Create incident comment
Action ID: tools.microsoft_sentinel.create_incident_comment
Create a comment on an incident in Microsoft Sentinel.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-comments/create-or-update
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Comment ID (GUID).
Incident ID.
Comment message text.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
Create or update alert rule
Action ID: tools.microsoft_sentinel.create_or_update_alert_rule
Create or update an alert rule in Microsoft Sentinel workspace.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/create-or-update
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Alert rule properties including kind, displayName, enabled, query, etc.
Azure resource group name.
Alert rule ID.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
Create or update bookmark
Action ID: tools.microsoft_sentinel.create_or_update_bookmark
Create or update a bookmark in Microsoft Sentinel workspace.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/create-or-update
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Bookmark ID.
Bookmark properties including displayName, notes, query, labels, etc.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
Create or update incident
Action ID: tools.microsoft_sentinel.create_or_update_incident
Create or update an incident in Microsoft Sentinel workspace.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/create-or-update
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Incident ID.
Incident properties including title, severity, status, description, etc.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
Create or update incident relation
Action ID: tools.microsoft_sentinel.create_or_update_incident_relation
Create or update a relation for an incident in Microsoft Sentinel.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/create-or-update
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Incident ID.
Relation properties including relatedResourceId.
Relation name (GUID).
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
Create or update watchlist
Action ID: tools.microsoft_sentinel.create_or_update_watchlist
Create or update a watchlist in Microsoft Sentinel workspace.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/create-or-update
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Watchlist properties including displayName, provider, source, itemsSearchKey, etc.
Azure resource group name.
Azure subscription ID.
Watchlist alias.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
Create or update watchlist item
Action ID: tools.microsoft_sentinel.create_or_update_watchlist_item
Create or update an item in a watchlist in Microsoft Sentinel.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/create-or-update
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Watchlist item properties including itemsKeyValue.
Azure resource group name.
Azure subscription ID.
Watchlist alias.
Watchlist item ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
Create threat intelligence indicator
Action ID: tools.microsoft_sentinel.create_threat_intelligence_indicator
Create a threat intelligence indicator in Microsoft Sentinel workspace.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicator/create
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Threat intelligence indicator name (GUID).
Indicator properties including kind, pattern, patternType, source, displayName, etc.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
Delete alert rule
Action ID: tools.microsoft_sentinel.delete_alert_rule
Delete an alert rule from Microsoft Sentinel workspace.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/delete
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Azure resource group name.
Alert rule ID.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
Delete bookmark
Action ID: tools.microsoft_sentinel.delete_bookmark
Delete a bookmark from Microsoft Sentinel workspace.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/delete
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Bookmark ID.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
Delete incident
Action ID: tools.microsoft_sentinel.delete_incident
Delete an incident from Microsoft Sentinel workspace.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/delete
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Incident ID.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
Delete incident comment
Action ID: tools.microsoft_sentinel.delete_incident_comment
Delete a comment from an incident in Microsoft Sentinel.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-comments/delete
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Comment ID.
Incident ID.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
Delete incident relation
Action ID: tools.microsoft_sentinel.delete_incident_relation
Delete a relation from an incident in Microsoft Sentinel.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/delete
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Incident ID.
Relation name.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
Delete threat intelligence indicator
Action ID: tools.microsoft_sentinel.delete_threat_intelligence_indicator
Delete a threat intelligence indicator from Microsoft Sentinel workspace.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicator/delete
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Threat intelligence indicator name.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
Delete watchlist
Action ID: tools.microsoft_sentinel.delete_watchlist
Delete a watchlist from Microsoft Sentinel workspace.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/delete
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Azure resource group name.
Azure subscription ID.
Watchlist alias.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
Delete watchlist item
Action ID: tools.microsoft_sentinel.delete_watchlist_item
Delete an item from a watchlist in Microsoft Sentinel.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/delete
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Azure resource group name.
Azure subscription ID.
Watchlist alias.
Watchlist item ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
Get alert rule
Action ID: tools.microsoft_sentinel.get_alert_rule
Get a specific alert rule by ID from Microsoft Sentinel workspace.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/get
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Azure resource group name.
