The ThreatQ Action Bundle for Microsoft Azure Sentinel provides actions that are used to enrich a specific collection and to add or delete them to/from your Microsoft Azure Sentinel instance.

The action yaml installs the following actions:

• Microsoft Azure Sentinel Enrich Indicators - queries indicators contained in a threat-library against Microsoft Sentinel and enriches them with the returned data.
• Microsoft Azure Sentinel Add Tag - adds user defined tags to indicators contained in a threat-collection both in the Microsoft Sentinel context and in TQ.
• Microsoft Azure Sentinel Export Collection - queries indicators contained in a threat-library against Microsoft Sentinel and adds them if not present.
• Microsoft Azure Sentinel Export IOC - exports indicators in the Threat Library to Microsoft Sentinel.
• Microsoft Defender ATP Export Collection - adds the indicators contained in a threat-library to Microsoft Defender ATP.
• Microsoft Azure Sentinel Delete Collection - queries indicators contained in a threat-library against Microsoft Sentinel and deletes them if present.
• Microsoft Azure Sentinel Create Incidents - uses ThreatQ objects to create incidents in Microsoft Sentinel.

The actions are compatible with the following object types:

• Campaigns
• Events
• Incidents
• Indicators
  • CIDR Block
  • Email Address
  • Filename
  • File Path
  • FQDN
  • IP Address
  • IPv6 Address
  • Mutex
  • URL
  • SHA-1
  • SHA-256
  • MD5

The actions return the following enrich system objects:

• Campaigns
  • Campaign Attributes
• Events
  • Event Attributes
• Incidents
  • Incident Attributes
• Indicators
  • Indicator Attributes

Note:  This action bundle is intended for use with ThreatQ TDR Orchestrator (TQO). An active TQO license is required for this feature.