# Microsoft Sentinel

> Reference for the Tracecat Microsoft Sentinel integration: registered actions, required secrets, expected inputs, and example workflow usage.

## Create incident comment

Action ID: `tools.microsoft_sentinel.create_incident_comment`

Create a comment on an incident in Microsoft Sentinel.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-comments/create-or-update?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-comments/create-or-update?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="comment_id" type="string" required>
  Comment ID (GUID).
</ParamField>

<ParamField path="incident_id" type="string" required>
  Incident ID.
</ParamField>

<ParamField path="message" type="string" required>
  Comment message text.
</ParamField>

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>
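As an added example (not Tracecat's or Microsoft's own code), the following Python builds and validates the Azure Management API request behind this action and generalises the same construction to a few of the other actions documented further down this page. The route templates come from the Azure REST reference linked in each section; the helper names (`build_request`, `incident_comment_body`) and the sample IDs are assumptions constructed for the example. The check that matters most is the one on `base_url`: the OAuth bearer token is sent to whichever host the URL names, so only the two documented values are accepted.

```python
"""Request construction and input validation for the Tracecat Microsoft
Sentinel actions documented on this page (added example, not Tracecat code)."""
import re
import uuid
from urllib.parse import quote

# Allowed base URLs and default api-version exactly as this page documents them.
ALLOWED_BASE_URLS = frozenset({
    "https://management.azure.com",
    "https://management.usgovcloudapi.net",
})
DEFAULT_API_VERSION = "2025-09-01"

# Every action here is scoped to one Log Analytics workspace; this ARM prefix
# is shared by all Security Insights routes.
WORKSPACE_PREFIX = (
    "/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}"
    "/providers/Microsoft.OperationalInsights/workspaces/{workspace_name}"
    "/providers/Microsoft.SecurityInsights"
)

# HTTP method and route suffix for a subset of the documented actions, taken
# from the Azure REST reference linked in each section of this page.
ROUTES = {
    "create_incident_comment": ("PUT", "/incidents/{incident_id}/comments/{comment_id}"),
    "get_incident_relation": ("GET", "/incidents/{incident_id}/relations/{relation_name}"),
    "get_alert_rule": ("GET", "/alertRules/{rule_id}"),
    "create_or_update_watchlist_item": (
        "PUT", "/watchlists/{watchlist_alias}/watchlistItems/{watchlist_item_id}"),
    "create_threat_intelligence_indicator": (
        "PUT", "/threatIntelligence/main/indicators/{indicator_name}"),
}

# Inputs this page documents as GUIDs; every other ID is an opaque string.
GUID_FIELDS = frozenset({"comment_id", "relation_name", "indicator_name"})
API_VERSION_RE = re.compile(r"^\d{4}-\d{2}-\d{2}(-preview)?$")


def _path_segment(name: str, value: str) -> str:
    """Validate one path parameter and percent-encode it, so a hostile or
    mistyped workflow input cannot splice extra segments or a query string
    into the ARM path and address a different resource."""
    if not isinstance(value, str) or not value.strip():
        raise ValueError(f"{name} must be a non-empty string")
    if name in GUID_FIELDS:
        try:
            uuid.UUID(value)
        except ValueError:
            raise ValueError(f"{name} must be a GUID, got {value!r}") from None
    if any(ch in value for ch in "/\\?#") or ".." in value:
        raise ValueError(f"{name} contains path-unsafe characters: {value!r}")
    return quote(value, safe="")


def build_request(action: str, *, subscription_id: str, resource_group_name: str,
                  workspace_name: str, base_url: str = "https://management.azure.com",
                  api_version: str = DEFAULT_API_VERSION, **path_params: str) -> dict:
    """Return {"method": ..., "url": ...} for a documented action, or raise
    ValueError. The base_url check is the security-relevant one: the OAuth
    bearer token travels to whatever host the URL names, so only the two
    documented clouds are accepted, never an arbitrary workflow-supplied host."""
    if base_url not in ALLOWED_BASE_URLS:
        raise ValueError(f"base_url not allowed: {base_url!r}")
    if not API_VERSION_RE.match(api_version):
        raise ValueError(f"malformed api_version: {api_version!r}")
    if action not in ROUTES:
        raise ValueError(f"unknown action: {action!r}")
    method, suffix = ROUTES[action]
    template = WORKSPACE_PREFIX + suffix
    params = {"subscription_id": subscription_id, "resource_group_name": resource_group_name,
              "workspace_name": workspace_name, **path_params}
    needed = set(re.findall(r"{(\w+)}", template))
    if needed != set(params):
        raise ValueError(f"{action}: missing {sorted(needed - set(params))}, "
                         f"unexpected {sorted(set(params) - needed)}")
    path = template.format(**{k: _path_segment(k, v) for k, v in params.items()})
    return {"method": method, "url": f"{base_url}{path}?api-version={api_version}"}


def incident_comment_body(message: str) -> dict:
    """PUT body for create_incident_comment; `message` is the only body field
    this page documents for the action."""
    if not isinstance(message, str) or not message.strip():
        raise ValueError("message must not be empty")
    return {"properties": {"message": message}}


if __name__ == "__main__":
    # Constructed sample IDs, not real Azure resources.
    good = dict(subscription_id="00000000-0000-0000-0000-000000000001",
                resource_group_name="soc-rg", workspace_name="soc-law",
                incident_id="11111111-1111-1111-1111-111111111111",
                comment_id="22222222-2222-2222-2222-222222222222")
    req = build_request("create_incident_comment", **good)
    print(req["method"], req["url"])
    print(incident_comment_body("Triaged by Tracecat: benign, closing."))
    for bad in ({"base_url": "https://management.example.net"},
                {"comment_id": "not-a-guid"},
                {"incident_id": "x/../../alertRules/r1"}):
        try:
            build_request("create_incident_comment", **{**good, **bad})
        except ValueError as exc:
            print("rejected:", exc)
```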

## Create or update alert rule

Action ID: `tools.microsoft_sentinel.create_or_update_alert_rule`

Create or update an alert rule in a Microsoft Sentinel workspace.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/create-or-update?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/create-or-update?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="properties" type="object" required>
  Alert rule properties including kind, displayName, enabled, query, etc.
</ParamField>

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="rule_id" type="string" required>
  Alert rule ID.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## Create or update bookmark

Action ID: `tools.microsoft_sentinel.create_or_update_bookmark`

Create or update a bookmark in a Microsoft Sentinel workspace.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/create-or-update?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/create-or-update?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="bookmark_id" type="string" required>
  Bookmark ID.
</ParamField>

<ParamField path="properties" type="object" required>
  Bookmark properties including displayName, notes, query, labels, etc.
</ParamField>

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## Create or update incident

Action ID: `tools.microsoft_sentinel.create_or_update_incident`

Create or update an incident in a Microsoft Sentinel workspace.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/create-or-update?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/create-or-update?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="incident_id" type="string" required>
  Incident ID.
</ParamField>

<ParamField path="properties" type="object" required>
  Incident properties including title, severity, status, description, etc.
</ParamField>

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## Create or update incident relation

Action ID: `tools.microsoft_sentinel.create_or_update_incident_relation`

Create or update a relation for an incident in Microsoft Sentinel.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/create-or-update?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/create-or-update?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="incident_id" type="string" required>
  Incident ID.
</ParamField>

<ParamField path="properties" type="object" required>
  Relation properties including relatedResourceId.
</ParamField>

<ParamField path="relation_name" type="string" required>
  Relation name (GUID).
</ParamField>

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## Create or update watchlist

Action ID: `tools.microsoft_sentinel.create_or_update_watchlist`

Create or update a watchlist in a Microsoft Sentinel workspace.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/create-or-update?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/create-or-update?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="properties" type="object" required>
  Watchlist properties including displayName, provider, source, itemsSearchKey, etc.
</ParamField>

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="watchlist_alias" type="string" required>
  Watchlist alias.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## Create or update watchlist item

Action ID: `tools.microsoft_sentinel.create_or_update_watchlist_item`

Create or update an item in a watchlist in Microsoft Sentinel.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/create-or-update?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/create-or-update?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="properties" type="object" required>
  Watchlist item properties including itemsKeyValue.
</ParamField>

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="watchlist_alias" type="string" required>
  Watchlist alias.
</ParamField>

<ParamField path="watchlist_item_id" type="string" required>
  Watchlist item ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## Create threat intelligence indicator

Action ID: `tools.microsoft_sentinel.create_threat_intelligence_indicator`

Create a threat intelligence indicator in a Microsoft Sentinel workspace.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicator/create?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicator/create?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="indicator_name" type="string" required>
  Threat intelligence indicator name (GUID).
</ParamField>

<ParamField path="properties" type="object" required>
  Indicator properties including kind, pattern, patternType, source, displayName, etc.
</ParamField>

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## Delete alert rule

Action ID: `tools.microsoft_sentinel.delete_alert_rule`

Delete an alert rule from a Microsoft Sentinel workspace.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/delete?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/delete?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="rule_id" type="string" required>
  Alert rule ID.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## Delete bookmark

Action ID: `tools.microsoft_sentinel.delete_bookmark`

Delete a bookmark from a Microsoft Sentinel workspace.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/delete?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/delete?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="bookmark_id" type="string" required>
  Bookmark ID.
</ParamField>

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## Delete incident

Action ID: `tools.microsoft_sentinel.delete_incident`

Delete an incident from a Microsoft Sentinel workspace.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/delete?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/delete?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="incident_id" type="string" required>
  Incident ID.
</ParamField>

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## Delete incident comment

Action ID: `tools.microsoft_sentinel.delete_incident_comment`

Delete a comment from an incident in Microsoft Sentinel.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-comments/delete?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-comments/delete?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="comment_id" type="string" required>
  Comment ID.
</ParamField>

<ParamField path="incident_id" type="string" required>
  Incident ID.
</ParamField>

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## Delete incident relation

Action ID: `tools.microsoft_sentinel.delete_incident_relation`

Delete a relation from an incident in Microsoft Sentinel.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/delete?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/delete?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="incident_id" type="string" required>
  Incident ID.
</ParamField>

<ParamField path="relation_name" type="string" required>
  Relation name.
</ParamField>

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## Delete threat intelligence indicator

Action ID: `tools.microsoft_sentinel.delete_threat_intelligence_indicator`

Delete a threat intelligence indicator from a Microsoft Sentinel workspace.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicator/delete?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicator/delete?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="indicator_name" type="string" required>
  Threat intelligence indicator name.
</ParamField>

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## Delete watchlist

Action ID: `tools.microsoft_sentinel.delete_watchlist`

Delete a watchlist from a Microsoft Sentinel workspace.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/delete?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/delete?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="watchlist_alias" type="string" required>
  Watchlist alias.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## Delete watchlist item

Action ID: `tools.microsoft_sentinel.delete_watchlist_item`

Delete an item from a watchlist in Microsoft Sentinel.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/delete?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/delete?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="watchlist_alias" type="string" required>
  Watchlist alias.
</ParamField>

<ParamField path="watchlist_item_id" type="string" required>
  Watchlist item ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## Get alert rule

Action ID: `tools.microsoft_sentinel.get_alert_rule`

Get a specific alert rule by ID from a Microsoft Sentinel workspace.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/get?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/get?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="rule_id" type="string" required>
  Alert rule ID.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## Get alert rule template

Action ID: `tools.microsoft_sentinel.get_alert_rule_template`

Get a specific alert rule template by ID from a Microsoft Sentinel workspace.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rule-templates/get?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rule-templates/get?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="alert_rule_template_id" type="string" required>
  Alert rule template ID.
</ParamField>

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## Get bookmark

Action ID: `tools.microsoft_sentinel.get_bookmark`

Get a specific bookmark by ID from a Microsoft Sentinel workspace.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/get?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/get?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="bookmark_id" type="string" required>
  Bookmark ID.
</ParamField>

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## Get incident

Action ID: `tools.microsoft_sentinel.get_incident`

Get a specific incident by ID from a Microsoft Sentinel workspace.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/get?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/get?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="incident_id" type="string" required>
  Incident ID.
</ParamField>

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## Get incident relation

Action ID: `tools.microsoft_sentinel.get_incident_relation`

Get a specific relation for an incident in Microsoft Sentinel.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/get?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/get?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="incident_id" type="string" required>
  Incident ID.
</ParamField>

<ParamField path="relation_name" type="string" required>
  Relation name (GUID).
</ParamField>

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## Get threat intelligence indicator

Action ID: `tools.microsoft_sentinel.get_threat_intelligence_indicator`

Get a specific threat intelligence indicator by name from Microsoft Sentinel.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicator/get?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicator/get?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="indicator_name" type="string" required>
  Threat intelligence indicator name (GUID).
</ParamField>

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## Get watchlist

Action ID: `tools.microsoft_sentinel.get_watchlist`

Get a specific watchlist by alias from a Microsoft Sentinel workspace.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/get?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/get?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="watchlist_alias" type="string" required>
  Watchlist alias.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## Get watchlist item

Action ID: `tools.microsoft_sentinel.get_watchlist_item`

Get a specific item from a watchlist in Microsoft Sentinel.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/get?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/get?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="watchlist_alias" type="string" required>
  Watchlist alias.
</ParamField>

<ParamField path="watchlist_item_id" type="string" required>
  Watchlist item ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## List alert rule templates

Action ID: `tools.microsoft_sentinel.list_alert_rule_templates`

Get all alert rule templates available in a Microsoft Sentinel workspace.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rule-templates/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rule-templates/list?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## List alert rules

Action ID: `tools.microsoft_sentinel.list_alert_rules`

Get all alert rules in a Microsoft Sentinel workspace.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/list?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## List bookmarks

Action ID: `tools.microsoft_sentinel.list_bookmarks`

Get all bookmarks in a Microsoft Sentinel workspace.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/bookmarks/list?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## List incident alerts

Action ID: `tools.microsoft_sentinel.list_incident_alerts`

Get all alerts related to a specific incident in Microsoft Sentinel.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list-alerts?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list-alerts?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="incident_id" type="string" required>
  Incident ID.
</ParamField>

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## List incident bookmarks

Action ID: `tools.microsoft_sentinel.list_incident_bookmarks`

Get all bookmarks related to a specific incident in Microsoft Sentinel.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list-bookmarks?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list-bookmarks?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="incident_id" type="string" required>
  Incident ID.
</ParamField>

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## List incident comments

Action ID: `tools.microsoft_sentinel.list_incident_comments`

Get all comments for a specific incident in Microsoft Sentinel.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-comments/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-comments/list?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="incident_id" type="string" required>
  Incident ID.
</ParamField>

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## List incident entities

Action ID: `tools.microsoft_sentinel.list_incident_entities`

Get all entities related to a specific incident in Microsoft Sentinel.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list-entities?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list-entities?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="incident_id" type="string" required>
  Incident ID.
</ParamField>

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## List incident relations

Action ID: `tools.microsoft_sentinel.list_incident_relations`

Get all relations for a specific incident in Microsoft Sentinel.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incident-relations/list?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="incident_id" type="string" required>
  Incident ID.
</ParamField>

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## List incidents

Action ID: `tools.microsoft_sentinel.list_incidents`

Get all incidents in a Microsoft Sentinel workspace.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

<ParamField path="filter" type="string | null">
  OData filter expression (e.g., "properties/status eq 'Active'").

  Default: `null`.
</ParamField>

<ParamField path="orderby" type="string | null">
  OData orderby expression (e.g., "properties/createdTimeUtc desc").

  Default: `null`.
</ParamField>

<ParamField path="skip_token" type="string | null">
  Skip token for pagination, as returned in the `nextLink` of the previous page.

  Default: `null`.
</ParamField>

<ParamField path="top" type="integer | null">
  Maximum number of incidents to return.

  Default: `null`.
</ParamField>

## List threat intelligence indicators

Action ID: `tools.microsoft_sentinel.list_threat_intelligence_indicators`

Get all threat intelligence indicators in a Microsoft Sentinel workspace.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicators/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicators/list?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

<ParamField path="filter" type="string | null">
  OData filter expression.

  Default: `null`.
</ParamField>

<ParamField path="orderby" type="string | null">
  OData orderby expression.

  Default: `null`.
</ParamField>

<ParamField path="skip_token" type="string | null">
  Skip token for pagination, as returned in the `nextLink` of the previous page.

  Default: `null`.
</ParamField>

<ParamField path="top" type="integer | null">
  Maximum number of indicators to return.

  Default: `null`.
</ParamField>
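Worked example, added here and not taken from Tracecat or from the page: how the `filter`, `orderby`, `top` and `skip_token` inputs of `list_incidents` and `list_threat_intelligence_indicators` map onto the Azure Resource Manager request, why any value spliced into `filter` must be quoted OData-style (a stray single quote from a ticket or alert field otherwise breaks or widens the predicate), and how the next page's `skip_token` is recovered from the `nextLink` the API returns. `FakeArmClient`, its sample incidents and the `ALLOWED_BASE_URLS` check are constructed stand-ins for the HTTP call Tracecat performs; the resource path and `$filter`/`$orderby`/`$top`/`$skipToken` parameter names follow the public Security Insights REST API.

```python
from __future__ import annotations

from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# The two Azure Resource Manager endpoints the actions accept as base_url.
# Rejecting anything else keeps the bearer token from being sent elsewhere.
ALLOWED_BASE_URLS = {"https://management.azure.com", "https://management.usgovcloudapi.net"}


def odata_literal(value: str) -> str:
    """Quote a string for an OData $filter; an embedded single quote is doubled."""
    return "'" + value.replace("'", "''") + "'"


def incidents_filter(status=None, severity=None, owner_upn=None) -> Optional[str]:
    """Compose the `filter` input from optional predicates; None when nothing is set."""
    clauses = []
    if status:
        clauses.append(f"properties/status eq {odata_literal(status)}")
    if severity:
        clauses.append(f"properties/severity eq {odata_literal(severity)}")
    if owner_upn:
        clauses.append(f"properties/owner/userPrincipalName eq {odata_literal(owner_upn)}")
    return " and ".join(clauses) or None


def incidents_path(subscription_id: str, resource_group_name: str, workspace_name: str) -> str:
    """ARM resource path of the incidents collection for one workspace."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace_name}"
            f"/providers/Microsoft.SecurityInsights/incidents")


def list_params(api_version, filter=None, orderby=None, top=None, skip_token=None) -> dict:
    """Query string for one page; parameter names mirror the action inputs."""
    params = {"api-version": api_version}
    if filter:
        params["$filter"] = filter
    if orderby:
        params["$orderby"] = orderby
    if top is not None:
        params["$top"] = str(top)
    if skip_token:
        params["$skipToken"] = skip_token
    return params


def skip_token_from_next_link(next_link: Optional[str]) -> Optional[str]:
    """The next page is advertised as a full URL; the skip_token input is its $skipToken."""
    if not next_link:
        return None
    return parse_qs(urlparse(next_link).query).get("$skipToken", [None])[0]


class FakeArmClient:
    """Constructed stand-in for the ARM call: serves `incidents` `page_size` at a time."""

    def __init__(self, base_url: str, incidents: list, page_size: int = 2):
        self.base_url, self.incidents, self.page_size = base_url, incidents, page_size
        self.requests = []  # every (path, params) seen, for inspection

    def get(self, path: str, params: dict) -> dict:
        self.requests.append((path, dict(params)))
        start = int(params.get("$skipToken", "0"))
        body = {"value": self.incidents[start:start + self.page_size]}
        if start + self.page_size < len(self.incidents):
            nxt = dict(params, **{"$skipToken": str(start + self.page_size)})
            body["nextLink"] = f"{self.base_url}{path}?{urlencode(nxt)}"
        return body


def list_all_incidents(client, subscription_id, resource_group_name, workspace_name,
                       api_version="2025-09-01", filter=None, orderby=None, top=None,
                       max_pages=50) -> list:
    """Follow skip tokens until the last page, with loop and runaway protection."""
    if client.base_url not in ALLOWED_BASE_URLS:
        raise ValueError(f"refusing to send a bearer token to {client.base_url}")
    path = incidents_path(subscription_id, resource_group_name, workspace_name)
    results, skip_token, seen = [], None, set()
    for _ in range(max_pages):
        body = client.get(path, list_params(api_version, filter, orderby, top, skip_token))
        results.extend(body.get("value", []))
        skip_token = skip_token_from_next_link(body.get("nextLink"))
        if not skip_token:
            break
        if skip_token in seen:  # a server re-issuing a token would otherwise loop forever
            raise RuntimeError("pagination loop detected")
        seen.add(skip_token)
    else:
        raise RuntimeError(f"gave up after {max_pages} pages")
    return results


# Constructed sample data: five incidents, all Active, so three pages of two.
SAMPLE_INCIDENTS = [
    {"name": f"inc-{i}", "properties": {"status": "Active", "severity": "High"}} for i in range(5)
]

if __name__ == "__main__":
    client = FakeArmClient("https://management.azure.com", SAMPLE_INCIDENTS)
    page_filter = incidents_filter(status="Active", owner_upn="o'brien@example.com")
    got = list_all_incidents(client, "sub", "rg", "ws", filter=page_filter,
                             orderby="properties/createdTimeUtc desc", top=2)
    print(page_filter, [i["name"] for i in got], len(client.requests), sep="\n")
```

In a workflow the loop body corresponds to one `list_incidents` call per iteration, passing the `skip_token` recovered from the previous result's `nextLink` together with the same `filter`, `orderby` and `top`; the same pattern applies to `list_threat_intelligence_indicators`, whose inputs are identical.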

## List watchlist items

Action ID: `tools.microsoft_sentinel.list_watchlist_items`

Get all items in a specific watchlist in Microsoft Sentinel.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlist-items/list?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="watchlist_alias" type="string" required>
  Watchlist alias.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>
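Worked example, added here and not part of Tracecat or the page: a triage step that joins the result of `list_incident_entities` with the result of `list_watchlist_items`, pulling the IPs, accounts, hosts and file hashes out of an incident's entities, normalising them, and checking them against a watchlist column (here an allowlist of approved scanners keyed on `IpAddress`). The two response bodies are constructed samples shaped like the entity and watchlist-item objects the Sentinel REST API returns; the column name `IpAddress` and the "approved scanner" semantics are assumptions for the example.

```python
from __future__ import annotations

from typing import Dict, List, Tuple

Observable = Tuple[str, str]  # (type, normalized value)


def account_identifier(p: dict) -> str:
    """Render an Account entity as UPN, NT-style name, or bare name, lower-cased."""
    name = p.get("accountName", "")
    if p.get("upnSuffix"):
        return f"{name}@{p['upnSuffix']}".lower()
    if p.get("ntDomain"):
        return f"{p['ntDomain']}\\{name}".lower()
    return name.lower()


def extract_observables(entities_response: dict) -> List[Observable]:
    """Walk the `entities` array and return de-duplicated (type, value) pairs."""
    found: List[Observable] = []
    for entity in entities_response.get("entities", []):
        kind, p = entity.get("kind"), entity.get("properties", {})
        if kind == "Ip" and p.get("address"):
            found.append(("ip", p["address"].strip()))
        elif kind == "Account" and p.get("accountName"):
            found.append(("account", account_identifier(p)))
        elif kind == "Host" and p.get("hostName"):
            host = p["hostName"]
            if p.get("dnsDomain"):
                host = f"{host}.{p['dnsDomain']}"
            found.append(("host", host.lower()))
        elif kind == "FileHash" and p.get("hashValue"):
            found.append(("filehash", p["hashValue"].lower()))
        elif kind == "Url" and p.get("url"):
            found.append(("url", p["url"]))
        # Other kinds (Process, MailMessage, ...) are not observables for this check.
    return list(dict.fromkeys(found))  # de-duplicate, keeping first-seen order


def index_watchlist(items_response: dict, key_column: str) -> Dict[str, dict]:
    """Map the chosen watchlist column (trimmed, lower-cased) to the item's key/values."""
    index: Dict[str, dict] = {}
    for item in items_response.get("value", []):
        kv = item.get("properties", {}).get("itemsKeyValue", {})
        if kv.get(key_column) is not None:
            index[str(kv[key_column]).strip().lower()] = kv
    return index


def watchlist_hits(observables, observable_type: str, index: Dict[str, dict]):
    """Observables of one type that appear in the watchlist index."""
    return [(v, index[v]) for t, v in observables if t == observable_type and v in index]


def all_ips_allowlisted(observables, index: Dict[str, dict]) -> bool:
    """True only when the incident has at least one IP and every IP is on the list;
    an incident with one unlisted IP must not be suppressed."""
    ips = [v for t, v in observables if t == "ip"]
    return bool(ips) and all(ip in index for ip in ips)


# Constructed sample shaped like a list_incident_entities result.
SAMPLE_ENTITIES = {
    "entities": [
        {"kind": "Ip", "name": "ip-1", "properties": {"address": "203.0.113.7"}},
        {"kind": "Account", "name": "acct-1",
         "properties": {"accountName": "jdoe", "upnSuffix": "example.com"}},
        {"kind": "Host", "name": "host-1",
         "properties": {"hostName": "WS-042", "dnsDomain": "corp.example.com"}},
        {"kind": "FileHash", "name": "hash-1",
         "properties": {"algorithm": "SHA256", "hashValue": "E3B0C44298FC1C149AFBF4C8996FB924"}},
        {"kind": "Ip", "name": "ip-2", "properties": {"address": "203.0.113.7"}},  # duplicate
    ],
    "metaData": [{"entityKind": "Ip", "count": 2}, {"entityKind": "Account", "count": 1},
                 {"entityKind": "Host", "count": 1}, {"entityKind": "FileHash", "count": 1}],
}

# Constructed sample shaped like a list_watchlist_items result for an allowlist.
SAMPLE_WATCHLIST_ITEMS = {
    "value": [
        {"name": "item-1", "properties": {"watchlistItemId": "item-1", "itemsKeyValue": {
            "IpAddress": "203.0.113.7", "Owner": "vuln-scanning", "Notes": "authorized scanner"}}},
        {"name": "item-2", "properties": {"watchlistItemId": "item-2", "itemsKeyValue": {
            "IpAddress": "198.51.100.20", "Owner": "vuln-scanning", "Notes": "authorized scanner"}}},
    ]
}

if __name__ == "__main__":
    observables = extract_observables(SAMPLE_ENTITIES)
    allowlist = index_watchlist(SAMPLE_WATCHLIST_ITEMS, "IpAddress")
    print(observables)
    print(watchlist_hits(observables, "ip", allowlist))
    print("suppress:", all_ips_allowlisted(observables, allowlist))
```

The hit list is what a workflow would write back with `create_incident_comment` (the matching row's `Owner` and `Notes` explain why the alert is benign), and `all_ips_allowlisted` is the gate that decides whether the incident can be closed automatically; keying the index on a normalised value avoids misses caused by case or whitespace differences between the watchlist CSV and the entity data.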

## List watchlists

Action ID: `tools.microsoft_sentinel.list_watchlists`

Get all watchlists in a Microsoft Sentinel workspace.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/list?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/watchlists/list?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>

## Query threat intelligence indicators

Action ID: `tools.microsoft_sentinel.query_threat_intelligence_indicators`

Query threat intelligence indicators using advanced filters in Microsoft Sentinel.

Reference: [https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicators?view=rest-securityinsights-2025-09-01](https://learn.microsoft.com/en-us/rest/api/securityinsights/threat-intelligence-indicators?view=rest-securityinsights-2025-09-01)

### Secrets

Optional secrets:

* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_USER_TOKEN`.
* `microsoft_sentinel_oauth`: OAuth token `MICROSOFT_SENTINEL_SERVICE_TOKEN`.

### Input fields

<ParamField path="query" type="object" required>
  Query parameters including keywords, patternTypes, sources, threatTypes, etc.
</ParamField>

<ParamField path="resource_group_name" type="string" required>
  Azure resource group name.
</ParamField>

<ParamField path="subscription_id" type="string" required>
  Azure subscription ID.
</ParamField>

<ParamField path="workspace_name" type="string" required>
  Log Analytics workspace name.
</ParamField>

<ParamField path="api_version" type="string">
  API version.

  Default: `"2025-09-01"`.
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Management API.

  Default: `"https://management.azure.com"`.

  Allowed values: `https://management.azure.com`, `https://management.usgovcloudapi.net`.
</ParamField>
