Security alert
resource.
Note!
Blink is featured in the Microsoft Sentinel Content Hub. Our integration with Microsoft Sentinel is accessible via the Content Hub and allows you to trigger workflows directly from Sentinel incidents and alerts.
Sample Event
{
"etag": "\"26006812-0000-0100-0000-6889db170000\"",
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sentinelGroup/providers/Microsoft.OperationalInsights/workspaces/sentinel-workspace/providers/Microsoft.SecurityInsights/Incidents/4a59b9b1-1a3a-477c-9d5d-8fe7189ad420",
"name": "4a59b9b1-1a3a-477c-9d5d-8fe7189ad420",
"properties": {
"additionalData": {
"alertProductNames": [
"Azure Sentinel"
],
"alertsCount": 1,
"bookmarksCount": 0,
"commentsCount": 0,
"tactics": [
"CommandAndControl"
],
"techniques": []
},
"alerts": [
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sentinelgroup/providers/Microsoft.OperationalInsights/workspaces/sentinel/providers/Microsoft.SecurityInsights/Entities/",
"kind": "SecurityAlert",
"properties": {
"additionalData": {
"Alert generation status": "Full alert created",
"Analytic Rule Ids": "[\"3472787c-41c2-423a-a765-a018ff56273a\"]",
"Analytic Rule Name": "Malicious IOC Detection",
"AssignedTo": null,
"Category": "CommandAndControl",
"Classification": null,
"Correlation Id": "5eded85c-0ef1-473f-9f36-a0dcde21020d",
"Data Sources": "[]",
"DetectionSource": "scheduledAlerts",
"DetectorId": "11111111-2222-3333-4444-555555555555_3472787c-41c2-423a-a765-a01",
"Determination": null,
"Event Grouping": "SingleAlert",
"IncidentId": "2453302",
"LastUpdated": "7/30/2025 8:40:03 AM",
"OriginSource": "Microsoft 365 defender",
"ProcessedBySentinel": "True",
"Query": "let startTime = ago(1h);\nlet endTime = now();\nSecurityEvent\n| where TimeGenerated between (startTime .. endTime)\n| where EventID == 4688\n| where CommandLine has_any (\"powershell.exe\", \"curl\", \"wget\")\n| extend MaliciousIP = extract(@\"(\\d{1,3}\\.){3}\\d{1,3}\", 0, CommandLine)\n| extend MaliciousURL = extract(@\"http[s]?://[^\\s'\\\"']+\", 0, CommandLine)\n| extend MaliciousHash = \"\"\n| extend Timestamp = TimeGenerated\n| extend HostCustomEntity = Computer\n| extend AccountCustomEntity = Account\n| extend Entities = pack_array(\n pack(\"Type\", \"host\", \"Value\", tostring(Computer)),\n pack(\"Type\", \"account\", \"Value\", tostring(Account)),\n pack(\"Type\", \"ip\", \"Value\", tostring(MaliciousIP)),\n pack(\"Type\", \"url\", \"Value\", tostring(MaliciousURL)),\n pack(\"Type\", \"fileHash\", \"Value\", tostring(MaliciousHash))\n)",
"Query End Time UTC": "2025-07-30 08:35:00Z",
"Query Period": "01:00:00",
"Query Start Time UTC": "2025-07-30 07:35:00Z",
"Search Query Results Overall Count": "2",
"ThreatFamilyName": null,
"ThreatName": null,
"Trigger Operator": "GreaterThan",
"Trigger Threshold": "0"
},
"alertDisplayName": "Malicious IOC Detection",
"alertLink": "https://security.microsoft.com/alerts/sn343db23a-3f9d-46d7-bc31-0347c63825bb?tid=00000000-0000-0000-0000-000000000000",
"alertType": "11111111-2222-3333-4444-555555555555_3472787c-41c2-423a-a765-a018ff56273a",
"confidenceLevel": "Unknown",
"description": "Detect malicious IPs, URLs, and hashes.",
"endTimeUtc": "2025-07-30T08:10:00Z",
"friendlyName": "Malicious IOC Detection",
"processingEndTime": "2025-07-30T08:40:03.2533333Z",
"productComponentName": "Scheduled Alerts",
