The ThreatQ Action Bundle for Microsoft Azure Sentinel provides actions that are used to enrich a specific collection and to add or delete them to/from your Microsoft Azure Sentinel instance.

The action yaml installs the following actions:

• Microsoft Azure Sentinel Enrich Indicators - queries indicators in the Threat Library against Microsoft Sentinel and enriches them with the returned data.
• Microsoft Azure Sentinel Add Tag - adds user defined tags to indicators in a data collection both in the Microsoft Sentinel context and in TQ.
• Microsoft Azure Sentinel Export Collection - queries indicators in the Threat Library against Microsoft Sentinel and adds them if not present.
• Microsoft Defender ATP Export Collection - adds the indicators in the Threat Library to Microsoft Defender ATP.
• Microsoft Azure Sentinel Delete Collection - queries indicators in the Threat Library against Microsoft Sentinel and deletes them if present.
• Microsoft Azure Sentinel Create Incidents - uses ThreatQ objects to create incidents in Microsoft Sentinel.

The actions are compatible with the following object types:

• Campaigns
• Events
• Incidents
• IndicatorsCIDR Block
• Email Address
• Filename
• File Path
• FQDN
• IP Address
• IPv6 Address
• Mutex
• URL
• SHA-1
• SHA-256
• MD5

The actions return the following enriched system objects:

• Campaigns
  • Campaign Attributes
• Events
  • Event Attributes
• Incidents
  • Incident Attributes
• Indicators
  • Indicator Attributes

Note: This action bundle is intended for use with ThreatQ TDR Orchestrator (TQO). An active TQO license is required for this feature.