Microsoft Graph Security (Preview)

The Microsoft Graph Security connector helps to connect different Microsoft and partner security products and services, using a unified schema, to streamline security operations, and improve threat protection, detection, and response capabilities. Learn more about integrating with the Microsoft Graph Security API at https://aka.ms/graphsecuritydocs

This connector is available in the following products and regions:

Service Class Regions
Logic Apps Standard All Logic Apps regions except the following:
     -   Azure Government regions
     -   Azure China regions
     -   US Department of Defense (DoD)
Power Automate Premium All Power Automate regions except the following:
     -   US Government (GCC)
     -   US Government (GCC High)
     -   China Cloud operated by 21Vianet
     -   US Department of Defense (DoD)
Power Apps Premium All Power Apps regions except the following:
     -   US Government (GCC)
     -   US Government (GCC High)
     -   China Cloud operated by 21Vianet
     -   US Department of Defense (DoD)
Contact
Name Microsoft
URL Microsoft LogicApps Support
Microsoft Power Automate Support
Microsoft Power Apps Support
Email sipsisgdev@microsoft.com
Connector Metadata
Publisher Microsoft
Website https://www.microsoft.com/security/business/graph-security-api

Prerequisites to connect with The Microsoft Graph Security connector

Read more about Microsoft Graph Security API.

  1. To use the Microsoft Graph Security connector action, start with a trigger, such as the Recurrence trigger.

  2. To use the Microsoft Graph Security connector, Microsoft Entra ID tenant administrator consent needs to be provided as part of Microsoft Graph Security Authentication requirements.

  3. The Microsoft Graph Security connector application ID and name (for Microsoft Entra ID in https://portal.azure.com) is as follows for Microsoft Entra ID administrator consent:

  • Application Name - MicrosoftGraphSecurityConnector
  • Application ID - c4829704-0edc-4c3d-a347-7c4a67586f3c
  1. Tenant administrator can either follow steps outlined in granting tenant administrator consent for Microsoft Entra ID applications to the above mentioned application or can grant permissions upon initial run of a workflow using the Microsoft Graph Security connector per the application consent experience.

You are now ready to use the Microsoft Graph Security connector!

Connector in-depth

For more information about the connector, see the in-depth section.

Throttling Limits

Name Calls Renewal Period
API calls per connection 100 60 seconds

Actions

Create subscriptions

Create Microsoft Graph webhook subscriptions.

Create tiIndicator

Create a new threat intelligence indicator by posting to the tiIndicators collection.

Delete multiple tiIndicators by external IDs

Delete multiple threat intelligence indicators corresponding to the specified external IDs.

Delete multiple tiIndicators by IDs

Delete multiple threat intelligence indicators corresponding to the specified IDs.

Delete subscriptions

Delete the specific Microsoft Graph Webhook subscription.

Delete tiIndicator by ID

Delete a threat intelligence indicator corresponding to the specified ID.

Get active subscriptions

Get the list of unexpired subscriptions for this Microsoft Entra ID tenant.

Get alert by ID

Get a security alert corresponding to the specified ID.

Get alerts

Get a list of security alerts for this Microsoft Entra ID tenant. Use with different query parameters.

Get tiIndicator by ID

Get a threat intelligence indicator corresponding to the specified ID.

Get tiIndicators

Get a list of threat intelligence indicators for this Microsoft Entra ID tenant. Use with different query parameters.

Submit multiple tiIndicators

Create new threat intelligence indicators by posting a tiIndicators collection. Required fields for each tiIndicator are: action, azureTenantId, description, expirationDateTime, targetProduct, threatType, tlpLevel.

Update alert

Update specific properties of a security alert.

Update multiple tiIndicators

Update specific properties of multiple threat intelligence indicators. Required fields for each tiIndicator are: Id, expirationDateTime, and targetProduct.

Update subscription

Renew a Microsoft Graph webhook subscription by updating its expiration time.

Update tiIndicator

Update specific properties of a threat intelligence indicator. Required fields for the tiIndicator are: Id, expirationDateTime, and targetProduct.

Create subscriptions

Create Microsoft Graph webhook subscriptions.

Parameters

Name Key Required Type Description
Resource URL
resource True string

Specify the resource that will be monitored for changes. Do not include base URL (https://graph.microsoft.com/v1.0/). Include security/alerts followed by the odata query. For e.g. security/alerts?$filter=status eq �New�

Change type
changeType True string

Specify the property type that should raise a notification when changed on the subscribed resource.

Client state
clientState string

Specify the client state to confirm the notification origination source.

Notification URL
notificationUrl True string

Specify a well-formed URL of the endpoint that will receive notifications.

Expiration date time
expirationDateTime True date-time

Specify the date time when the webhook subscription expires; needs to be a date time greater than current time and within 30 days.

Returns

A single subscription entity returned

Subscription
Subscription

Create tiIndicator

Create a new threat intelligence indicator by posting to the tiIndicators collection.

Parameters

Name Key Required Type Description
Action
action True string

The action to apply if the indicator is matched from within the targetProduct security tool. Values: (unknown, allow, block, alert).

Activity group names
activityGroupNames array of string

The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator.

Additional information
additionalInformation string

Extra data from the indicator not covered by the other tiIndicator properties may be placed

Azure Tenant ID
azureTenantId string

The Microsoft Entra ID tenant id of submitting client.

Confidence
confidence integer

Confidence of the detection logic (percentage between 0-100).

