     "emailSourceDomain": "",
     "knownFalsePositives": "",
     "api_version": "",
     "azureTenantId": "",
     "malwareFamilyNames": [],
     "networkDestinationPort": "",
     "fileSize": "",
     "networkDestinationIPv4": "",
     "emailSubject": "",
     "ingestedDateTime": "",
     "filePath": "",
     "expirationDateTime": "",
     "networkSourceAsn": "",
     "networkSourceCidrBlock": "",
     "networkDestinationAsn": "",
     "killChain": [],
     "networkProtocol": "",
     "diamondModel": "",
     "networkDestinationIPv6": "",
     "userAgent": "",
     "action": "",
     "emailRecipient": "",
     "tags": [],
     "fileCreatedDateTime": "",
     "networkIPv4": "",
     "fileHashType": "",
     "emailXMailer": "",
     "networkSourceIPv6": "",
     "emailEncoding": "",
     "additionalInformation": "",
     "networkSourceIPv4": "",
     "description": "",
     "fileMutexName": "",
     "networkCidrBlock": "",
     "@odata.context": "",
     "vendorInformation": {
         "vendor": "",
         "provider": "",
         "providerVersion": "",
         "subProvider": ""
     },
     "targetProduct": "",
     "emailSourceIpAddress": "",
     "threatType": "",
     "emailSenderName": "",
     "passiveOnly": "",
     "activityGroupNames": [],
     "confidence": "",
     "fileName": "",
     "networkSourcePort": "",
     "severity": "",
     "filePacker": "",
     "fileType": "",
     "fileHashValue": "",
     "isActive": "",
     "url": ""
}

operation: Delete Threat Intelligence Indicator

Input parameters

Parameter Description
ID Unique GUID or ID that is generated by the system when an indicator is ingested based on which you want to delete a specific threat intelligence indicator from Azure Sentinel.

Output

The output contains the following populated JSON schema:
{
     "result": ""
}

operation: Update Threat Intelligence Indicator

Input parameters

Parameter Description
ID Unique GUID or ID that is generated by the system when an indicator is ingested based on which you want to update a specific threat intelligence indicator from Azure Sentinel.
Action (Optional) Action that you want to perform if the indicator is matched in the target product security tool. You can choose from the following options: Unknown, Allow, Block, or Alert.
Description (Optional) Brief description (100 characters or less) of the threat represented by the indicator that you want to update in Azure Sentinel.
Severity (Optional) Integer value representing the severity of the malicious behavior identified by the data within the indicator that you want to update in Azure Sentinel. You can enter any value between 0-5, where 5 is most severe and 0 is not severe. The default value is set as 3.
Traffic Light Protocol (Optional) Value of the traffic light protocol that you want to assign to the indicator that you are updating in Azure Sentinel. You can choose from the following options: Unknown, White, Green, Amber, or Red.
Is Active (Optional) Clear this checkbox, i.e., set is as 'False', to deactivate indicators within the system. By default, this checkbox is selected, i.e., any indicator submitted is set as active. However, providers might submit existing indicators with this set to 'False' to deactivate indicators in the system.
Confidence (Optional) Integer value representing the confidence in the accuracy of the data within the indicator that identifies malicious behavior. You can enter any value between 0-100, where 100 is the highest.
Diamond Model (Optional) Area of the diamond model in which this indicator exists. You can choose from the following options: Unknown, Adversary, Capability, Infrastructure, or Victim.
Tag (Optional) JSON array of strings that stores arbitrary tags or keywords that you want to associate with the threat intelligence indicator in Azure Sentinel. You can specify multiple tags using comma-based separators.

Output

The output contains the following populated JSON schema:


{
     "result": ""
}

operation: Get All Alerts

Input parameters

None.

