Microsoft Sentinel REST API

The Microsoft Sentinel REST API provides programmatic access to security incident management, threat intelligence, watchlists, analytics rules, and automation playbooks. Developers can manage incidents, configure data connectors, create custom detection rules, and automate security response workflows through Azure Resource Manager endpoints.

OpenAPI Specification

microsoft-sentinel-openapi.yml
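openapi: 3.1.0
info:
  title: Microsoft Sentinel REST API
  description: >-
    Minimal OpenAPI definition for the Microsoft Sentinel (Security Insights)
    REST API covering alert rules, incidents, bookmarks, data connectors, and
    threat intelligence indicators.
  version: '2023-02-01'
  # Generated from the public reference docs; this is a reduced subset, not the
  # authoritative service specification. Request/response bodies are untyped
  # (see GenericObject), so generated clients perform no schema validation.
  x-generated-from: https://learn.microsoft.com/en-us/rest/api/securityinsights/
  x-generated-by: claude-crawl-2026-05-08
servers:
  - url: https://management.azure.com
    description: Azure Resource Manager
# Applied to every operation below; no operation overrides this with an empty
# security list, so nothing in this document is declared as anonymous.
security:
  - bearerAuth: []
tags:
  - name: AlertRules
  - name: Incidents
  - name: Bookmarks
  - name: DataConnectors
  - name: ThreatIntelligence
paths:
  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules:
    parameters:
      - $ref: '#/components/parameters/SubscriptionId'
      - $ref: '#/components/parameters/ResourceGroupName'
      - $ref: '#/components/parameters/WorkspaceName'
      - $ref: '#/components/parameters/ApiVersion'
    get:
      tags: [AlertRules]
      summary: List alert rules
      operationId: listAlertRules
      # List results may be paged; follow GenericList.nextLink until absent.
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GenericList'
  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}:
    parameters:
      - $ref: '#/components/parameters/SubscriptionId'
      - $ref: '#/components/parameters/ResourceGroupName'
      - $ref: '#/components/parameters/WorkspaceName'
      - in: path
        name: ruleId
        description: Identifier of the alert (analytics) rule within the workspace.
        required: true
        schema: { type: string }
      - $ref: '#/components/parameters/ApiVersion'
    get:
      tags: [AlertRules]
      summary: Get alert rule
      operationId: getAlertRule
      responses:
        '200':
          description: OK
          # Body schema declared for consistency with the list operation.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GenericObject'
    put:
      tags: [AlertRules]
      summary: Create or update alert rule
      operationId: createOrUpdateAlertRule
      # Alert rules are the detection logic of the workspace. A PUT here can
      # silence or alter a detection; ARM PUT is create-or-replace, so send the
      # full resource (GET first) rather than a partial object. Changes are
      # recorded in the Azure Activity Log — review them as part of detection
      # change control.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/GenericObject'
      responses:
        '200':
          description: OK
        '201':
          description: Created
    delete:
      tags: [AlertRules]
      summary: Delete alert rule
      operationId: deleteAlertRule
      # Removing a rule removes a detection; restrict the role that can call
      # this and alert on it via the Activity Log.
      responses:
        '200':
          description: OK
        '204':
          description: No Content
  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents:
    parameters:
      - $ref: '#/components/parameters/SubscriptionId'
      - $ref: '#/components/parameters/ResourceGroupName'
      - $ref: '#/components/parameters/WorkspaceName'
      - $ref: '#/components/parameters/ApiVersion'
    get:
      tags: [Incidents]
      summary: List incidents
      operationId: listIncidents
      # List results may be paged; follow GenericList.nextLink until absent.
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GenericList'
  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}:
    parameters:
      - $ref: '#/components/parameters/SubscriptionId'
      - $ref: '#/components/parameters/ResourceGroupName'
      - $ref: '#/components/parameters/WorkspaceName'
      - in: path
        name: incidentId
        description: Identifier of the incident within the workspace.
        required: true
        schema: { type: string }
      - $ref: '#/components/parameters/ApiVersion'
    get:
      tags: [Incidents]
      summary: Get incident
      operationId: getIncident
      responses:
        '200':
          description: OK
          # Body schema declared for consistency with the list operation.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GenericObject'
    put:
      tags: [Incidents]
      summary: Create or update incident
      operationId: createOrUpdateIncident
      # Incident status/severity/owner are investigation state. ARM PUT is
      # create-or-replace: automation that PUTs a partial object can drop
      # fields set by analysts. GET, modify, then PUT the full object.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/GenericObject'
      responses:
        '200':
          description: OK
        '201':
          description: Created
    delete:
      tags: [Incidents]
      summary: Delete incident
      operationId: deleteIncident
      # Deleting an incident discards investigation history; prefer closing
      # it via PUT and keep delete rights to a narrow role.
      responses:
        '200':
          description: OK
        '204':
          description: No Content
  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks:
    parameters:
      - $ref: '#/components/parameters/SubscriptionId'
      - $ref: '#/components/parameters/ResourceGroupName'
      - $ref: '#/components/parameters/WorkspaceName'
      - $ref: '#/components/parameters/ApiVersion'
    get:
      tags: [Bookmarks]
      summary: List bookmarks
      operationId: listBookmarks
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GenericList'
  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors:
    parameters:
      - $ref: '#/components/parameters/SubscriptionId'
      - $ref: '#/components/parameters/ResourceGroupName'
      - $ref: '#/components/parameters/WorkspaceName'
      - $ref: '#/components/parameters/ApiVersion'
    get:
      tags: [DataConnectors]
      summary: List data connectors
      operationId: listDataConnectors
      # Connector objects describe ingestion configuration; treat the response
      # as sensitive (it reveals which log sources feed the workspace).
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GenericList'
  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators:
    parameters:
      - $ref: '#/components/parameters/SubscriptionId'
      - $ref: '#/components/parameters/ResourceGroupName'
      - $ref: '#/components/parameters/WorkspaceName'
      - $ref: '#/components/parameters/ApiVersion'
    get:
      tags: [ThreatIntelligence]
      summary: List threat intelligence indicators
      operationId: listThreatIntelligenceIndicators
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GenericList'
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        Microsoft Entra ID (Azure AD) access token issued for the Azure
        Resource Manager audience (scope https://management.azure.com/.default).
        Authorization is then enforced by Azure RBAC on the workspace; the
        token alone does not grant Sentinel read or write rights.
  parameters:
    SubscriptionId:
      in: path
      name: subscriptionId
      description: Azure subscription that owns the Log Analytics workspace.
      required: true
      schema: { type: string }
    ResourceGroupName:
      in: path
      name: resourceGroupName
      description: Resource group containing the workspace.
      required: true
      schema: { type: string }
    WorkspaceName:
      in: path
      name: workspaceName
      description: Name of the Log Analytics workspace Sentinel is enabled on.
      required: true
      schema: { type: string }
    ApiVersion:
      in: query
      name: api-version
      description: >-
        ARM API version. The parameter is required on every request; the
        default below documents the version this file was written against,
        it does not let clients omit the parameter.
      required: true
      schema:
        type: string
        default: '2023-02-01'
  schemas:
    # Untyped envelope: accepts any JSON object. Validation of rule and
    # incident bodies happens server-side only.
    GenericObject:
      type: object
      additionalProperties: true
    GenericList:
      type: object
      properties:
        value:
          type: array
          items:
            $ref: '#/components/schemas/GenericObject'
        nextLink:
          type: string
          description: >-
            URL of the next page of results; absent on the last page. Clients
            that ignore it silently process only the first page.
      additionalProperties: true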