Description
description True string

TiIndicator description (100 charactes or less).

Diamond model
diamondModel string

The area of the Diamond Model in which this indicator exists. Values: (unknown, adversary, capability, infrastructure, victim).

Expiration date time
expirationDateTime True date-time

Time at which the the Indicator expires (UTC).

External ID
externalId string

An identification number that ties the indicator back to the indicator provider’s system (e.g. a foreign key).

Ingested date time
ingestedDateTime date-time

Time at which the the Indicator is ingested (UTC).

Is active
isActive boolean

By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system.

Kill chain
killChain array of string

strings that describes which point or points on the Kill Chain this indicator targets. Values: (Actions, C2, Delivery, Exploitation, Installation, Reconnaissance, Weaponization).

Known false positives
knownFalsePositives string

Scenarios in which the indicator may cause false positives.

Last reported date time
lastReportedDateTime date-time

The last time the indicator was seen (UTC).

Malware family names
malwareFamilyNames array of string

The malware family name associated with an indicator if it exists.

Passive Only
passiveOnly boolean

Determines if the indicator should trigger an event that is visible to an end-user.

Severity
severity integer

Severity of the malicious behavior identified by the data within the indicator. Values are from 0 – 5 with 5 being most severe. Default value is 3.

Tags
tags array of string
Target Product
targetProduct True string

Single security product to which the indicator should be applied. Acceptable values are: Azure Sentinel, Microsoft Defender ATP.

Threat Type
threatType string

Each indicator must have a valid Indicator Threat Type. Possible values are: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList.

Tlp level
tlpLevel string

Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red.

Email encoding
emailEncoding string

The type of text encoding used in the email.

Email language
emailLanguage string

The language of the email.

Email recipient
emailRecipient string

Recipient email address.

Email sender address
emailSenderAddress string

Email address of the attacker|victim.

Email sender name
emailSenderName string

Displayed name of the attacker|victim.

Email source domain
emailSourceDomain string

Domain used in the email.

Email source Ip address
emailSourceIpAddress string

Source IP address of email.

Email subject
emailSubject string

Subject line of email.

Email XMailer
emailXMailer string

X-Mailer value used in the email.

File compile date time
fileCompileDateTime date-time

DateTime when the file was compiled.

File created date time
fileCreatedDateTime date-time

DateTime when the file was created.

File hash type
fileHashType string

The type of hash stored in fileHashValue. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph.

File hash value
fileHashValue string

The file hash value.

File mutex name
fileMutexName string

Mutex name used in file-based detections.

File name
fileName string

Name of the file if the indicator is file-based.

File packer
filePacker string

The packer used to build the file in question.

File path
filePath string

Path of file indicating compromise. May be a Windows or *nix style path.

File size
fileSize integer

Size of the file in bytes.

File type
fileType string

Text description of the type of file. For example, “Word Document” or “Binary”.

Domain name
domainName string

Domain name associated with this indicator.

Network cidr block
networkCidrBlock string

CIDR Block notation representation of the network referenced in this indicator.

Network destination Asn
networkDestinationAsn integer

The destination autonomous system identifier of the network referenced in the indicator.

Network destination cidr block
networkDestinationCidrBlock string

CIDR Block notation representation of the destination network in this indicator.

Network destination IPv4
networkDestinationIPv4 string

IPv4 IP address destination.

Network destination IPv6
networkDestinationIPv6 string

IPv6 IP address destination.

Network destination port
networkDestinationPort integer

TCP port destination.

Network IPv4
networkIPv4 string

IPv4 IP address.

Network IPv6
networkIPv6 string

IPv6 IP address.

Network port
networkPort integer

TCP port.

Network protocol
networkProtocol integer

Decimal representation of the protocol field in the IPv4 header.

Network source Asn
networkSourceAsn integer

The source autonomous system identifier of the network referenced in the indicator.

Network source cidr block
networkSourceCidrBlock string

CIDR Block notation representation of the source network in this indicator.

Network source IPv4
networkSourceIPv4 string

IPv4 IP address source.

Network destination IPv6
networkSourceIPv6 string

IPv6 IP address source.

Network source port
networkSourcePort integer

TCP port source.

Url
url string

Uniform Resource Locator.

User agent
userAgent string

User-Agent string from a web request that could indicate compromise.

Returns

A single TiIndicator entity returned

TiIndicator
TiIndicator

Delete multiple tiIndicators by external IDs

Delete multiple threat intelligence indicators corresponding to the specified external IDs.

Parameters

Name Key Required Type Description
value
value array of string

Returns

Name Path Type Description
value
value array of object
code
value.code integer

The result code

message
value.message string

The message

subcode
value.subcode integer

The result sub-code

Delete multiple tiIndicators by IDs

Delete multiple threat intelligence indicators corresponding to the specified IDs.

Parameters

Name Key Required Type Description
value
value array of string

Returns

Name Path Type Description
value
value array of object
code
value.code integer

The result code

message
value.message string

The message

subcode
value.subcode integer

The result sub-code

Delete subscriptions

Delete the specific Microsoft Graph Webhook subscription.

Parameters

Name Key Required Type Description
Subscription ID
Subscription Id True string

Specify the Microsoft Graph Webhook Subscription ID.

Delete tiIndicator by ID

Delete a threat intelligence indicator corresponding to the specified ID.

