incidents
Creates, updates, deletes, gets or lists an incidents resource.
Overview
Name | incidents |
Type | Resource |
Id | azure.sentinel.incidents |
Fields
vw_incidents
Name | Datatype | Description |
---|---|---|
description | text | field from the properties object |
additional_data | text | field from the properties object |
classification | text | field from the properties object |
classification_comment | text | field from the properties object |
classification_reason | text | field from the properties object |
created_time_utc | text | field from the properties object |
etag | text | Etag of the azure resource |
first_activity_time_utc | text | field from the properties object |
incidentId | text | field from the properties object |
incident_number | text | field from the properties object |
incident_url | text | field from the properties object |
labels | text | field from the properties object |
last_activity_time_utc | text | field from the properties object |
last_modified_time_utc | text | field from the properties object |
owner | text | field from the properties object |
provider_incident_id | text | field from the properties object |
provider_name | text | field from the properties object |
related_analytic_rule_ids | text | field from the properties object |
resourceGroupName | text | field from the properties object |
severity | text | field from the properties object |
status | text | field from the properties object |
subscriptionId | text | field from the properties object |
title | text | field from the properties object |
workspaceName | text | field from the properties object |
incidents
Name | Datatype | Description |
---|---|---|
etag | string | Etag of the azure resource |
properties | object | Describes incident properties |
Methods
Name | Accessible by | Required Params | Description |
---|---|---|---|
get | SELECT | incidentId, resourceGroupName, subscriptionId, workspaceName | Gets a given incident. |
list | SELECT | resourceGroupName, subscriptionId, workspaceName | Gets all incidents. |
create_or_update | INSERT | incidentId, resourceGroupName, subscriptionId, workspaceName | Creates or updates an incident. |
delete | DELETE | incidentId, resourceGroupName, subscriptionId, workspaceName | Deletes a given incident. |
run_playbook | EXEC | incidentIdentifier, resourceGroupName, subscriptionId, workspaceName, data__logicAppsResourceId | Triggers a playbook on a specific incident. |
SELECT examples
Gets all incidents.
vw_incidents
```sql
SELECT
  description,
  additional_data,
  classification,
  classification_comment,
  classification_reason,
  created_time_utc,
  etag,
  first_activity_time_utc,
  incidentId,
  incident_number,
  incident_url,
  labels,
  last_activity_time_utc,
  last_modified_time_utc,
  owner,
  provider_incident_id,
  provider_name,
  related_analytic_rule_ids,
  resourceGroupName,
  severity,
  status,
  subscriptionId,
  title,
  workspaceName
FROM azure.sentinel.vw_incidents
WHERE resourceGroupName = '{{ resourceGroupName }}'
  AND subscriptionId = '{{ subscriptionId }}'
  AND workspaceName = '{{ workspaceName }}';
```
incidents
```sql
SELECT
  etag,
  properties
FROM azure.sentinel.incidents
WHERE resourceGroupName = '{{ resourceGroupName }}'
  AND subscriptionId = '{{ subscriptionId }}'
  AND workspaceName = '{{ workspaceName }}';
```
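As an added example (not from the StackQL docs), a triage query over the flattened view that narrows the list to unresolved high-severity incidents and returns only the columns an analyst needs to pick up work. The `severity` and `status` values are the Microsoft Sentinel enum strings, and the three scope parameters are substituted exactly as in the list query above.

```sql
-- Added example: unresolved high-severity incidents, newest first.
-- Scope parameters are substituted as in the page's list query.
SELECT
  incident_number,
  title,
  severity,
  status,
  owner,
  created_time_utc,
  last_modified_time_utc,
  incident_url
FROM azure.sentinel.vw_incidents
WHERE resourceGroupName = '{{ resourceGroupName }}'
  AND subscriptionId = '{{ subscriptionId }}'
  AND workspaceName = '{{ workspaceName }}'
  AND severity = 'High'             -- Sentinel severities: High, Medium, Low, Informational
  AND status IN ('New', 'Active')   -- everything not yet Closed
ORDER BY created_time_utc DESC;
```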
INSERT example
Use the following StackQL query and manifest file to create a new incidents resource.
All Properties
```sql
/*+ create */
INSERT INTO azure.sentinel.incidents (
  incidentId,
  resourceGroupName,
  subscriptionId,
  workspaceName,
  etag,
  properties
)
SELECT
  '{{ incidentId }}',
  '{{ resourceGroupName }}',
  '{{ subscriptionId }}',
  '{{ workspaceName }}',
  '{{ etag }}',
  '{{ properties }}'
;
```
Manifest
```yaml
- name: your_resource_model_name
  props:
    - name: etag
      value: string
    - name: properties
      value:
        - name: additionalData
          value:
            - name: alertsCount
              value: integer
            - name: bookmarksCount
              value: integer
            - name: commentsCount
              value: integer
            - name: alertProductNames
              value:
                - string
            - name: tactics
              value:
                - []
            - name: providerIncidentUrl
              value: string
        - name: classification
          value: string
        - name: classificationComment
          value: string
        - name: classificationReason
          value: string
        - name: createdTimeUtc
          value: string
        - name: description
          value: string
        - name: firstActivityTimeUtc
          value: string
        - name: incidentUrl
          value: string
        - name: providerName
          value: string
        - name: providerIncidentId
          value: string
        - name: incidentNumber
          value: integer
        - name: labels
          value:
            - - name: labelName
                value: string
              - name: labelType
                value: []
        - name: lastActivityTimeUtc
          value: string
        - name: lastModifiedTimeUtc
          value: string
        - name: owner
          value:
            - name: email
              value: string
            - name: assignedTo
              value: string
            - name: objectId
              value: string
            - name: userPrincipalName
              value: string
            - name: ownerType
              value: string
        - name: relatedAnalyticRuleIds
          value:
            - string
        - name: severity
          value: []
        - name: status
          value: string
        - name: title
          value: string
```
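An added example, not from the page, of the same INSERT with `properties` filled in as a JSON document that follows the manifest above. It assumes `incidentId` is a caller-chosen GUID placeholder and leaves `etag` out, on the assumption that it is only needed for concurrency checks when updating an existing incident; the title, description and label are constructed sample values.

```sql
/*+ create */
-- Added example: open a new incident with a concrete properties document.
-- Assumptions: incidentId is a GUID chosen by the caller; etag is omitted
-- because it is only used for optimistic concurrency on updates.
INSERT INTO azure.sentinel.incidents (
  incidentId,
  resourceGroupName,
  subscriptionId,
  workspaceName,
  properties
)
SELECT
  '{{ incidentId }}',
  '{{ resourceGroupName }}',
  '{{ subscriptionId }}',
  '{{ workspaceName }}',
  '{
    "title": "Suspicious sign-in from unfamiliar location",
    "description": "Opened from a StackQL triage workflow (constructed sample).",
    "severity": "High",
    "status": "New",
    "labels": [
      { "labelName": "needs-review", "labelType": "User" }
    ]
  }';
```

Because the INSERT maps to `create_or_update` (see the Methods table), re-running it with the same `incidentId` replaces that incident's properties rather than failing.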
DELETE example
Deletes the specified incidents resource.
```sql
/*+ delete */
DELETE FROM azure.sentinel.incidents
WHERE incidentId = '{{ incidentId }}'
  AND resourceGroupName = '{{ resourceGroupName }}'
  AND subscriptionId = '{{ subscriptionId }}'
  AND workspaceName = '{{ workspaceName }}';
```