Security alert
resource.
Note!
Blink is featured in the Microsoft Sentinel Content Hub. Our integration with Microsoft Sentinel is accessible via the Content Hub and allows you to trigger workflows directly from Sentinel incidents and alerts. The JSON below is an example of the incident resource (with its embedded alerts and related entities) that such a trigger receives; identifiers such as the subscription, tenant and workspace IDs are placeholders.
{
"etag": "\"26006812-0000-0100-0000-6889db170000\"",
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sentinelGroup/providers/Microsoft.OperationalInsights/workspaces/sentinel-workspace/providers/Microsoft.SecurityInsights/Incidents/4a59b9b1-1a3a-477c-9d5d-8fe7189ad420",
"name": "4a59b9b1-1a3a-477c-9d5d-8fe7189ad420",
"properties": {
"additionalData": {
"alertProductNames": [
"Azure Sentinel"
],
"alertsCount": 1,
"bookmarksCount": 0,
"commentsCount": 0,
"tactics": [
"CommandAndControl"
],
"techniques": []
},
"alerts": [
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sentinelgroup/providers/Microsoft.OperationalInsights/workspaces/sentinel/providers/Microsoft.SecurityInsights/Entities/",
"kind": "SecurityAlert",
"properties": {
"additionalData": {
"Alert generation status": "Full alert created",
"Analytic Rule Ids": "[\"3472787c-41c2-423a-a765-a018ff56273a\"]",
"Analytic Rule Name": "Malicious IOC Detection",
"AssignedTo": null,
"Category": "CommandAndControl",
"Classification": null,
"Correlation Id": "5eded85c-0ef1-473f-9f36-a0dcde21020d",
"Data Sources": "[]",
"DetectionSource": "scheduledAlerts",
"DetectorId": "11111111-2222-3333-4444-555555555555_3472787c-41c2-423a-a765-a01",
"Determination": null,
"Event Grouping": "SingleAlert",
"IncidentId": "2453302",
"LastUpdated": "7/30/2025 8:40:03 AM",
"OriginSource": "Microsoft 365 defender",
"ProcessedBySentinel": "True",
"Query": "let startTime = ago(1h);\nlet endTime = now();\nSecurityEvent\n| where TimeGenerated between (startTime .. endTime)\n| where EventID == 4688\n| where CommandLine has_any (\"powershell.exe\", \"curl\", \"wget\")\n| extend MaliciousIP = extract(@\"(\\d{1,3}\\.){3}\\d{1,3}\", 0, CommandLine)\n| extend MaliciousURL = extract(@\"http[s]?://[^\\s'\\\"']+\", 0, CommandLine)\n| extend MaliciousHash = \"\"\n| extend Timestamp = TimeGenerated\n| extend HostCustomEntity = Computer\n| extend AccountCustomEntity = Account\n| extend Entities = pack_array(\n pack(\"Type\", \"host\", \"Value\", tostring(Computer)),\n pack(\"Type\", \"account\", \"Value\", tostring(Account)),\n pack(\"Type\", \"ip\", \"Value\", tostring(MaliciousIP)),\n pack(\"Type\", \"url\", \"Value\", tostring(MaliciousURL)),\n pack(\"Type\", \"fileHash\", \"Value\", tostring(MaliciousHash))\n)",
"Query End Time UTC": "2025-07-30 08:35:00Z",
"Query Period": "01:00:00",
"Query Start Time UTC": "2025-07-30 07:35:00Z",
"Search Query Results Overall Count": "2",
"ThreatFamilyName": null,
"ThreatName": null,
"Trigger Operator": "GreaterThan",
"Trigger Threshold": "0"
},
"alertDisplayName": "Malicious IOC Detection",
"alertLink": "https://security.microsoft.com/alerts/sn343db23a-3f9d-46d7-bc31-0347c63825bb?tid=00000000-0000-0000-0000-000000000000",
"alertType": "11111111-2222-3333-4444-555555555555_3472787c-41c2-423a-a765-a018ff56273a",
"confidenceLevel": "Unknown",
"description": "Detect malicious IPs, URLs, and hashes.",
"endTimeUtc": "2025-07-30T08:10:00Z",
"friendlyName": "Malicious IOC Detection",