Parameters

Name Key Required Type Description
TiIndicator ID
indicator-id True string

Specify threat intelligence indicator ID

Get active subscriptions

Get the list of unexpired subscriptions for this Microsoft Entra ID tenant.

Returns

Name Path Type Description
Existing subcriptions count
@odata.count integer

The number of subcriptions returned

Subscription
value array of Subscription

The subscription entities returned

Next link
@odata.nextLink string

A link to get the next results in case there are more results than requested

Get alert by ID

Get a security alert corresponding to the specified ID.

Parameters

Name Key Required Type Description
Alert ID
alert-id True string

Specify alert ID.

Returns

A single alert entity returned

Alert
Alert

Get alerts

Get a list of security alerts for this Microsoft Entra ID tenant. Use with different query parameters.

Parameters

Name Key Required Type Description
Filter alerts
$filter string

Specify filtering condition for alerts like Severity eq "High".

Top alerts
$top integer

Specify the recent most top number of alerts to retrieve from each provider.

Select alert properties
$select string

Specify alert properties to include in the results.

Sorting order
$orderby string

Specify sorting order for the results.

Skips "n" results
$skip integer

Specify number of results to skip. Useful for pagination.

Include count of alerts returned
$count string

Specify to include the number of alerts returned in the response

Returns

Name Path Type Description
Alerts count
@odata.count integer

The number of alerts returned

Alerts
value array of Alert

The alerts returned

Next link
@odata.nextLink string

A link to get the next results in case there are more results than requested

Get tiIndicator by ID

Get a threat intelligence indicator corresponding to the specified ID.

Parameters

Name Key Required Type Description
TiIndicator ID
indicator-id True string

Specify threat intelligence indicator ID

Returns

A single TiIndicator entity returned

TiIndicator
TiIndicator

Get tiIndicators

Get a list of threat intelligence indicators for this Microsoft Entra ID tenant. Use with different query parameters.

Parameters

Name Key Required Type Description
Filter tiIndicators
$filter string

Specify filtering condition for threat intelligence indicators like threatType eq 'WatchList'

Top tiIndicators
$top integer

Specify the recent top number of threat intelligence indicators to be retrieved

Select tiIndicator properties
$select string

Specify threat intelligence indicator properties to include in the results.

Include count of tiIndicators returned
$count string

Specify to include the number of threat intelligence indicators returned in the response

Skips "n" results
$skip integer

Specify number of results to skip. Useful for pagination.

Sorting order
$orderby string

Specify sorting order for the results.

Returns

Name Path Type Description
TiIndicator count
@odata.count integer

The number of TiIndicator returned

TiIndicators
value array of TiIndicator

The TiIndicator returned

Next link
@odata.nextLink string

A link to get the next results in case there are more results than requested

Submit multiple tiIndicators

Create new threat intelligence indicators by posting a tiIndicators collection. Required fields for each tiIndicator are: action, azureTenantId, description, expirationDateTime, targetProduct, threatType, tlpLevel.

Parameters

Name Key Required Type Description
Action
action True string

The action to apply if the indicator is matched from within the targetProduct security tool. Values: (unknown, allow, block, alert).

Activity group names
activityGroupNames array of string

The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator.

Additional information
additionalInformation string

Extra data from the indicator not covered by the other tiIndicator properties may be placed

Azure Tenant ID
azureTenantId string

The Microsoft Entra ID tenant id of submitting client.

Confidence
confidence integer

Confidence of the detection logic (percentage between 0-100).

Description
description True string

TiIndicator description (100 charactes or less).

Diamond model
diamondModel string

The area of the Diamond Model in which this indicator exists. Values: (unknown, adversary, capability, infrastructure, victim).

Expiration date time
expirationDateTime True date-time

Time at which the the Indicator expires (UTC).

External ID
externalId string

An identification number that ties the indicator back to the indicator provider’s system (e.g. a foreign key).

Ingested date time
ingestedDateTime date-time

Time at which the the Indicator is ingested (UTC).

Is active
isActive boolean

By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system.

Kill chain
killChain array of string

strings that describes which point or points on the Kill Chain this indicator targets. Values: (Actions, C2, Delivery, Exploitation, Installation, Reconnaissance, Weaponization).

Known false positives
knownFalsePositives string

Scenarios in which the indicator may cause false positives.

Last reported date time
lastReportedDateTime date-time

The last time the indicator was seen (UTC).

Malware family names
malwareFamilyNames array of string

The malware family name associated with an indicator if it exists.

Passive Only
passiveOnly boolean

Determines if the indicator should trigger an event that is visible to an end-user.

Severity
severity integer

Severity of the malicious behavior identified by the data within the indicator. Values are from 0 – 5 with 5 being most severe. Default value is 3.

Tags
tags array of string
Target Product
targetProduct True string

Single security product to which the indicator should be applied. Acceptable values are: Azure Sentinel, Microsoft Defender ATP.

Threat Type
threatType string

Each indicator must have a valid Indicator Threat Type. Possible values are: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList.

Tlp level
tlpLevel string

Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red.

Email encoding
emailEncoding string

The type of text encoding used in the email.

Email language
emailLanguage string

The language of the email.

Email recipient
emailRecipient string

Recipient email address.

Email sender address
emailSenderAddress string

Email address of the attacker|victim.

Email sender name
emailSenderName string

Displayed name of the attacker|victim.

Email source domain
emailSourceDomain string

Domain used in the email.

Email source Ip address
emailSourceIpAddress string

Source IP address of email.