Output

The output contains the following populated JSON schema:


{
     "id": "",
     "vendorInformation": {
         "vendor": "",
         "provider": "",
         "providerVersion": "",
         "subProvider": ""
     },
     "closedDateTime": "",
     "assignedTo": "",
     "azureSubscriptionId": "",
     "azureTenantId": "",
     "activityGroupName": "",
     "lastModifiedDateTime": "",
     "description": "",
     "createdDateTime": "",
     "tags": "",
     "title": "",
     "sourceMaterials": "",
     "riskScore": "",
     "detectionIds": "",
     "feedback": "",
     "category": "",
     "comments": "",
     "confidence": "",
     "eventDateTime": "",
     "recommendedActions": "",
     "severity": "",
     "status": ""
}

operation: Get Alert

Input parameters

Parameter Description
Alert ID Unique Alert ID that is generated by the provider when an alert is created in Azure Sentinel based on which you want to retrieve a specific alert from Azure Sentinel.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "tags": "",
     "processes": "",
     "cloudAppStates": "",
     "vendorInformation": {
         "vendor": "",
         "provider": "",
         "providerVersion": "",
         "subProvider": ""
     },
     "userStates": "",
     "closedDateTime": "",
     "vulnerabilityStates": "",
     "malwareStates": "",
     "assignedTo": "",
     "registryKeyStates": "",
     "networkConnections": "",
     "azureSubscriptionId": "",
     "azureTenantId": "",
     "activityGroupName": "",
     "lastModifiedDateTime": "",
     "description": "",
     "createdDateTime": "",
     "@odata.context": "",
     "title": "",
     "hostStates": "",
     "sourceMaterials": "",
     "riskScore": "",
     "detectionIds": "",
     "feedback": "",
     "category": "",
     "comments": "",
     "confidence": "",
     "eventDateTime": "",
     "historyStates": "",
     "recommendedActions": "",
     "fileStates": "",
     "triggers": "",
     "severity": "",
     "status": ""
}

operation: Update Alert

Input parameters

Parameter Description
Alert ID Unique Alert ID that is generated by the provider when an alert is created in Azure Sentinel that you want to update in Azure Sentinel.
Status Status (life cycle status) of the alert that you want to update in Azure Sentinel. You can choose from the following options: Unknown, NewAlert, InProgress, or Resolved.
Close Time Time at which the alert was closed in Azure Sentinel. The timestamp type represents date and time information using ISO 8601 format and is always in the UTC time.
Comments (Optional) Analyst comments that you want to update in the specific alert in Azure Sentinel.
Feedback (Optional) Analyst feedback on the alert that you want to update in Azure Sentinel. You can choose from the following options: Unknown, TruePositive, FalsePositive, or BenignPositive.
Tag (Optional) JSON array of strings that stores user-definable labels that can be applied to the alert that you want to update in Azure Sentinel, and which can serve as filter conditions. You can specify multiple tags using comma-based separators.

Output

The output contains the following populated JSON schema:
{
     "result": ""
}

operation: Get All Secure Scores

Input parameters

Parameter Description
Azure Tenant ID ID of the tenant that is assigned to you by the Azure application registration portal (Azure Active Directory) whose secure scores you want to retrieve from Azure Sentinel.

Output

The output contains the following populated JSON schema:
{
     "value": [
         {
             "currentScore": "",
             "maxScore": "",
             "averageComparativeScores": [
                 {
                     "identityScore": "",
                     "seatSizeRangeLowerValue": "",
                     "basis": "",
                     "averageScore": "",
                     "seatSizeRangeUpperValue": "",
                     "dataScore": "",
                     "deviceScore": "",
                     "categoryValue": ""
                 }
             ],
             "controlScores": [
                 {
                     "score": "",
                     "controlName": "",
                     "count": "",
                     "total": "",
                     "controlCategory": "",
                     "description": ""
                 }
             ],
             "enabledServices": "",
             "activeUserCount": "",
             "id": "",
             "azureTenantId": "",
             "licensedUserCount": "",
             "createdDateTime": ""
         }
     ]
}

operation: Get All Secure Score Control Profiles

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "title": "",
     "remediationImpact": "",
     "actionUrl": "",
     "implementationCost": "",
     "threats": [
         ""
     ],
     "userImpact": "",
     "maxScore": "",
     "deprecated": "",
     "tier": "",
     "controlStateUpdates": [
         {
             "comment": "",
             "updatedDateTime": "",
             "updatedBy": "",
             "assignedTo": "",
             "state": ""
         }
     ],
     "remediation": "",
     "actionType": "",
     "controlCategory": "",
     "service": "",
     "complianceInformation": [
         {
             "certificationControls": [
                 {
                     "name": "",
                     "url": ""
                 }
             ],
             "certificationName": ""
         }
     ],
     "azureTenantId": "",
     "vendorInformation": {
         "vendor": "",
         "provider": "",
         "providerVersion": "",
         "subProvider": ""
     },
     "lastModifiedDateTime": "",
     "rank": ""
}

