Skip to main content
Webhooks can be configured to listen for new incidents or alerts in Microsoft Sentinel. Alerts are sent under the Security alert resource. Note! 
Blink is featured in the Microsoft Sentinel Content Hub. Our integration with Microsoft Sentinel accessible via the Content Hub and allows you to trigger workflows directly from Sentinel incidents and alerts.
For more information on how to install Blink’s solutions, please see our documentation.

Sample Event

{
	"etag": "\"26006812-0000-0100-0000-6889db170000\"",
	"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sentinelGroup/providers/Microsoft.OperationalInsights/workspaces/sentinel-workspace/providers/Microsoft.SecurityInsights/Incidents/4a59b9b1-1a3a-477c-9d5d-8fe7189ad420",
	"name": "4a59b9b1-1a3a-477c-9d5d-8fe7189ad420",
	"properties": {
		"additionalData": {
			"alertProductNames": [
				"Azure Sentinel"
			],
			"alertsCount": 1,
			"bookmarksCount": 0,
			"commentsCount": 0,
			"tactics": [
				"CommandAndControl"
			],
			"techniques": []
		},
		"alerts": [
			{
				"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sentinelgroup/providers/Microsoft.OperationalInsights/workspaces/sentinel/providers/Microsoft.SecurityInsights/Entities/",
				"kind": "SecurityAlert",
				"properties": {
					"additionalData": {
						"Alert generation status": "Full alert created",
						"Analytic Rule Ids": "[\"3472787c-41c2-423a-a765-a018ff56273a\"]",
						"Analytic Rule Name": "Malicious IOC Detection",
						"AssignedTo": null,
						"Category": "CommandAndControl",
						"Classification": null,
						"Correlation Id": "5eded85c-0ef1-473f-9f36-a0dcde21020d",
						"Data Sources": "[]",
						"DetectionSource": "scheduledAlerts",
						"DetectorId": "11111111-2222-3333-4444-555555555555_3472787c-41c2-423a-a765-a01",
						"Determination": null,
						"Event Grouping": "SingleAlert",
						"IncidentId": "2453302",
						"LastUpdated": "7/30/2025 8:40:03 AM",
						"OriginSource": "Microsoft 365 defender",
						"ProcessedBySentinel": "True",
						"Query": "let startTime = ago(1h);\nlet endTime = now();\nSecurityEvent\n| where TimeGenerated between (startTime .. endTime)\n| where EventID == 4688\n| where CommandLine has_any (\"powershell.exe\", \"curl\", \"wget\")\n| extend MaliciousIP = extract(@\"(\\d{1,3}\\.){3}\\d{1,3}\", 0, CommandLine)\n| extend MaliciousURL = extract(@\"http[s]?://[^\\s'\\\"']+\", 0, CommandLine)\n| extend MaliciousHash = \"\"\n| extend Timestamp = TimeGenerated\n| extend HostCustomEntity = Computer\n| extend AccountCustomEntity = Account\n| extend Entities = pack_array(\n    pack(\"Type\", \"host\", \"Value\", tostring(Computer)),\n    pack(\"Type\", \"account\", \"Value\", tostring(Account)),\n    pack(\"Type\", \"ip\", \"Value\", tostring(MaliciousIP)),\n    pack(\"Type\", \"url\", \"Value\", tostring(MaliciousURL)),\n    pack(\"Type\", \"fileHash\", \"Value\", tostring(MaliciousHash))\n)",
						"Query End Time UTC": "2025-07-30 08:35:00Z",
						"Query Period": "01:00:00",
						"Query Start Time UTC": "2025-07-30 07:35:00Z",
						"Search Query Results Overall Count": "2",
						"ThreatFamilyName": null,
						"ThreatName": null,
						"Trigger Operator": "GreaterThan",
						"Trigger Threshold": "0"
					},
					"alertDisplayName": "Malicious IOC Detection",
					"alertLink": "https://security.microsoft.com/alerts/sn343db23a-3f9d-46d7-bc31-0347c63825bb?tid=00000000-0000-0000-0000-000000000000",
					"alertType": "11111111-2222-3333-4444-555555555555_3472787c-41c2-423a-a765-a018ff56273a",
					"confidenceLevel": "Unknown",
					"description": "Detect malicious IPs, URLs, and hashes.",
					"endTimeUtc": "2025-07-30T08:10:00Z",
					"friendlyName": "Malicious IOC Detection",