Email subject
emailSubject string

Subject line of email.

Email XMailer
emailXMailer string

X-Mailer value used in the email.

File compile date time
fileCompileDateTime date-time

DateTime when the file was compiled.

File created date time
fileCreatedDateTime date-time

DateTime when the file was created.

File hash type
fileHashType string

The type of hash stored in fileHashValue. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph.

File hash value
fileHashValue string

The file hash value.

File mutex name
fileMutexName string

Mutex name used in file-based detections.

File name
fileName string

Name of the file if the indicator is file-based.

File packer
filePacker string

The packer used to build the file in question.

File path
filePath string

Path of file indicating compromise. May be a Windows or *nix style path.

File size
fileSize integer

Size of the file in bytes.

File type
fileType string

Text description of the type of file. For example, “Word Document” or “Binary”.

Domain name
domainName string

Domain name associated with this indicator.

Network cidr block
networkCidrBlock string

CIDR Block notation representation of the network referenced in this indicator.

Network destination Asn
networkDestinationAsn integer

The destination autonomous system identifier of the network referenced in the indicator.

Network destination cidr block
networkDestinationCidrBlock string

CIDR Block notation representation of the destination network in this indicator.

Network destination IPv4
networkDestinationIPv4 string

IPv4 IP address destination.

Network destination IPv6
networkDestinationIPv6 string

IPv6 IP address destination.

Network destination port
networkDestinationPort integer

TCP port destination.

Network IPv4
networkIPv4 string

IPv4 IP address.

Network IPv6
networkIPv6 string

IPv6 IP address.

Network port
networkPort integer

TCP port.

Network protocol
networkProtocol integer

Decimal representation of the protocol field in the IPv4 header.

Network source Asn
networkSourceAsn integer

The source autonomous system identifier of the network referenced in the indicator.

Network source cidr block
networkSourceCidrBlock string

CIDR Block notation representation of the source network in this indicator.

Network source IPv4
networkSourceIPv4 string

IPv4 IP address source.

Network destination IPv6
networkSourceIPv6 string

IPv6 IP address source.

Network source port
networkSourcePort integer

TCP port source.

Url
url string

Uniform Resource Locator.

User agent
userAgent string

User-Agent string from a web request that could indicate compromise.

Returns

Name Path Type Description
TiIndicators
value array of TiIndicator

The TiIndicators submitted

Update alert

Update specific properties of a security alert.

Parameters

Name Key Required Type Description
Alert ID
alert-id True string

Specify alert ID.

Assigned to
assignedTo string

Specify the name of the analyst the alert is assigned to for triage, investigation, or remediation.

Closed dateTime
closedDateTime string

Specify the time at which the alert was closed. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time.

comments
comments array of string

Comments

Tags
tags array of string

Specify any user-definable labels that can be applied to an alert and can serve as filter conditions (for example "HVA", "SAW", etc.).

Feedback
feedback string

Specify analyst feedback on the alert.

Status
status string

Specify status to track alert lifecycle status (stage).

Provider name
provider True string

Specific provider (product/service - not vendor company); for example, WindowsDefenderATP.

Provider version
providerVersion string

Specify version of the provider or subprovider, if it exists, that generated the alert.

Sub Provider name
subProvider string

Specific subprovider (under aggregating provider); for example, WindowsDefenderATP.SmartScreen.

Vendor name
vendor True string

Specify name of the alert vendor (for example, Microsoft, Dell, FireEye).

Update multiple tiIndicators

Update specific properties of multiple threat intelligence indicators. Required fields for each tiIndicator are: Id, expirationDateTime, and targetProduct.

Parameters

Name Key Required Type Description
id
id True string

TiIndicator-id

Action
action string

The action to apply if the indicator is matched from within the targetProduct security tool. Values: (unknown, allow, block, alert).

Activity group names
activityGroupNames array of string

The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator.

Additional information
additionalInformation string

Extra data from the indicator not covered by the other tiIndicator properties may be placed

Confidence
confidence integer

Confidence of the detection logic (percentage between 0-100).

Description
description string

TiIndicator description (100 charactes or less).

Diamond model
diamondModel string

The area of the Diamond Model in which this indicator exists. Values: (unknown, adversary, capability, infrastructure, victim).

Expiration date time
expirationDateTime True date-time

Time at which the the Indicator expires (UTC).

Target Product
targetProduct True string

Single security product to which the indicator should be applied. Acceptable values are: Azure Sentinel, Microsoft Defender ATP.

External ID
externalId string

An identification number that ties the indicator back to the indicator provider’s system (e.g. a foreign key).

Is active
isActive boolean

By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system.

Kill chain
killChain array of string

strings that describes which point or points on the Kill Chain this indicator targets. Values: (Actions, C2, Delivery, Exploitation, Installation, Reconnaissance, Weaponization).

Known false positives
knownFalsePositives string

Scenarios in which the indicator may cause false positives.

Last reported date time
lastReportedDateTime date-time

The last time the indicator was seen (UTC).

Malware family names
malwareFamilyNames array of string

The malware family name associated with an indicator if it exists.

Passive Only
passiveOnly boolean

Determines if the indicator should trigger an event that is visible to an end-user.

Severity
severity integer

Severity of the malicious behavior identified by the data within the indicator. Values are from 0 – 5 with 5 being most severe. Default value is 3.

Tags
tags array of string
Tlp level
tlpLevel string

Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red.

