incidents
Creates, updates, deletes, gets or lists an incidents resource.
Overview
| Name | incidents |
| Type | Resource |
| Id | azure.sentinel.incidents |
Fields
The following fields are returned by SELECT queries:
- get
- list
OK, Operation successfully completed
| Name | Datatype | Description |
|---|---|---|
etag | string | Etag of the azure resource |
properties | object | Incident properties |
OK, Operation successfully completed
| Name | Datatype | Description |
|---|---|---|
etag | string | Etag of the azure resource |
properties | object | Incident properties |
Methods
The following methods are available for this resource:
| Name | Accessible by | Required Params | Optional Params | Description |
|---|---|---|---|---|
get | select | subscriptionId, resourceGroupName, workspaceName, incidentId | Gets a given incident. | |
list | select | subscriptionId, resourceGroupName, workspaceName | $filter, $orderby, $top, $skipToken | Gets all incidents. |
create_or_update | insert | subscriptionId, resourceGroupName, workspaceName, incidentId | Creates or updates an incident. | |
delete | delete | subscriptionId, resourceGroupName, workspaceName, incidentId | Deletes a given incident. | |
run_playbook | exec | subscriptionId, resourceGroupName, workspaceName, incidentIdentifier, logicAppsResourceId | Triggers playbook on a specific incident |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
| Name | Datatype | Description |
|---|---|---|
incidentId | string | Incident ID |
incidentIdentifier | string | Incident ID |
resourceGroupName | string | The name of the resource group. The name is case insensitive. |
subscriptionId | string | The ID of the target subscription. |
workspaceName | string | The name of the workspace. |
$filter | string | Filters the results, based on a Boolean condition. Optional. |
$orderby | string | Sorts the results. Optional. |
$skipToken | string | Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional. |
$top | integer (int32) | Returns only the first n results. Optional. |
SELECT examples
- get
- list
Gets a given incident.
SELECT
etag,
properties
FROM azure.sentinel.incidents
WHERE subscriptionId = '{{ subscriptionId }}' -- required
AND resourceGroupName = '{{ resourceGroupName }}' -- required
AND workspaceName = '{{ workspaceName }}' -- required
AND incidentId = '{{ incidentId }}' -- required
;
Gets all incidents.
SELECT
etag,
properties
FROM azure.sentinel.incidents
WHERE subscriptionId = '{{ subscriptionId }}' -- required
AND resourceGroupName = '{{ resourceGroupName }}' -- required
AND workspaceName = '{{ workspaceName }}' -- required
AND $filter = '{{ $filter }}'
AND $orderby = '{{ $orderby }}'
AND $top = '{{ $top }}'
AND $skipToken = '{{ $skipToken }}'
;
INSERT examples
- create_or_update
- Manifest
Creates or updates an incident.
INSERT INTO azure.sentinel.incidents (
data__etag,
data__properties,
subscriptionId,
resourceGroupName,
workspaceName,
incidentId
)
SELECT
'{{ etag }}',
'{{ properties }}',
'{{ subscriptionId }}',
'{{ resourceGroupName }}',
'{{ workspaceName }}',
'{{ incidentId }}'
RETURNING
etag,
properties
;
# Description fields are for documentation purposes
- name: incidents
props:
- name: subscriptionId
value: string
description: Required parameter for the incidents resource.
- name: resourceGroupName
value: string
description: Required parameter for the incidents resource.
- name: workspaceName
value: string
description: Required parameter for the incidents resource.
- name: incidentId
value: string
description: Required parameter for the incidents resource.
- name: etag
value: string
description: |
Etag of the azure resource
- name: properties
value: object
description: |
Incident properties
DELETE examples
- delete
Deletes a given incident.
DELETE FROM azure.sentinel.incidents
WHERE subscriptionId = '{{ subscriptionId }}' --required
AND resourceGroupName = '{{ resourceGroupName }}' --required
AND workspaceName = '{{ workspaceName }}' --required
AND incidentId = '{{ incidentId }}' --required
;
Lifecycle Methods
- run_playbook
Triggers playbook on a specific incident
EXEC azure.sentinel.incidents.run_playbook
@subscriptionId='{{ subscriptionId }}' --required,
@resourceGroupName='{{ resourceGroupName }}' --required,
@workspaceName='{{ workspaceName }}' --required,
@incidentIdentifier='{{ incidentIdentifier }}' --required
@@json=
'{
"tenantId": "{{ tenantId }}",
"logicAppsResourceId": "{{ logicAppsResourceId }}"
}'
;