Azure Sentinel Automation API

Introduction

The Azure Sentinel Automation API enables you to programmatically manage Sentinel workbooks, playbooks, and hunting queries. Use the API to integrate Sentinel with CI/CD pipelines, automate incident response, and extend Sentinel's capabilities.

Base URL

https://management.azure.com

Authentication

All requests must be authenticated using Azure Active Directory (AAD) OAuth 2.0 tokens. Acquire a token with the https://management.azure.com/.default scope.

POST https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id={clientId}
&client_secret={clientSecret}
&grant_type=client_credentials
&scope=https%3A%2F%2Fmanagement.azure.com%2F.default

Common Headers

Header          Value
Authorization   Bearer {access_token}
Content-Type    application/json
Accept          application/json

Operations

Below are the most frequently used endpoints.

List Workbooks

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/workbooks?api-version=2020-01-01

Create or Update a Playbook

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{playbookName}?api-version=2019-05-01
{
  "location": "westus2",
  "properties": {
    "definition": { /* Logic App definition */ },
    "parameters": { /* parameters */ }
  }
}

Run a Hunting Query

POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/huntingQueries/{queryId}/run?api-version=2022-12-01
{
  "query": "SecurityEvent | where TimeGenerated > ago(1d)"
}

SDKs

Microsoft provides SDKs for .NET, Python, JavaScript, and Java. Install via package managers:

Rate Limits

API calls are limited to 10,000 requests per hour per subscription. Exceeding this limit returns HTTP 429.
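The following is an added example and not code from this page or from Microsoft's SDKs. It strings together the token request shown under Authentication, the common headers, the List Workbooks endpoint, and the HTTP 429 behaviour described under Rate Limits. The transport function is injectable so the flow can be exercised offline against a stub; the tenant, application and workspace identifiers in the usage block are placeholders.

```python
"""Added example, not from the page: acquire an AAD client-credentials token, call
the List Workbooks endpoint with the common headers, and back off on HTTP 429.
The transport is injectable so the flow can be exercised offline with a stub."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

MANAGEMENT_SCOPE = "https://management.azure.com/.default"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
WORKBOOKS_URL = (
    "https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}"
    "/providers/Microsoft.OperationalInsights/workspaces/{ws}"
    "/providers/Microsoft.SecurityInsights/workbooks?api-version=2020-01-01"
)

# A transport takes (method, url, headers, body) and returns (status, headers, body).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]],
                     Tuple[int, Dict[str, str], bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, Dict[str, str], bytes]:
    """Real transport over urllib; non-2xx responses are returned, not raised."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def build_token_request(tenant_id: str, client_id: str,
                        client_secret: str) -> Tuple[str, bytes]:
    """Form-encode the client-credentials grant exactly as the page shows it."""
    url = TOKEN_ENDPOINT.format(tenant_id=tenant_id)
    form = {
        "client_id": client_id,
        "client_secret": client_secret,  # sent in the POST body, never in the URL
        "grant_type": "client_credentials",
        "scope": MANAGEMENT_SCOPE,
    }
    return url, urllib.parse.urlencode(form).encode("ascii")


def acquire_token(transport: Transport, tenant_id: str, client_id: str,
                  client_secret: str) -> str:
    """POST the grant and return the bearer token from the JSON response."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    status, _, raw = transport(
        "POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200:
        # Do not echo the response body: error payloads can carry request details.
        raise RuntimeError(f"token endpoint returned HTTP {status}")
    return json.loads(raw)["access_token"]


def management_headers(token: str) -> Dict[str, str]:
    """The common headers listed on the page, for a GET (no request body)."""
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def list_workbooks(transport: Transport, token: str, subscription_id: str,
                   resource_group: str, workspace: str, max_retries: int = 3) -> list:
    """GET workbooks; on HTTP 429 honour Retry-After (seconds) and retry."""
    url = WORKBOOKS_URL.format(sub=subscription_id, rg=resource_group, ws=workspace)
    for attempt in range(max_retries + 1):
        status, resp_headers, raw = transport("GET", url, management_headers(token), None)
        if status == 429 and attempt < max_retries:
            lowered = {k.lower(): v for k, v in resp_headers.items()}
            try:
                delay = float(lowered.get("retry-after", "1"))
            except ValueError:  # Retry-After may also be an HTTP date; use a default
                delay = 1.0
            time.sleep(delay)
            continue
        if status != 200:
            raise RuntimeError(f"List Workbooks returned HTTP {status}")
        return json.loads(raw).get("value", [])
    raise RuntimeError("exhausted retries after repeated HTTP 429")


if __name__ == "__main__":
    # Placeholder identifiers; substitute your own tenant, app and workspace values.
    tok = acquire_token(urllib_transport, "<tenantId>", "<clientId>", "<clientSecret>")
    books = list_workbooks(urllib_transport, tok, "<subscriptionId>", "<rg>", "<workspace>")
    print(json.dumps(books, indent=2))
```

The secret travels only in the form body of the token request, and error paths report the status code without the response body, so a failed call does not leak request material into logs. Retry-After is parsed case-insensitively because proxies and gateways in front of the management endpoint do not always preserve header casing.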

Support & Resources