Returns

Name Path Type Description
TiIndicators
value array of TiIndicator

The TiIndicators updated

Update subscription

Renew a Microsoft Graph webhook subscription by updating its expiration time.

Parameters

Name Key Required Type Description
Subscription ID
Subscription Id True string

Specify Microsoft Graph Webhook subscription ID.

Expiration date time
expirationDateTime string

Specify the date and time, in UTC format, of when the Microsoft Graph webhook subscription expires. The maximum expiration time for security alerts is 43200 minutes (under 30 days).

Returns

A single subscription entity returned

Subscription
Subscription

Update tiIndicator

Update specific properties of a threat intelligence indicator. Required fields for the tiIndicator are: Id, expirationDateTime, and targetProduct.

Parameters

Name Key Required Type Description
TiIndicator ID
indicator-id True string

Specify threat intelligence indicator ID.

Action
action string

The action to apply if the indicator is matched from within the targetProduct security tool. Values: (unknown, allow, block, alert).

Activity group names
activityGroupNames array of string

The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator.

Additional information
additionalInformation string

Extra data from the indicator not covered by the other tiIndicator properties may be placed

Confidence
confidence integer

Confidence of the detection logic (percentage between 0-100).

Description
description string

TiIndicator description (100 charactes or less).

Diamond model
diamondModel string

The area of the Diamond Model in which this indicator exists. Values: (unknown, adversary, capability, infrastructure, victim).

Expiration date time
expirationDateTime True date-time

Time at which the the Indicator expires (UTC format. For example, 2020-03-01T00:00:00Z).

External ID
externalId string

An identification number that ties the indicator back to the indicator provider’s system (e.g. a foreign key).

Is active
isActive boolean

By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system.

Kill chain
killChain array of string

strings that describes which point or points on the Kill Chain this indicator targets. Values: (Actions, C2, Delivery, Exploitation, Installation, Reconnaissance, Weaponization).

Known false positives
knownFalsePositives string

Scenarios in which the indicator may cause false positives.

Last reported date time
lastReportedDateTime date-time

The last time the indicator was seen (UTC).

Malware family names
malwareFamilyNames array of string

The malware family name associated with an indicator if it exists.

Passive Only
passiveOnly boolean

Determines if the indicator should trigger an event that is visible to an end-user.

Severity
severity integer

Severity of the malicious behavior identified by the data within the indicator. Values are from 0 – 5 with 5 being most severe. Default value is 3.

Tags
tags array of string
Tlp level
tlpLevel string

Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red.

Target Product
targetProduct True string

Single security product to which the indicator should be applied. Acceptable values are: Azure Sentinel, Microsoft Defender ATP.

Triggers

On all new alerts

Triggers on all new alerts

On new high severity alerts

Triggers on new high severity alerts

On all new alerts

Triggers on all new alerts

Returns

Name Path Type Description
Alerts count
@odata.count integer

The number of alerts returned

Alerts
value array of Alert

The alerts returned

Next link
@odata.nextLink string

A link to get the next results in case there are more results than requested

On new high severity alerts

Triggers on new high severity alerts

Returns

Name Path Type Description
Alerts count
@odata.count integer

The number of alerts returned

Alerts
value array of Alert

The alerts returned

Next link
@odata.nextLink string

A link to get the next results in case there are more results than requested

Definitions

Alert

A single alert entity returned

Name Path Type Description
Azure subscription ID
azureSubscriptionId string

Azure subscription ID, present if this alert is related to an Azure resource.

Tags
tags array of string

User-definable labels that can be applied to an alert and can serve as filter conditions (e.g. "HVA", "SAW", etc.).

ID
id string

Provider-generated GUID/unique identifier.

Azure tenant ID
azureTenantId string

Microsoft Entra ID tenant ID.

Activity group name
activityGroupName string

Name or alias of the activity group (attacker) this alert is attributed to.

Assigned to
assignedTo string

Name of the analyst the alert is assigned to for triage, investigation, or remediation.

Category
category string

Category of the alert (e.g. credentialTheft, ransomware, etc.).

Closed date time
closedDateTime date-time

Time at which the alert was closed (UTC).

Comments
comments array of string

Customer-provided comments on alert (for customer alert management).

Confidence
confidence integer

Confidence of the detection logic (percentage between 1-100).

Created date time
createdDateTime date-time

Time at which the alert was created (UTC).

Description
description string

Alert description.

Detection Ids
detectionIds array of string

Set of alerts related to this alert entity.

Event date time
eventDateTime date-time

Time at which the event(s) that served as the trigger(s) to generate the alert occurred (UTC).

Feedback
feedback string

Analyst feedback on the alert. Possible values are: unknown, truePositive, falsePositive, benignPositive.

Last modified date time
lastModifiedDateTime date-time

Time at which the alert entity was last modified (UTC).

Recommended actions
recommendedActions array of string

Vendor/Provider recommended action/s to take as a result of the alert (e.g. isolate machine, enforce2FA, reimage host, etc.).

Severity
severity string

Alert severity - set by vendor/provider. Values: (high, medium, low, Informational) where "informational" infers that the alert is not actionable.

Source materials
sourceMaterials array of string

Hyperlinks (URIs) to the source material related to the alert, e.g. provider investigation UI, etc.

Status
status string

Alert lifecycle status (stage). Values: (unknown, newAlert, inProgress, resolved).

Title
title string

Alert title.

Provider name
vendorInformation.provider string

Specific provider (product/service - not vendor company); for example, WindowsDefenderATP.