operation: Update Incident

Input parameters

Parameter Description
Host Callback URL of the logic application (app) which is generated when logic app is created using which you want to update an incident in Azure Sentinel.
API Version API-version of the logic app when the callback URL is generated using which you want to update an incident in Azure Sentinel.
Specific Permissions Permissions required for the permitted HTTP methods to use to update an incident in Azure Sentinel.
Specific SAS Version SAS version to use for generating the signature.
Signature Signature to use for authenticating access to the trigger, which in turn will update the specific incident in Azure Sentinel.
This signature is generated by using the SHA256 algorithm with a secret access key on all the URL paths and properties. Never exposed or published, this key is kept encrypted and stored within the logic app. Your logic app authorizes only those triggers that contain a valid signature created with the secret key.
System Alert ID Alert ID related to the incident that you want to update in Azure Sentinel.
Workspace Subscription ID Azure active directory subscription ID in which you want to update the incident in Azure Sentinel.
Workspace Resource Group Azure active directory resource group in which you want to update the incident in Azure Sentinel.
Workspace ID Azure active directory workspace ID in which you want to update the incident in Azure Sentinel.
Identifier Choose the identifier that you will use to get the incident details from Azure Sentinel. You can choose between Incident or Alert.
Specify ID of the alert or Number of the incident based on which you will update the incident in Azure Sentinel. The ID you will add here will be based on the value you have chosen in the Identifier field, i.e., if you choose Alert, then enter an Alert ID, or if you choose Incident then enter the Incident Number.
Severity (Optional) Updates the severity of the specific incident in Azure Sentinel.  You can choose from the following options: Critical, High, Medium, Low, or Informational.
Comment (Optional) Comment that you want to associate with the specified incident that you want to update in Azure Sentinel. 
Description (Optional) Description of the specified incident that you want to update Azure Sentinel. 
Status (Optional) Status of the incident that you want to update in Azure Sentinel. You can choose from the following options: Draft, New, InProgress, or Closed.
Title (Optional) Title of the specified incident that you want to update Azure Sentinel. 

Output

The output contains the following populated JSON schema:
{
     "result": ""
}

operation: Get Incident

Input parameters

Parameter Description
Host Callback URL of the logic application (app) which is generated when logic app is created using which you want to retrieve an incident from Azure Sentinel.
API Version API-version of the logic app when the callback URL is generated using which you want to retrieve an incident from Azure Sentinel.
Specific Permissions Permissions required for the permitted HTTP methods to use to retrieve an incident from Azure Sentinel.
Specific SAS Version SAS version to use for generating the signature.
Signature

Signature to use for authenticating access to the trigger, which in turn will retrieve the specific incident from Azure Sentinel.

This signature is generated by using the SHA256 algorithm with a secret access key on all the URL paths and properties. Never exposed or published, this key is kept encrypted and stored within the logic app. Your logic app authorizes only those triggers that contain a valid signature created with the secret key.

System Alert ID Alert ID related to the incident that you want to retrieve from Azure Sentinel.
Workspace Subscription ID Azure active directory subscription ID from which you want to retrieve the incident.
Workspace Resource Group Azure active directory resource group from which you want to retrieve the incident.
Workspace ID Azure active directory workspace ID from which you want to retrieve the incident.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "tags": "",
     "name": "",
     "properties": {
         "CreatedTimeUtc": "",
         "StartTimeUtc": "",
         "CloseReason": "",
         "Description": "",
         "AssignedTo": "",
         "Status": "",
         "EndTimeUtc": "",
         "LastAlertTimeGenerated": "",
         "Labels": [],
         "ClosedReasonText": "",
         "Title": "",
         "Severity": "",
         "CaseNumber": "",
         "Metrics": {
             "SecurityAlert": ""
         },
         "FirstAlertTimeGenerated": "",
         "RelatedAlertIds": [],
         "LastUpdatedTimeUtc": ""
     },
     "etag": "",
     "kind": "",
     "type": ""
}

Included playbooks

The Sample - Azure Sentinel - 1.0.0 playbook collection comes bundled with the Azure Sentinel connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in CyOPsTM after importing the Azure Sentinel connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.