az sentinel incident
Note
This reference is part of the sentinel extension for the Azure CLI (version 2.37.0 or higher). The extension will automatically install the first time you run an az sentinel incident command. Learn more about extensions.
Manage incident with sentinel.
Commands
| Name | Description | Type | Status |
|---|---|---|---|
| az sentinel incident comment | Manage incident comment with sentinel. | Extension | GA |
| az sentinel incident comment create | Create the incident comment. | Extension | Experimental |
| az sentinel incident comment delete | Delete the incident comment. | Extension | Experimental |
| az sentinel incident comment list | Get all incident comments. | Extension | Experimental |
| az sentinel incident comment show | Get an incident comment. | Extension | Experimental |
| az sentinel incident comment update | Update the incident comment. | Extension | Experimental |
| az sentinel incident create | Create the incident. | Extension | Experimental |
| az sentinel incident create-team | Create a Microsoft team to investigate the incident by sharing information and insights between participants. | Extension | Experimental |
| az sentinel incident delete | Delete the incident. | Extension | Experimental |
| az sentinel incident list | Get all incidents. | Extension | Experimental |
| az sentinel incident list-alert | Get all incident alerts. | Extension | Experimental |
| az sentinel incident list-bookmark | Get all incident bookmarks. | Extension | Experimental |
| az sentinel incident list-entity | Get all incident related entities. | Extension | Experimental |
| az sentinel incident relation | Manage incident relation with sentinel. | Extension | GA |
| az sentinel incident relation create | Create the incident relation. | Extension | Experimental |
| az sentinel incident relation delete | Delete the incident relation. | Extension | Experimental |
| az sentinel incident relation list | Get all incident relations. | Extension | Experimental |
| az sentinel incident relation show | Get an incident relation. | Extension | Experimental |
| az sentinel incident relation update | Update the incident relation. | Extension | Experimental |
| az sentinel incident run-playbook | Trigger playbook on a specific incident. | Extension | Experimental |
| az sentinel incident show | Get an incident. | Extension | Experimental |
| az sentinel incident update | Update the incident. | Extension | Experimental |
az sentinel incident create
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Create the incident.
az sentinel incident create --incident-id
--resource-group
--workspace-name
[--classification {BenignPositive, FalsePositive, TruePositive, Undetermined}]
[--classification-comment]
[--classification-reason {InaccurateData, IncorrectAlertLogic, SuspiciousActivity, SuspiciousButExpected}]
[--description]
[--etag]
[--first-activity-time-utc]
[--labels]
[--last-activity-time-utc]
[--owner]
[--provider-incident-id]
[--provider-name]
[--severity {High, Informational, Low, Medium}]
[--status {Active, Closed, New}]
[--title]
Required Parameters
--incident-id
Incident ID.
--resource-group -g
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--workspace-name
The name of the workspace.
Optional Parameters
--classification
The reason the incident was closed. Accepted values: BenignPositive, FalsePositive, TruePositive, Undetermined.
--classification-comment
Describes the reason the incident was closed.
--classification-reason
The classification reason the incident was closed with. Accepted values: InaccurateData, IncorrectAlertLogic, SuspiciousActivity, SuspiciousButExpected.
--description
The description of the incident.
--etag
Etag of the Azure resource.
--first-activity-time-utc
The time of the first activity in the incident.
--labels
List of labels relevant to this incident. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--last-activity-time-utc
The time of the last activity in the incident.
--owner
Describes a user that the incident is assigned to. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--provider-incident-id
The incident ID assigned by the incident provider.
--provider-name
The name of the source provider that generated the incident.
--severity
The severity of the incident. Accepted values: High, Informational, Low, Medium.
--status
The status of the incident. Accepted values: Active, Closed, New.
--title
The title of the incident.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output -o
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
az sentinel incident create-team
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Create a Microsoft team to investigate the incident by sharing information and insights between participants.
az sentinel incident create-team --incident-id
--resource-group
--team-name
--workspace-name
[--group-ids]
[--member-ids]
[--team-description]
Required Parameters
--incident-id
Incident ID.
--resource-group -g
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--team-name
The name of the team.
--workspace-name
The name of the workspace.
Optional Parameters
--group-ids
List of group IDs whose members are added to the team. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--member-ids
List of member IDs to add to the team. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--team-description
The description of the team.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output -o
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
az sentinel incident delete
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Delete the incident.
az sentinel incident delete [--ids]
[--incident-id]
[--resource-group]
[--subscription]
[--workspace-name]
[--yes]
Optional Parameters
--ids
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
--incident-id
Incident ID.
--resource-group -g
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--workspace-name
The name of the workspace.
--yes -y
Do not prompt for confirmation.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output -o
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
az sentinel incident list
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Get all incidents.
az sentinel incident list --resource-group
--workspace-name
[--filter]
[--orderby]
[--skip-token]
[--top]
Required Parameters
--resource-group -g
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--workspace-name
The name of the workspace.
Optional Parameters
--filter
Filters the results, based on a Boolean condition. Optional.
--orderby
Sorts the results. Optional.
--skip-token
Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.
--top
Returns only the first n results. Optional.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output -o
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
az sentinel incident list-alert
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Get all incident alerts.
az sentinel incident list-alert --incident-id
--resource-group
--workspace-name
Required Parameters
--incident-id
Incident ID.
--resource-group -g
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--workspace-name
The name of the workspace.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output -o
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
az sentinel incident list-bookmark
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Get all incident bookmarks.
az sentinel incident list-bookmark --incident-id
--resource-group
--workspace-name
Required Parameters
--incident-id
Incident ID.
--resource-group -g
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--workspace-name
The name of the workspace.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output -o
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
az sentinel incident list-entity
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Get all incident related entities.
az sentinel incident list-entity --incident-id
--resource-group
--workspace-name
Required Parameters
--incident-id
Incident ID.
--resource-group -g
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--workspace-name
The name of the workspace.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output -o
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
az sentinel incident run-playbook
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Trigger playbook on a specific incident.
az sentinel incident run-playbook --incident-identifier
--resource-group
--workspace-name
[--logic-apps-resource-id]
[--tenant-id]
Required Parameters
--incident-identifier
Identifier of incident.
--resource-group -g
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--workspace-name
The name of the workspace.
Optional Parameters
--logic-apps-resource-id
Resource ID of logic apps.
--tenant-id
ID of tenant.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output -o
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
az sentinel incident show
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Get an incident.
az sentinel incident show [--ids]
[--incident-id]
[--resource-group]
[--subscription]
[--workspace-name]
Optional Parameters
--ids
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
--incident-id
Incident ID.
--resource-group -g
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--workspace-name
The name of the workspace.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output -o
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
az sentinel incident update
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Update the incident.
az sentinel incident update [--add]
[--classification {BenignPositive, FalsePositive, TruePositive, Undetermined}]
[--classification-comment]
[--classification-reason {InaccurateData, IncorrectAlertLogic, SuspiciousActivity, SuspiciousButExpected}]
[--description]
[--etag]
[--first-activity-time-utc]
[--force-string {0, 1, f, false, n, no, t, true, y, yes}]
[--ids]
[--incident-id]
[--labels]
[--last-activity-time-utc]
[--owner]
[--provider-incident-id]
[--provider-name]
[--remove]
[--resource-group]
[--set]
[--severity {High, Informational, Low, Medium}]
[--status {Active, Closed, New}]
[--subscription]
[--title]
[--workspace-name]
Optional Parameters
--add
Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.
--classification
The reason the incident was closed. Accepted values: BenignPositive, FalsePositive, TruePositive, Undetermined.
--classification-comment
Describes the reason the incident was closed.
--classification-reason
The classification reason the incident was closed with. Accepted values: InaccurateData, IncorrectAlertLogic, SuspiciousActivity, SuspiciousButExpected.
--description
The description of the incident.
--etag
Etag of the Azure resource.
--first-activity-time-utc
The time of the first activity in the incident.
--force-string
When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON. Accepted values: 0, 1, f, false, n, no, t, true, y, yes.
--ids
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
--incident-id
Incident ID.
--labels
List of labels relevant to this incident. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--last-activity-time-utc
The time of the last activity in the incident.
--owner
Describes a user that the incident is assigned to. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--provider-incident-id
The incident ID assigned by the incident provider.
--provider-name
The name of the source provider that generated the incident.
--remove
Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.
--resource-group -g
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--set
Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.
--severity
The severity of the incident. Accepted values: High, Informational, Low, Medium.
--status
The status of the incident. Accepted values: Active, Closed, New.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--title
The title of the incident.
--workspace-name
The name of the workspace.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output -o
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
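As an added example (not from the Azure CLI reference), the following POSIX shell wrapper closes a Microsoft Sentinel incident with az sentinel incident update, checking --classification and --classification-reason against the choice lists above before anything is sent, so a mistyped value is caught locally rather than by the service. The resource group, workspace and incident ID used in the comments are constructed placeholders, and the requirement for a closing comment is this wrapper's own policy, not something the CLI enforces.

```shell
#!/bin/sh
# Added example, not part of the Azure CLI reference: close a Sentinel incident
# via `az sentinel incident update`, validating inputs against the accepted
# values listed for --classification and --classification-reason.
# Set DRY_RUN=1 to print the command that would run instead of calling az.

CLASSIFICATIONS="BenignPositive FalsePositive TruePositive Undetermined"
REASONS="InaccurateData IncorrectAlertLogic SuspiciousActivity SuspiciousButExpected"

# in_list WORD "A B C": succeed when WORD is one of the space-separated values.
in_list() {
  for candidate in $2; do
    [ "$1" = "$candidate" ] && return 0
  done
  return 1
}

# close_incident RG WORKSPACE INCIDENT_ID CLASSIFICATION REASON COMMENT
# Returns 1 without contacting the service when any argument fails validation.
# Example (constructed placeholders):
#   close_incident soc-rg soc-ws 11111111-1111-1111-1111-111111111111 \
#     FalsePositive InaccurateData "Duplicate of earlier ticket"
close_incident() {
  rg=$1; ws=$2; id=$3; cls=$4; reason=$5; comment=$6
  [ -n "$rg" ] && [ -n "$ws" ] && [ -n "$id" ] ||
    { echo "resource group, workspace name and incident id are required" >&2; return 1; }
  in_list "$cls" "$CLASSIFICATIONS" ||
    { echo "unknown classification: $cls" >&2; return 1; }
  in_list "$reason" "$REASONS" ||
    { echo "unknown classification reason: $reason" >&2; return 1; }
  # Wrapper policy: every closure carries a comment explaining the decision,
  # which keeps an audit trail in the incident itself.
  [ -n "$comment" ] ||
    { echo "a classification comment is required" >&2; return 1; }

  # In dry-run mode prefix the command with echo so nothing is changed.
  if [ -n "${DRY_RUN:-}" ]; then set -- echo az; else set -- az; fi
  "$@" sentinel incident update \
    --resource-group "$rg" --workspace-name "$ws" --incident-id "$id" \
    --status Closed --classification "$cls" \
    --classification-reason "$reason" --classification-comment "$comment"
}
```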