"productName": "Azure Sentinel",
"providerAlertId": "343db23a-3f9d-46d7-bc31-0347c63825bb",
"resourceIdentifiers": [
{
"type": "LogAnalytics",
"workspaceId": "11111111-2222-3333-4444-555555555555"
}
],
"severity": "High",
"startTimeUtc": "2025-07-30T08:00:00Z",
"status": "New",
"systemAlertId": "91eb84db-17bf-442f-b3a3-913ea800b834",
"tactics": [
"CommandAndControl"
],
"timeGenerated": "2025-07-30T08:40:02.2566667Z",
"vendorName": "Microsoft"
},
"type": "Microsoft.SecurityInsights/Entities"
}
],
"bookmarks": [],
"comments": [],
"createdTimeUtc": "2025-07-30T08:40:02.64Z",
"firstActivityTimeUtc": "2025-07-30T08:00:00Z",
"incidentNumber": 9816109,
"incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fake-rg/providers/Microsoft.OperationalInsights/workspaces/fake-workspace/providers/Microsoft.SecurityInsights/Incidents/4a59b9b1-1a3a-477c-9d5d-8fe7189ad420",
"labels": [],
"lastActivityTimeUtc": "2025-07-30T08:10:00Z",
"lastModifiedTimeUtc": "2025-07-30T08:40:02.83Z",
"owner": {
"assignedTo": null,
"email": null,
"objectId": null,
"userPrincipalName": null
},
"providerIncidentId": "2453302",
"providerName": "Microsoft XDR",
"relatedAnalyticRuleIds": [
"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fake-rg/providers/Microsoft.OperationalInsights/workspaces/fake-workspace/providers/Microsoft.SecurityInsights/alertRules/3472787c-41c2-423a-a765-a018ff56273a"
],
"relatedEntities": [
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sentinelgroup/providers/Microsoft.OperationalInsights/workspaces/sentinel/providers/Microsoft.SecurityInsights/Entities/",
"kind": "Ip",
"properties": {
"address": "8.8.8.8",
"friendlyName": "8.8.8.8"
},
"type": "Microsoft.SecurityInsights/Entities"
},
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sentinelgroup/providers/Microsoft.OperationalInsights/workspaces/sentinel/providers/Microsoft.SecurityInsights/Entities/",
"kind": "Ip",
"properties": {
"address": "10.0.0.5",
"friendlyName": "10.0.0.5"
},
"type": "Microsoft.SecurityInsights/Entities"
},
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sentinelgroup/providers/Microsoft.OperationalInsights/workspaces/sentinel/providers/Microsoft.SecurityInsights/Entities/",
"kind": "Url",
"properties": {
"friendlyName": "http://malicious.example.com/payload.ps1",
"url": "http://malicious.example.com/payload.ps1"
},
"type": "Microsoft.SecurityInsights/Entities"
},
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sentinelgroup/providers/Microsoft.OperationalInsights/workspaces/sentinel/providers/Microsoft.SecurityInsights/Entities/",
"kind": "Url",
"properties": {
"friendlyName": "http://evil.example.org/",
"url": "http://evil.example.org/"
},
"type": "Microsoft.SecurityInsights/Entities"
},
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sentinelgroup/providers/Microsoft.OperationalInsights/workspaces/sentinel/providers/Microsoft.SecurityInsights/Entities/",
"kind": "FileHash",
"properties": {
"algorithm": "SHA256",
"friendlyName": "3F785D1B9E4A6A3E6F917FA431F6E9CDA5C7B0F9177B3A2E1F6A86A5F4C9A123(SHA256)",
"hashValue": "3F785D1B9E4A6A3E6F917FA431F6E9CDA5C7B0F9177B3A2E1F6A86A5F4C9A123"
},
"type": "Microsoft.SecurityInsights/Entities"
}
],
"severity": "High",
"status": "New",
"title": "Malicious IOC Detection"
},
"type": "Microsoft.SecurityInsights/Incidents"
}