Provider version
vendorInformation.providerVersion string

Version of the provider or subprovider.

Sub provider name
vendorInformation.subProvider string

Specific subprovider (under aggregating provider); for example, WindowsDefenderATP.SmartScreen.

Vendor name
vendorInformation.vendor string

Name of the alert vendor (for example, Microsoft, Dell, FireEye).

Cloud app states
cloudAppStates array of object

Security-related stateful information generated by the provider about the cloud application/s related to this alert.

Destination service IP
cloudAppStates.destinationServiceIp string

Destination IP address of the connection to cloud app/service.

Destination service name
cloudAppStates.destinationServiceName string

Destination cloud app/service name.

Risk score
cloudAppStates.riskScore string

Provider-generated/calculated risk score of the Cloud Application/Service.

File states
fileStates array of object

Security-related stateful information generated by the provider about the file(s) related to this alert.

Name
fileStates.name string

File Name (without path).

Path
fileStates.path string

Full file path of the file/imageFile.

Risk score
fileStates.riskScore string

Provider generated/calculated risk score of the alert file.

Type
fileStates.fileHash.type string

File hash type. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph, peSha1, peSha256.

Value
fileStates.fileHash.value string

Value of the file hash.

Host states
hostStates array of object

Security-related stateful information generated by the provider about the host(s) related to this alert.

Fully qualified domain name
hostStates.fqdn string

Host FQDN (Fully Qualified Domain Name).

Is azureAd joined
hostStates.isAzureAdJoined boolean

True if the host is domain joined to Microsoft Entra ID Domain Services.

Is azureAd registered
hostStates.isAzureAdRegistered boolean

True if the host registered with Microsoft Entra ID Device Registration (e.g. BYOD) - not fully managed by enterprise.

Is hybrid azure domain joined
hostStates.isHybridAzureDomainJoined boolean

True if the host is domain joined to an on-premises Microsoft Entra ID domain.

Net bios name
hostStates.netBiosName string

Local host name without DNS domain name.

Operating system name
hostStates.os string

Host Operating System.

Private IP address
hostStates.privateIpAddress string

Private (not routable) IPv4 or IPv6 Address at the time of the alert.

Public IP address
hostStates.publicIpAddress string

Publicly routable IPv4 or IPv6 Address at time of the alert.

Risk score
hostStates.riskScore string

Provider-generated/calculated risk score of the host.

Malware states
malwareStates array of object

Security-related stateful information generated by the provider about the malware related to this alert.

Category
malwareStates.category string

Provider-generated malware category (e.g. trojan, ransomware, etc.).

Family
malwareStates.family string

Provider-generated malware family (e.g. "wannacry", "notpetya", etc.).

Name
malwareStates.name string

Provider-generated malware variant name (e.g. Trojan:Win32/Powessere.H).

Severity
malwareStates.severity string

Provider-determined severity of this malware.

Was running
malwareStates.wasRunning boolean

Indicates whether the detected file (malware/vulnerability) was running at the time of detection or was detected at rest on the disk.

Network connections
networkConnections array of object

Security-related stateful information generated by the provider about the file(s) related to this alert.

Application name
networkConnections.applicationName string

Name of the application managing the network connection (e.g. Facebook, SMTP, etc.).

Destination address
networkConnections.destinationAddress string

Destination IP address of the network connection.

Destination domain
networkConnections.destinationDomain string

Destination domain portion of the destination URL.(for example "www.contoso.com").

Destination port
networkConnections.destinationPort string

Destination port of the network connection.

Destination url
networkConnections.destinationUrl string

Network connection URL/URI string - excluding parameters.

Direction
networkConnections.direction string

Network connection direction. Possible values are: unknown, inbound, outbound.

Domain registered dateTime
networkConnections.domainRegisteredDateTime date-time

Date the destination domain was registered (UTC).

Local dns name
networkConnections.localDnsName string

The local DNS name resolution as it appears in the host local DNS cache (e.g. in case the "hosts" file was tampered with).

Nat destination address
networkConnections.natDestinationAddress string

Network Address Translation destination IP address.

Nat destination port
networkConnections.natDestinationPort string

Network Address Translation destination port.

Nat source address
networkConnections.natSourceAddress string

Network Address Translation source IP address.

Nat source port
networkConnections.natSourcePort string

Network Address Translation source port.

Protocol
networkConnections.protocol string

Network protocol. Possible values are: unknown, ip, icmp, igmp, ggp, ipv4, tcp, pup, udp, idp, ipv6, ipv6RoutingHeader, ipv6FragmentHeader, ipSecEncapsulatingSecurityPayload, ipSecAuthenticationHeader, icmpV6, ipv6NoNextHeader, ipv6DestinationOptions, nd, raw, ipx, spx, spxII.

Risk score
networkConnections.riskScore string

Provider generated/calculated risk score of the network connection.

Source address
networkConnections.sourceAddress string

Source (i.e. origin) IP address of the network connection.

Source port
networkConnections.sourcePort string

Source (i.e. origin) IP port of the network connection.

Status
networkConnections.status string

Network connection status. Possible values are: unknown, attempted, succeeded, blocked, failed.

Url parameters
networkConnections.urlParameters string

Parameters (suffix) of the destination URL as a string.

Processes
processes array of object

Security-related stateful information generated by the provider about the process or processes related to this alert.

