Threat Intelligence Indicator - Create

Update a threat intelligence indicator.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}?api-version=2024-09-01

URI Parameters

Name | In | Required | Type | Description
name | path | True | string | Threat intelligence indicator name field.
resourceGroupName | path | True | string | The name of the resource group. The name is case insensitive.
subscriptionId | path | True | string (uuid) | The ID of the target subscription. The value must be a UUID.
workspaceName | path | True | string | The name of the workspace. Regex pattern: ^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$
api-version | query | True | string | The API version to use for this operation.

Request Body

Name | Required | Type | Description
kind | True | string: indicator | The kind of the entity.
etag | | string | Etag of the azure resource
properties.confidence | | integer | Confidence of threat intelligence entity
properties.created | | string | Created by
properties.createdByRef | | string | Created by reference of threat intelligence entity
properties.defanged | | boolean | Is threat intelligence entity defanged
properties.description | | string | Description of a threat intelligence entity
properties.displayName | | string | Display name of a threat intelligence entity
properties.extensions | | | Extensions map
properties.externalId | | string | External ID of threat intelligence entity
properties.externalLastUpdatedTimeUtc | | string | External last updated time in UTC
properties.externalReferences | | ThreatIntelligenceExternalReference[] | External References
properties.granularMarkings | | ThreatIntelligenceGranularMarkingModel[] | Granular Markings
properties.indicatorTypes | | string[] | Indicator types of threat intelligence entities
properties.killChainPhases | | ThreatIntelligenceKillChainPhase[] | Kill chain phases
properties.labels | | string[] | Labels of threat intelligence entity
properties.language | | string | Language of threat intelligence entity
properties.lastUpdatedTimeUtc | | string | Last updated time in UTC
properties.modified | | string | Modified by
properties.objectMarkingRefs | | string[] | Threat intelligence entity object marking references
properties.parsedPattern | | ThreatIntelligenceParsedPattern[] | Parsed patterns
properties.pattern | | string | Pattern of a threat intelligence entity
properties.patternType | | string | Pattern type of a threat intelligence entity
properties.patternVersion | | string | Pattern version of a threat intelligence entity
properties.revoked | | boolean | Is threat intelligence entity revoked
properties.source | | string | Source of a threat intelligence entity
properties.threatIntelligenceTags | | string[] | List of tags
properties.threatTypes | | string[] | Threat types
properties.validFrom | | string | Valid from
properties.validUntil | | string | Valid until

Responses

Name | Type | Description
200 OK | ThreatIntelligenceInformation: ThreatIntelligenceIndicatorModel | OK
201 Created | ThreatIntelligenceInformation: ThreatIntelligenceIndicatorModel | Created
Other Status Codes | CloudError | Error response describing why the operation failed to update an indicator.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name | Description
user_impersonation | impersonate your user account

Examples

Update a threat intelligence indicator

Sample request

PUT https://management.azure.com/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/d9cd6f0b-96b9-3984-17cd-a779d1e15a93?api-version=2024-09-01

{
  "kind": "indicator",
  "properties": {
    "source": "Azure Sentinel",
    "threatIntelligenceTags": [
      "new schema"
    ],
    "displayName": "new schema",
    "confidence": 78,
    "createdByRef": "contoso@contoso.com",
    "description": "debugging indicators",
    "externalReferences": [],
    "granularMarkings": [],
    "threatTypes": [
      "compromised"
    ],
    "killChainPhases": [],
    "labels": [],
    "modified": "",
    "pattern": "[url:value = 'https://www.contoso.com']",
    "patternType": "url",
    "revoked": false,
    "validFrom": "2020-04-15T17:44:00.114052Z",
    "validUntil": ""
  }
}

Sample response

{
  "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/180105c7-a28d-b1a2-4a78-234f6ec80fd6",
  "name": "180105c7-a28d-b1a2-4a78-234f6ec80fd6",
  "etag": "\"0000322c-0000-0800-0000-5e976c960000\"",
  "type": "Microsoft.SecurityInsights/ThreatIntelligence",
  "kind": "indicator",
  "properties": {
    "confidence": 78,
    "created": "2020-04-15T20:20:38.6160949Z",
    "createdByRef": "contoso@contoso.com",
    "externalId": "indicator--a2b6a95e-2108-4a38-bd49-ef95811bbcd7",
    "externalReferences": [],
    "granularMarkings": [],
    "lastUpdatedTimeUtc": "2020-04-15T20:20:38.6161887Z",
    "revoked": false,
    "source": "Azure Sentinel",
    "threatIntelligenceTags": [
      "new schema"
    ],
    "displayName": "new schema",
    "description": "debugging indicators",
    "threatTypes": [
      "compromised"
    ],
    "killChainPhases": [],
    "pattern": "[url:value = 'https://www.contoso.com']",
    "patternType": "url",
    "validFrom": "2020-04-15T17:44:00.114052Z"
  }
}

{
  "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/180105c7-a28d-b1a2-4a78-234f6ec80fd6",
  "name": "180105c7-a28d-b1a2-4a78-234f6ec80fd6",
  "etag": "\"0000322c-0000-0800-0000-5e976c960000\"",
  "type": "Microsoft.SecurityInsights/ThreatIntelligence",
  "kind": "indicator",
  "properties": {
    "confidence": 78,
    "created": "2020-04-15T20:20:38.6160949Z",
    "createdByRef": "aztestConnectors@contoso.com",
    "externalId": "indicator--a2b6a95e-2108-4a38-bd49-ef95811bbcd7",
    "externalReferences": [],
    "granularMarkings": [],
    "lastUpdatedTimeUtc": "2020-04-15T20:20:38.6161887Z",
    "revoked": false,
    "source": "Azure Sentinel",
    "threatIntelligenceTags": [
      "new schema"
    ],
    "displayName": "new schema",
    "description": "debugging indicators",
    "threatTypes": [
      "compromised"
    ],
    "killChainPhases": [],
    "pattern": "[url:value = 'https://www.contoso.com']",
    "patternType": "url",
    "validFrom": "2020-04-15T17:44:00.114052Z"
  }
}
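The sample request above is a STIX `url` pattern wrapped in the documented body shape. The following helper, an added example and not Microsoft's own SDK or documentation code, builds the PUT URL from the URI Parameters table (enforcing the documented UUID and workspaceName constraints), builds a body for a `url` indicator while escaping the value so it cannot break out of the STIX string literal, and maps the documented 200, 201 and CloudError responses to an outcome. Function names and the `classify_reply` tuple shape are this example's own choices; sending the request (with a bearer token from the azure_auth flow) is left to the caller.

```python
"""Added example: build and validate a Sentinel threat-intelligence
indicator PUT request and classify the documented replies."""
import re
import uuid

BASE = "https://management.azure.com"
API_VERSION = "2024-09-01"
# workspaceName regex exactly as given in the URI Parameters table.
WORKSPACE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$")


def indicator_url(subscription_id, resource_group, workspace, name):
    """Return the PUT URL, rejecting values the parameter table disallows."""
    uuid.UUID(subscription_id)  # raises ValueError when not a UUID
    if not WORKSPACE_RE.match(workspace):
        raise ValueError(f"invalid workspaceName: {workspace!r}")
    return (f"{BASE}/subscriptions/{subscription_id}"
            f"/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/threatIntelligence/main"
            f"/indicators/{name}?api-version={API_VERSION}")


def url_indicator_body(url_value, confidence, valid_from, source,
                       display_name, tags=(), threat_types=("compromised",)):
    """Build a request body for a STIX url pattern like the page's sample.
    Backslashes and single quotes are escaped per STIX string-literal rules
    so an attacker-supplied URL cannot alter the pattern's structure."""
    literal = url_value.replace("\\", "\\\\").replace("'", "\\'")
    return {
        "kind": "indicator",
        "properties": {
            "source": source, "displayName": display_name,
            "confidence": confidence, "threatTypes": list(threat_types),
            "threatIntelligenceTags": list(tags),
            "pattern": f"[url:value = '{literal}']", "patternType": "url",
            "revoked": False, "validFrom": valid_from,
        },
    }


def classify_reply(status, body):
    """Map the documented responses: 200 updated, 201 created, else CloudError."""
    if status == 200:
        return ("updated", body["name"], body["etag"])
    if status == 201:
        return ("created", body["name"], body["etag"])
    err = body.get("error", {})  # CloudError -> CloudErrorBody
    return ("error", err.get("code"), err.get("message"))
```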

Definitions

Name | Description
CloudError | Error response structure.
CloudErrorBody | Error details.
createdByType | The type of identity that created the resource.
systemData | Metadata pertaining to creation and last modification of the resource.
ThreatIntelligenceExternalReference | Describes external reference
ThreatIntelligenceGranularMarkingModel | Describes threat granular marking model entity
ThreatIntelligenceIndicatorModel | Threat intelligence indicator entity.
ThreatIntelligenceKillChainPhase | Describes threat kill chain phase entity
ThreatIntelligenceParsedPattern | Describes parsed pattern entity
ThreatIntelligenceParsedPatternTypeValue | Describes threat kill chain phase entity
ThreatIntelligenceResourceInnerKind | The kind of the threat intelligence entity

CloudError

Error response structure.

Name | Type | Description
error | CloudErrorBody | Error data

CloudErrorBody

Error details.

Name | Type | Description
code | string | An identifier for the error. Codes are invariant and are intended to be consumed programmatically.
message | string | A message describing the error, intended to be suitable for display in a user interface.

createdByType

The type of identity that created the resource.

Name | Type | Description
Application | string |
Key | string |
ManagedIdentity | string |
User | string |

systemData

Metadata pertaining to creation and last modification of the resource.

Name | Type | Description
createdAt | string | The timestamp of resource creation (UTC).
createdBy | string | The identity that created the resource.
createdByType | createdByType | The type of identity that created the resource.
lastModifiedAt | string | The timestamp of resource last modification (UTC).
lastModifiedBy | string | The identity that last modified the resource.
lastModifiedByType | createdByType | The type of identity that last modified the resource.

ThreatIntelligenceExternalReference

Describes external reference

Name | Type | Description
description | string | External reference description
externalId | string | External reference ID
hashes | object | External reference hashes
sourceName | string | External reference source name
url | string | External reference URL

ThreatIntelligenceGranularMarkingModel

Describes threat granular marking model entity

Name | Type | Description
language | string | Language granular marking model
markingRef | integer | Marking reference granular marking model
selectors | string[] | Granular marking model selectors

ThreatIntelligenceIndicatorModel

Threat intelligence indicator entity.

Name | Type | Description
etag | string | Etag of the azure resource
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"
kind | string: indicator | The kind of the entity.
name | string | The name of the resource
properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user.
properties.confidence | integer | Confidence of threat intelligence entity
properties.created | string | Created by
properties.createdByRef | string | Created by reference of threat intelligence entity
properties.defanged | boolean | Is threat intelligence entity defanged
properties.description | string | Description of a threat intelligence entity
properties.displayName | string | Display name of a threat intelligence entity
properties.extensions | | Extensions map
properties.externalId | string | External ID of threat intelligence entity
properties.externalLastUpdatedTimeUtc | string | External last updated time in UTC
properties.externalReferences | ThreatIntelligenceExternalReference[] | External References
properties.friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated.
properties.granularMarkings | ThreatIntelligenceGranularMarkingModel[] | Granular Markings
properties.indicatorTypes | string[] | Indicator types of threat intelligence entities
properties.killChainPhases | ThreatIntelligenceKillChainPhase[] | Kill chain phases
properties.labels | string[] | Labels of threat intelligence entity
properties.language | string | Language of threat intelligence entity
properties.lastUpdatedTimeUtc | string | Last updated time in UTC
properties.modified | string | Modified by
properties.objectMarkingRefs | string[] | Threat intelligence entity object marking references
properties.parsedPattern | ThreatIntelligenceParsedPattern[] | Parsed patterns
properties.pattern | string | Pattern of a threat intelligence entity
properties.patternType | string | Pattern type of a threat intelligence entity
properties.patternVersion | string | Pattern version of a threat intelligence entity
properties.revoked | boolean | Is threat intelligence entity revoked
properties.source | string | Source of a threat intelligence entity
properties.threatIntelligenceTags | string[] | List of tags
properties.threatTypes | string[] | Threat types
properties.validFrom | string | Valid from
properties.validUntil | string | Valid until
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information.
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

ThreatIntelligenceKillChainPhase

Describes threat kill chain phase entity

Name | Type | Description
killChainName | string | Kill chain name
phaseName | string | Phase name

ThreatIntelligenceParsedPattern

Describes parsed pattern entity

Name | Type | Description
patternTypeKey | string | Pattern type key
patternTypeValues | ThreatIntelligenceParsedPatternTypeValue[] | Pattern type keys

ThreatIntelligenceParsedPatternTypeValue

Describes threat kill chain phase entity

Name | Type | Description
value | string | Value of parsed pattern
valueType | string | Type of the value

ThreatIntelligenceResourceInnerKind

The kind of the threat intelligence entity

Name | Type | Description
indicator | string | Entity represents threat intelligence indicator in the system.