Microsoft.SecurityInsights threatIntelligence/indicators

Bicep resource definition

The threatIntelligence/indicators resource type can be deployed to:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/threatIntelligence/indicators resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.SecurityInsights/threatIntelligence/indicators@2023-02-01-preview' = {
  name: 'string'
  parent: resourceSymbolicName
  etag: 'string'
  properties: {
    confidence: int
    created: 'string'
    createdByRef: 'string'
    defanged: bool
    description: 'string'
    displayName: 'string'
    extensions: {}
    externalId: 'string'
    externalLastUpdatedTimeUtc: 'string'
    externalReferences: [
      {
        description: 'string'
        externalId: 'string'
        hashes: {}
        sourceName: 'string'
        url: 'string'
      }
    ]
    granularMarkings: [
      {
        language: 'string'
        markingRef: int
        selectors: [
          'string'
        ]
      }
    ]
    indicatorTypes: [
      'string'
    ]
    killChainPhases: [
      {
        killChainName: 'string'
        phaseName: 'string'
      }
    ]
    labels: [
      'string'
    ]
    language: 'string'
    lastUpdatedTimeUtc: 'string'
    modified: 'string'
    objectMarkingRefs: [
      'string'
    ]
    parsedPattern: [
      {
        patternTypeKey: 'string'
        patternTypeValues: [
          {
            value: 'string'
            valueType: 'string'
          }
        ]
      }
    ]
    pattern: 'string'
    patternType: 'string'
    patternVersion: 'string'
    revoked: bool
    source: 'string'
    threatIntelligenceTags: [
      'string'
    ]
    threatTypes: [
      'string'
    ]
    validFrom: 'string'
    validUntil: 'string'
  }
}

Property values

threatIntelligence/indicators

| Name | Description | Value |
| --- | --- | --- |
| name | The resource name. See how to set names and types for child resources in Bicep. | string (required) |
| parent | In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. | Symbolic name for resource of type: threatIntelligence |
| etag | Etag of the Azure resource | string |
| properties | Threat Intelligence Entity properties | ThreatIntelligenceIndicatorProperties |

ThreatIntelligenceIndicatorProperties

| Name | Description | Value |
| --- | --- | --- |
| confidence | Confidence of threat intelligence entity | int |
| created | Created by | string |
| createdByRef | Created by reference of threat intelligence entity | string |
| defanged | Is threat intelligence entity defanged | bool |
| description | Description of a threat intelligence entity | string |
| displayName | Display name of a threat intelligence entity | string |
| extensions | Extensions map | object |
| externalId | External ID of threat intelligence entity | string |
| externalLastUpdatedTimeUtc | External last updated time in UTC | string |
| externalReferences | External References | ThreatIntelligenceExternalReference[] |
| granularMarkings | Granular Markings | ThreatIntelligenceGranularMarkingModel[] |
| indicatorTypes | Indicator types of threat intelligence entities | string[] |
| killChainPhases | Kill chain phases | ThreatIntelligenceKillChainPhase[] |
| labels | Labels of threat intelligence entity | string[] |
| language | Language of threat intelligence entity | string |
| lastUpdatedTimeUtc | Last updated time in UTC | string |
| modified | Modified by | string |
| objectMarkingRefs | Threat intelligence entity object marking references | string[] |
| parsedPattern | Parsed patterns | ThreatIntelligenceParsedPattern[] |
| pattern | Pattern of a threat intelligence entity | string |
| patternType | Pattern type of a threat intelligence entity | string |
| patternVersion | Pattern version of a threat intelligence entity | string |
| revoked | Is threat intelligence entity revoked | bool |
| source | Source of a threat intelligence entity | string |
| threatIntelligenceTags | List of tags | string[] |
| threatTypes | Threat types | string[] |
| validFrom | Valid from | string |
| validUntil | Valid until | string |

ThreatIntelligenceExternalReference

| Name | Description | Value |
| --- | --- | --- |
| description | External reference description | string |
| externalId | External reference ID | string |
| hashes | External reference hashes | object |
| sourceName | External reference source name | string |
| url | External reference URL | string |

ThreatIntelligenceGranularMarkingModel

| Name | Description | Value |
| --- | --- | --- |
| language | Language granular marking model | string |
| markingRef | Marking reference granular marking model | int |
| selectors | Granular marking model selectors | string[] |

ThreatIntelligenceKillChainPhase

| Name | Description | Value |
| --- | --- | --- |
| killChainName | Kill chainName name | string |
| phaseName | Phase name | string |

ThreatIntelligenceParsedPattern

| Name | Description | Value |
| --- | --- | --- |
| patternTypeKey | Pattern type key | string |
| patternTypeValues | Pattern type keys | ThreatIntelligenceParsedPatternTypeValue[] |

ThreatIntelligenceParsedPatternTypeValue

| Name | Description | Value |
| --- | --- | --- |
| value | Value of parsed pattern | string |
| valueType | Type of the value | string |

ARM template resource definition

The threatIntelligence/indicators resource type can be deployed to:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/threatIntelligence/indicators resource, add the following JSON to your template.

