# Azure Sentinel REST API

## Overview

The Azure Sentinel API enables you to programmatically manage incidents, watchlists, and threat intelligence in your Sentinel workspace. Use it to automate workflows, integrate with third-party tools, and build custom dashboards.

Base URL: `https://management.azure.com`
## Authentication

All requests must be authenticated with Azure AD bearer tokens. Obtain a token from the `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token` endpoint, requesting the `https://management.azure.com/.default` scope, and send it in the `Authorization: Bearer` header of every API call.

```bash
curl -X POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token \
  -d "client_id={client_id}" \
  -d "client_secret={client_secret}" \
  -d "grant_type=client_credentials" \
  -d "scope=https://management.azure.com/.default"
```
## Endpoints
| Operation | HTTP Method | URI Template |
|---|---|---|
| List Incidents | GET | /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents?api-version=2023-01-01 |
| Get Incident | GET | /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}?api-version=2023-01-01 |
| Create Incident | PUT | /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}?api-version=2023-01-01 |
| Update Incident | PATCH | /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}?api-version=2023-01-01 |
| Delete Incident | DELETE | /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}?api-version=2023-01-01 |
## Sample Requests

### List Incidents

```bash
curl -X GET "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents?api-version=2023-01-01" \
  -H "Authorization: Bearer {access_token}"
```

### Create an Incident

Save the request body below as `incident.json`, then issue the PUT against the incident URI:

```json
{
  "properties": {
    "title": "Suspicious PowerShell Activity",
    "severity": "High",
    "status": "New",
    "description": "Detected anomalous PowerShell command execution on host XYZ."
  }
}
```

```bash
curl -X PUT "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}?api-version=2023-01-01" \
  -H "Authorization: Bearer {access_token}" \
  -H "Content-Type: application/json" \
  -d @incident.json
```
## Error Codes
| Status | Code | Message |
|---|---|---|
| 400 | BadRequest | Request parameters are missing or invalid. |
| 401 | Unauthorized | Authentication token is missing or expired. |
| 403 | Forbidden | Caller does not have permission to perform the operation. |
| 404 | NotFound | Specified resource could not be found. |
| 429 | TooManyRequests | Rate limit exceeded. Retry after the value in Retry-After header. |
| 500 | InternalServerError | Unexpected server error. |
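The endpoint table, the Create Incident sample and the error table above describe three things a client has to get right: building the workspace-scoped URI, sending the `properties` body to a client-chosen `{incidentId}` with PUT, and backing off on 429 using `Retry-After`. The following is an added example and not Microsoft's SDK or any code from this page. It assumes an HTTP transport passed in as a `send` callable (for example a thin wrapper around `requests.request`) that returns `(status, headers, json_body)`; the fake transport, the subscription, resource group, workspace and incident names, and the `nextLink` value are all constructed so the code runs offline. The `value`/`nextLink` paging shape follows the Azure Resource Manager list convention, and the severity and status values checked client-side are the ones the Sentinel incident API accepts.

```python
"""Added example (not Microsoft's SDK): a small client for the incident endpoints.
`send` stands in for an HTTP library call and returns (status, headers, json_body).
Every id, name and response below is constructed for an offline run."""
import time
import uuid
from typing import Callable, Dict, List, Optional, Tuple

BASE_URL = "https://management.azure.com"
API_VERSION = "2023-01-01"
Response = Tuple[int, Dict[str, str], dict]
Send = Callable[[str, str, Dict[str, str], Optional[dict]], Response]


def incident_url(subscription_id: str, resource_group: str, workspace: str,
                 incident_id: Optional[str] = None) -> str:
    """URI from the endpoint table; without incident_id it is the List Incidents URI."""
    path = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/incidents")
    if incident_id:
        path += f"/{incident_id}"
    return f"{BASE_URL}{path}?api-version={API_VERSION}"


def incident_body(title: str, severity: str, status: str, description: str) -> dict:
    """Create Incident body in the shape of the sample, enum values checked first."""
    if severity not in {"Informational", "Low", "Medium", "High"}:
        raise ValueError(f"unsupported severity: {severity}")
    if status not in {"New", "Active", "Closed"}:
        raise ValueError(f"unsupported status: {status}")
    return {"properties": {"title": title, "severity": severity,
                           "status": status, "description": description}}


def request_with_retry(send: Send, method: str, url: str, token: str,
                       body: Optional[dict] = None, max_attempts: int = 5,
                       sleep: Callable[[float], None] = time.sleep) -> Response:
    """One request; on 429 wait for Retry-After seconds (error table) and retry."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    for attempt in range(1, max_attempts + 1):
        status, resp_headers, payload = send(method, url, headers, body)
        if status == 429 and attempt < max_attempts:
            # Real clients expose headers case-insensitively; default to 1 s if absent.
            sleep(float(resp_headers.get("Retry-After", "1")))
            continue
        if status == 401:
            raise PermissionError("401: token missing or expired, acquire a new one")
        if status >= 400:
            code = payload.get("error", {}).get("code", "Unknown")
            raise RuntimeError(f"HTTP {status} {code}")
        return status, resp_headers, payload
    raise RuntimeError("max_attempts must be at least 1")


def list_all_incidents(send: Send, token: str, subscription_id: str, resource_group: str,
                       workspace: str, sleep: Callable[[float], None] = time.sleep) -> List[dict]:
    """Follow the ARM value/nextLink paging until every incident is collected."""
    url: Optional[str] = incident_url(subscription_id, resource_group, workspace)
    incidents: List[dict] = []
    while url:
        _, _, payload = request_with_retry(send, "GET", url, token, sleep=sleep)
        incidents.extend(payload.get("value", []))
        url = payload.get("nextLink")
    return incidents


def create_incident(send: Send, token: str, subscription_id: str, resource_group: str,
                    workspace: str, body: dict,
                    sleep: Callable[[float], None] = time.sleep) -> Tuple[str, int]:
    """Create Incident is a PUT to a client-chosen incidentId; a fresh GUID is used here."""
    incident_id = str(uuid.uuid4())
    url = incident_url(subscription_id, resource_group, workspace, incident_id)
    status, _, _ = request_with_retry(send, "PUT", url, token, body, sleep=sleep)
    return incident_id, status


def make_fake_send(pages: List[dict]) -> Tuple[Send, dict]:
    """Constructed transport: throttles the first call with 429 + Retry-After,
    then serves list pages for GET and echoes the PUT body with 201."""
    state = {"throttled_once": False, "calls": [], "page": 0}

    def send(method, url, headers, body):
        state["calls"].append((method, url, headers.get("Authorization"), body))
        if not state["throttled_once"]:
            state["throttled_once"] = True
            return 429, {"Retry-After": "2"}, {"error": {"code": "TooManyRequests"}}
        if method == "PUT":
            return 201, {}, {"id": url, "properties": body["properties"]}
        page = pages[state["page"]]
        state["page"] += 1
        return 200, {}, page

    return send, state


def demo() -> dict:
    """List (with a throttle and a second page) and create against the fake transport."""
    sub, rg, ws = "00000000-0000-0000-0000-000000000000", "soc-rg", "sentinel-ws"
    list_url = incident_url(sub, rg, ws)
    pages = [{"value": [{"name": "inc-1"}], "nextLink": list_url + "&$skipToken=page2"},
             {"value": [{"name": "inc-2"}]}]
    send, state = make_fake_send(pages)
    slept: List[float] = []  # records every back-off the client performed
    names = [i["name"] for i in
             list_all_incidents(send, "TOKEN", sub, rg, ws, sleep=slept.append)]
    body = incident_body("Suspicious PowerShell Activity", "High", "New",
                         "Detected anomalous PowerShell command execution on host XYZ.")
    new_id, status = create_incident(send, "TOKEN", sub, rg, ws, body, sleep=slept.append)
    return {"names": names, "slept": slept, "create_status": status,
            "create_method": state["calls"][-1][0], "new_id": new_id,
            "call_count": len(state["calls"])}


if __name__ == "__main__":
    print(demo())
```

Against a real workspace, replace `send` with a wrapper that calls `requests.request(method, url, headers=headers, json=body)` and unpacks `(r.status_code, r.headers, r.json())`; the retry, paging and body-building logic stays the same. Keeping the transport injectable is also what lets the 429 path be exercised deterministically instead of by hammering the service.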