					"processingEndTime": "2025-07-30T08:40:03.2533333Z",
					"productComponentName": "Scheduled Alerts",
					"productName": "Azure Sentinel",
					"providerAlertId": "343db23a-3f9d-46d7-bc31-0347c63825bb",
					"resourceIdentifiers": [
						{
							"type": "LogAnalytics",
							"workspaceId": "11111111-2222-3333-4444-555555555555"
						}
					],
					"severity": "High",
					"startTimeUtc": "2025-07-30T08:00:00Z",
					"status": "New",
					"systemAlertId": "91eb84db-17bf-442f-b3a3-913ea800b834",
					"tactics": [
						"CommandAndControl"
					],
					"timeGenerated": "2025-07-30T08:40:02.2566667Z",
					"vendorName": "Microsoft"
				},
				"type": "Microsoft.SecurityInsights/Entities"
			}
		],
		"bookmarks": [],
		"comments": [],
		"createdTimeUtc": "2025-07-30T08:40:02.64Z",
		"firstActivityTimeUtc": "2025-07-30T08:00:00Z",
		"incidentNumber": 9816109,
		"incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fake-rg/providers/Microsoft.OperationalInsights/workspaces/fake-workspace/providers/Microsoft.SecurityInsights/Incidents/4a59b9b1-1a3a-477c-9d5d-8fe7189ad420",
		"labels": [],
		"lastActivityTimeUtc": "2025-07-30T08:10:00Z",
		"lastModifiedTimeUtc": "2025-07-30T08:40:02.83Z",
		"owner": {
			"assignedTo": null,
			"email": null,
			"objectId": null,
			"userPrincipalName": null
		},
		"providerIncidentId": "2453302",
		"providerName": "Microsoft XDR",
		"relatedAnalyticRuleIds": [
			"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/fake-rg/providers/Microsoft.OperationalInsights/workspaces/fake-workspace/providers/Microsoft.SecurityInsights/alertRules/3472787c-41c2-423a-a765-a018ff56273a"
		],
		"relatedEntities": [
			{
				"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sentinelgroup/providers/Microsoft.OperationalInsights/workspaces/sentinel/providers/Microsoft.SecurityInsights/Entities/",
				"kind": "Ip",
				"properties": {
					"address": "8.8.8.8",
					"friendlyName": "8.8.8.8"
				},
				"type": "Microsoft.SecurityInsights/Entities"
			},
			{
				"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sentinelgroup/providers/Microsoft.OperationalInsights/workspaces/sentinel/providers/Microsoft.SecurityInsights/Entities/",
				"kind": "Ip",
				"properties": {
					"address": "10.0.0.5",
					"friendlyName": "10.0.0.5"
				},
				"type": "Microsoft.SecurityInsights/Entities"
			},
			{
				"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sentinelgroup/providers/Microsoft.OperationalInsights/workspaces/sentinel/providers/Microsoft.SecurityInsights/Entities/",
				"kind": "Url",
				"properties": {
					"friendlyName": "http://malicious.example.com/payload.ps1",
					"url": "http://malicious.example.com/payload.ps1"
				},
				"type": "Microsoft.SecurityInsights/Entities"
			},
			{
				"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sentinelgroup/providers/Microsoft.OperationalInsights/workspaces/sentinel/providers/Microsoft.SecurityInsights/Entities/",
				"kind": "Url",
				"properties": {
					"friendlyName": "http://evil.example.org/",
					"url": "http://evil.example.org/"
				},
				"type": "Microsoft.SecurityInsights/Entities"
			},
			{
				"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sentinelgroup/providers/Microsoft.OperationalInsights/workspaces/sentinel/providers/Microsoft.SecurityInsights/Entities/",
				"kind": "FileHash",
				"properties": {
					"algorithm": "SHA256",
					"friendlyName": "3F785D1B9E4A6A3E6F917FA431F6E9CDA5C7B0F9177B3A2E1F6A86A5F4C9A123(SHA256)",
					"hashValue": "3F785D1B9E4A6A3E6F917FA431F6E9CDA5C7B0F9177B3A2E1F6A86A5F4C9A123"
				},
				"type": "Microsoft.SecurityInsights/Entities"
			}
		],
		"severity": "High",
		"status": "New",
		"title": "Malicious IOC Detection"
	},
	"type": "Microsoft.SecurityInsights/Incidents"
}