Account name
processes.accountName string

User account identifier (user account context the process ran under) e.g. AccountName, SID, etc.

Command line
processes.commandLine string

The full process invocation commandline including all parameters.

Created date time
processes.createdDateTime date-time

DateTime at which the parent process was started (UTC).

Integrity level
processes.integrityLevel string

The integrity level of the process. Possible values are: unknown, untrusted, low, medium, high, system.

Is elevated
processes.isElevated boolean

True if the process is elevated.

Name
processes.name string

The name of the process Image file.

Parent process created date time
processes.parentProcessCreatedDateTime date-time

Time at which the process was started (UTC).

Parent process ID
processes.parentProcessId integer

The Process ID (PID) of the parent process.

Parent process name
processes.parentProcessName string

The name of the image file of the parent process.

Path
processes.path string

Full path, including filename.

Process Id
processes.processId integer

The Process ID (PID) of the process.

Type
processes.fileHash.type string

File hash type. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph, peSha1, peSha256.

Value
processes.fileHash.value string

Value of the file hash.

Registry key states
registryKeyStates array of object

Security-related stateful information generated by the provider about the registry keys related to this alert.

Process
registryKeyStates.process string

Process ID (PID) of the process that modified the registry key (process details will appear in the alert "processes" collection).

Operation
registryKeyStates.operation string

Operation that changed the registry key name and/or value (add, modify, delete).

Value Type
registryKeyStates.valueType string

Registry key value type. Possible values are: unknown, binary, dword, dwordLittleEndian, dwordBigEndian, expandSz, link, multiSz, none, qword, qwordlittleEndian, sz.

Registry hive
registryKeyStates.hive string

Windows registry hive. Possible values are: unknown, currentConfig, currentUser, localMachineSam, localMachineSamSoftware, localMachineSystem, usersDefault.

Key
registryKeyStates.key string

Current (i.e. changed) registry key (excludes HIVE).

Value name
registryKeyStates.valueName string

Current (i.e. changed) registry key value name.

Value data
registryKeyStates.valueData string

Current (i.e. changed) registry key value data (contents).

Old key
registryKeyStates.oldKey string

Previous (i.e. before changed) registry key (excludes HIVE).

Old value name
registryKeyStates.oldValueName string

Previous (i.e. before changed) registry key value name.

Old value data
registryKeyStates.oldValueData string

Previous (i.e. before changed) registry key value data (contents).

Triggers
triggers array of object

Security-related information about the specific properties that triggered the alert (properties appearing in the alert). Alerts might contain information about multiple users, hosts, files, ip addresses. This field indicates which properties triggered the alert generation.

Name
triggers.name string

Name of the property serving as a detection trigger.

Type
triggers.type string

Type of the attribute in the key:value pair for interpretation, e.g. String, Boolean, etc.

Value
triggers.value string

Value of the attribute serving as a detection trigger.

User states
userStates array of object

Security-related stateful information generated by the provider about the logged-on user or users related to this alert.

Microsoft Entra ID user ID
userStates.aadUserId string

Microsoft Entra ID User object identifier (GUID) - represents the physical/multi-account user entity.

Account name
userStates.accountName string

Account name of user account (without Microsoft Entra ID Domain or DNS Domain) - (also called "mailNickName").

Domain name
userStates.domainName string

NetBIOS/Microsoft Entra ID Domain of user account �(i.e. domain\account format).

Email role
userStates.emailRole string

For email-related alerts - user account email role.

Is Vpn
userStates.isVpn boolean

Indicates whether the user logged on through a VPN.

Logon date time
userStates.logonDateTime date-time

Time at which the logon occurred (UTC).

Logon ID
userStates.logonId string

User sign-in ID.

Logon IP
userStates.logonIp string

IP Address the logon request orginated from.

Logon location
userStates.logonLocation string

Location (by IP address mapping) associated with a user sign-in event by this user.

Logon type
userStates.logonType string

Method of user sign in. Possible values are: unknown, interactive, remoteInteractive, network, batch, service.

On premises security identifier
userStates.onPremisesSecurityIdentifier string

Microsoft Entra ID (on-premises) Security Identifier (SID) of the user.

Risk score
userStates.riskScore string

Provider-generated/calculated risk score of the user account.

User account type
userStates.userAccountType string

User account type (group membership), per Windows definition. Possible values are: unknown, standard, power, administrator.

User principal name
userStates.userPrincipalName string

User sign-in name - internet format: @.

Vulnerability states
vulnerabilityStates array of object

Threat intelligence pertaining to one or more vulnerabilities related to this alert.

Cve
vulnerabilityStates.cve string

Common Vulnerabilities and Exposures (CVE) for the vulnerability.

Was running
vulnerabilityStates.wasRunning boolean

Indicates whether the detected vulnerability (file) was running at the time of detection or was the file detected at rest on the disk.

Severity
vulnerabilityStates.severity string

Base Common Vulnerability Scoring System (CVSS) severity score for this vulnerability.

Subscription

A single subscription entity returned

Name Path Type Description
ID
id string

Unique identifier for the subscription.

Resource
resource string

Specifies the resource that will be monitored for changes.

Application Id
applicationId string

Identifier of the application used to create the subscription.

Change type
changeType string

Indicates the type of change in the subscribed resource that will raise a notification.

Client state
clientState string

Specifies the value of the clientState property sent by the service in each notification. The maximum length is 128 characters. The client can check that the notification came from the service by comparing the value of the clientState property sent with the subscription with the value of the clientState property received with each notification.

