az sentinel threat-indicator

Note

This reference is part of the sentinel extension for the Azure CLI (version 2.37.0 or higher). The extension will automatically install the first time you run an az sentinel threat-indicator command. Learn more about extensions.

Manage threat intelligence indicators with Sentinel.

Commands

Name | Description | Type | Status
az sentinel threat-indicator append-tag | Append tags to a threat intelligence indicator. | Extension | Experimental
az sentinel threat-indicator create | Create a new threat intelligence indicator. | Extension | Experimental
az sentinel threat-indicator delete | Delete a threat intelligence indicator. | Extension | Experimental
az sentinel threat-indicator list | Get all threat intelligence indicators. | Extension | Experimental
az sentinel threat-indicator metric | Manage threat intelligence indicator metrics with Sentinel. | Extension | GA
az sentinel threat-indicator metric list | Get threat intelligence indicator metrics (indicator counts by type, threat type and source). | Extension | GA
az sentinel threat-indicator query | Query threat intelligence indicators as per filtering criteria. | Extension | Experimental
az sentinel threat-indicator replace-tag | Replace tags added to a threat intelligence indicator. | Extension | Experimental
az sentinel threat-indicator show | View a threat intelligence indicator by name. | Extension | Experimental
az sentinel threat-indicator update | Update a threat intelligence indicator. | Extension | Experimental

az sentinel threat-indicator append-tag

Experimental

This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus

Append tags to a threat intelligence indicator.

az sentinel threat-indicator append-tag --name
                                        --resource-group
                                        --workspace-name
                                        [--intelligence-tags]

Required Parameters

--name

Threat intelligence indicator name field.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--workspace-name -w (Experimental)

The name of the workspace.

Optional Parameters

--intelligence-tags

List of tags to be appended. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az sentinel threat-indicator create

Experimental

This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus

Create a new threat intelligence indicator.

az sentinel threat-indicator create --resource-group
                                    --workspace-name
                                    [--confidence]
                                    [--created]
                                    [--created-by-ref]
                                    [--defanged {0, 1, f, false, n, no, t, true, y, yes}]
                                    [--description]
                                    [--display-name]
                                    [--etag]
                                    [--external-id]
                                    [--external-references]
                                    [--external-updated-time]
                                    [--granular-markings]
                                    [--indicator-types]
                                    [--kill-chain-phases]
                                    [--labels]
                                    [--language]
                                    [--last-updated-time]
                                    [--modified]
                                    [--object-marking-refs]
                                    [--parsed-pattern]
                                    [--pattern]
                                    [--pattern-type]
                                    [--pattern-version]
                                    [--revoked {0, 1, f, false, n, no, t, true, y, yes}]
                                    [--source]
                                    [--threat-tags]
                                    [--threat-types]
                                    [--valid-from]
                                    [--valid-until]

Required Parameters

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--workspace-name -w

The name of the workspace.

Optional Parameters

--confidence

Confidence of threat intelligence entity.

--created

Created by.

--created-by-ref

Created by reference of threat intelligence entity.

--defanged

Is threat intelligence entity defanged.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes

--description

Description of a threat intelligence entity.

--display-name

Display name of a threat intelligence entity.

--etag

Etag of the Azure resource.

--external-id

External ID of threat intelligence entity.

--external-references

External references. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--external-updated-time

External last updated time in UTC.

--granular-markings

Granular markings. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--indicator-types

Indicator types of threat intelligence entities. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--kill-chain-phases

Kill chain phases. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--labels

Labels of threat intelligence entity. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--language

Language of threat intelligence entity.

--last-updated-time

Last updated time in UTC.

--modified

Modified by.

--object-marking-refs

Threat intelligence entity object marking references. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--parsed-pattern

Parsed patterns. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--pattern

Pattern of a threat intelligence entity.

--pattern-type

Pattern type of a threat intelligence entity.

--pattern-version

Pattern version of a threat intelligence entity.

--revoked

Is threat intelligence entity revoked.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes

--source

Source of a threat intelligence entity.

--threat-tags

List of tags. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--threat-types

Threat types. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--valid-from

Valid from.

--valid-until

Valid until.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az sentinel threat-indicator delete

Experimental

This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus

Delete a threat intelligence indicator.

az sentinel threat-indicator delete [--ids]
                                    [--name]
                                    [--resource-group]
                                    [--subscription]
                                    [--workspace-name]
                                    [--yes]

Optional Parameters

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

Threat intelligence indicator name field.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--workspace-name -w

The name of the workspace.

--yes -y

Do not prompt for confirmation.

Default value: False

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az sentinel threat-indicator list

Experimental

This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus

Get all threat intelligence indicators.

az sentinel threat-indicator list --resource-group
                                  --workspace-name
                                  [--filter]
                                  [--orderby]
                                  [--skip-token]
                                  [--top]

Required Parameters

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--workspace-name -w (Experimental)

The name of the workspace.

Optional Parameters

--filter

Filters the results, based on a Boolean condition. Optional.

--orderby

Sorts the results. Optional.

--skip-token

The skip token is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of that element includes a skiptoken parameter that specifies the starting point for subsequent calls. Optional.

--top

Returns only the first n results. Optional.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az sentinel threat-indicator query

Experimental

This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus

Query threat intelligence indicators as per filtering criteria.

az sentinel threat-indicator query --resource-group
                                   --workspace-name
                                   [--ids]
                                   [--include-disabled {0, 1, f, false, n, no, t, true, y, yes}]
                                   [--keywords]
                                   [--max-confidence]
                                   [--max-valid-until]
                                   [--min-confidence]
                                   [--min-valid-until]
                                   [--page-size]
                                   [--pattern-types]
                                   [--skip-token]
                                   [--sort-by]
                                   [--sources]
                                   [--threat-types]

Required Parameters

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--workspace-name -w (Experimental)

The name of the workspace.

Optional Parameters

--ids

IDs of threat intelligence indicators. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--include-disabled

Parameter to include/exclude disabled indicators.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes

--keywords

Keywords for searching threat intelligence indicators. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--max-confidence

Maximum confidence.

--max-valid-until

End time for ValidUntil filter.

--min-confidence

Minimum confidence.

--min-valid-until

Start time for ValidUntil filter.

--page-size

Page size.

--pattern-types

Pattern types. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--skip-token

Skip token.

--sort-by

Columns to sort by and sorting order. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--sources

Sources of threat intelligence indicators. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--threat-types

Threat types of threat intelligence indicators. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az sentinel threat-indicator replace-tag

Experimental

This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus

Replace tags added to a threat intelligence indicator.

az sentinel threat-indicator replace-tag --name
                                         --resource-group
                                         --workspace-name
                                         [--confidence]
                                         [--created]
                                         [--created-by-ref]
                                         [--defanged {0, 1, f, false, n, no, t, true, y, yes}]
                                         [--description]
                                         [--display-name]
                                         [--etag]
                                         [--external-id]
                                         [--external-references]
                                         [--external-updated-time]
                                         [--granular-markings]
                                         [--indicator-types]
                                         [--intelligence-tags]
                                         [--kill-chain-phases]
                                         [--labels]
                                         [--language]
                                         [--last-updated-time]
                                         [--modified]
                                         [--object-marking-refs]
                                         [--parsed-pattern]
                                         [--pattern]
                                         [--pattern-type]
                                         [--pattern-version]
                                         [--revoked {0, 1, f, false, n, no, t, true, y, yes}]
                                         [--source]
                                         [--threat-types]
                                         [--valid-from]
                                         [--valid-until]

Required Parameters

--name

Threat intelligence indicator name field.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--workspace-name -w (Experimental)

The name of the workspace.

Optional Parameters

--confidence

Confidence of threat intelligence entity.

--created

Created by.

--created-by-ref

Created by reference of threat intelligence entity.

--defanged

Is threat intelligence entity defanged.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes

--description

Description of a threat intelligence entity.

--display-name

Display name of a threat intelligence entity.

--etag

Etag of the Azure resource.

--external-id

External ID of threat intelligence entity.

--external-references

External references. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--external-updated-time

External last updated time in UTC.

--granular-markings

Granular markings. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--indicator-types

Indicator types of threat intelligence entities. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--intelligence-tags

List of tags. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--kill-chain-phases

Kill chain phases. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--labels

Labels of threat intelligence entity. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--language

Language of threat intelligence entity.

--last-updated-time

Last updated time in UTC.

--modified

Modified by.

--object-marking-refs

Threat intelligence entity object marking references. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--parsed-pattern

Parsed patterns. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--pattern

Pattern of a threat intelligence entity.

--pattern-type

Pattern type of a threat intelligence entity.

--pattern-version

Pattern version of a threat intelligence entity.

--revoked

Is threat intelligence entity revoked.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes

--source

Source of a threat intelligence entity.

--threat-types

Threat types. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--valid-from

Valid from.

--valid-until

Valid until.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az sentinel threat-indicator show

Experimental

This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus

View a threat intelligence indicator by name.

az sentinel threat-indicator show [--ids]
                                  [--name]
                                  [--resource-group]
                                  [--subscription]
                                  [--workspace-name]

Optional Parameters

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--name -n

Threat intelligence indicator name field.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--workspace-name -w

The name of the workspace.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az sentinel threat-indicator update

Experimental

This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus

Update a threat intelligence indicator.

az sentinel threat-indicator update [--confidence]
                                    [--created]
                                    [--created-by-ref]
                                    [--defanged {0, 1, f, false, n, no, t, true, y, yes}]
                                    [--description]
                                    [--display-name]
                                    [--etag]
                                    [--external-id]
                                    [--external-references]
                                    [--external-updated-time]
                                    [--granular-markings]
                                    [--ids]
                                    [--indicator-types]
                                    [--kill-chain-phases]
                                    [--labels]
                                    [--language]
                                    [--last-updated-time]
                                    [--modified]
                                    [--name]
                                    [--object-marking-refs]
                                    [--parsed-pattern]
                                    [--pattern]
                                    [--pattern-type]
                                    [--pattern-version]
                                    [--resource-group]
                                    [--revoked {0, 1, f, false, n, no, t, true, y, yes}]
                                    [--source]
                                    [--subscription]
                                    [--threat-tags]
                                    [--threat-types]
                                    [--valid-from]
                                    [--valid-until]
                                    [--workspace-name]

Optional Parameters

--confidence

Confidence of threat intelligence entity.

--created

Created by.

--created-by-ref

Created by reference of threat intelligence entity.

--defanged

Is threat intelligence entity defanged.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes

--description

Description of a threat intelligence entity.

--display-name

Display name of a threat intelligence entity.

--etag

Etag of the Azure resource.

--external-id

External ID of threat intelligence entity.

--external-references

External references. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--external-updated-time

External last updated time in UTC.

--granular-markings

Granular markings. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

--indicator-types

Indicator types of threat intelligence entities. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--kill-chain-phases

Kill chain phases. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--labels

Labels of threat intelligence entity. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--language

Language of threat intelligence entity.

--last-updated-time

Last updated time in UTC.

--modified

Modified by.

--name -n

Threat intelligence indicator name field.

--object-marking-refs

Threat intelligence entity object marking references. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--parsed-pattern

Parsed patterns. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--pattern

Pattern of a threat intelligence entity.

--pattern-type

Pattern type of a threat intelligence entity.

--pattern-version

Pattern version of a threat intelligence entity.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

--revoked

Is threat intelligence entity revoked.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes

--source

Source of a threat intelligence entity.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--threat-tags

List of tags. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--threat-types

Threat types. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.

--valid-from

Valid from.

--valid-until

Valid until.

--workspace-name -w

The name of the workspace.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.
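As an added example, not part of the Azure CLI reference above, the shell functions below wrap the create, append-tag, query and delete commands documented on this page for one common SOC workflow: registering a malicious IPv4 indicator with a bounded validity window, tagging it, listing what is live above a confidence threshold, and retiring it. The resource group and workspace names, the --source value, the STIX pattern, the pattern type value ipv4-addr, the "[a,b]" shorthand list syntax and the list-shaped output assumed by the --query expression are assumptions rather than values taken from this page; with AZ_DRY_RUN=1 each function prints the assembled command instead of calling az.

```shell
#!/bin/sh
# Added example, not from the Azure CLI reference: thin wrappers around
# az sentinel threat-indicator for a create / tag / query / delete workflow.
# Set AZ_DRY_RUN=1 to print the assembled command instead of running az.
set -eu

TI_RG="${TI_RG:-rg-sentinel-demo}"         # assumed resource group name
TI_WS="${TI_WS:-law-sentinel-demo}"        # assumed Log Analytics workspace
TI_SOURCE="${TI_SOURCE:-soc-manual}"       # assumed --source value

# Run az, or in dry-run mode print the command line that would have run.
run_az() {
  if [ "${AZ_DRY_RUN:-0}" = "1" ]; then
    printf 'az %s\n' "$*"
  else
    az "$@"
  fi
}

# Return 0 only for a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
  addr=$1
  old_ifs=$IFS; IFS=.
  set -- $addr
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# create_ip_indicator IP CONFIDENCE VALID_FROM VALID_UNTIL
# Builds a STIX ipv4-addr pattern and creates the indicator (times are ISO 8601
# UTC). Input is validated first so a typo cannot become a live indicator with
# a malformed pattern. The pattern type value "ipv4-addr" is an assumption.
create_ip_indicator() {
  ip=$1; conf=$2; valid_from=$3; valid_to=$4
  if ! is_ipv4 "$ip"; then
    echo "rejected: '$ip' is not an IPv4 address" >&2; return 2
  fi
  case "$conf" in ''|*[!0-9]*) echo "rejected: confidence must be 0-100" >&2; return 2 ;; esac
  [ "$conf" -le 100 ] || { echo "rejected: confidence must be 0-100" >&2; return 2; }
  run_az sentinel threat-indicator create \
    --resource-group "$TI_RG" --workspace-name "$TI_WS" \
    --display-name "malicious-ip-$ip" \
    --pattern "[ipv4-addr:value = '$ip']" --pattern-type ipv4-addr \
    --threat-types "[malicious-activity]" \
    --confidence "$conf" --source "$TI_SOURCE" \
    --valid-from "$valid_from" --valid-until "$valid_to"
}

# append_tags NAME TAG... : add tags using the assumed "[a,b]" shorthand list syntax.
append_tags() {
  name=$1; shift
  [ "$#" -ge 1 ] || { echo "rejected: no tags given" >&2; return 2; }
  old_ifs=$IFS; IFS=,; tags="[$*]"; IFS=$old_ifs
  run_az sentinel threat-indicator append-tag \
    --resource-group "$TI_RG" --workspace-name "$TI_WS" \
    --name "$name" --intelligence-tags "$tags"
}

# query_by_confidence MIN : names of enabled indicators at or above MIN confidence
# (assumes the command returns a JSON list, so the JMESPath "[].name" applies).
query_by_confidence() {
  run_az sentinel threat-indicator query \
    --resource-group "$TI_RG" --workspace-name "$TI_WS" \
    --min-confidence "$1" --include-disabled false \
    --query "[].name" --output tsv
}

# delete_indicator NAME : retire an indicator without the confirmation prompt.
delete_indicator() {
  run_az sentinel threat-indicator delete \
    --resource-group "$TI_RG" --workspace-name "$TI_WS" --name "$1" --yes
}
```

The indicator name passed to append_tags and delete_indicator is the name field returned by create, which is what --name expects; run the functions with AZ_DRY_RUN=1 first to inspect the exact command before it touches the workspace.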