---
# Minimal OpenAPI 3.1 description of a subset of the Microsoft Sentinel
# (Microsoft.SecurityInsights) resource provider, reached through Azure
# Resource Manager.
openapi: 3.1.0
info:
  title: Microsoft Sentinel REST API
  description: >-
    Minimal OpenAPI definition for the Microsoft Sentinel (Security Insights)
    REST API covering alert rules, incidents, bookmarks, data connectors, and
    threat intelligence indicators.
  version: '2023-02-01'
  # Provenance markers. NOTE(review): these suggest the file was generated
  # from the public documentation rather than published by the vendor; check
  # it against the source URL before relying on it for client generation or
  # gateway validation.
  x-generated-from: https://learn.microsoft.com/en-us/rest/api/securityinsights/
  x-generated-by: claude-crawl-2026-05-08

# Single HTTPS endpoint; no plaintext (http://) server is declared.
servers:
  - url: https://management.azure.com
    description: Azure Resource Manager

# Global requirement: every operation below inherits bearerAuth. No operation
# overrides it with its own `security` entry, so none is declared anonymous.
security:
  - bearerAuth: []

tags:
  - name: AlertRules
  - name: Incidents
  - name: Bookmarks
  - name: DataConnectors
  - name: ThreatIntelligence

# No operation in this file declares a 4xx/5xx or `default` response, so
# authentication failures, authorization failures and missing resources are
# undocumented here; generated clients will see them as unexpected statuses.
paths:
  # Collection of analytics (alert) rules in one workspace.
  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules:
    parameters:
      - $ref: '#/components/parameters/SubscriptionId'
      - $ref: '#/components/parameters/ResourceGroupName'
      - $ref: '#/components/parameters/WorkspaceName'
      - $ref: '#/components/parameters/ApiVersion'
    get:
      tags:
        - AlertRules
      summary: List alert rules
      operationId: listAlertRules
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GenericList'

  # Single alert rule addressed by ruleId.
  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}:
    parameters:
      - $ref: '#/components/parameters/SubscriptionId'
      - $ref: '#/components/parameters/ResourceGroupName'
      - $ref: '#/components/parameters/WorkspaceName'
      - in: path
        name: ruleId
        required: true
        schema:
          type: string
      - $ref: '#/components/parameters/ApiVersion'
    get:
      tags:
        - AlertRules
      summary: Get alert rule
      operationId: getAlertRule
      responses:
        # No response body schema is declared for the single-item read.
        '200':
          description: OK
    # PUT and DELETE change detection content. NOTE(review): this file does
    # not state which role or permission each operation needs; confirm the
    # Azure RBAC requirements and make sure these calls are audited.
    put:
      tags:
        - AlertRules
      summary: Create or update alert rule
      operationId: createOrUpdateAlertRule
      requestBody:
        required: true
        content:
          application/json:
            # GenericObject accepts any JSON object, so this spec gives no
            # request-body validation for rule definitions.
            schema:
              $ref: '#/components/schemas/GenericObject'
      responses:
        '200':
          description: OK
        '201':
          description: Created
    delete:
      tags:
        - AlertRules
      summary: Delete alert rule
      operationId: deleteAlertRule
      responses:
        '200':
          description: OK
        '204':
          description: No Content

  # Collection of incidents in one workspace.
  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents:
    parameters:
      - $ref: '#/components/parameters/SubscriptionId'
      - $ref: '#/components/parameters/ResourceGroupName'
      - $ref: '#/components/parameters/WorkspaceName'
      - $ref: '#/components/parameters/ApiVersion'
    get:
      tags:
        - Incidents
      summary: List incidents
      operationId: listIncidents
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GenericList'

  # Single incident addressed by incidentId.
  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}:
    parameters:
      - $ref: '#/components/parameters/SubscriptionId'
      - $ref: '#/components/parameters/ResourceGroupName'
      - $ref: '#/components/parameters/WorkspaceName'
      - in: path
        name: incidentId
        required: true
        schema:
          type: string
      - $ref: '#/components/parameters/ApiVersion'
    get:
      tags:
        - Incidents
      summary: Get incident
      operationId: getIncident
      responses:
        # No response body schema is declared for the single-item read.
        '200':
          description: OK
    # PUT and DELETE alter or remove case records. NOTE(review): required
    # permissions are not described in this file; confirm them and audit use.
    put:
      tags:
        - Incidents
      summary: Create or update incident
      operationId: createOrUpdateIncident
      requestBody:
        required: true
        content:
          application/json:
            # Any JSON object is accepted by the referenced schema.
            schema:
              $ref: '#/components/schemas/GenericObject'
      responses:
        '200':
          description: OK
        '201':
          description: Created
    delete:
      tags:
        - Incidents
      summary: Delete incident
      operationId: deleteIncident
      responses:
        '200':
          description: OK
        '204':
          description: No Content

  # Read-only listing; no item-level bookmark operations are defined here.
  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/bookmarks:
    parameters:
      - $ref: '#/components/parameters/SubscriptionId'
      - $ref: '#/components/parameters/ResourceGroupName'
      - $ref: '#/components/parameters/WorkspaceName'
      - $ref: '#/components/parameters/ApiVersion'
    get:
      tags:
        - Bookmarks
      summary: List bookmarks
      operationId: listBookmarks
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GenericList'

  # Read-only listing of configured data connectors.
  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors:
    parameters:
      - $ref: '#/components/parameters/SubscriptionId'
      - $ref: '#/components/parameters/ResourceGroupName'
      - $ref: '#/components/parameters/WorkspaceName'
      - $ref: '#/components/parameters/ApiVersion'
    get:
      tags:
        - DataConnectors
      summary: List data connectors
      operationId: listDataConnectors
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GenericList'

  # Read-only listing of threat intelligence indicators.
  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators:
    parameters:
      - $ref: '#/components/parameters/SubscriptionId'
      - $ref: '#/components/parameters/ResourceGroupName'
      - $ref: '#/components/parameters/WorkspaceName'
      - $ref: '#/components/parameters/ApiVersion'
    get:
      tags:
        - ThreatIntelligence
      summary: List threat intelligence indicators
      operationId: listThreatIntelligenceIndicators
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GenericList'

components:
  securitySchemes:
    # HTTP bearer token. `bearerFormat` is a documentation hint only; it does
    # not make tooling validate the token. NOTE(review): issuer, audience and
    # required roles/scopes are not specified in this file.
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT

  parameters:
    # Path parameters are unconstrained strings (no pattern, format or length
    # limit is declared).
    SubscriptionId:
      in: path
      name: subscriptionId
      required: true
      schema:
        type: string
    ResourceGroupName:
      in: path
      name: resourceGroupName
      required: true
      schema:
        type: string
    WorkspaceName:
      in: path
      name: workspaceName
      required: true
      schema:
        type: string
    # Declared both required and defaulted: a required parameter must always
    # be sent, so the default acts only as a hint for tooling.
    ApiVersion:
      in: query
      name: api-version
      required: true
      schema:
        type: string
        default: '2023-02-01'

  schemas:
    # Open object: any properties of any type are accepted, so validating a
    # payload against this schema checks only that it is a JSON object.
    GenericObject:
      type: object
      additionalProperties: true
    # Envelope whose `value` array holds the listed items.
    GenericList:
      type: object
      properties:
        value:
          type: array
          items:
            $ref: '#/components/schemas/GenericObject'
      # NOTE(review): nesting reconstructed from a flattened source; assumed
      # to apply to GenericList itself rather than to `value` or `items`.
      additionalProperties: true