Notification URL
notificationUrl string

The URL of the endpoint that will receive the notifications. This URL must make use of the HTTPS protocol.

Expiration date time
expirationDateTime string

Specifies the date and time when the webhook subscription expires (UTC).

Creator Id
creatorId string

Identifier of the user or service principal that created the subscription. If the app used delegated permissions to create the subscription, this field contains the id of the signed-in user the app called on behalf of. If the app used application permissions, this field contains the id of the service principal corresponding to the app.

TiIndicator

A single TiIndicator entity returned

Name Path Type Description
Action
action string

The action to apply if the indicator is matched from within the targetProduct security tool. Values: (unknown, allow, block, alert).

Activity group names
activityGroupNames array of string

The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator.

Additional information
additionalInformation string

Extra data from the indicator not covered by the other tiIndicator properties may be placed

Azure Tenant ID
azureTenantId string

The Microsoft Entra ID tenant id of submitting client.

Confidence
confidence integer

Confidence of the detection logic (percentage between 0-100).

Description
description string

TiIndicator description (100 charactes or less).

Diamond model
diamondModel string

The area of the Diamond Model in which this indicator exists. Values: (unknown, adversary, capability, infrastructure, victim).

Expiration date time
expirationDateTime date-time

Time at which the the Indicator expires (UTC).

External ID
externalId string

An identification number that ties the indicator back to the indicator provider’s system (e.g. a foreign key).

ID
id string

Created by the system when the indicator is ingested. Generated GUID/unique identifier.

Ingested date time
ingestedDateTime date-time

Time at which the the Indicator is ingested (UTC).

Is active
isActive boolean

By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system.

Kill chain
killChain array of string

strings that describes which point or points on the Kill Chain this indicator targets. Values: (Actions, C2, Delivery, Exploitation, Installation, Reconnaissance, Weaponization).

Known false positives
knownFalsePositives string

Scenarios in which the indicator may cause false positives.

Last reported date time
lastReportedDateTime date-time

The last time the indicator was seen (UTC).

Malware family names
malwareFamilyNames array of string

The malware family name associated with an indicator if it exists.

Passive Only
passiveOnly boolean

Determines if the indicator should trigger an event that is visible to an end-user.

Severity
severity integer

Severity of the malicious behavior identified by the data within the indicator. Values are from 0 – 5 with 5 being most severe. Default value is 3.

Tags
tags array of string
Target Product
targetProduct string

Single security product to which the indicator should be applied. Acceptable values are: Azure Sentinel, Microsoft Defender ATP.

Threat Type
threatType string

Each indicator must have a valid Indicator Threat Type. Possible values are: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList.

Tlp level
tlpLevel string

Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red.

Email encoding
emailEncoding string

The type of text encoding used in the email.

Email language
emailLanguage string

The language of the email.

Email recipient
emailRecipient string

Recipient email address.

Email sender address
emailSenderAddress string

Email address of the attacker|victim.

Email sender name
emailSenderName string

Displayed name of the attacker|victim.

Email source domain
emailSourceDomain string

Domain used in the email.

Email source Ip address
emailSourceIpAddress string

Source IP address of email.

Email subject
emailSubject string

Subject line of email.

Email XMailer
emailXMailer string

X-Mailer value used in the email.

File compile date time
fileCompileDateTime date-time

DateTime when the file was compiled.

File created date time
fileCreatedDateTime date-time

DateTime when the file was created.

File hash type
fileHashType string

The type of hash stored in fileHashValue. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph.

File hash value
fileHashValue string

The file hash value.

File mutex name
fileMutexName string

Mutex name used in file-based detections.

File name
fileName string

Name of the file if the indicator is file-based.

File packer
filePacker string

The packer used to build the file in question.

File path
filePath string

Path of file indicating compromise. May be a Windows or *nix style path.

File size
fileSize integer

Size of the file in bytes.

File type
fileType string

Text description of the type of file. For example, “Word Document” or “Binary”.

Domain name
domainName string

Domain name associated with this indicator.

Network cidr block
networkCidrBlock string

CIDR Block notation representation of the network referenced in this indicator.

Network destination Asn
networkDestinationAsn integer

The destination autonomous system identifier of the network referenced in the indicator.

Network destination cidr block
networkDestinationCidrBlock string

CIDR Block notation representation of the destination network in this indicator.

Network destination IPv4
networkDestinationIPv4 string

IPv4 IP address destination.

Network destination IPv6
networkDestinationIPv6 string

IPv6 IP address destination.

Network destination port
networkDestinationPort integer

TCP port destination.

Network IPv4
networkIPv4 string

IPv4 IP address.

Network IPv6
networkIPv6 string

IPv6 IP address.

Network port
networkPort integer

TCP port.

Network protocol
networkProtocol integer

Decimal representation of the protocol field in the IPv4 header.

Network source Asn
networkSourceAsn integer

The source autonomous system identifier of the network referenced in the indicator.

Network source cidr block
networkSourceCidrBlock string

CIDR Block notation representation of the source network in this indicator.

Network source IPv4
networkSourceIPv4 string

IPv4 IP address source.

Network destination IPv6
networkSourceIPv6 string

IPv6 IP address source.

Network source port
networkSourcePort integer

TCP port source.

Url
url string

Uniform Resource Locator.

User agent
userAgent string

User-Agent string from a web request that could indicate compromise.