{
  "type": "Microsoft.SecurityInsights/threatIntelligence/indicators",
  "apiVersion": "2023-02-01-preview",
  "name": "string",
  "etag": "string",
  "properties": {
    "confidence": "int",
    "created": "string",
    "createdByRef": "string",
    "defanged": "bool",
    "description": "string",
    "displayName": "string",
    "extensions": {},
    "externalId": "string",
    "externalLastUpdatedTimeUtc": "string",
    "externalReferences": [
      {
        "description": "string",
        "externalId": "string",
        "hashes": {},
        "sourceName": "string",
        "url": "string"
      }
    ],
    "granularMarkings": [
      {
        "language": "string",
        "markingRef": "int",
        "selectors": [ "string" ]
      }
    ],
    "indicatorTypes": [ "string" ],
    "killChainPhases": [
      {
        "killChainName": "string",
        "phaseName": "string"
      }
    ],
    "labels": [ "string" ],
    "language": "string",
    "lastUpdatedTimeUtc": "string",
    "modified": "string",
    "objectMarkingRefs": [ "string" ],
    "parsedPattern": [
      {
        "patternTypeKey": "string",
        "patternTypeValues": [
          {
            "value": "string",
            "valueType": "string"
          }
        ]
      }
    ],
    "pattern": "string",
    "patternType": "string",
    "patternVersion": "string",
    "revoked": "bool",
    "source": "string",
    "threatIntelligenceTags": [ "string" ],
    "threatTypes": [ "string" ],
    "validFrom": "string",
    "validUntil": "string"
  }
}

Property values

threatIntelligence/indicators

| Name | Description | Value |
| --- | --- | --- |
| type | The resource type | 'Microsoft.SecurityInsights/threatIntelligence/indicators' |
| apiVersion | The resource API version | '2023-02-01-preview' |
| name | The resource name. See how to set names and types for child resources in JSON ARM templates. | string (required) |
| etag | Etag of the Azure resource | string |
| properties | Threat Intelligence Entity properties | ThreatIntelligenceIndicatorProperties |

ThreatIntelligenceIndicatorProperties

| Name | Description | Value |
| --- | --- | --- |
| confidence | Confidence of threat intelligence entity | int |
| created | Created by | string |
| createdByRef | Created by reference of threat intelligence entity | string |
| defanged | Is threat intelligence entity defanged | bool |
| description | Description of a threat intelligence entity | string |
| displayName | Display name of a threat intelligence entity | string |
| extensions | Extensions map | object |
| externalId | External ID of threat intelligence entity | string |
| externalLastUpdatedTimeUtc | External last updated time in UTC | string |
| externalReferences | External References | ThreatIntelligenceExternalReference[] |
| granularMarkings | Granular Markings | ThreatIntelligenceGranularMarkingModel[] |
| indicatorTypes | Indicator types of threat intelligence entities | string[] |
| killChainPhases | Kill chain phases | ThreatIntelligenceKillChainPhase[] |
| labels | Labels of threat intelligence entity | string[] |
| language | Language of threat intelligence entity | string |
| lastUpdatedTimeUtc | Last updated time in UTC | string |
| modified | Modified by | string |
| objectMarkingRefs | Threat intelligence entity object marking references | string[] |
| parsedPattern | Parsed patterns | ThreatIntelligenceParsedPattern[] |
| pattern | Pattern of a threat intelligence entity | string |
| patternType | Pattern type of a threat intelligence entity | string |
| patternVersion | Pattern version of a threat intelligence entity | string |
| revoked | Is threat intelligence entity revoked | bool |
| source | Source of a threat intelligence entity | string |
| threatIntelligenceTags | List of tags | string[] |
| threatTypes | Threat types | string[] |
| validFrom | Valid from | string |
| validUntil | Valid until | string |

ThreatIntelligenceExternalReference

| Name | Description | Value |
| --- | --- | --- |
| description | External reference description | string |
| externalId | External reference ID | string |
| hashes | External reference hashes | object |
| sourceName | External reference source name | string |
| url | External reference URL | string |

ThreatIntelligenceGranularMarkingModel

| Name | Description | Value |
| --- | --- | --- |
| language | Language granular marking model | string |
| markingRef | Marking reference granular marking model | int |
| selectors | Granular marking model selectors | string[] |

ThreatIntelligenceKillChainPhase

| Name | Description | Value |
| --- | --- | --- |
| killChainName | Kill chainName name | string |
| phaseName | Phase name | string |

ThreatIntelligenceParsedPattern

| Name | Description | Value |
| --- | --- | --- |
| patternTypeKey | Pattern type key | string |
| patternTypeValues | Pattern type keys | ThreatIntelligenceParsedPatternTypeValue[] |

ThreatIntelligenceParsedPatternTypeValue

| Name | Description | Value |
| --- | --- | --- |
| value | Value of parsed pattern | string |
| valueType | Type of the value | string |

