

Triggers a workflow when a new incident is detected. Endpoint: https://management.azure.com/subscriptions/{subscription_id}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents
Workflows based on this trigger poll the endpoint for new events once every minute.

Parameters

| Parameter | Description |
| --- | --- |
| Resource Group Name | The name of the resource group. The name is case insensitive. |
| Subscription ID | The ID of the target subscription. |
| Workspace Name | The name of the workspace. |

Sample Event

{
	"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
	"name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
	"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
	"type": "Microsoft.SecurityInsights/incidents",
	"properties": {
		"title": "My incident",
		"description": "This is a demo incident",
		"severity": "High",
		"status": "Closed",
		"classification": "FalsePositive",
		"classificationReason": "InaccurateData",
		"classificationComment": "Not a malicious activity",
		"owner": {
			"objectId": "2046feea-040d-4a46-9e2b-91c2941bfa70",
			"email": "john.doe@contoso.com",
			"assignedTo": "john doe",
			"userPrincipalName": "john@contoso.com",
			"ownerType": "User"
		},
		"labels": [],
		"firstActivityTimeUtc": "2019-01-01T13:00:30Z",
		"lastActivityTimeUtc": "2019-01-01T13:05:30Z",
		"lastModifiedTimeUtc": "2019-01-01T13:15:30Z",
		"createdTimeUtc": "2019-01-01T13:15:30Z",
		"incidentNumber": 3177,
		"additionalData": {
			"alertsCount": 0,
			"bookmarksCount": 0,
			"commentsCount": 3,
			"alertProductNames": [],
			"tactics": [
				"InitialAccess",
				"Persistence"
			],
			"techniques": [
				"T1091",
				"T1133",
				"T1053"
			],
			"providerIncidentUrl": "https://security.microsoft.com/incidents/3177?tid=5b5a146c-eba8-46af-96f8-e31b50d15a3f"
		},
		"relatedAnalyticRuleIds": [
			"/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/alertRules/fab3d2d4-747f-46a7-8ef0-9c0be8112bf7"
		],
		"incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
		"providerName": "Azure Sentinel",
		"providerIncidentId": "3177"
	}
}