Threat Intelligence Indicator - Create
Update a threat intelligence indicator.
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}?api-version=2024-09-01
URI Parameters
Name | In | Required | Type | Description |
---|---|---|---|---|
name | path | True | string | Threat intelligence indicator name field. |
resourceGroupName | path | True | string | The name of the resource group. The name is case insensitive. |
subscriptionId | path | True | string (uuid) | The ID of the target subscription. The value must be a UUID. |
workspaceName | path | True | string | The name of the workspace. Regex pattern: |
api-version | query | True | string | The API version to use for this operation. |
Request Body
Name | Required | Type | Description |
---|---|---|---|
kind | True | string: indicator | The kind of the entity. |
etag | | string | Etag of the Azure resource |
properties.confidence | | integer | Confidence of threat intelligence entity |
properties.created | | string | Created by |
properties.createdByRef | | string | Created by reference of threat intelligence entity |
properties.defanged | | boolean | Is threat intelligence entity defanged |
properties.description | | string | Description of a threat intelligence entity |
properties.displayName | | string | Display name of a threat intelligence entity |
properties.extensions | | | Extensions map |
properties.externalId | | string | External ID of threat intelligence entity |
properties.externalLastUpdatedTimeUtc | | string | External last updated time in UTC |
properties.externalReferences | | ThreatIntelligenceExternalReference[] | External References |
properties.granularMarkings | | ThreatIntelligenceGranularMarkingModel[] | Granular Markings |
properties.indicatorTypes | | string[] | Indicator types of threat intelligence entities |
properties.killChainPhases | | ThreatIntelligenceKillChainPhase[] | Kill chain phases |
properties.labels | | string[] | Labels of threat intelligence entity |
properties.language | | string | Language of threat intelligence entity |
properties.lastUpdatedTimeUtc | | string | Last updated time in UTC |
properties.modified | | string | Modified by |
properties.objectMarkingRefs | | string[] | Threat intelligence entity object marking references |
properties.parsedPattern | | ThreatIntelligenceParsedPattern[] | Parsed patterns |
properties.pattern | | string | Pattern of a threat intelligence entity |
properties.patternType | | string | Pattern type of a threat intelligence entity |
properties.patternVersion | | string | Pattern version of a threat intelligence entity |
properties.revoked | | boolean | Is threat intelligence entity revoked |
properties.source | | string | Source of a threat intelligence entity |
properties.threatIntelligenceTags | | string[] | List of tags |
properties.threatTypes | | string[] | Threat types |
properties.validFrom | | string | Valid from |
properties.validUntil | | string | Valid until |
Responses
Name | Type | Description |
---|---|---|
200 OK | ThreatIntelligenceInformation: ThreatIntelligenceIndicatorModel | OK |
201 Created | ThreatIntelligenceInformation: ThreatIntelligenceIndicatorModel | Created |
Other Status Codes | CloudError | Error response describing why the operation failed to update an indicator. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Scopes
Name | Description |
---|---|
user_impersonation | impersonate your user account |
Examples
Update a threat intelligence indicator
Sample request
```http
PUT https://management.azure.com/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/d9cd6f0b-96b9-3984-17cd-a779d1e15a93?api-version=2024-09-01
```

```json
{
  "kind": "indicator",
  "properties": {
    "source": "Azure Sentinel",
    "threatIntelligenceTags": [
      "new schema"
    ],
    "displayName": "new schema",
    "confidence": 78,
    "createdByRef": "contoso@contoso.com",
    "description": "debugging indicators",
    "externalReferences": [],
    "granularMarkings": [],
    "threatTypes": [
      "compromised"
    ],
    "killChainPhases": [],
    "labels": [],
    "modified": "",
    "pattern": "[url:value = 'https://www.contoso.com']",
    "patternType": "url",
    "revoked": false,
    "validFrom": "2020-04-15T17:44:00.114052Z",
    "validUntil": ""
  }
}
```
Sample response
Status code: 200

```json
{
  "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/180105c7-a28d-b1a2-4a78-234f6ec80fd6",
  "name": "180105c7-a28d-b1a2-4a78-234f6ec80fd6",
  "etag": "\"0000322c-0000-0800-0000-5e976c960000\"",
  "type": "Microsoft.SecurityInsights/ThreatIntelligence",
  "kind": "indicator",
  "properties": {
    "confidence": 78,
    "created": "2020-04-15T20:20:38.6160949Z",
    "createdByRef": "contoso@contoso.com",
    "externalId": "indicator--a2b6a95e-2108-4a38-bd49-ef95811bbcd7",
    "externalReferences": [],
    "granularMarkings": [],
    "lastUpdatedTimeUtc": "2020-04-15T20:20:38.6161887Z",
    "revoked": false,
    "source": "Azure Sentinel",
    "threatIntelligenceTags": [
      "new schema"
    ],
    "displayName": "new schema",
    "description": "debugging indicators",
    "threatTypes": [
      "compromised"
    ],
    "killChainPhases": [],
    "pattern": "[url:value = 'https://www.contoso.com']",
    "patternType": "url",
    "validFrom": "2020-04-15T17:44:00.114052Z"
  }
}
```
Status code: 201

```json
{
  "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/180105c7-a28d-b1a2-4a78-234f6ec80fd6",
  "name": "180105c7-a28d-b1a2-4a78-234f6ec80fd6",
  "etag": "\"0000322c-0000-0800-0000-5e976c960000\"",
  "type": "Microsoft.SecurityInsights/ThreatIntelligence",
  "kind": "indicator",
  "properties": {
    "confidence": 78,
    "created": "2020-04-15T20:20:38.6160949Z",
    "createdByRef": "aztestConnectors@contoso.com",
    "externalId": "indicator--a2b6a95e-2108-4a38-bd49-ef95811bbcd7",
    "externalReferences": [],
    "granularMarkings": [],
    "lastUpdatedTimeUtc": "2020-04-15T20:20:38.6161887Z",
    "revoked": false,
    "source": "Azure Sentinel",
    "threatIntelligenceTags": [
      "new schema"
    ],
    "displayName": "new schema",
    "description": "debugging indicators",
    "threatTypes": [
      "compromised"
    ],
    "killChainPhases": [],
    "pattern": "[url:value = 'https://www.contoso.com']",
    "patternType": "url",
    "validFrom": "2020-04-15T17:44:00.114052Z"
  }
}
```
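The following added example (not Microsoft's SDK or sample code) assembles the PUT URI from the URI Parameters table and builds a request body in the shape of the sample above, deriving `pattern` from an observable value and its `patternType`. It assumes the `domain-name` and `ipv4-addr` pattern templates follow the same STIX convention as the page's `url` sample, and that `confidence` uses the STIX 0-100 scale; it refuses values that would alter the meaning of the generated pattern, which matters when the value comes from an untrusted feed.

```python
import uuid

MGMT = "https://management.azure.com"
API_VERSION = "2024-09-01"

# STIX pattern templates keyed by patternType. The "url" form is the one in the
# page's sample; "domain-name" and "ipv4-addr" are assumed to follow the same convention.
STIX_TEMPLATES = {
    "url": "[url:value = '{v}']",
    "domain-name": "[domain-name:value = '{v}']",
    "ipv4-addr": "[ipv4-addr:value = '{v}']",
}

def indicator_url(subscription_id, resource_group, workspace, name):
    """Assemble the PUT URI from the URI Parameters table."""
    uuid.UUID(subscription_id)  # subscriptionId must be a UUID; ValueError otherwise
    return (f"{MGMT}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/threatIntelligence/main"
            f"/indicators/{name}?api-version={API_VERSION}")

def build_indicator(value, pattern_type, *, display_name, source, confidence,
                    threat_types, valid_from, valid_until="", tags=()):
    """Return a request body for the Create/Update call, deriving `pattern` from the
    observable value and refusing values that would change the pattern's meaning."""
    if pattern_type not in STIX_TEMPLATES:
        raise ValueError(f"unsupported patternType: {pattern_type}")
    # A quote, bracket or backslash in a feed-supplied value would be read as STIX
    # pattern syntax rather than as part of the value, so reject it instead of escaping.
    if not value.strip() or any(ch in value for ch in "'[]\\"):
        raise ValueError("observable value contains characters not allowed in a pattern")
    if not 0 <= int(confidence) <= 100:  # assumption: STIX confidence scale 0-100
        raise ValueError("confidence must be between 0 and 100")
    return {
        "kind": "indicator",
        "properties": {
            "source": source,
            "threatIntelligenceTags": list(tags),
            "displayName": display_name,
            "confidence": int(confidence),
            "threatTypes": list(threat_types),
            "pattern": STIX_TEMPLATES[pattern_type].format(v=value),
            "patternType": pattern_type,
            "revoked": False,
            "validFrom": valid_from,
            "validUntil": valid_until,
        },
    }
```

Send the returned dict as the JSON body of the PUT to the URI from `indicator_url`, with an Azure AD bearer token for the `user_impersonation` scope listed under Security.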
Definitions
Name | Description |
---|---|
CloudError | Error response structure. |
CloudErrorBody | Error details. |
createdByType | The type of identity that created the resource. |
systemData | Metadata pertaining to creation and last modification of the resource. |
ThreatIntelligenceExternalReference | Describes external reference |
ThreatIntelligenceGranularMarkingModel | Describes threat granular marking model entity |
ThreatIntelligenceIndicatorModel | Threat intelligence indicator entity. |
ThreatIntelligenceKillChainPhase | Describes threat kill chain phase entity |
ThreatIntelligenceParsedPattern | Describes parsed pattern entity |
ThreatIntelligenceParsedPatternTypeValue | Describes threat kill chain phase entity |
ThreatIntelligenceResourceInnerKind | The kind of the threat intelligence entity |
CloudError
Error response structure.
Name | Type | Description |
---|---|---|
error | CloudErrorBody | Error data |
CloudErrorBody
Error details.
Name | Type | Description |
---|---|---|
code | string | An identifier for the error. Codes are invariant and are intended to be consumed programmatically. |
message | string | A message describing the error, intended to be suitable for display in a user interface. |
createdByType
The type of identity that created the resource.
Name | Type | Description |
---|---|---|
Application | string | |
Key | string | |
ManagedIdentity | string | |
User | string | |
systemData
Metadata pertaining to creation and last modification of the resource.
Name | Type | Description |
---|---|---|
createdAt | string | The timestamp of resource creation (UTC). |
createdBy | string | The identity that created the resource. |
createdByType | createdByType | The type of identity that created the resource. |
lastModifiedAt | string | The timestamp of resource last modification (UTC). |
lastModifiedBy | string | The identity that last modified the resource. |
lastModifiedByType | createdByType | The type of identity that last modified the resource. |
ThreatIntelligenceExternalReference
Describes external reference
Name | Type | Description |
---|---|---|
description | string | External reference description |
externalId | string | External reference ID |
hashes | object | External reference hashes |
sourceName | string | External reference source name |
url | string | External reference URL |
ThreatIntelligenceGranularMarkingModel
Describes threat granular marking model entity
Name | Type | Description |
---|---|---|
language | string | Language granular marking model |
markingRef | integer | Marking reference granular marking model |
selectors | string[] | Granular marking model selectors |
ThreatIntelligenceIndicatorModel
Threat intelligence indicator entity.
Name | Type | Description |
---|---|---|
etag | string | Etag of the Azure resource |
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: indicator | The kind of the entity. |
name | string | The name of the resource |
properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user. |
properties.confidence | integer | Confidence of threat intelligence entity |
properties.created | string | Created by |
properties.createdByRef | string | Created by reference of threat intelligence entity |
properties.defanged | boolean | Is threat intelligence entity defanged |
properties.description | string | Description of a threat intelligence entity |
properties.displayName | string | Display name of a threat intelligence entity |
properties.extensions | | Extensions map |
properties.externalId | string | External ID of threat intelligence entity |
properties.externalLastUpdatedTimeUtc | string | External last updated time in UTC |
properties.externalReferences | ThreatIntelligenceExternalReference[] | External References |
properties.friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated. |
properties.granularMarkings | ThreatIntelligenceGranularMarkingModel[] | Granular Markings |
properties.indicatorTypes | string[] | Indicator types of threat intelligence entities |
properties.killChainPhases | ThreatIntelligenceKillChainPhase[] | Kill chain phases |
properties.labels | string[] | Labels of threat intelligence entity |
properties.language | string | Language of threat intelligence entity |
properties.lastUpdatedTimeUtc | string | Last updated time in UTC |
properties.modified | string | Modified by |
properties.objectMarkingRefs | string[] | Threat intelligence entity object marking references |
properties.parsedPattern | ThreatIntelligenceParsedPattern[] | Parsed patterns |
properties.pattern | string | Pattern of a threat intelligence entity |
properties.patternType | string | Pattern type of a threat intelligence entity |
properties.patternVersion | string | Pattern version of a threat intelligence entity |
properties.revoked | boolean | Is threat intelligence entity revoked |
properties.source | string | Source of a threat intelligence entity |
properties.threatIntelligenceTags | string[] | List of tags |
properties.threatTypes | string[] | Threat types |
properties.validFrom | string | Valid from |
properties.validUntil | string | Valid until |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
ThreatIntelligenceKillChainPhase
Describes threat kill chain phase entity
Name | Type | Description |
---|---|---|
killChainName | string | Kill chain name |
phaseName | string | Phase name |
ThreatIntelligenceParsedPattern
Describes parsed pattern entity
Name | Type | Description |
---|---|---|
patternTypeKey | string | Pattern type key |
patternTypeValues | ThreatIntelligenceParsedPatternTypeValue[] | Pattern type keys |
ThreatIntelligenceParsedPatternTypeValue
Describes threat kill chain phase entity
Name | Type | Description |
---|---|---|
value | string | Value of parsed pattern |
valueType | string | Type of the value |
ThreatIntelligenceResourceInnerKind
The kind of the threat intelligence entity
Name | Type | Description |
---|---|---|
indicator | string | Entity represents threat intelligence indicator in the system. |