"processingEndTime": "2025-07-30T08:40:03.2533333Z",
"productComponentName": "Scheduled Alerts",
"productName": "Azure Sentinel",
"providerAlertId": "343db23a-3f9d-46d7-bc31-0347c63825bb",
"resourceIdentifiers": [
{
"type": "LogAnalytics",
"workspaceId": "11111111-2222-3333-4444-555555555555"
}
],
"severity": "High",
"startTimeUtc": "2025-07-30T08:00:00Z",
"status": "New",
"systemAlertId": "91eb84db-17bf-442f-b3a3-913ea800b834",
"tactics": [
"CommandAndControl"
],
"timeGenerated": "2025-07-30T08:40:02.2566667Z",
"vendorName": "Microsoft"
},
"type": "Microsoft.SecurityInsights/Entities"
}
],
"bookmarks": [],
"comments": [],
"createdTimeUtc": "2025-07-30T08:40:02.64Z",
"firstActivityTimeUtc": "2025-07-30T08:00:00Z",
"incidentNumber": 9816109,
"incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fake-rg/providers/Microsoft.OperationalInsights/workspaces/fake-workspace/providers/Microsoft.SecurityInsights/Incidents/4a59b9b1-1a3a-477c-9d5d-8fe7189ad420",
"labels": [],
"lastActivityTimeUtc": "2025-07-30T08:10:00Z",
"lastModifiedTimeUtc": "2025-07-30T08:40:02.83Z",
"owner": {
"assignedTo": null,
"email": null,
"objectId": null,
"userPrincipalName": null
},
"providerIncidentId": "2453302",
"providerName": "Microsoft XDR",
"relatedAnalyticRuleIds": [
"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fake-rg/providers/Microsoft.OperationalInsights/workspaces/fake-workspace/providers/Microsoft.SecurityInsights/alertRules/3472787c-41c2-423a-a765-a018ff56273a"
],
"relatedEntities": [
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sentinelgroup/providers/Microsoft.OperationalInsights/workspaces/sentinel/providers/Microsoft.SecurityInsights/Entities/",
"kind": "Ip",
"properties": {
"address": "8.8.8.8",
"friendlyName": "8.8.8.8"
},
"type": "Microsoft.SecurityInsights/Entities"
},
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sentinelgroup/providers/Microsoft.OperationalInsights/workspaces/sentinel/providers/Microsoft.SecurityInsights/Entities/",
"kind": "Ip",
"properties": {
"address": "10.0.0.5",
"friendlyName": "10.0.0.5"
},
"type": "Microsoft.SecurityInsights/Entities"
},
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sentinelgroup/providers/Microsoft.OperationalInsights/workspaces/sentinel/providers/Microsoft.SecurityInsights/Entities/",
"kind": "Url",
"properties": {
"friendlyName": "http://malicious.example.com/payload.ps1",
"url": "http://malicious.example.com/payload.ps1"
},
"type": "Microsoft.SecurityInsights/Entities"
},
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sentinelgroup/providers/Microsoft.OperationalInsights/workspaces/sentinel/providers/Microsoft.SecurityInsights/Entities/",
"kind": "Url",
"properties": {
"friendlyName": "http://evil.example.org/",
"url": "http://evil.example.org/"
},
"type": "Microsoft.SecurityInsights/Entities"
},
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sentinelgroup/providers/Microsoft.OperationalInsights/workspaces/sentinel/providers/Microsoft.SecurityInsights/Entities/",
"kind": "FileHash",
"properties": {
"algorithm": "SHA256",
"friendlyName": "3F785D1B9E4A6A3E6F917FA431F6E9CDA5C7B0F9177B3A2E1F6A86A5F4C9A123(SHA256)",
"hashValue": "3F785D1B9E4A6A3E6F917FA431F6E9CDA5C7B0F9177B3A2E1F6A86A5F4C9A123"
},
"type": "Microsoft.SecurityInsights/Entities"
}
],
"severity": "High",
"status": "New",
"title": "Malicious IOC Detection"
},
"type": "Microsoft.SecurityInsights/Incidents"
}