az sentinel incident
Note
This reference is part of the sentinel extension for the Azure CLI (version 2.37.0 or higher). The extension will automatically install the first time you run an az sentinel incident command. Learn more about extensions.
Manage incidents with Sentinel.
Commands
| Name | Description | Type | Status |
|---|---|---|---|
| az sentinel incident comment | Manage incident comments with Sentinel. | Extension | GA |
| az sentinel incident comment create | Create the incident comment. | Extension | Experimental |
| az sentinel incident comment delete | Delete the incident comment. | Extension | Experimental |
| az sentinel incident comment list | Get all incident comments. | Extension | Experimental |
| az sentinel incident comment show | Get an incident comment. | Extension | Experimental |
| az sentinel incident comment update | Update the incident comment. | Extension | Experimental |
| az sentinel incident create | Create the incident. | Extension | Experimental |
| az sentinel incident create-team | Create a Microsoft team to investigate the incident by sharing information and insights between participants. | Extension | Experimental |
| az sentinel incident delete | Delete the incident. | Extension | Experimental |
| az sentinel incident list | Get all incidents. | Extension | Experimental |
| az sentinel incident list-alert | Get all incident alerts. | Extension | Experimental |
| az sentinel incident list-bookmark | Get all incident bookmarks. | Extension | Experimental |
| az sentinel incident list-entity | Get all incident related entities. | Extension | Experimental |
| az sentinel incident relation | Manage incident relations with Sentinel. | Extension | GA |
| az sentinel incident relation create | Create the incident relation. | Extension | Experimental |
| az sentinel incident relation delete | Delete the incident relation. | Extension | Experimental |
| az sentinel incident relation list | Get all incident relations. | Extension | Experimental |
| az sentinel incident relation show | Get an incident relation. | Extension | Experimental |
| az sentinel incident relation update | Update the incident relation. | Extension | Experimental |
| az sentinel incident run-playbook | Trigger a playbook on a specific incident. | Extension | Experimental |
| az sentinel incident show | Get an incident. | Extension | Experimental |
| az sentinel incident update | Update the incident. | Extension | Experimental |
az sentinel incident create
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Create the incident.
az sentinel incident create --incident-id --name
                            --resource-group
                            --workspace-name
                            [--classification {BenignPositive, FalsePositive, TruePositive, Undetermined}]
                            [--classification-comment]
                            [--classification-reason {InaccurateData, IncorrectAlertLogic, SuspiciousActivity, SuspiciousButExpected}]
                            [--description]
                            [--etag]
                            [--first-activity-time-utc]
                            [--labels]
                            [--last-activity-time-utc]
                            [--owner]
                            [--provider-incident-id]
                            [--provider-name]
                            [--severity {High, Informational, Low, Medium}]
                            [--status {Active, Closed, New}]
                            [--title]
Required Parameters
--incident-id --name
Incident ID.
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--workspace-name
The name of the workspace.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--classification
The reason the incident was closed.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
| Accepted values: | BenignPositive, FalsePositive, TruePositive, Undetermined |
--classification-comment
Describes the reason the incident was closed.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
--classification-reason
The classification reason the incident was closed with.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
| Accepted values: | InaccurateData, IncorrectAlertLogic, SuspiciousActivity, SuspiciousButExpected |
--description
The description of the incident.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
--etag
Etag of the Azure resource.
| Property | Value |
|---|---|
| Parameter group: | Incident Arguments |
--first-activity-time-utc
The time of the first activity in the incident.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
--labels
List of labels relevant to this incident. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
--last-activity-time-utc
The time of the last activity in the incident.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
--owner
Describes the user that the incident is assigned to. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
--provider-incident-id
The incident ID assigned by the incident provider.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
--provider-name
The name of the source provider that generated the incident.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
--severity
The severity of the incident.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
| Accepted values: | High, Informational, Low, Medium |
--status
The status of the incident.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
| Accepted values: | Active, Closed, New |
--title
The title of the incident.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
--output -o
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az sentinel incident create-team
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Create a Microsoft team to investigate the incident by sharing information and insights between participants.
az sentinel incident create-team --incident-id
                                 --resource-group
                                 --team-name
                                 --workspace-name
                                 [--group-ids]
                                 [--member-ids]
                                 [--team-description]
Required Parameters
--incident-id
Incident ID.
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--team-name
The name of the team.
| Property | Value |
|---|---|
| Parameter group: | TeamProperties Arguments |
--workspace-name
The name of the workspace.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--group-ids
List of group IDs whose members are added to the team. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | TeamProperties Arguments |
--member-ids
List of member IDs to add to the team. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | TeamProperties Arguments |
--team-description
The description of the team.
| Property | Value |
|---|---|
| Parameter group: | TeamProperties Arguments |
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
--output -o
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az sentinel incident delete
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Delete the incident.
az sentinel incident delete [--ids]
                            [--incident-id --name]
                            [--resource-group]
                            [--subscription]
                            [--workspace-name]
                            [--yes]
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--ids
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
--incident-id --name
Incident ID.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
--workspace-name
The name of the workspace.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
--yes
Do not prompt for confirmation.
| Property | Value |
|---|---|
| Default value: | False |
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
--output -o
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az sentinel incident list
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Get all incidents.
az sentinel incident list --resource-group
                          --workspace-name
                          [--filter]
                          [--orderby]
                          [--skip-token]
                          [--top]
Required Parameters
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--workspace-name
The name of the workspace.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--filter
Filters the results, based on a Boolean condition. Optional.
--orderby
Sorts the results. Optional.
--skip-token
Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.
--top
Returns only the first n results. Optional.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
--output -o
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
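An added example, not from this reference page or the Azure CLI project, of how a triage script would combine the --filter, --orderby and --top parameters of `az sentinel incident list` to pull the newest open incidents of a given severity. It assumes the OData property paths of the Sentinel incidents API (properties/severity, properties/status, properties/createdTimeUtc) and that the CLI flattens incident properties to the top level for --query; setting AZ=echo prints the assembled command instead of calling Azure.

```shell
#!/bin/sh
# Added example (not the CLI's own code). AZ defaults to the real az binary;
# set AZ=echo to see the command that would run without touching Azure.
AZ="${AZ:-az}"

# build_filter SEVERITY STATUS
# Emit an OData $filter for --filter. Either argument may be empty, in which
# case that clause is left out. Property paths are an assumption about the
# Sentinel incidents API (properties/severity, properties/status).
build_filter() {
  sev="$1"; status="$2"; f=""
  [ -n "$sev" ] && f="properties/severity eq '$sev'"
  if [ -n "$status" ]; then
    [ -n "$f" ] && f="$f and "
    f="${f}properties/status eq '$status'"
  fi
  printf '%s' "$f"
}

# list_incidents RESOURCE_GROUP WORKSPACE SEVERITY STATUS [TOP]
# Newest incidents first, limited to TOP rows (default 20), rendered as a
# table with the columns an analyst scans during triage. The --query
# assumes the CLI exposes name/title/severity/status at the top level.
list_incidents() {
  rg="$1"; ws="$2"; top="${5:-20}"
  filter=$(build_filter "$3" "$4")
  set -- --resource-group "$rg" --workspace-name "$ws" --top "$top" \
         --orderby "properties/createdTimeUtc desc" \
         --query "[].{id:name, title:title, severity:severity, status:status}" \
         -o table
  [ -n "$filter" ] && set -- "$@" --filter "$filter"
  "$AZ" sentinel incident list "$@"
}

# Example call (placeholder resource group and workspace names):
# list_incidents my-rg my-workspace High New 10
```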
az sentinel incident list-alert
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Get all incident alerts.
az sentinel incident list-alert --incident-id
                                --resource-group
                                --workspace-name
Required Parameters
--incident-id
Incident ID.
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--workspace-name
The name of the workspace.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
--output -o
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az sentinel incident list-bookmark
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Get all incident bookmarks.
az sentinel incident list-bookmark --incident-id
                                   --resource-group
                                   --workspace-name
Required Parameters
--incident-id
Incident ID.
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--workspace-name
The name of the workspace.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
--output -o
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az sentinel incident list-entity
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Get all incident related entities.
az sentinel incident list-entity --incident-id
                                 --resource-group
                                 --workspace-name
Required Parameters
--incident-id
Incident ID.
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--workspace-name
The name of the workspace.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
--output -o
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az sentinel incident run-playbook
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Trigger a playbook on a specific incident.
az sentinel incident run-playbook --incident-identifier
                                  --resource-group
                                  --workspace-name
                                  [--logic-apps-resource-id]
                                  [--tenant-id]
Required Parameters
--incident-identifier
Identifier of the incident.
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--workspace-name
The name of the workspace.
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--logic-apps-resource-id
Resource ID of the Logic Apps playbook.
| Property | Value |
|---|---|
| Parameter group: | RequestBody Arguments |
--tenant-id
ID of the tenant.
| Property | Value |
|---|---|
| Parameter group: | RequestBody Arguments |
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
--output -o
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az sentinel incident show
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Get an incident.
az sentinel incident show [--ids]
                          [--incident-id --name]
                          [--resource-group]
                          [--subscription]
                          [--workspace-name]
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--ids
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
--incident-id --name
Incident ID.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
--workspace-name
The name of the workspace.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
--output -o
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
az sentinel incident update
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Update the incident.
az sentinel incident update [--add]
                            [--classification {BenignPositive, FalsePositive, TruePositive, Undetermined}]
                            [--classification-comment]
                            [--classification-reason {InaccurateData, IncorrectAlertLogic, SuspiciousActivity, SuspiciousButExpected}]
                            [--description]
                            [--etag]
                            [--first-activity-time-utc]
                            [--force-string {0, 1, f, false, n, no, t, true, y, yes}]
                            [--ids]
                            [--incident-id --name]
                            [--labels]
                            [--last-activity-time-utc]
                            [--owner]
                            [--provider-incident-id]
                            [--provider-name]
                            [--remove]
                            [--resource-group]
                            [--set]
                            [--severity {High, Informational, Low, Medium}]
                            [--status {Active, Closed, New}]
                            [--subscription]
                            [--title]
                            [--workspace-name]
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--add
Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.
| Property | Value |
|---|---|
| Parameter group: | Generic Update Arguments |
--classification
The reason the incident was closed.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
| Accepted values: | BenignPositive, FalsePositive, TruePositive, Undetermined |
--classification-comment
Describes the reason the incident was closed.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
--classification-reason
The classification reason the incident was closed with.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
| Accepted values: | InaccurateData, IncorrectAlertLogic, SuspiciousActivity, SuspiciousButExpected |
--description
The description of the incident.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
--etag
Etag of the Azure resource.
| Property | Value |
|---|---|
| Parameter group: | Incident Arguments |
--first-activity-time-utc
The time of the first activity in the incident.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
--force-string
When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.
| Property | Value |
|---|---|
| Parameter group: | Generic Update Arguments |
| Accepted values: | 0, 1, f, false, n, no, t, true, y, yes |
--ids
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
--incident-id --name
Incident ID.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
--labels
List of labels relevant to this incident. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
--last-activity-time-utc
The time of the last activity in the incident.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
--owner
Describes the user that the incident is assigned to. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
--provider-incident-id
The incident ID assigned by the incident provider.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
--provider-name
The name of the source provider that generated the incident.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
--remove
Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.
| Property | Value |
|---|---|
| Parameter group: | Generic Update Arguments |
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
--set
Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.
| Property | Value |
|---|---|
| Parameter group: | Generic Update Arguments |
--severity
The severity of the incident.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
| Accepted values: | High, Informational, Low, Medium |
--status
The status of the incident.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
| Accepted values: | Active, Closed, New |
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
--title
The title of the incident.
| Property | Value |
|---|---|
| Parameter group: | Properties Arguments |
--workspace-name
The name of the workspace.
| Property | Value |
|---|---|
| Parameter group: | Resource Id Arguments |
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
| Property | Value |
|---|---|
| Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
| Property | Value |
|---|---|
| Default value: | False |
--output -o
Output format.
| Property | Value |
|---|---|
| Default value: | json |
| Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
| Property | Value |
|---|---|
| Default value: | False |
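An added example, not from this reference page or the Azure CLI project, of closing an incident with `az sentinel incident update` using the --status, --classification, --classification-reason, --classification-comment and --etag parameters documented above (the same classification fields appear under `az sentinel incident create`). It assumes the classification-to-reason pairing the Sentinel portal uses (TruePositive/SuspiciousActivity, BenignPositive/SuspiciousButExpected, FalsePositive/InaccurateData or IncorrectAlertLogic, Undetermined with no reason), that `az sentinel incident show` returns the resource etag at the top level, and that AZ=echo can be set to print the command instead of calling Azure.

```shell
#!/bin/sh
# Added example (not the CLI's own code). Closing an incident records why it
# was closed; passing the current etag makes the update fail rather than
# silently overwrite a change another analyst made in the meantime.
set -e
AZ="${AZ:-az}"

# valid_reason CLASSIFICATION REASON
# Return 0 when REASON is an acceptable closing reason for CLASSIFICATION.
# The pairing is an assumption mirroring the Sentinel portal's close dialog.
valid_reason() {
  classification="$1"; reason="$2"
  case "$classification" in
    TruePositive)   [ "$reason" = SuspiciousActivity ] ;;
    BenignPositive) [ "$reason" = SuspiciousButExpected ] ;;
    FalsePositive)  [ "$reason" = InaccurateData ] || [ "$reason" = IncorrectAlertLogic ] ;;
    Undetermined)   [ -z "$reason" ] ;;
    *)              return 1 ;;
  esac
}

# close_incident RESOURCE_GROUP WORKSPACE INCIDENT_ID CLASSIFICATION REASON COMMENT [ETAG]
# REASON may be empty (Undetermined). When ETAG is omitted the current one is
# read with `az sentinel incident show` (assumed to expose it as .etag).
close_incident() {
  rg="$1"; ws="$2"; id="$3"; cls="$4"; reason="$5"; comment="$6"; etag="${7:-}"
  if ! valid_reason "$cls" "$reason"; then
    echo "close_incident: invalid classification/reason pair: $cls/$reason" >&2
    return 2
  fi
  if [ -z "$etag" ]; then
    etag=$("$AZ" sentinel incident show --resource-group "$rg" --workspace-name "$ws" \
             --incident-id "$id" --query etag -o tsv)
  fi
  set -- --resource-group "$rg" --workspace-name "$ws" --incident-id "$id" \
         --status Closed --classification "$cls" \
         --classification-comment "$comment" --etag "$etag"
  if [ -n "$reason" ]; then
    set -- "$@" --classification-reason "$reason"
  fi
  "$AZ" sentinel incident update "$@"
}

# Example call (placeholder names and incident ID):
# close_incident my-rg my-workspace 00000000-0000-0000-0000-000000000000 \
#   TruePositive SuspiciousActivity "Confirmed credential misuse; account reset"
```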