Fortinet Document Library

About the connector

Azure Sentinel is a cloud-native SIEM that you can use for intelligent security analytics across your entire enterprise. 

This document provides information about the Azure Sentinel connector, which facilitates automated interactions with Azure Sentinel using FortiSOAR™ playbooks. Add the Azure Sentinel connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically retrieving alerts, threat intelligence indicators, and secure scores from Azure Sentinel, or creating, updating, and deleting threat intelligence indicators in Azure Sentinel.

You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alerts and their associated "events" from Azure Sentinel. For more information, see the Data Ingestion Support section.

Version information

Connector Version: 1.1.0

Authored By: Community

Certified: No

Connector Authentication - Getting Authentication Tokens

You can get an authentication token to access the Microsoft Graph Security APIs, Azure Sentinel Management APIs, and Log Analytics APIs using Application Permission. For more information, see https://docs.microsoft.com/en-us/graph/auth-v2-service

Getting Access Tokens without a User - Application Permission

  1. Ensure that the required permissions are granted for the registration of the application.
    For example, for Microsoft Graph, the API/Permission names that must be granted are:
    • SecurityEvents.Read.All,
    • SecurityEvents.ReadWrite.All,
    • ThreatIndicators.ReadWrite.OwnedBy, 
    • Data.Read of type 'Application'.
  2. Enter your client ID in the 'Client ID' parameter field.
  3. Enter your client secret in the 'Client Secret' parameter field.
  4. Enter your tenant ID in the 'Tenant ID' parameter field.
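
The client-credentials exchange behind steps 2 to 4, as an added example that is not the connector's own code: the three APIs named above (Microsoft Graph, Azure Sentinel Management and Log Analytics) are separate audiences, so one token is requested and cached per resource. The token endpoint and the three .default scope URLs are Microsoft's; the TokenCache class, its parameters and the sample values are assumptions.

```python
import json
import time
import urllib.parse
import urllib.request

# v2.0 token endpoint of the tenant; {tenant_id} is the connector's 'Tenant ID' parameter.
TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"

# A token is minted for exactly one audience, so a Graph token is rejected by Azure
# Resource Manager and by Log Analytics: request one token per resource, each with
# that resource's .default scope (the application permissions granted above apply).
RESOURCE_SCOPES = {
    "graph": "https://graph.microsoft.com/.default",        # alerts, tiIndicators, secureScores
    "management": "https://management.azure.com/.default",  # Azure Sentinel incidents (ARM)
    "loganalytics": "https://api.loganalytics.io/.default", # Log Analytics queries
}


def build_token_request(tenant_id, client_id, client_secret, resource):
    """Return (url, form body) for a client_credentials grant against one resource."""
    if resource not in RESOURCE_SCOPES:
        raise ValueError("unknown resource: %s" % resource)
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": RESOURCE_SCOPES[resource],
    }
    return TOKEN_URL.format(tenant_id=tenant_id), urllib.parse.urlencode(form).encode()


def http_post_form(url, body):
    """Default transport: POST the form and decode the JSON reply (needs network)."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


class TokenCache:
    """One cached access token per resource, refreshed `skew` seconds before expiry.
    (Hypothetical helper; `post` and `clock` are injectable so it can run offline.)"""

    def __init__(self, tenant_id, client_id, client_secret,
                 post=http_post_form, clock=time.time, skew=60):
        self._creds = (tenant_id, client_id, client_secret)
        self._post, self._clock, self._skew = post, clock, skew
        self._tokens = {}  # resource -> (access_token, expires_at)

    def get(self, resource):
        now = self._clock()
        cached = self._tokens.get(resource)
        if cached and cached[1] - self._skew > now:
            return cached[0]
        url, body = build_token_request(*self._creds, resource=resource)
        reply = self._post(url, body)
        if "access_token" not in reply:
            # Azure AD answers with error/error_description, e.g. when admin consent
            # for the application permissions has not been granted.
            raise RuntimeError("token request failed: %s"
                               % reply.get("error_description", reply.get("error")))
        if reply.get("token_type", "Bearer").lower() != "bearer":
            raise RuntimeError("unexpected token_type %r" % reply.get("token_type"))
        # expires_in is seconds from now; the token itself is never logged or persisted.
        self._tokens[resource] = (reply["access_token"], now + int(reply.get("expires_in", 0)))
        return reply["access_token"]

    def auth_header(self, resource):
        """Authorization header for a request to the given resource."""
        return {"Authorization": "Bearer " + self.get(resource)}
```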

The following table lists the permissions that you must assign in the Azure portal for each operation:

Action | Delegate Permission | Application Permission
Get Alert List | SecurityEvents.Read.All, SecurityEvents.ReadWrite.All | SecurityEvents.Read.All, SecurityEvents.ReadWrite.All
Get Alert | SecurityEvents.Read.All, SecurityEvents.ReadWrite.All | SecurityEvents.Read.All, SecurityEvents.ReadWrite.All
Update Alert | SecurityEvents.Read.All | SecurityEvents.Read.All
Get All Secure Scores | SecurityEvents.Read.All, SecurityEvents.ReadWrite.All | SecurityEvents.Read.All, SecurityEvents.ReadWrite.All
Get All Secure Score Control Profiles | SecurityEvents.Read.All, SecurityEvents.ReadWrite.All | SecurityEvents.Read.All, SecurityEvents.ReadWrite.All
Create Threat Intelligence Indicator | ThreatIndicators.ReadWrite.OwnedBy | ThreatIndicators.ReadWrite.OwnedBy
Get All Threat Intelligence Indicators | ThreatIndicators.ReadWrite.OwnedBy | ThreatIndicators.ReadWrite.OwnedBy
Get Threat Intelligence Indicator | ThreatIndicators.ReadWrite.OwnedBy | ThreatIndicators.ReadWrite.OwnedBy
Update Threat Intelligence Indicator | ThreatIndicators.ReadWrite.OwnedBy | ThreatIndicators.ReadWrite.OwnedBy
Delete Threat Intelligence Indicator | ThreatIndicators.ReadWrite.OwnedBy | ThreatIndicators.ReadWrite.OwnedBy
Get Alert Events | Data.Read | Data.Read
Fetch Alert Query | Data.Read | Data.Read

Important: For information on how to grant permissions in the Azure portal, see the following links:

Release Notes for version 1.1.0

Following enhancements have been made to the Azure Sentinel connector in version 1.1.0:

  • Added support to ingest data from Azure Sentinel into FortiSOAR™ using the "Data Ingestion Wizard."
  • Added the following actions and playbooks:
    • Get Alert List
    • Get Incident List
    • Get Alert Events
    • Fetch Alert Query
  • Removed the following actions and playbooks:
    • Get All Alerts
    • Azure Sentinel: API Trigger: Logs
  • Removed the following "Configuration Parameters":
    • Username
    • Password

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:

yum install cyops-connector-azure-sentinel

Prerequisites to configuring the connector

  • To access Azure Sentinel and perform automated operations, you must have your Tenant ID, Client ID, and Client Secret, which are assigned to you by the Azure application registration portal.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on Azure Sentinel.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Azure Sentinel connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details: 

Parameter Description
Tenant ID ID of the tenant that is assigned to you by the Azure application registration portal.
Client ID Unique Application ID of the Azure Active Directory application that is used to create an authentication token required to access the API. For information on getting authentication tokens, see the Connector Authentication - Getting Authentication Tokens section.
Client Secret Unique Client Secret of the Azure Active Directory application that is used to create an authentication token required to access the API. For information on how to get the secret key, see https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 onwards:

Function | Description | Annotation and Category
Get All Threat Intelligence Indicators | Retrieves all threat intelligence indicators from Azure Sentinel using the Microsoft Graph Security API. | get_all_threat_intelligence_indicators (Investigation)
Get Threat Intelligence Indicator | Retrieves a specific threat intelligence indicator from Azure Sentinel using the Microsoft Graph Security API based on the threat intelligence indicator ID you have specified. | get_threat_intelligence_indicator (Investigation)
Create Threat Intelligence Indicator | Creates a threat intelligence indicator in Azure Sentinel using the Microsoft Graph Security API based on the threat type, indicator observables, and other input parameters you have specified. | create_threat_intelligence_indicator (Investigation)
Delete Threat Intelligence Indicator | Deletes a specific threat intelligence indicator from Azure Sentinel using the Microsoft Graph Security API based on the threat intelligence indicator ID you have specified. | delete_threat_intelligence_indicator (Investigation)
Update Threat Intelligence Indicator | Updates a specific threat intelligence indicator in Azure Sentinel using the Microsoft Graph Security API based on the threat intelligence indicator ID and other input parameters you have specified. | update_threat_intelligence_indicator (Investigation)
Get Alert | Retrieves a specific alert from Azure Sentinel using the Microsoft Graph Security API based on the Alert ID you have specified. | get_alert (Investigation)
Update Alert | Updates a specific alert in Azure Sentinel using the Microsoft Graph Security API based on the alert ID, status, and other input parameters you have specified. | update_alert (Investigation)
Get All Secure Scores | Retrieves all secure scores associated with a specific Azure tenant from Azure Sentinel using the Microsoft Graph Security API based on the Azure Tenant ID you have specified. | get_all_secure_scores (Investigation)
Get All Secure Score Control Profiles | Retrieves all secure score control profiles from Azure Sentinel using the Microsoft Graph Security API. | get_all_secure_score_control_profiles (Investigation)
Get Incident | Retrieves an incident associated with a specific alert from Azure Sentinel based on the incident ID, workspace name, and other input parameters you have specified. | get_incident (Investigation)
Get Incident List | Retrieves all incidents from Azure Sentinel based on the workspace subscription ID, workspace name, and other input parameters that you have specified. | get_incident_list (Investigation)
Update Incident | Updates an incident in Azure Sentinel based on the incident ID, workspace name, and other input parameters you have specified. | update_incident (Investigation)
Get Alert List | Retrieves alerts from Azure Sentinel, filtered by the search query and other input parameters that you have specified. | get_alert_list (Investigation)
Get Alert Events | Retrieves all events associated with a specific alert from Azure Sentinel based on the workspace ID and search query that you have specified. | get_alert_events (Investigation)
Fetch Alert Query | Retrieves the query for a specific alert from Azure Sentinel based on the workspace ID and system alert ID that you have specified. | fetch_alert_query (Investigation)

operation: Get All Threat Intelligence Indicators

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "lastReportedDateTime": "",
     "networkIPv6": "",
     "externalId": "",
     "domainName": "",
     "emailSenderAddress": "",
     "networkDestinationCidrBlock": "",
     "fileCompileDateTime": "",
     "networkPort": "",
     "emailLanguage": "",
     "tlpLevel": "",
     "emailSourceDomain": "",
     "knownFalsePositives": "",
     "azureTenantId": "",
     "malwareFamilyNames": [],
     "networkDestinationPort": "",
     "fileSize": "",
     "networkDestinationIPv4": "",
     "emailSubject": "",
     "ingestedDateTime": "",
     "filePath": "",
     "expirationDateTime": "",
     "networkSourceAsn": "",
     "networkSourceCidrBlock": "",
     "networkDestinationAsn": "",
     "killChain": [],
     "networkProtocol": "",
     "diamondModel": "",
     "networkDestinationIPv6": "",
     "userAgent": "",
     "action": "",
     "emailRecipient": "",
     "tags": [],
     "fileCreatedDateTime": "",
     "networkIPv4": "",
     "fileHashType": "",
     "emailXMailer": "",
     "networkSourceIPv6": "",
     "emailEncoding": "",
     "additionalInformation": "",
     "networkSourceIPv4": "",
     "description": "",
     "fileMutexName": "",
     "networkCidrBlock": "",
     "vendorInformation": {
         "vendor": "",
         "provider": "",
         "providerVersion": "",
         "subProvider": ""
     },
     "targetProduct": "",
     "emailSourceIpAddress": "",
     "threatType": "",
     "emailSenderName": "",
     "passiveOnly": "",
     "activityGroupNames": [],
     "confidence": "",
     "fileName": "",
     "networkSourcePort": "",
     "severity": "",
     "filePacker": "",
     "fileType": "",
     "fileHashValue": "",
     "isActive": "",
     "url": ""
}

operation: Get Threat Intelligence Indicator

Input parameters

Parameter Description
Threat Intelligence Indicator ID Unique GUID or ID (generated by the system when the indicator was ingested) of the threat intelligence indicator that you want to retrieve from Azure Sentinel.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "lastReportedDateTime": "",
     "networkIPv6": "",
     "externalId": "",
     "domainName": "",
     "emailSenderAddress": "",
     "networkDestinationCidrBlock": "",
     "fileCompileDateTime": "",
     "networkPort": "",
     "emailLanguage": "",
     "tlpLevel": "",
     "emailSourceDomain": "",
     "knownFalsePositives": "",
     "azureTenantId": "",
     "malwareFamilyNames": [],
     "networkDestinationPort": "",
     "fileSize": "",
     "networkDestinationIPv4": "",
     "emailSubject": "",
     "ingestedDateTime": "",
     "filePath": "",
     "expirationDateTime": "",
     "networkSourceAsn": "",
     "networkSourceCidrBlock": "",
     "networkDestinationAsn": "",
     "killChain": [],
     "networkProtocol": "",
     "diamondModel": "",
     "networkDestinationIPv6": "",
     "userAgent": "",
     "action": "",
     "emailRecipient": "",
     "tags": [],
     "fileCreatedDateTime": "",
     "networkIPv4": "",
     "fileHashType": "",
     "emailXMailer": "",
     "networkSourceIPv6": "",
     "emailEncoding": "",
     "additionalInformation": "",
     "networkSourceIPv4": "",
     "description": "",
     "fileMutexName": "",
     "networkCidrBlock": "",
     "@odata.context": "",
     "vendorInformation": {
         "vendor": "",
         "provider": "",
         "providerVersion": "",
         "subProvider": ""
     },
     "targetProduct": "",
     "emailSourceIpAddress": "",
     "threatType": "",
     "emailSenderName": "",
     "passiveOnly": "",
     "activityGroupNames": [],
     "confidence": "",
     "fileName": "",
     "networkSourcePort": "",
     "severity": "",
     "filePacker": "",
     "fileType": "",
     "fileHashValue": "",
     "isActive": "",
     "url": ""
}

operation: Create Threat Intelligence Indicator

Input parameters

Parameter Description
Action Action that you want to perform if the indicator is matched in the target product security tool. You can choose from the following options: Unknown, Allow, Block, or Alert.
Description Brief description (100 characters or less) of the threat represented by the indicator that you want to create in Azure Sentinel.
Target Product Security product to which you want to apply the indicator that you are creating in Azure Sentinel.
Threat Type Type of threat that you want to assign to the indicator that you are creating in Azure Sentinel. You can choose from the following options: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, or WatchList.
Traffic Light Protocol Value of the traffic light protocol that you want to assign to the indicator that you are creating in Azure Sentinel. You can choose from the following options: Unknown, White, Green, Amber, or Red.
Object Indicator observables based on which you want to create the threat intelligence indicator in Azure Sentinel. You can choose from the following options: Email, File, or Network.
If you select Email, then you must specify the following parameters:
  • Email Encoding: Type of text encoding used in the email.
  • Email Language: Language of the email.
  • Email Recipient: Email address of the recipient.
  • Email Sender Address: Email address of the sender, who could be the attacker or the victim.
  • Email Sender Name: Sender (displayed) name of the sender, who could be the attacker or the victim.
  • Email Source Domain: Source Domain that is used in the email.
  • Email Source IP Address: Source IP address of the email.
  • Email Subject: Subject line of the email.
  • Email X-Mailer: X-Mailer value that is used in the email.
If you select File, then you must specify the following parameters:
  • File Compile Time: Datetime when the file was compiled. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC.
  • File Created Date Time: Datetime when the file was created. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC.
  • File Hash Type: Type of hash stored in the file. You can choose from the following options: Unknown, Sha1, Sha256, Md5, AuthenticodeHash256, LsHash, or Ctph.
  • File Hash Value: Value of the file hash that will be used to create the threat intelligence indicator.
  • File Mutex Name: Mutex name that will be used in file-based detections.
  • File Name: Name of the file that contains the indicator. You can specify multiple filenames using comma-based separators.
  • File Packer: Packer used to build the file for which you are creating the threat intelligence indicator in Azure Sentinel.
  • File Path: Path of the file that contains the IOCs. You can specify the path as a 'Windows' path or a 'nix-style' path.
  • File Size: Size of the file in bytes.
  • File Type: Type of file, such as a Word document or a binary file.
If you select Network, then you must specify the following parameters:
  • Domain Name: Name of the domain associated with the indicator.
  • Network CIDR Block: CIDR Block notation representation of the network referenced in the indicator. Use the field only if you cannot identify the network source and network destination.
  • Network Destination Autonomous: Destination autonomous system identifier of the network referenced in the indicator.
  • Network Destination CIDR Block: CIDR Block notation representation of the destination network in the indicator.
  • Network Destination IPV4: IPv4 network destination address referenced in the indicator.
  • Network Destination IPV6: IPv6 network destination address referenced in the indicator.
  • Network Destination Port: TCP port of the network destination referenced in the indicator.
  • Network IPV4: IPv4 network address referenced in the indicator. Use the field only if you cannot identify the network source and network destination.
  • Network IPV6: IPv6 network address referenced in the indicator. Use the field only if you cannot identify the network source and network destination.
  • Network Port: TCP port referenced in the indicator. Use the field only if you cannot identify the network source and network destination.
  • Network Protocol: Decimal representation of the protocol field in the IPv4 header that is referenced in the indicator.
  • Network Source Autonomous: Source autonomous system identifier of the network referenced in the indicator.
  • Network Source CIDR Block: CIDR Block notation representation of the source network in the indicator.
  • Network Source IPV4: IPv4 network source address referenced in the indicator.
  • Network Source IPV6: IPv6 network source address referenced in the indicator.
  • Network Source Port: TCP port of the network source referenced in the indicator.
  • URL: URL referenced in the indicator. The entered URL must comply with RFC 1738.
  • User Agent: User-Agent string from a web request that could indicate a compromise.
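
How the Create inputs above turn into the body of the Graph request, as an added example that is not the connector's code: the checks mirror the constraints in the table (100-character description, the enumerated Action, Threat Type, TLP and File Hash Type values, one observable group of Email, File or Network, an RFC 1738 URL) and add hash-length and IP-version checks a defender wants before an indicator reaches a blocking product. The field names are those of the output schema below; the camelCase enum values and the mandatory expirationDateTime come from Graph's tiIndicator resource, while the 30-day default expiry is an assumption.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Allowed values from the input table above, in the camelCase form Graph's enums use.
ACTIONS = {"unknown", "allow", "block", "alert"}
TLP_LEVELS = {"unknown", "white", "green", "amber", "red"}
THREAT_TYPES = {"Botnet", "C2", "CryptoMining", "Darknet", "DDoS", "MaliciousUrl",
                "Malware", "Phishing", "Proxy", "PUA", "WatchList"}
HASH_TYPES = {"unknown", "sha1", "sha256", "md5", "authenticodeHash256", "lsHash", "ctph"}
HASH_HEX_LENGTH = {"md5": 32, "sha1": 40, "sha256": 64}

# Graph tiIndicator fields grouped by the connector's 'Object' choice.
OBSERVABLES = {
    "Email": {"emailEncoding", "emailLanguage", "emailRecipient", "emailSenderAddress",
              "emailSenderName", "emailSourceDomain", "emailSourceIpAddress",
              "emailSubject", "emailXMailer"},
    "File": {"fileCompileDateTime", "fileCreatedDateTime", "fileHashType", "fileHashValue",
             "fileMutexName", "fileName", "filePacker", "filePath", "fileSize", "fileType"},
    "Network": {"domainName", "networkCidrBlock", "networkDestinationAsn",
                "networkDestinationCidrBlock", "networkDestinationIPv4",
                "networkDestinationIPv6", "networkDestinationPort", "networkIPv4",
                "networkIPv6", "networkPort", "networkProtocol", "networkSourceAsn",
                "networkSourceCidrBlock", "networkSourceIPv4", "networkSourceIPv6",
                "networkSourcePort", "url", "userAgent"},
}
IP_FIELDS = {"networkIPv4", "networkIPv6", "networkSourceIPv4", "networkSourceIPv6",
             "networkDestinationIPv4", "networkDestinationIPv6", "emailSourceIpAddress"}
CIDR_FIELDS = {"networkCidrBlock", "networkSourceCidrBlock", "networkDestinationCidrBlock"}
PORT_FIELDS = {"networkPort", "networkSourcePort", "networkDestinationPort"}


def graph_enum(value):
    """'AuthenticodeHash256' -> 'authenticodeHash256': the casing Graph's enums use."""
    return value[:1].lower() + value[1:]


def build_ti_indicator(action, description, target_product, threat_type, tlp_level,
                       observable, expires_in_days=30, **fields):
    """Validate Create Threat Intelligence Indicator inputs and return (body, errors);
    body is the JSON for POST /v1.0/security/tiIndicators, or None if anything was rejected."""
    errors = []
    action, tlp_level = graph_enum(action), graph_enum(tlp_level)
    if action not in ACTIONS:
        errors.append("action must be one of %s" % sorted(ACTIONS))
    if not description or len(description) > 100:
        errors.append("description must be 1-100 characters")
    if not target_product:
        errors.append("targetProduct is required")
    if threat_type not in THREAT_TYPES:
        errors.append("threatType must be one of %s" % sorted(THREAT_TYPES))
    if tlp_level not in TLP_LEVELS:
        errors.append("tlpLevel must be one of %s" % sorted(TLP_LEVELS))
    allowed = OBSERVABLES.get(observable)
    if allowed is None:
        errors.append("observable must be Email, File or Network")
    else:
        stray = set(fields) - allowed
        if stray:
            errors.append("fields not valid for %s observable: %s" % (observable, sorted(stray)))
        if not set(fields) & allowed:
            errors.append("at least one %s field is required" % observable)
    for name, value in fields.items():
        if name in IP_FIELDS:
            try:
                version = ipaddress.ip_address(value).version
                if (name.endswith("IPv4") and version != 4) or (name.endswith("IPv6") and version != 6):
                    errors.append("%s has the wrong IP version" % name)
            except ValueError:
                errors.append("%s is not a valid IP address" % name)
        elif name in CIDR_FIELDS:
            try:
                ipaddress.ip_network(value, strict=False)
            except ValueError:
                errors.append("%s is not valid CIDR notation" % name)
        elif name in PORT_FIELDS and not (isinstance(value, int) and 0 <= value <= 65535):
            errors.append("%s must be an integer in 0-65535" % name)
        elif name == "url" and not re.match(r"[a-z][a-z0-9+.-]*://", str(value), re.I):
            errors.append("url must start with a scheme, e.g. http:// (RFC 1738)")
    if "fileHashType" in fields:
        fields["fileHashType"] = graph_enum(fields["fileHashType"])
        htype, hval = fields["fileHashType"], str(fields.get("fileHashValue", ""))
        if htype not in HASH_TYPES:
            errors.append("fileHashType must be one of %s" % sorted(HASH_TYPES))
        elif htype in HASH_HEX_LENGTH and not re.fullmatch(r"[0-9a-fA-F]{%d}" % HASH_HEX_LENGTH[htype], hval):
            errors.append("fileHashValue is not a %d-hex-digit %s" % (HASH_HEX_LENGTH[htype], htype))
    if errors:
        return None, errors
    # Graph rejects a tiIndicator without expirationDateTime (ISO 8601, UTC);
    # the 30-day default is an assumption, not something the connector documents.
    expires = datetime.now(timezone.utc) + timedelta(days=expires_in_days)
    body = {"action": action, "description": description, "targetProduct": target_product,
            "threatType": threat_type, "tlpLevel": tlp_level,
            "expirationDateTime": expires.strftime("%Y-%m-%dT%H:%M:%SZ")}
    body.update(fields)
    return body, []
```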

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "lastReportedDateTime": "",
     "networkIPv6": "",
     "externalId": "",
     "domainName": "",
     "emailSenderAddress": "",
     "networkDestinationCidrBlock": "",
     "fileCompileDateTime": "",
     "networkPort": "",
     "emailLanguage": "",
     "tlpLevel": "",
     "emailSourceDomain": "",
     "knownFalsePositives": "",
     "api_version": "",
     "azureTenantId": "",
     "malwareFamilyNames": [],
     "networkDestinationPort": "",
     "fileSize": "",
     "networkDestinationIPv4": "",
     "emailSubject": "",
     "ingestedDateTime": "",
     "filePath": "",
     "expirationDateTime": "",
     "networkSourceAsn": "",
     "networkSourceCidrBlock": "",
     "networkDestinationAsn": "",
     "killChain": [],
     "networkProtocol": "",
     "diamondModel": "",
     "networkDestinationIPv6": "",
     "userAgent": "",
     "action": "",
     "emailRecipient": "",
     "tags": [],
     "fileCreatedDateTime": "",
     "networkIPv4": "",
     "fileHashType": "",
     "emailXMailer": "",
     "networkSourceIPv6": "",
     "emailEncoding": "",
     "additionalInformation": "",
     "networkSourceIPv4": "",
     "description": "",
     "fileMutexName": "",
     "networkCidrBlock": "",
     "@odata.context": "",
     "vendorInformation": {
         "vendor": "",
         "provider": "",
         "providerVersion": "",
         "subProvider": ""
     },
     "targetProduct": "",
     "emailSourceIpAddress": "",
     "threatType": "",
     "emailSenderName": "",
     "passiveOnly": "",
     "activityGroupNames": [],
     "confidence": "",
     "fileName": "",
     "networkSourcePort": "",
     "severity": "",
     "filePacker": "",
     "fileType": "",
     "fileHashValue": "",
     "isActive": "",
     "url": ""
}

operation: Delete Threat Intelligence Indicator

Input parameters

Parameter Description
ID Unique GUID or ID (generated by the system when the indicator was ingested) of the threat intelligence indicator that you want to delete from Azure Sentinel.

Output

The output contains the following populated JSON schema:
{
     "result": ""
}

operation: Update Threat Intelligence Indicator

Input parameters

Parameter Description
ID Unique GUID or ID (generated by the system when the indicator was ingested) of the threat intelligence indicator that you want to update in Azure Sentinel.
Target Product Security product to which you want to apply the indicator that you are updating in Azure Sentinel.
Action (Optional) Action that you want to perform if the indicator is matched in the target product security tool. You can choose from the following options: Unknown, Allow, Block, or Alert.
Description (Optional) Brief description (100 characters or less) of the threat represented by the indicator that you want to update in Azure Sentinel.
Severity (Optional) Integer value representing the severity of the malicious behavior identified by the data within the indicator that you want to update in Azure Sentinel. You can enter any value from 0 to 5, where 5 is the most severe and 0 is not severe. The default value is 3.
Traffic Light Protocol (Optional) Value of the traffic light protocol that you want to assign to the indicator that you are updating in Azure Sentinel. You can choose from the following options: Unknown, White, Green, Amber, or Red.
Is Active (Optional) Clear this checkbox, i.e., set it to 'False', to deactivate the indicator within the system. By default, this checkbox is selected, i.e., any indicator submitted is set as active. However, providers might submit existing indicators with this set to 'False' to deactivate indicators in the system.
Confidence (Optional) Integer value representing the confidence in the accuracy of the data within the indicator that identifies malicious behavior. You can enter any value from 0 to 100, where 100 is the highest.
Diamond Model (Optional) Area of the diamond model in which this indicator exists. You can choose from the following options: Unknown, Adversary, Capability, Infrastructure, or Victim.
Tag (Optional) JSON array of strings that stores arbitrary tags or keywords that you want to associate with the threat intelligence indicator in Azure Sentinel. You can specify multiple tags using comma-based separators.

Output

The output contains the following populated JSON schema:
{
     "result": ""
}

operation: Get Alert

Input parameters

Parameter Description
Alert ID Unique Alert ID that is generated by the provider when an alert is created in Azure Sentinel based on which you want to retrieve a specific alert from Azure Sentinel.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "tags": "",
     "processes": "",
     "cloudAppStates": "",
     "vendorInformation": {
         "vendor": "",
         "provider": "",
         "providerVersion": "",
         "subProvider": ""
     },
     "userStates": "",
     "closedDateTime": "",
     "vulnerabilityStates": "",
     "malwareStates": "",
     "assignedTo": "",
     "registryKeyStates": "",
     "networkConnections": "",
     "azureSubscriptionId": "",
     "azureTenantId": "",
     "activityGroupName": "",
     "lastModifiedDateTime": "",
     "description": "",
     "createdDateTime": "",
     "@odata.context": "",
     "title": "",
     "hostStates": "",
     "sourceMaterials": "",
     "riskScore": "",
     "detectionIds": "",
     "feedback": "",
     "category": "",
     "comments": "",
     "confidence": "",
     "eventDateTime": "",
     "historyStates": "",
     "recommendedActions": "",
     "fileStates": "",
     "triggers": "",
     "severity": "",
     "status": ""
}

operation: Update Alert

Input parameters

Parameter Description
Alert ID Unique Alert ID (generated by the provider when the alert was created in Azure Sentinel) of the alert that you want to update in Azure Sentinel.
Status Status (life cycle status) of the alert that you want to update in Azure Sentinel. You can choose from the following options: Unknown, NewAlert, InProgress, or Resolved.
Provider Specific provider of product or service in Azure Sentinel that you want to update in the alert in Azure Sentinel. For example, WindowsDefenderATP. 
Vendor Name of the vendor of the alert that you want to update in the alert in Azure Sentinel. For example, Microsoft. 
Assigned To (Optional) Name of the analyst to whom you want to assign the alert that you are updating in Azure Sentinel, for triage, investigation, or remediation.
Close Time Time at which the alert was closed in Azure Sentinel. The timestamp type represents date and time information using ISO 8601 format and is always in the UTC time.
Comments (Optional) Analyst comments that you want to update in the specific alert in Azure Sentinel.
Feedback (Optional) Analyst feedback on the alert that you want to update in Azure Sentinel. You can choose from the following options: Unknown, TruePositive, FalsePositive, or BenignPositive.
Tag (Optional) JSON array of strings that store user-definable labels that can be applied to the alert that you want to update in Azure Sentinel, and which can serve as filter conditions. You can specify multiple tags using comma-based separators.
Provider Version (Optional) Version of the provider or subprovider, if it exists, that generated the alert that you want to update in Azure Sentinel. 
Sub Provider (Optional) Specific sub-provider under the aggregating provider in Azure Sentinel for the alert that you want to update in Azure Sentinel. For example, WindowsDefenderATP.SmartScreen.

Output

The output contains the following populated JSON schema:
{
     "result": ""
}

operation: Get All Secure Scores

Input parameters

Parameter Description
Azure Tenant ID ID of the tenant that is assigned to you by the Azure application registration portal (Azure Active Directory) whose secure scores you want to retrieve from Azure Sentinel.

Output

The output contains the following populated JSON schema:
{
     "value": [
         {
             "currentScore": "",
             "maxScore": "",
             "averageComparativeScores": [
                 {
                     "identityScore": "",
                     "seatSizeRangeLowerValue": "",
                     "basis": "",
                     "averageScore": "",
                     "seatSizeRangeUpperValue": "",
                     "dataScore": "",
                     "deviceScore": "",
                     "categoryValue": ""
                 }
             ],
             "controlScores": [
                 {
                     "score": "",
                     "controlName": "",
                     "count": "",
                     "total": "",
                     "controlCategory": "",
                     "description": ""
                 }
             ],
             "enabledServices": "",
             "activeUserCount": "",
             "id": "",
             "azureTenantId": "",
             "licensedUserCount": "",
             "createdDateTime": ""
         }
     ]
}

operation: Get All Secure Score Control Profiles

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "title": "",
     "remediationImpact": "",
     "actionUrl": "",
     "implementationCost": "",
     "threats": [
         ""
     ],
     "userImpact": "",
     "maxScore": "",
     "deprecated": "",
     "tier": "",
     "controlStateUpdates": [
         {
             "comment": "",
             "updatedDateTime": "",
             "updatedBy": "",
             "assignedTo": "",
             "state": ""
         }
     ],
     "remediation": "",
     "actionType": "",
     "controlCategory": "",
     "service": "",
     "complianceInformation": [
         {
             "certificationControls": [
                 {
                     "name": "",
                     "url": ""
                 }
             ],
             "certificationName": ""
         }
     ],
     "azureTenantId": "",
     "vendorInformation": {
         "vendor": "",
         "provider": "",
         "providerVersion": "",
         "subProvider": ""
     },
     "lastModifiedDateTime": "",
     "rank": ""
}

operation: Get Incident

Input parameters

Parameter Description
Incident ID ID of the incident that you want to retrieve from Azure Sentinel.
Workspace Subscription ID Azure active directory subscription ID from which you want to retrieve the incident from Azure Sentinel.
Workspace Resource Group Azure active directory resource group from which you want to retrieve the incident from Azure Sentinel.
Workspace Name Name of the workspace from which you want to retrieve the incident from Azure Sentinel.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "name": "",
     "etag": "",
     "type": "",
     "properties": {
         "title": "",
         "description": "",
         "severity": "",
         "status": "",
         "owner": {
             "objectId": "",
             "email": "",
             "assignedTo": "",
             "userPrincipalName": ""
         },
         "labels": [],
         "firstActivityTimeUtc": "",
         "lastActivityTimeUtc": "",
         "lastModifiedTimeUtc": "",
         "createdTimeUtc": "",
         "incidentNumber": "",
         "additionalData": {
             "alertsCount": "",
             "bookmarksCount": "",
             "commentsCount": "",
             "alertProductNames": [],
             "tactics": []
         },
         "relatedAnalyticRuleIds": [],
         "incidentUrl": ""
     }
}

operation: Get Incident List

Input parameters

Parameter Description
Workspace Subscription ID Azure Active Directory subscription ID from which you want to retrieve incidents from Azure Sentinel.
Workspace Resource Group Azure Active Directory resource group from which you want to retrieve incidents from Azure Sentinel.
Workspace Name Name of the workspace from which you want to retrieve incidents from Azure Sentinel.
Search Query (Optional) Query using which you want to filter the incidents to be retrieved from Azure Sentinel. OData filter queries are supported on: "Id", "CreatedDateTime", "Status", "Severity", and "Category". For example, [createdDateTime gt 2019-09-22T00:00:00Z] retrieves all incidents that were created after 2019-09-22T00:00:00Z.
Order By (Optional) Order in which you want to sort the results retrieved from Azure Sentinel. You can specify asc or desc. By default, this is set to asc.
Number of Incidents to Fetch (Optional) Maximum number of incidents that this operation should return from Azure Sentinel.
Skip Token (Optional) Use the skip token only if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element includes a skiptoken parameter that specifies the starting point to use for subsequent calls.
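
Building the Get Incident List request from these parameters and following nextLink/skiptoken across pages, as an added example that is not the connector's code. The Azure Sentinel incidents REST path under Azure Resource Manager and the value/nextLink response shape are Microsoft's; the api-version, the field used for Order By and the injected get_json transport (so the paging runs offline against constructed pages) are assumptions.

```python
import urllib.parse

ARM = "https://management.azure.com"
INCIDENTS_PATH = ("/subscriptions/{sub}/resourceGroups/{rg}"
                  "/providers/Microsoft.OperationalInsights/workspaces/{ws}"
                  "/providers/Microsoft.SecurityInsights/incidents")
API_VERSION = "2020-01-01"  # assumed stable api-version of the incidents API


def incident_list_url(subscription_id, resource_group, workspace,
                      search_query=None, order_by="asc", top=None, skip_token=None):
    """First-page URL for Get Incident List built from the connector's parameters."""
    if order_by not in ("asc", "desc"):
        raise ValueError("Order By must be 'asc' or 'desc'")
    params = {
        "api-version": API_VERSION,
        # Assumed sort key: the documentation says only asc/desc, not which field.
        "$orderby": "properties/createdTimeUtc " + order_by,
    }
    if search_query:
        # The documentation's example wraps the filter in [ ]; strip those before sending.
        params["$filter"] = search_query.strip().strip("[]")
    if top is not None:
        if not (isinstance(top, int) and top > 0):
            raise ValueError("Number of Incidents to Fetch must be a positive integer")
        params["$top"] = str(top)
    if skip_token:
        params["$skipToken"] = skip_token
    path = INCIDENTS_PATH.format(sub=urllib.parse.quote(subscription_id, safe=""),
                                 rg=urllib.parse.quote(resource_group, safe=""),
                                 ws=urllib.parse.quote(workspace, safe=""))
    return ARM + path + "?" + urllib.parse.urlencode(params)


def skip_token_from(next_link):
    """Pull $skipToken out of a nextLink so it can be stored for a later call."""
    query = urllib.parse.urlparse(next_link).query
    return urllib.parse.parse_qs(query).get("$skipToken", [None])[0]


def list_incidents(get_json, first_url, max_incidents=None):
    """Collect incidents across pages. get_json(url) -> dict is the authenticated GET,
    injected so the paging logic can be exercised without network access."""
    incidents, url, seen = [], first_url, set()
    while url:
        if url in seen:  # a server echoing the same nextLink would otherwise spin forever
            raise RuntimeError("pagination loop detected at %s" % url)
        seen.add(url)
        page = get_json(url)
        incidents.extend(page.get("value", []))
        if max_incidents is not None and len(incidents) >= max_incidents:
            return incidents[:max_incidents]  # honour Number of Incidents to Fetch
        url = page.get("nextLink")  # carries $skipToken for the next page, absent on the last
    return incidents
```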

Output

The output contains the following populated JSON schema:
{
     "value": [
         {
             "id": "",
             "name": "",
             "etag": "",
             "type": "",
             "properties": {
                 "title": "",
                 "description": "",
                 "severity": "",
                 "status": "",
                 "owner": {
                     "objectId": "",
                     "email": "",
                     "assignedTo": "",
                     "userPrincipalName": ""
                 },
                 "labels": [],
                 "firstActivityTimeUtc": "",
                 "lastActivityTimeUtc": "",
                 "lastModifiedTimeUtc": "",
                 "createdTimeUtc": "",
                 "incidentNumber": "",
                 "additionalData": {
                     "alertsCount": "",
                     "bookmarksCount": "",
                     "commentsCount": "",
                     "alertProductNames": [],
                     "tactics": []
                 },
                 "relatedAnalyticRuleIds": [],
                 "incidentUrl": ""
             }
         }
     ]
}

operation: Update Incident

Input parameters

Parameter Description
Incident ID ID of the incident that you want to update in Azure Sentinel.
Workspace Subscription ID Azure Active Directory subscription ID of the workspace in which you want to update the incident in Azure Sentinel.
Workspace Resource Group Azure Active Directory resource group of the workspace in which you want to update the incident in Azure Sentinel.
Workspace Name Name of the workspace in which you want to update the incident in Azure Sentinel.
Etag (Optional) ETag of the incident that you want to update in Azure Sentinel.
Severity (Optional) Updates the severity of the specified incident in Azure Sentinel. You can choose from the following options: Critical, High, Medium, Low, or Informational.
Status (Optional) Updates the status of the specified incident in Azure Sentinel. You can choose from the following options: Active, New, or Closed.
Title (Optional) Title of the specified incident that you want to update in Azure Sentinel.
Description (Optional) Description of the specified incident that you want to update in Azure Sentinel.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "name": "",
     "etag": "",
     "type": "",
     "properties": {
         "title": "",
         "severity": "",
         "status": "",
         "owner": {
             "objectId": "",
             "email": "",
             "assignedTo": "",
             "userPrincipalName": ""
         },
         "labels": [],
         "lastModifiedTimeUtc": "",
         "createdTimeUtc": "",
         "incidentNumber": "",
         "additionalData": {
             "alertsCount": "",
             "bookmarksCount": "",
             "commentsCount": "",
             "alertProductNames": [],
             "tactics": []
         },
         "relatedAnalyticRuleIds": [],
         "incidentUrl": ""
     }
}

operation: Get Alert List

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Search Query Query with which you want to filter the alerts retrieved from Azure Sentinel. OData filter queries are supported on "Id", "CreatedDateTime", "Status", "Severity", and "Category".
For example, [createdDateTime gt 2019-09-22T00:00:00Z] retrieves all the alerts that were created after 2019-09-22T00:00:00Z.
Created Date Creation datetime based on which you want to retrieve alerts from Azure Sentinel.
Order By Order in which you want to sort the results retrieved from Azure Sentinel. You can specify asc or desc. By default, this is set to asc.
Number of Alerts to Fetch Maximum number of alerts that this operation should return from Azure Sentinel.
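The Search Query, Order By, count and skiptoken inputs of Get Incident List and Get Alert List above describe one request pattern. As an added example (not the connector's own code), the following builds that query and walks the nextLink/skiptoken pages, with the HTTP call replaced by an injected function over constructed pages; the sort field, the single-clause filter shape and the $skiptoken parameter name are assumptions.

```python
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, urlparse

# Filter fields the page lists as supported; matched case-insensitively (assumption).
FILTERABLE = {"id", "createddatetime", "status", "severity", "category"}
# Comparison operators accepted in the single "<field> <op> <value>" clause checked here.
OPERATORS = {"eq", "ne", "gt", "ge", "lt", "le"}
# Assumption: the page does not name the sort field; this example sorts on createdDateTime.
SORT_FIELD = "createdDateTime"


def validate_filter(query: str) -> str:
    """Accept only one '<field> <op> <value>' clause on a listed field.
    The square brackets used in the page's example are stripped; nothing else is rewritten."""
    clause = query.strip().strip("[]").strip()
    parts = clause.split(None, 2)
    if len(parts) != 3:
        raise ValueError(f"filter must be '<field> <op> <value>': {query!r}")
    field, op, _value = parts
    if field.lower() not in FILTERABLE:
        raise ValueError(f"unsupported filter field: {field}")
    if op.lower() not in OPERATORS:
        raise ValueError(f"unsupported operator: {op}")
    return clause


def build_query(search_query: Optional[str] = None, order_by: str = "asc",
                top: Optional[int] = None, skip_token: Optional[str] = None) -> Dict[str, str]:
    """Translate the operation's inputs into OData query parameters."""
    if order_by not in ("asc", "desc"):
        raise ValueError("Order By must be 'asc' or 'desc'")
    params = {"$orderby": f"{SORT_FIELD} {order_by}"}
    if search_query:
        params["$filter"] = validate_filter(search_query)
    if top is not None:
        if top <= 0:
            raise ValueError("Number of Alerts to Fetch must be a positive integer")
        params["$top"] = str(top)
    if skip_token:
        params["$skiptoken"] = skip_token
    return params


def rejects(**kwargs) -> bool:
    """True when build_query refuses the given inputs (used to demonstrate the checks)."""
    try:
        build_query(**kwargs)
    except ValueError:
        return True
    return False


def extract_skip_token(next_link: str) -> Optional[str]:
    """Pull the skiptoken out of a nextLink URL; the key's case differs between the APIs."""
    for key, values in parse_qs(urlparse(next_link).query).items():
        if key.lower() == "$skiptoken" and values:
            return values[0]
    return None


def iterate_pages(fetch: Callable[[Dict[str, str]], dict], params: Dict[str, str],
                  max_pages: int = 100) -> Iterator[dict]:
    """Yield items page by page, re-issuing the same query with each new skiptoken.
    max_pages stops a playbook from looping forever if the service keeps returning tokens."""
    page_params = dict(params)
    for _ in range(max_pages):
        body = fetch(page_params)
        yield from body.get("value", [])
        next_link = body.get("@odata.nextLink") or body.get("nextLink")
        if not next_link:
            return
        token = extract_skip_token(next_link)
        if token is None:
            return
        page_params = {**params, "$skiptoken": token}
    raise RuntimeError(f"still receiving nextLink after {max_pages} pages")


def list_alerts(fetch: Callable[[Dict[str, str]], dict], search_query: Optional[str] = None,
                order_by: str = "asc", limit: Optional[int] = None) -> List[dict]:
    """Collect alerts across pages, honouring the caller's maximum even if a page overshoots it."""
    params = build_query(search_query, order_by, top=limit)
    results: List[dict] = []
    for alert in iterate_pages(fetch, params):
        results.append(alert)
        if limit is not None and len(results) >= limit:
            break
    return results


# Constructed sample pages (not real Graph data): the first page hands out a skiptoken.
SAMPLE_PAGES = {
    None: {
        "value": [{"id": "alert-1", "severity": "high"}, {"id": "alert-2", "severity": "low"}],
        "@odata.nextLink": "https://graph.example.invalid/v1.0/security/alerts?$skiptoken=page2",
    },
    "page2": {"value": [{"id": "alert-3", "severity": "medium"}]},
}


def constructed_fetch(params: Dict[str, str]) -> dict:
    """Offline stand-in for the HTTP call; returns the page the skiptoken selects."""
    return SAMPLE_PAGES[params.get("$skiptoken")]


if __name__ == "__main__":
    for alert in list_alerts(constructed_fetch, "[createdDateTime gt 2019-09-22T00:00:00Z]", "desc"):
        print(alert["id"], alert["severity"])
```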

Output

The output contains the following populated JSON schema:
{
     "@odata.context": "",
     "value": [
         {
             "id": "",
             "azureTenantId": "",
             "azureSubscriptionId": "",
             "riskScore": "",
             "tags": [],
             "activityGroupName": "",
             "assignedTo": "",
             "category": "",
             "closedDateTime": "",
             "comments": [],
             "confidence": "",
             "createdDateTime": "",
             "description": "",
             "detectionIds": [],
             "eventDateTime": "",
             "feedback": "",
             "incidentIds": [],
             "lastEventDateTime": "",
             "lastModifiedDateTime": "",
             "recommendedActions": [],
             "severity": "",
             "sourceMaterials": [],
             "status": "",
             "title": "",
             "vendorInformation": {
                 "provider": "",
                 "providerVersion": "",
                 "subProvider": "",
                 "vendor": ""
             },
             "alertDetections": [],
             "cloudAppStates": [],
             "fileStates": [],
             "hostStates": [],
             "historyStates": [],
             "investigationSecurityStates": [],
             "malwareStates": [],
             "messageSecurityStates": [],
             "networkConnections": [],
             "processes": [],
             "registryKeyStates": [],
             "securityResources": [],
             "triggers": [],
             "userStates": [],
             "uriClickSecurityStates": [],
             "vulnerabilityStates": []
         }
     ]
}

operation: Get Alert Events

Input parameters

Parameter Description
Workspace ID Azure Sentinel's workspace ID from which you want to retrieve the events associated with specific alerts.
Search Query Query using which you want to filter events associated with a specific alert that you want to retrieve from Azure Sentinel.

Output

The output contains a non-dictionary value.

operation: Fetch Alert Query

Input parameters

Parameter Description
Workspace ID Azure Sentinel's workspace ID from which you want to retrieve the query associated with specific alerts.
System Alert ID Azure Sentinel's system alert ID from which you want to retrieve the query associated with specific alerts.

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - Azure Sentinel - 1.1.0 playbook collection comes bundled with the Azure Sentinel connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Azure Sentinel connector.

  • > AzureSentinel > Fetch
  • > AzureSentinel > Ingest
  • >> AzureSentinel > Init Macros
  • Azure Sentinel > Post Create Alert > Fetch Events
  • Create Threat Intelligence Indicator
  • Delete Threat Intelligence Indicator
  • Fetch Alert Query
  • Get Alert
  • Get Alert Events
  • Get Alert List
  • Get All Secure Score Control Profiles
  • Get All Secure Scores
  • Get All Threat Intelligence Indicators
  • Get Incident
  • Get Incident List
  • Get Threat Intelligence Indicator
  • Update Alert
  • Update Incident
  • Update Threat Intelligence Indicator

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alerts and their associated "events" from Azure Sentinel. Currently, "alerts" in Azure Sentinel are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Azure Sentinel "alerts" to FortiSOAR™ "Alerts".

The Data Ingestion Wizard enables you to configure scheduled pulling of data from Azure Sentinel into FortiSOAR™. It also lets you pull some sample data from Azure Sentinel, using which you can define the mapping of data between Azure Sentinel and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users mostly need to map only the custom fields that have been added to the Azure Sentinel alert.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Azure Sentinel connector’s "Configurations" page. 
    Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.

    Sample data is required to create a field mapping between Azure Sentinel data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
  2. On the Fetch Data screen, provide the configurations required to fetch Azure Sentinel data.
    You can choose to pull data from Azure Sentinel by specifying a search query based on which alerts are retrieved. You can also specify the maximum number of alerts that the query should retrieve, and the last X minutes in which the alerts must have been created or updated in Azure Sentinel.
    The fetched data is used to create a mapping between the Azure Sentinel data and FortiSOAR™ alerts.

    Once you have completed specifying the configurations, click Fetch Data.
  3. On the Field Mapping screen, map the fields of an Azure Sentinel alert to the fields of an alert present in FortiSOAR™. 
    To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the title parameter of an Azure Sentinel alert to the Name parameter of a FortiSOAR™ alert, click the Name field and then click the title field to populate its keys:

    For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping the fields, click Save Mapping & Continue.

  4. Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Azure Sentinel, so that the content gets pulled from the Azure Sentinel integration into FortiSOAR™. 
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.    
    In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from Azure Sentinel every 5 minutes, click Every X Minute, and in the minute box enter */5. This would mean that based on the configuration you have set up, data, i.e., alerts will be pulled from Azure Sentinel every 5 minutes.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.

The following table lists the permissions that you have to assign, in the Azure portal, for each operation:

Action | Delegate Permission | Application Permission
Get Alert List | SecurityEvents.Read.All, SecurityEvents.ReadWrite.All | SecurityEvents.Read.All, SecurityEvents.ReadWrite.All
Get Alert | SecurityEvents.Read.All, SecurityEvents.ReadWrite.All | SecurityEvents.Read.All, SecurityEvents.ReadWrite.All
Update Alert | SecurityEvents.Read.All | SecurityEvents.Read.All
Get All Secure Scores | SecurityEvents.Read.All, SecurityEvents.ReadWrite.All | SecurityEvents.Read.All, SecurityEvents.ReadWrite.All
Get All Secure Score Control Profiles | SecurityEvents.Read.All, SecurityEvents.ReadWrite.All | SecurityEvents.Read.All, SecurityEvents.ReadWrite.All
Create Threat Intelligence Indicator | ThreatIndicators.ReadWrite.OwnedBy | ThreatIndicators.ReadWrite.OwnedBy
Get All Threat Intelligence Indicators | ThreatIndicators.ReadWrite.OwnedBy | ThreatIndicators.ReadWrite.OwnedBy
Get Threat Intelligence Indicator | ThreatIndicators.ReadWrite.OwnedBy | ThreatIndicators.ReadWrite.OwnedBy
Update Threat Intelligence Indicator | ThreatIndicators.ReadWrite.OwnedBy | ThreatIndicators.ReadWrite.OwnedBy
Delete Threat Intelligence Indicator | ThreatIndicators.ReadWrite.OwnedBy | ThreatIndicators.ReadWrite.OwnedBy
Get Alert Events | Data.Read | Data.Read
Fetch Alert Query | Data.Read | Data.Read

Important: For information on how to grant permissions in the Azure portal, see the following links:

Release Notes for version 1.1.0

The following enhancements have been made to the Azure Sentinel connector in version 1.1.0:

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:

yum install cyops-connector-azure-sentinel

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Azure Sentinel connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details: 

Parameter Description
Tenant ID ID of the tenant that is assigned to you by the Azure application registration portal.
Client ID Unique Application ID of the Azure Active Directory application that is used to create an authentication token required to access the API. For information on getting authentication tokens, see the Connector Authentication - Getting Authentication Tokens section.
Client Secret Unique Client Secret of the Azure Active Directory application that is used to create an authentication token required to access the API. For information on how to get the secret key, see https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 onwards:

Function Description Annotation and Category
Get All Threat Intelligence Indicators Retrieves all threat intelligence indicators from Azure Sentinel using the Microsoft Graph Security API. get_all_threat_intelligence_indicators (Investigation)
Get Threat Intelligence Indicator Retrieves a specific threat intelligence indicator from Azure Sentinel using the Microsoft Graph Security API based on the threat intelligence indicator ID you have specified. get_threat_intelligence_indicator (Investigation)
Create Threat Intelligence Indicator Creates a threat intelligence indicator in Azure Sentinel using the Microsoft Graph Security API based on the threat type, indicator observables, and other input parameters you have specified. create_threat_intelligence_indicator (Investigation)
Delete Threat Intelligence Indicator Deletes a specific threat intelligence indicator from Azure Sentinel using the Microsoft Graph Security API based on the threat intelligence indicator ID you have specified. delete_threat_intelligence_indicator (Investigation)
Update Threat Intelligence Indicator Updates a specific threat intelligence indicator in Azure Sentinel using the Microsoft Graph Security API based on the threat intelligence indicator ID and other input parameters you have specified. update_threat_intelligence_indicator (Investigation)
Get Alert Retrieves a specific alert from Azure Sentinel using the Microsoft Graph Security API based on the alert ID you have specified. get_alert (Investigation)
Update Alert Updates a specific alert in Azure Sentinel using the Microsoft Graph Security API based on the alert ID, status, and other input parameters you have specified. update_alert (Investigation)
Get All Secure Scores Retrieves all secure scores associated with a specific Azure tenant from Azure Sentinel using the Microsoft Graph Security API based on the Azure tenant ID you have specified. get_all_secure_scores (Investigation)
Get All Secure Score Control Profiles Retrieves all secure score control profiles from Azure Sentinel using the Microsoft Graph Security API. get_all_secure_score_control_profiles (Investigation)
Get Incident Retrieves an incident associated with a specific alert from Azure Sentinel based on the incident ID, workspace name ID, and other input parameters you have specified. get_incident (Investigation)
Get Incident List Retrieves all incidents from Azure Sentinel based on the workspace subscription ID, workspace name, and other input parameters that you have specified. get_incident_list (Investigation)
Update Incident Updates an incident in Azure Sentinel based on the incident ID, workspace name ID, and other input parameters you have specified. update_incident (Investigation)
Get Alert List Retrieves all alerts, or the alerts matching the search query and other input parameters that you have specified, from Azure Sentinel. get_alert_list (Investigation)
Get Alert Events Retrieves all events associated with a specific alert from Azure Sentinel based on the workspace ID and search query that you have specified. get_alert_events (Investigation)
Fetch Alert Query Retrieves the query for a specific alert from Azure Sentinel based on the workspace ID and system alert ID that you have specified. fetch_alert_query (Investigation)

operation: Get All Threat Intelligence Indicators

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "lastReportedDateTime": "",
     "networkIPv6": "",
     "externalId": "",
     "domainName": "",
     "emailSenderAddress": "",
     "networkDestinationCidrBlock": "",
     "fileCompileDateTime": "",
     "networkPort": "",
     "emailLanguage": "",
     "tlpLevel": "",
     "emailSourceDomain": "",
     "knownFalsePositives": "",
     "azureTenantId": "",
     "malwareFamilyNames": [],
     "networkDestinationPort": "",
     "fileSize": "",
     "networkDestinationIPv4": "",
     "emailSubject": "",
     "ingestedDateTime": "",
     "filePath": "",
     "expirationDateTime": "",
     "networkSourceAsn": "",
     "networkSourceCidrBlock": "",
     "networkDestinationAsn": "",
     "killChain": [],
     "networkProtocol": "",
     "diamondModel": "",
     "networkDestinationIPv6": "",
     "userAgent": "",
     "action": "",
     "emailRecipient": "",
     "tags": [],
     "fileCreatedDateTime": "",
     "networkIPv4": "",
     "fileHashType": "",
     "emailXMailer": "",
     "networkSourceIPv6": "",
     "emailEncoding": "",
     "additionalInformation": "",
     "networkSourceIPv4": "",
     "description": "",
     "fileMutexName": "",
     "networkCidrBlock": "",
     "vendorInformation": {
         "vendor": "",
         "provider": "",
         "providerVersion": "",
         "subProvider": ""
     },
     "targetProduct": "",
     "emailSourceIpAddress": "",
     "threatType": "",
     "emailSenderName": "",
     "passiveOnly": "",
     "activityGroupNames": [],
     "confidence": "",
     "fileName": "",
     "networkSourcePort": "",
     "severity": "",
     "filePacker": "",
     "fileType": "",
     "fileHashValue": "",
     "isActive": "",
     "url": ""
}

operation: Get Threat Intelligence Indicator

Input parameters

Parameter Description
Threat Intelligence Indicator ID Unique ID (GUID) that the system generated when the indicator was ingested; it identifies the threat intelligence indicator that you want to retrieve from Azure Sentinel.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "lastReportedDateTime": "",
     "networkIPv6": "",
     "externalId": "",
     "domainName": "",
     "emailSenderAddress": "",
     "networkDestinationCidrBlock": "",
     "fileCompileDateTime": "",
     "networkPort": "",
     "emailLanguage": "",
     "tlpLevel": "",
     "emailSourceDomain": "",
     "knownFalsePositives": "",
     "azureTenantId": "",
     "malwareFamilyNames": [],
     "networkDestinationPort": "",
     "fileSize": "",
     "networkDestinationIPv4": "",
     "emailSubject": "",
     "ingestedDateTime": "",
     "filePath": "",
     "expirationDateTime": "",
     "networkSourceAsn": "",
     "networkSourceCidrBlock": "",
     "networkDestinationAsn": "",
     "killChain": [],
     "networkProtocol": "",
     "diamondModel": "",
     "networkDestinationIPv6": "",
     "userAgent": "",
     "action": "",
     "emailRecipient": "",
     "tags": [],
     "fileCreatedDateTime": "",
     "networkIPv4": "",
     "fileHashType": "",
     "emailXMailer": "",
     "networkSourceIPv6": "",
     "emailEncoding": "",
     "additionalInformation": "",
     "networkSourceIPv4": "",
     "description": "",
     "fileMutexName": "",
     "networkCidrBlock": "",
     "@odata.context": "",
     "vendorInformation": {
         "vendor": "",
         "provider": "",
         "providerVersion": "",
         "subProvider": ""
     },
     "targetProduct": "",
     "emailSourceIpAddress": "",
     "threatType": "",
     "emailSenderName": "",
     "passiveOnly": "",
     "activityGroupNames": [],
     "confidence": "",
     "fileName": "",
     "networkSourcePort": "",
     "severity": "",
     "filePacker": "",
     "fileType": "",
     "fileHashValue": "",
     "isActive": "",
     "url": ""
}

operation: Create Threat Intelligence Indicator

Input parameters

Parameter Description
Action Action that you want to perform if the indicator is matched in the target product security tool. You can choose from the following options: Unknown, Allow, Block, or Alert.
Description Brief description (100 characters or less) of the threat represented by the indicator that you want to create in Azure Sentinel.
Target Product Security product to which you want to apply the indicator that you are creating in Azure Sentinel.
Threat Type Type of threat that you want to assign to the indicator that you are creating in Azure Sentinel. You can choose from the following options: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, or WatchList.
Traffic Light Protocol Value of the traffic light protocol that you want to assign to the indicator that you are creating in Azure Sentinel. You can choose from the following options: Unknown, White, Green, Amber, or Red.
Object Indicator observables based on which you want to create the threat intelligence indicator in Azure Sentinel. You can choose from the following options: Email, File, or Network.
If you select Email, then you must specify the following parameters:
  • Email Encoding: Type of text encoding used in the email.
  • Email Language: Language of the email.
  • Email Recipient: Email address of the recipient.
  • Email Sender Address: Email address of the sender, who could be the attacker or the victim.
  • Email Sender Name: Sender (displayed) name of the sender, who could be the attacker or the victim.
  • Email Source Domain: Source Domain that is used in the email.
  • Email Source IP Address: Source IP address of the email.
  • Email Subject: Subject line of the email.
  • Email X-Mailer: X-Mailer value that is used in the email.
If you select File, then you must specify the following parameters:
  • File Compile Time: Datetime when the file was compiled. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC.
  • File Created Date Time: Datetime when the file was created. The Timestamp type represents date and time information in ISO 8601 format and is always in UTC.
  • File Hash Type: Type of hash stored in the file. You can choose from the following options: Unknown, Sha1, Sha256, Md5, AuthenticodeHash256, LsHash, or Ctph.
  • File Hash Value: Value of file hash that will be used to create the threat intelligence indicator.
  • File Mutex Name: Mutex name that will be used in file-based detections.
  • File Name: Name of the file that contains the indicator. You can specify multiple filenames using comma-based separators.
  • File Packer: Packer that was used to build the file for which you are creating the threat intelligence indicator in Azure Sentinel.
  • File Path: Path of the file that contains the IOCs. You can specify the path as a 'Windows' path or 'nix-style' path.
  • File Size: Size of the file in bytes.
  • File Type: Type of file such as a Word Document or a Binary file.
If you select Network, then you must specify the following parameters:
  • Domain Name: Name of the domain associated with the indicator.
  • Network CIDR Block: CIDR block notation of the network referenced in the indicator. Use this field only if you cannot identify the network source and network destination.
  • Network Destination Autonomous: Destination autonomous system identifier of the network referenced in the indicator.
  • Network Destination CIDR Block: CIDR block notation of the destination network in the indicator.
  • Network Destination IPV4: IPv4 address of the network destination referenced in the indicator.
  • Network Destination IPV6: IPv6 address of the network destination referenced in the indicator.
  • Network Destination Port: TCP port of the network destination referenced in the indicator.
  • Network IPV4: IPv4 address of the network referenced in the indicator. Use this field only if you cannot identify the network source and network destination.
  • Network IPV6: IPv6 address of the network referenced in the indicator. Use this field only if you cannot identify the network source and network destination.
  • Network Port: TCP port referenced in the indicator. Use this field only if you cannot identify the network source and network destination.
  • Network Protocol: Decimal representation of the protocol field in the IPv4 header that is referenced in the indicator.
  • Network Source Autonomous: Source autonomous system identifier of the network referenced in the indicator.
  • Network Source CIDR Block: CIDR block notation of the source network in the indicator.
  • Network Source IPV4: IPv4 address of the network source referenced in the indicator.
  • Network Source IPV6: IPv6 address of the network source referenced in the indicator.
  • Network Source Port: TCP port of the network source referenced in the indicator.
  • URL: URL referenced in the indicator. The entered URL must comply with RFC 1738.
  • User Agent: User-Agent string from a web request that could indicate a compromise.
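As an added example (not the connector's or Microsoft's code), the following assembles the indicator body from the Create Threat Intelligence Indicator inputs above and enforces the constraints the table states: the choice lists, the 100-character description, one Object family at a time, port and protocol ranges, and an absolute URL. The property names are taken from the operation's output schema; the hex-length check on the common digest types is an assumption the page does not state.

```python
import string
from typing import Any, Dict
from urllib.parse import urlparse

# Allowed values exactly as the operation's input table lists them.
ACTIONS = {"Unknown", "Allow", "Block", "Alert"}
TLP_LEVELS = {"Unknown", "White", "Green", "Amber", "Red"}
THREAT_TYPES = {"Botnet", "C2", "CryptoMining", "Darknet", "DDoS", "MaliciousUrl",
                "Malware", "Phishing", "Proxy", "PUA", "WatchList"}
HASH_TYPES = {"Unknown", "Sha1", "Sha256", "Md5", "AuthenticodeHash256", "LsHash", "Ctph"}
# Assumption (not on the page): hex digest lengths of the common hash types.
HEX_LENGTHS = {"Md5": 32, "Sha1": 40, "Sha256": 64}

# Observable properties per "Object" choice, named as in the operation's output schema.
OBSERVABLES = {
    "Email": {"emailEncoding", "emailLanguage", "emailRecipient", "emailSenderAddress",
              "emailSenderName", "emailSourceDomain", "emailSourceIpAddress",
              "emailSubject", "emailXMailer"},
    "File": {"fileCompileDateTime", "fileCreatedDateTime", "fileHashType", "fileHashValue",
             "fileMutexName", "fileName", "filePacker", "filePath", "fileSize", "fileType"},
    "Network": {"domainName", "networkCidrBlock", "networkDestinationAsn",
                "networkDestinationCidrBlock", "networkDestinationIPv4",
                "networkDestinationIPv6", "networkDestinationPort", "networkIPv4",
                "networkIPv6", "networkPort", "networkProtocol", "networkSourceAsn",
                "networkSourceCidrBlock", "networkSourceIPv4", "networkSourceIPv6",
                "networkSourcePort", "url", "userAgent"},
}


def _choice(name: str, value: str, allowed) -> str:
    if value not in allowed:
        raise ValueError(f"{name} must be one of {sorted(allowed)}, got {value!r}")
    return value


def _int_in_range(name: str, value: Any, low: int, high: int) -> int:
    number = int(value)
    if not low <= number <= high:
        raise ValueError(f"{name} must be between {low} and {high}, got {number}")
    return number


def _is_absolute_url(value: str) -> bool:
    """RFC 1738 form as checked here: a scheme and a host are both present."""
    parsed = urlparse(value)
    return bool(parsed.scheme and parsed.netloc)


def build_indicator(action: str, description: str, target_product: str, threat_type: str,
                    tlp: str, obj: str, **observables: Any) -> Dict[str, Any]:
    """Assemble the indicator body; raise ValueError for anything the operation would reject."""
    if not description or len(description) > 100:
        raise ValueError("Description is required and limited to 100 characters")
    if not target_product:
        raise ValueError("Target Product is required")
    body: Dict[str, Any] = {
        "action": _choice("Action", action, ACTIONS),
        "description": description,
        "targetProduct": target_product,
        "threatType": _choice("Threat Type", threat_type, THREAT_TYPES),
        "tlpLevel": _choice("Traffic Light Protocol", tlp, TLP_LEVELS),
    }
    allowed = OBSERVABLES.get(obj)
    if allowed is None:
        raise ValueError("Object must be Email, File, or Network")
    if not observables:
        raise ValueError(f"at least one {obj} observable is required")
    unknown = sorted(set(observables) - allowed)
    if unknown:
        raise ValueError(f"{unknown} are not {obj} observables")

    for key, value in observables.items():
        if key == "fileHashType":
            value = _choice("File Hash Type", value, HASH_TYPES)
        elif key == "fileSize":  # size in bytes
            value = _int_in_range("File Size", value, 0, 2**63 - 1)
        elif key == "networkProtocol":  # decimal value of the IPv4 protocol field
            value = _int_in_range("Network Protocol", value, 0, 255)
        elif key.endswith("Port"):  # TCP port numbers
            value = _int_in_range(key, value, 0, 65535)
        elif key == "url" and not _is_absolute_url(value):
            raise ValueError("URL must carry a scheme and host (RFC 1738 form)")
        body[key] = value

    # A hash value is only checkable together with its type.
    digest = body.get("fileHashValue")
    expected = HEX_LENGTHS.get(body.get("fileHashType", ""))
    if digest is not None and expected and (
            len(digest) != expected or not all(c in string.hexdigits for c in digest)):
        raise ValueError(f"{body['fileHashType']} value must be {expected} hex characters")
    return body


def rejects(**kwargs: Any) -> bool:
    """True when build_indicator refuses the inputs (used to demonstrate the checks)."""
    try:
        build_indicator(**kwargs)
    except ValueError:
        return True
    return False


# Constructed sample (not real indicator data): a file observable with a 64-hex SHA-256 value.
SAMPLE_FILE_INDICATOR = build_indicator(
    action="Alert", description="Constructed sample: dropper seen in a phishing wave",
    target_product="Azure Sentinel", threat_type="Malware", tlp="Amber", obj="File",
    fileHashType="Sha256", fileHashValue="ab" * 32, fileName="invoice.exe", fileSize="1024")
```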

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "lastReportedDateTime": "",
     "networkIPv6": "",
     "externalId": "",
     "domainName": "",
     "emailSenderAddress": "",
     "networkDestinationCidrBlock": "",
     "fileCompileDateTime": "",
     "networkPort": "",
     "emailLanguage": "",
     "tlpLevel": "",
     "emailSourceDomain": "",
     "knownFalsePositives": "",
     "api_version": "",
     "azureTenantId": "",
     "malwareFamilyNames": [],
     "networkDestinationPort": "",
     "fileSize": "",
     "networkDestinationIPv4": "",
     "emailSubject": "",
     "ingestedDateTime": "",
     "filePath": "",
     "expirationDateTime": "",
     "networkSourceAsn": "",
     "networkSourceCidrBlock": "",
     "networkDestinationAsn": "",
     "killChain": [],
     "networkProtocol": "",
     "diamondModel": "",
     "networkDestinationIPv6": "",
     "userAgent": "",
     "action": "",
     "emailRecipient": "",
     "tags": [],
     "fileCreatedDateTime": "",
     "networkIPv4": "",
     "fileHashType": "",
     "emailXMailer": "",
     "networkSourceIPv6": "",
     "emailEncoding": "",
     "additionalInformation": "",
     "networkSourceIPv4": "",
     "description": "",
     "fileMutexName": "",
     "networkCidrBlock": "",
     "@odata.context": "",
     "vendorInformation": {
         "vendor": "",
         "provider": "",
         "providerVersion": "",
         "subProvider": ""
     },
     "targetProduct": "",
     "emailSourceIpAddress": "",
     "threatType": "",
     "emailSenderName": "",
     "passiveOnly": "",
     "activityGroupNames": [],
     "confidence": "",
     "fileName": "",
     "networkSourcePort": "",
     "severity": "",
     "filePacker": "",
     "fileType": "",
     "fileHashValue": "",
     "isActive": "",
     "url": ""
}

operation: Delete Threat Intelligence Indicator

Input parameters

Parameter Description
ID Unique ID (GUID) that the system generated when the indicator was ingested; it identifies the threat intelligence indicator that you want to delete from Azure Sentinel.

Output

The output contains the following populated JSON schema:
{
     "result": ""
}

operation: Update Threat Intelligence Indicator

Input parameters

Parameter Description
ID Unique ID (GUID) that the system generated when the indicator was ingested; it identifies the threat intelligence indicator that you want to update in Azure Sentinel.
Target Product Security product to which you want to apply the indicator that you are updating in Azure Sentinel.
Action (Optional) Action that you want to perform if the indicator is matched in the target product security tool. You can choose from the following options: Unknown, Allow, Block, or Alert.
Description (Optional) Brief description (100 characters or less) of the threat represented by the indicator that you want to update in Azure Sentinel.
Severity (Optional) Integer value representing the severity of the malicious behavior identified by the data within the indicator that you want to update in Azure Sentinel. You can enter any value between 0-5, where 5 is most severe and 0 is not severe. The default value is set as 3.
Traffic Light Protocol (Optional) Value of the traffic light protocol that you want to assign to the indicator that you are updating in Azure Sentinel. You can choose from the following options: Unknown, White, Green, Amber, or Red.
Is Active (Optional) Clear this checkbox, i.e., set it to 'False', to deactivate indicators within the system. By default, this checkbox is selected, i.e., any indicator submitted is set as active. However, providers might submit existing indicators with this set to 'False' to deactivate indicators in the system.
Confidence (Optional) Integer value representing the confidence in the accuracy of the data within the indicator that identifies malicious behavior. You can enter any value between 0-100, where 100 is the highest.
Diamond Model (Optional) Area of the diamond model in which this indicator exists. You can choose from the following options: Unknown, Adversary, Capability, Infrastructure, or Victim.
Tag (Optional) JSON array of strings that stores arbitrary tags or keywords that you want to associate with the threat intelligence indicator in Azure Sentinel. You can specify multiple tags using comma-based separators.

Output

The output contains the following populated JSON schema:
{
     "result": ""
}

operation: Get Alert

Input parameters

Parameter Description
Alert ID Unique ID that the provider assigned to the alert when it was created in Azure Sentinel, identifying the alert that you want to retrieve.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "tags": "",
     "processes": "",
     "cloudAppStates": "",
     "vendorInformation": {
         "vendor": "",
         "provider": "",
         "providerVersion": "",
         "subProvider": ""
     },
     "userStates": "",
     "closedDateTime": "",
     "vulnerabilityStates": "",
     "malwareStates": "",
     "assignedTo": "",
     "registryKeyStates": "",
     "networkConnections": "",
     "azureSubscriptionId": "",
     "azureTenantId": "",
     "activityGroupName": "",
     "lastModifiedDateTime": "",
     "description": "",
     "createdDateTime": "",
     "@odata.context": "",
     "title": "",
     "hostStates": "",
     "sourceMaterials": "",
     "riskScore": "",
     "detectionIds": "",
     "feedback": "",
     "category": "",
     "comments": "",
     "confidence": "",
     "eventDateTime": "",
     "historyStates": "",
     "recommendedActions": "",
     "fileStates": "",
     "triggers": "",
     "severity": "",
     "status": ""
}

operation: Update Alert

Input parameters

Parameter Description
Alert ID Unique ID that the provider assigned to the alert when it was created in Azure Sentinel, identifying the alert that you want to update.
Status Status (life cycle status) of the alert that you want to update in Azure Sentinel. You can choose from the following options: Unknown, NewAlert, InProgress, or Resolved.
Provider Specific provider of the product or service that generated the alert, for example, WindowsDefenderATP. Provider and Vendor are required even when you change only the status or feedback, because the Microsoft Graph Security API expects the alert's vendorInformation on every update.
Vendor Name of the vendor of the alert that you want to update in Azure Sentinel, for example, Microsoft.
Assigned To (Optional) Name of the analyst to whom the alert that you want to update in Azure Sentinel is assigned for triage, investigation, or remediation.
Close Time Time at which the alert was closed in Azure Sentinel. The timestamp represents date and time information in ISO 8601 format and is always in UTC, for example, 2019-09-22T00:00:00Z.
Comments (Optional) Analyst comments that you want to update in the specific alert in Azure Sentinel.
Feedback (Optional) Analyst feedback on the alert that you want to update in Azure Sentinel. You can choose from the following options: Unknown, TruePositive, FalsePositive, or BenignPositive.
Tag (Optional) User-definable labels that you want to apply to the alert in Azure Sentinel, stored as a JSON array of strings; they can serve as filter conditions. Specify multiple tags as a comma-separated list.
Provider Version (Optional) Version of the provider or subprovider, if it exists, that generated the alert that you want to update in Azure Sentinel.
Sub Provider (Optional) Specific sub-provider under the aggregating provider for the alert that you want to update in Azure Sentinel, for example, WindowsDefenderATP.SmartScreen.

Output

The output contains the following populated JSON schema:
{
     "result": ""
}

operation: Get All Secure Scores

Input parameters

Parameter Description
Azure Tenant ID ID of the tenant that is assigned to you by the Azure application registration portal (Azure Active Directory) whose secure scores you want to retrieve from Azure Sentinel.

Output

The output contains the following populated JSON schema:
{
     "value": [
         {
             "currentScore": "",
             "maxScore": "",
             "averageComparativeScores": [
                 {
                     "identityScore": "",
                     "seatSizeRangeLowerValue": "",
                     "basis": "",
                     "averageScore": "",
                     "seatSizeRangeUpperValue": "",
                     "dataScore": "",
                     "deviceScore": "",
                     "categoryValue": ""
                 }
             ],
             "controlScores": [
                 {
                     "score": "",
                     "controlName": "",
                     "count": "",
                     "total": "",
                     "controlCategory": "",
                     "description": ""
                 }
             ],
             "enabledServices": "",
             "activeUserCount": "",
             "id": "",
             "azureTenantId": "",
             "licensedUserCount": "",
             "createdDateTime": ""
         }
     ]
}

operation: Get All Secure Score Control Profiles

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "title": "",
     "remediationImpact": "",
     "actionUrl": "",
     "implementationCost": "",
     "threats": [
         ""
     ],
     "userImpact": "",
     "maxScore": "",
     "deprecated": "",
     "tier": "",
     "controlStateUpdates": [
         {
             "comment": "",
             "updatedDateTime": "",
             "updatedBy": "",
             "assignedTo": "",
             "state": ""
         }
     ],
     "remediation": "",
     "actionType": "",
     "controlCategory": "",
     "service": "",
     "complianceInformation": [
         {
             "certificationControls": [
                 {
                     "name": "",
                     "url": ""
                 }
             ],
             "certificationName": ""
         }
     ],
     "azureTenantId": "",
     "vendorInformation": {
         "vendor": "",
         "provider": "",
         "providerVersion": "",
         "subProvider": ""
     },
     "lastModifiedDateTime": "",
     "rank": ""
}

operation: Get Incident

Input parameters

Parameter Description
Incident ID ID of the incident that you want to retrieve from Azure Sentinel.
Workspace Subscription ID ID of the Azure subscription that contains the Log Analytics workspace from which you want to retrieve the incident from Azure Sentinel.
Workspace Resource Group Name of the Azure resource group that contains the workspace from which you want to retrieve the incident from Azure Sentinel.
Workspace Name Name of the Azure Sentinel workspace from which you want to retrieve the incident.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "name": "",
     "etag": "",
     "type": "",
     "properties": {
         "title": "",
         "description": "",
         "severity": "",
         "status": "",
         "owner": {
             "objectId": "",
             "email": "",
             "assignedTo": "",
             "userPrincipalName": ""
         },
         "labels": [],
         "firstActivityTimeUtc": "",
         "lastActivityTimeUtc": "",
         "lastModifiedTimeUtc": "",
         "createdTimeUtc": "",
         "incidentNumber": "",
         "additionalData": {
             "alertsCount": "",
             "bookmarksCount": "",
             "commentsCount": "",
             "alertProductNames": [],
             "tactics": []
         },
         "relatedAnalyticRuleIds": [],
         "incidentUrl": ""
     }
}

operation: Get Incident List

Input parameters

Parameter Description
Workspace Subscription ID ID of the Azure subscription that contains the Log Analytics workspace from which you want to retrieve incidents from Azure Sentinel.
Workspace Resource Group Name of the Azure resource group that contains the workspace from which you want to retrieve incidents from Azure Sentinel.
Workspace Name Name of the Azure Sentinel workspace from which you want to retrieve incidents.
Search Query (Optional) OData filter query using which you want to filter the incidents retrieved from Azure Sentinel. The filter is supported on: "Id", "CreatedDateTime", "Status", "Severity", and "Category".
For example [createdDateTime gt 2019-09-22T00:00:00Z] retrieves all the incidents that were created after 2019-09-22T00:00:00Z.
Order By (Optional) Order in which you want to sort the results retrieved from Azure Sentinel. You can specify asc or desc.
By default, this is set to asc.
Number of Incidents to Fetch (Optional) Maximum number of incidents that this operation should return from Azure Sentinel.
Skip Token (Optional) Use this only to continue a listing whose previous response was partial. If a previous response contains a nextLink element, its value includes a skiptoken parameter that marks the starting point for the next call; pass that value here to fetch the next page.

Output

The output contains the following populated JSON schema:
{
     "value": [
         {
             "id": "",
             "name": "",
             "etag": "",
             "type": "",
             "properties": {
                 "title": "",
                 "description": "",
                 "severity": "",
                 "status": "",
                 "owner": {
                     "objectId": "",
                     "email": "",
                     "assignedTo": "",
                     "userPrincipalName": ""
                 },
                 "labels": [],
                 "firstActivityTimeUtc": "",
                 "lastActivityTimeUtc": "",
                 "lastModifiedTimeUtc": "",
                 "createdTimeUtc": "",
                 "incidentNumber": "",
                 "additionalData": {
                     "alertsCount": "",
                     "bookmarksCount": "",
                     "commentsCount": "",
                     "alertProductNames": [],
                     "tactics": []
                 },
                 "relatedAnalyticRuleIds": [],
                 "incidentUrl": ""
             }
         }
     ]
}
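The nextLink / Skip Token contract above is easy to get subtly wrong in a playbook loop: the token has to be pulled out of the nextLink URL, a capped fetch should still hand back a token that resumes at unread data, and a nextLink should never be followed blindly, since the bearer token goes with the request. The following is an added example, not part of the connector or of Microsoft's code; the sample pages, the host name check and the fake_fetch stub are constructed for illustration.

```python
from urllib.parse import parse_qs, urlparse

# Host a genuine nextLink is expected to point at; following a nextLink to any
# other host would send the bearer token somewhere it does not belong.
API_HOST = "management.azure.com"

# Constructed sample pages standing in for three Incidents API responses
# (not real data). Only the first two carry a nextLink.
SAMPLE_PAGES = {
    None: {
        "value": [{"name": "inc-1"}, {"name": "inc-2"}],
        "nextLink": "https://management.azure.com/incidents?$skipToken=p2",
    },
    "p2": {
        "value": [{"name": "inc-3"}],
        "nextLink": "https://management.azure.com/incidents?$skipToken=p3",
    },
    "p3": {"value": [{"name": "inc-4"}]},
}


def fake_fetch(skip_token):
    """Stand-in for the HTTP GET; a real fetcher would send skip_token as $skipToken."""
    return SAMPLE_PAGES[skip_token]


def skip_token_from_next_link(next_link, expected_host=API_HOST):
    """Return the $skipToken carried by nextLink, or None when there is no nextLink."""
    if not next_link:
        return None
    parsed = urlparse(next_link)
    if parsed.scheme != "https" or parsed.hostname != expected_host:
        raise ValueError(f"refusing to follow nextLink to {parsed.hostname!r}")
    tokens = parse_qs(parsed.query).get("$skipToken")
    if not tokens:
        raise ValueError("nextLink present but carries no $skipToken")
    return tokens[0]


def list_incidents(fetch_page, skip_token=None, max_incidents=None, max_pages=50):
    """Collect incidents page by page.

    Returns (incidents, resume_token): resume_token is None once the listing is
    exhausted, otherwise the $skipToken to pass on the next call. max_incidents
    is checked between pages, so a page is never cut in half and resume_token
    always points at unread data. max_pages bounds a listing whose nextLink
    never ends (a server bug or a hostile response).
    """
    incidents = []
    for _ in range(max_pages):
        page = fetch_page(skip_token)
        incidents.extend(page.get("value", []))
        skip_token = skip_token_from_next_link(page.get("nextLink"))
        if skip_token is None:
            return incidents, None
        if max_incidents is not None and len(incidents) >= max_incidents:
            return incidents, skip_token
    raise RuntimeError(f"gave up after {max_pages} pages; nextLink never ended")


if __name__ == "__main__":
    everything, token = list_incidents(fake_fetch)
    print([i["name"] for i in everything], token)
```

In a playbook the same shape applies: store the returned resume token with the run state and feed it back as Skip Token on the next iteration until it comes back empty.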

operation: Update Incident

Input parameters

Parameter Description
Incident ID ID of the incident that you want to update in Azure Sentinel.
Workspace Subscription ID ID of the Azure subscription that contains the Log Analytics workspace in which you want to update the incident in Azure Sentinel.
Workspace Resource Group Name of the Azure resource group that contains the workspace in which you want to update the incident in Azure Sentinel.
Workspace Name Name of the Azure Sentinel workspace in which you want to update the incident.
Etag (Optional) Etag of the incident that you want to update, as returned by the Get Incident operation. Supplying it makes the update conditional on the incident not having changed since you read it, so that a concurrent change by another analyst or playbook is not silently overwritten; omit it to update unconditionally.
Severity (Optional) Updates the severity of the specific incident in Azure Sentinel. You can choose from the following options: Critical, High, Medium, Low, or Informational.
Status (Optional) Updates the status of the specific incident in Azure Sentinel. You can choose from the following options: Active, New, or Closed.
Title (Optional) Title of the specified incident that you want to update in Azure Sentinel.
Description (Optional) Description of the specified incident that you want to update in Azure Sentinel.

Output

The output contains the following populated JSON schema:
{
     "id": "",
     "name": "",
     "etag": "",
     "type": "",
     "properties": {
         "title": "",
         "severity": "",
         "status": "",
         "owner": {
             "objectId": "",
             "email": "",
             "assignedTo": "",
             "userPrincipalName": ""
         },
         "labels": [],
         "lastModifiedTimeUtc": "",
         "createdTimeUtc": "",
         "incidentNumber": "",
         "additionalData": {
             "alertsCount": "",
             "bookmarksCount": "",
             "commentsCount": "",
             "alertProductNames": [],
             "tactics": []
         },
         "relatedAnalyticRuleIds": [],
         "incidentUrl": ""
     }
}
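The Etag parameter of Update Incident is an optimistic-concurrency check: read the incident, send the update with the etag you read, and if someone changed the incident in between, re-read and retry instead of overwriting their change. The example below is added here and is not FortiSOAR or Microsoft code. FakeIncidentsApi and RacingApi are constructed in-memory stand-ins for the Incidents API; the assumption that a mismatched etag is answered with 412 follows Azure Resource Manager's usual If-Match behaviour and should be confirmed against the API reference.

```python
import copy


class FakeIncidentsApi:
    """Constructed in-memory stand-in for the Incidents API (not the real service).

    Assumption: a PUT whose etag differs from the stored one is rejected with
    412, the usual Azure Resource Manager answer to a failed If-Match; confirm
    the exact status code against the API reference before relying on it.
    """

    def __init__(self):
        self._store = {}
        self._version = 0

    def _new_etag(self):
        self._version += 1
        return f'"{self._version:08x}"'

    def seed(self, name, properties):
        self._store[name] = {"name": name, "etag": self._new_etag(),
                             "properties": dict(properties)}

    def get(self, name):
        return 200, copy.deepcopy(self._store[name])

    def put(self, name, body):
        current = self._store[name]
        # An absent etag means "update unconditionally", as with the optional parameter.
        if body.get("etag") and body["etag"] != current["etag"]:
            return 412, {"error": "etag mismatch"}
        current["properties"].update(body["properties"])
        current["etag"] = self._new_etag()
        return 200, copy.deepcopy(current)


class RacingApi:
    """Wraps an API so that another writer slips in just before our first PUT,
    which is exactly the situation the etag exists to detect."""

    def __init__(self, inner):
        self.inner = inner
        self.raced = False

    def get(self, name):
        return self.inner.get(name)

    def put(self, name, body):
        if not self.raced:
            self.raced = True
            _, current = self.inner.get(name)
            self.inner.put(name, {"etag": current["etag"],
                                  "properties": {"owner": "other-analyst"}})
        return self.inner.put(name, body)


def update_incident(api, name, changes, retries=1):
    """Apply `changes` to an incident with optimistic concurrency.

    Reads the incident, sends the merged properties together with the etag it
    just read, and on a 412 re-reads and retries so the other writer's change
    is preserved instead of overwritten. Without the etag the PUT would win
    unconditionally.
    """
    for _ in range(retries + 1):
        status, incident = api.get(name)
        if status != 200:
            raise RuntimeError(f"GET failed with {status}")
        body = {"etag": incident["etag"],
                "properties": {**incident["properties"], **changes}}
        status, result = api.put(name, body)
        if status == 200:
            return result
        if status != 412:
            raise RuntimeError(f"PUT failed with {status}: {result}")
    raise RuntimeError(f"incident {name} kept changing underneath us; giving up")


def demo():
    """Seed one incident, update it once cleanly, then once under a race."""
    api = FakeIncidentsApi()
    api.seed("inc-1", {"title": "Suspicious sign-in", "status": "New", "severity": "Low"})
    update_incident(api, "inc-1", {"status": "Active"})
    return update_incident(RacingApi(api), "inc-1", {"severity": "High"})


if __name__ == "__main__":
    print(demo())
```

The merge of the existing properties with the requested changes matters as much as the etag: a PUT replaces the incident's properties, so an update that sends only the changed field would clear the rest.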

operation: Get Alert List

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Search Query Query using which you want to filter alerts to be retrieved from Azure Sentinel. The OData's Filter query is supported on: "Id", "CreatedDateTime", "Status", "Severity", and "Category".
For example [createdDateTime gt 2019-09-22T00:00:00Z] retrieves all the alerts that are created after 2019-09-22T00:00:00Z
Created Date Creation date and time based on which you want to filter the alerts retrieved from Azure Sentinel.
Order By Order in which you want to sort the results retrieved from Azure Sentinel. You can specify asc or desc.
By default, this is set to asc.
Number of Alerts to Fetch Maximum number of alerts that this operation should return from Azure Sentinel.

Output

The output contains the following populated JSON schema:
{
     "@odata.context": "",
     "value": [
         {
             "id": "",
             "azureTenantId": "",
             "azureSubscriptionId": "",
             "riskScore": "",
             "tags": [],
             "activityGroupName": "",
             "assignedTo": "",
             "category": "",
             "closedDateTime": "",
             "comments": [],
             "confidence": "",
             "createdDateTime": "",
             "description": "",
             "detectionIds": [],
             "eventDateTime": "",
             "feedback": "",
             "incidentIds": [],
             "lastEventDateTime": "",
             "lastModifiedDateTime": "",
             "recommendedActions": [],
             "severity": "",
             "sourceMaterials": [],
             "status": "",
             "title": "",
             "vendorInformation": {
                 "provider": "",
                 "providerVersion": "",
                 "subProvider": "",
                 "vendor": ""
             },
             "alertDetections": [],
             "cloudAppStates": [],
             "fileStates": [],
             "hostStates": [],
             "historyStates": [],
             "investigationSecurityStates": [],
             "malwareStates": [],
             "messageSecurityStates": [],
             "networkConnections": [],
             "processes": [],
             "registryKeyStates": [],
             "securityResources": [],
             "triggers": [],
             "userStates": [],
             "uriClickSecurityStates": [],
             "vulnerabilityStates": []
         }
     ]
}

operation: Get Alert Events

Input parameters

Parameter Description
Workspace ID ID (GUID) of the Log Analytics workspace behind Azure Sentinel from which you want to retrieve the events associated with specific alerts. This is the workspace ID, not the workspace name used by the incident operations.
Search Query Log Analytics query using which you want to select the events associated with a specific alert that you want to retrieve from Azure Sentinel.

Output

The output contains a non-dictionary value.

operation: Fetch Alert Query

Input parameters

Parameter Description
Workspace ID Azure Sentinel's workspace ID from which you want to retrieve the query associated with specific alerts.
System Alert ID Azure Sentinel's system alert ID from which you want to retrieve the query associated with specific alerts.

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - Azure Sentinel - 1.1.0 playbook collection comes bundled with the Azure Sentinel connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Azure Sentinel connector.

Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alerts and their associated "events" from Azure Sentinel. Currently, "alerts" in Azure Sentinel are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Azure Sentinel "alerts" to FortiSOAR™ "Alerts".

The Data Ingestion Wizard enables you to configure scheduled pulling of data from Azure Sentinel into FortiSOAR™. It also lets you pull some sample data from Azure Sentinel using which you can define the mapping of data between Azure Sentinel and FortiSOAR™. The Data Ingestion Wizard generally maps the common fields already; you usually need to map only any custom fields that were added to the Azure Sentinel alert.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Azure Sentinel connector’s "Configurations" page. 
    Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.

    Sample data is required to create a field mapping between Azure Sentinel data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
  2. On the Fetch Data screen, provide the configurations required to fetch Azure Sentinel data.
    You can pull data from Azure Sentinel by specifying a search query based on which alerts are retrieved. You can also limit the number of alerts that the query retrieves and restrict it to alerts that were created or updated in Azure Sentinel in the last X minutes.
    The fetched data is used to create a mapping between the Azure Sentinel data and FortiSOAR™ alerts.

    Once you have completed specifying the configurations, click Fetch Data.
  3. On the Field Mapping screen, map the fields of an Azure Sentinel alert to the fields of an alert present in FortiSOAR™. 
    To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the title parameter of an Azure Sentinel alert to the Name parameter of a FortiSOAR™ alert, click the Name field and then click the title field to populate its keys.

    For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping the fields, click Save Mapping & Continue.

  4. Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Azure Sentinel, so that the content gets pulled from the Azure Sentinel integration into FortiSOAR™. 
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.    
    In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from Azure Sentinel every 5 minutes, click Every X Minute, and in the minute box enter */5. This would mean that based on the configuration you have set up, data, i.e., alerts will be pulled from Azure Sentinel every 5 minutes.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
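Two details of the ingestion set-up described above deserve a worked illustration: how the Get Alert List inputs (search query, created date, order, limit) turn into a single OData request, with the timestamp in the ISO 8601 UTC form the examples use, and what a "last X minutes" window polled every 5 minutes implies, namely that consecutive polls overlap and the same alert arrives more than once, so the ingestion step must deduplicate on the provider's alert id. The code below is an added example and is not the connector's or Microsoft's code; the sample alerts are constructed, and the FortiSOAR field names produced by map_alert (name, description, severity, sourceId, sourceCreatedTime) are assumptions standing in for whatever the wizard's field mapping emits.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible (constructed, not a real poll time).
EXAMPLE_NOW = datetime(2019, 9, 22, 0, 10, tzinfo=timezone.utc)


def iso_utc(ts):
    """Render a timestamp the way the API expects it in $filter: ISO 8601, UTC, 'Z'."""
    if ts.tzinfo is None:
        raise ValueError("naive datetime: the poller's clock must be timezone-aware")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_alert_query(search_query=None, lookback_minutes=None,
                      order_by="asc", top=None, now=None):
    """Translate the Get Alert List inputs into OData query parameters.

    A lookback window becomes a createdDateTime clause; a user-supplied filter
    is parenthesised and joined with 'and' so its own operators cannot change
    the meaning of the window clause.
    """
    now = now or datetime.now(timezone.utc)
    clauses = []
    if lookback_minutes is not None:
        since = now - timedelta(minutes=lookback_minutes)
        clauses.append(f"createdDateTime gt {iso_utc(since)}")
    if search_query:
        clauses.append(f"({search_query.strip()})")
    if order_by not in ("asc", "desc"):
        raise ValueError("order_by must be 'asc' or 'desc'")
    params = {"$orderby": f"createdDateTime {order_by}"}
    if clauses:
        params["$filter"] = " and ".join(clauses)
    if top is not None:
        if not isinstance(top, int) or top < 1:
            raise ValueError("top must be a positive integer")
        params["$top"] = str(top)
    return params


def map_alert(alert):
    """Map one Azure Sentinel alert onto a FortiSOAR alert record.

    The FortiSOAR field names used here are assumptions for this example.
    """
    return {
        "name": alert["title"],
        "description": alert.get("description", ""),
        "severity": alert.get("severity", "unknown").capitalize(),
        "sourceId": alert["id"],
        "sourceCreatedTime": alert.get("createdDateTime"),
    }


def ingest(alerts, seen_ids):
    """Return FortiSOAR records for alerts not seen before.

    A schedule of every 5 minutes over a 'last X minutes' window overlaps on
    purpose (nothing is missed around the poll boundary), which means the same
    alert arrives in consecutive polls and must be deduplicated on the
    provider's id before a record is created. seen_ids is mutated in place.
    """
    fresh = []
    for alert in alerts:
        if alert["id"] in seen_ids:
            continue
        seen_ids.add(alert["id"])
        fresh.append(map_alert(alert))
    return fresh


# Constructed sample alerts (not real data): two overlapping poll results.
POLL_1 = [
    {"id": "a1", "title": "Malware detected", "severity": "high",
     "createdDateTime": "2019-09-22T00:03:00Z"},
    {"id": "a2", "title": "Impossible travel", "severity": "medium",
     "createdDateTime": "2019-09-22T00:04:30Z"},
]
POLL_2 = POLL_1[1:] + [
    {"id": "a3", "title": "Brute force", "severity": "low",
     "createdDateTime": "2019-09-22T00:08:00Z"},
]


def demo():
    """Run two overlapping polls through ingest and return what each created."""
    seen = set()
    return ingest(POLL_1, seen), ingest(POLL_2, seen)


if __name__ == "__main__":
    print(build_alert_query(search_query="severity eq 'high'", lookback_minutes=10,
                            top=50, now=EXAMPLE_NOW))
    print(demo())
```

In production the set of seen ids has to survive restarts, for example as a lookup on the FortiSOAR alert's source id before creation, otherwise every restart of the poller re-creates the alerts from the current window.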