Alert rule ID.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
Get alert rule template
Action ID: tools.microsoft_sentinel.get_alert_rule_template
Get a specific alert rule template by ID from Microsoft Sentinel workspace.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rule-templates/get
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Alert rule template ID.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
Get bookmark
Action ID: tools.microsoft_sentinel.get_bookmark
Get a specific bookmark by ID from Microsoft Sentinel workspace.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/get
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Bookmark ID.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
Get incident
Action ID: tools.microsoft_sentinel.get_incident
Get a specific incident by ID from Microsoft Sentinel workspace.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/get
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Incident ID.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
Get incident relation
Action ID: tools.microsoft_sentinel.get_incident_relation
Get a specific relation for an incident in Microsoft Sentinel.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/get
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Incident ID.
Relation name (GUID).
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
Get threat intelligence indicator
Action ID: tools.microsoft_sentinel.get_threat_intelligence_indicator
Get a specific threat intelligence indicator by name from Microsoft Sentinel.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicator/get
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Threat intelligence indicator name (GUID).
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
Get watchlist
Action ID: tools.microsoft_sentinel.get_watchlist
Get a specific watchlist by alias from Microsoft Sentinel workspace.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/get
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Azure resource group name.
Azure subscription ID.
Watchlist alias.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
Get watchlist item
Action ID: tools.microsoft_sentinel.get_watchlist_item
Get a specific item from a watchlist in Microsoft Sentinel.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/get
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Azure resource group name.
Azure subscription ID.
Watchlist alias.
Watchlist item ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
List alert rule templates
Action ID: tools.microsoft_sentinel.list_alert_rule_templates
Get all alert rule templates available in Microsoft Sentinel workspace.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rule-templates/list
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
List alert rules
Action ID: tools.microsoft_sentinel.list_alert_rules
Get all alert rules in Microsoft Sentinel workspace.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/list
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
List bookmarks
Action ID: tools.microsoft_sentinel.list_bookmarks
Get all bookmarks in Microsoft Sentinel workspace.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/list
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
List incident alerts
Action ID: tools.microsoft_sentinel.list_incident_alerts
Get all alerts related to a specific incident in Microsoft Sentinel.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list-alerts
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Incident ID.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
List incident bookmarks
Action ID: tools.microsoft_sentinel.list_incident_bookmarks
Get all bookmarks related to a specific incident in Microsoft Sentinel.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list-bookmarks
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Incident ID.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
List incident comments
Action ID: tools.microsoft_sentinel.list_incident_comments
Get all comments for a specific incident in Microsoft Sentinel.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-comments/list
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Incident ID.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
List incident entities
Action ID: tools.microsoft_sentinel.list_incident_entities
Get all entities related to a specific incident in Microsoft Sentinel.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list-entities
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Incident ID.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
List incident relations
Action ID: tools.microsoft_sentinel.list_incident_relations
Get all relations for a specific incident in Microsoft Sentinel.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/list
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Incident ID.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
List incidents
Action ID: tools.microsoft_sentinel.list_incidents
Get all incidents in Microsoft Sentinel workspace.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
OData filter expression (e.g., "properties/status eq 'Active'"). Default: null.
OData orderby expression (e.g., "properties/createdTimeUtc desc"). Default: null.
Skiptoken for pagination. Default: null.
Maximum number of incidents to return. Default: null.
List threat intelligence indicators
Action ID: tools.microsoft_sentinel.list_threat_intelligence_indicators
Get all threat intelligence indicators in Microsoft Sentinel workspace.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicators/list
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
OData filter expression. Default: null.
OData orderby expression. Default: null.
Skiptoken for pagination. Default: null.
Maximum number of indicators to return. Default: null.
List watchlist items
Action ID: tools.microsoft_sentinel.list_watchlist_items
Get all items in a specific watchlist in Microsoft Sentinel.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/list
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Azure resource group name.
Azure subscription ID.
Watchlist alias.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
List watchlists
Action ID: tools.microsoft_sentinel.list_watchlists
Get all watchlists in Microsoft Sentinel workspace.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/list
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.
Query threat intelligence indicators
Action ID: tools.microsoft_sentinel.query_threat_intelligence_indicators
Query threat intelligence indicators using advanced filters in Microsoft Sentinel.
Reference: https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicators/query-indicators
Secrets
Optional secrets:
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_USER_TOKEN.
microsoft_sentinel_oauth: OAuth token MICROSOFT_SENTINEL_SERVICE_TOKEN.
Input fields
Query parameters including keywords, patternTypes, sources, threatTypes, etc.
Azure resource group name.
Azure subscription ID.
Log Analytics workspace name.
API version. Default: "2025-09-01".
Base URL for the Azure Management API. Default: "https://management.azure.com". Allowed values: https://management.azure.com, https://management.usgovcloudapi.net.