Terraform (AzAPI provider) resource definition

The threatIntelligence/indicators resource type can be deployed to:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/threatIntelligence/indicators resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.SecurityInsights/threatIntelligence/indicators@2023-02-01-preview"
  name = "string"
  parent_id = "string"
  body = jsonencode({
    properties = {
      confidence = int
      created = "string"
      createdByRef = "string"
      defanged = bool
      description = "string"
      displayName = "string"
      extensions = {}
      externalId = "string"
      externalLastUpdatedTimeUtc = "string"
      externalReferences = [
        {
          description = "string"
          externalId = "string"
          hashes = {}
          sourceName = "string"
          url = "string"
        }
      ]
      granularMarkings = [
        {
          language = "string"
          markingRef = int
          selectors = [
            "string"
          ]
        }
      ]
      indicatorTypes = [
        "string"
      ]
      killChainPhases = [
        {
          killChainName = "string"
          phaseName = "string"
        }
      ]
      labels = [
        "string"
      ]
      language = "string"
      lastUpdatedTimeUtc = "string"
      modified = "string"
      objectMarkingRefs = [
        "string"
      ]
      parsedPattern = [
        {
          patternTypeKey = "string"
          patternTypeValues = [
            {
              value = "string"
              valueType = "string"
            }
          ]
        }
      ]
      pattern = "string"
      patternType = "string"
      patternVersion = "string"
      revoked = bool
      source = "string"
      threatIntelligenceTags = [
        "string"
      ]
      threatTypes = [
        "string"
      ]
      validFrom = "string"
      validUntil = "string"
    }
    etag = "string"
  })
}

Property values

threatIntelligence/indicators

| Name | Description | Value |
| --- | --- | --- |
| type | The resource type | "Microsoft.SecurityInsights/threatIntelligence/indicators@2023-02-01-preview" |
| name | The resource name | string (required) |
| parent_id | The ID of the resource that is the parent for this resource. | ID for resource of type: threatIntelligence |
| etag | Etag of the Azure resource | string |
| properties | Threat Intelligence Entity properties | ThreatIntelligenceIndicatorProperties |

ThreatIntelligenceIndicatorProperties

| Name | Description | Value |
| --- | --- | --- |
| confidence | Confidence of threat intelligence entity | int |
| created | Created by | string |
| createdByRef | Created by reference of threat intelligence entity | string |
| defanged | Is threat intelligence entity defanged | bool |
| description | Description of a threat intelligence entity | string |
| displayName | Display name of a threat intelligence entity | string |
| extensions | Extensions map | object |
| externalId | External ID of threat intelligence entity | string |
| externalLastUpdatedTimeUtc | External last updated time in UTC | string |
| externalReferences | External References | ThreatIntelligenceExternalReference[] |
| granularMarkings | Granular Markings | ThreatIntelligenceGranularMarkingModel[] |
| indicatorTypes | Indicator types of threat intelligence entities | string[] |
| killChainPhases | Kill chain phases | ThreatIntelligenceKillChainPhase[] |
| labels | Labels of threat intelligence entity | string[] |
| language | Language of threat intelligence entity | string |
| lastUpdatedTimeUtc | Last updated time in UTC | string |
| modified | Modified by | string |
| objectMarkingRefs | Threat intelligence entity object marking references | string[] |
| parsedPattern | Parsed patterns | ThreatIntelligenceParsedPattern[] |
| pattern | Pattern of a threat intelligence entity | string |
| patternType | Pattern type of a threat intelligence entity | string |
| patternVersion | Pattern version of a threat intelligence entity | string |
| revoked | Is threat intelligence entity revoked | bool |
| source | Source of a threat intelligence entity | string |
| threatIntelligenceTags | List of tags | string[] |
| threatTypes | Threat types | string[] |
| validFrom | Valid from | string |
| validUntil | Valid until | string |

ThreatIntelligenceExternalReference

| Name | Description | Value |
| --- | --- | --- |
| description | External reference description | string |
| externalId | External reference ID | string |
| hashes | External reference hashes | object |
| sourceName | External reference source name | string |
| url | External reference URL | string |

ThreatIntelligenceGranularMarkingModel

| Name | Description | Value |
| --- | --- | --- |
| language | Language granular marking model | string |
| markingRef | Marking reference granular marking model | int |
| selectors | Granular marking model selectors | string[] |

ThreatIntelligenceKillChainPhase

| Name | Description | Value |
| --- | --- | --- |
| killChainName | Kill chainName name | string |
| phaseName | Phase name | string |

ThreatIntelligenceParsedPattern

| Name | Description | Value |
| --- | --- | --- |
| patternTypeKey | Pattern type key | string |
| patternTypeValues | Pattern type keys | ThreatIntelligenceParsedPatternTypeValue[] |

ThreatIntelligenceParsedPatternTypeValue

| Name | Description | Value |
| --- | --- | --- |
| value | Value of parsed pattern | string |
| valueType | Type of the value | string |