Threat Intelligence Indicator - Create
Update a threat Intelligence indicator.
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/{name}?api-version=2025-09-01
URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
| name | path | True | string | Threat intelligence indicator name field. |
| resourceGroupName | path | True | string (minLength: 1, maxLength: 90) | The name of the resource group. The name is case insensitive. |
| subscriptionId | path | True | string (uuid) | The ID of the target subscription. The value must be a UUID. |
| workspaceName | path | True | string (minLength: 1, maxLength: 90, pattern: `^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$`) | The name of the workspace. |
| api-version | query | True | string (minLength: 1) | The API version to use for this operation. |
Request Body
| Name | Required | Type | Description |
|---|---|---|---|
| kind | True | string: indicator | The kind of the entity. |
| etag | | string | Etag of the Azure resource |
| properties.confidence | | integer (int32) | Confidence of threat intelligence entity |
| properties.created | | string | Created by |
| properties.createdByRef | | string | Created by reference of threat intelligence entity |
| properties.defanged | | boolean | Is threat intelligence entity defanged |
| properties.description | | string | Description of a threat intelligence entity |
| properties.displayName | | string | Display name of a threat intelligence entity |
| properties.extensions | | | Extensions map |
| properties.externalId | | string | External ID of threat intelligence entity |
| properties.externalLastUpdatedTimeUtc | | string | External last updated time in UTC |
| properties.externalReferences | | | External References |
| properties.granularMarkings | | | Granular Markings |
| properties.indicatorTypes | | string[] | Indicator types of threat intelligence entities |
| properties.killChainPhases | | | Kill chain phases |
| properties.labels | | string[] | Labels of threat intelligence entity |
| properties.language | | string | Language of threat intelligence entity |
| properties.lastUpdatedTimeUtc | | string | Last updated time in UTC |
| properties.modified | | string | Modified by |
| properties.objectMarkingRefs | | string[] | Threat intelligence entity object marking references |
| properties.parsedPattern | | | Parsed patterns |
| properties.pattern | | string | Pattern of a threat intelligence entity |
| properties.patternType | | string | Pattern type of a threat intelligence entity |
| properties.patternVersion | | string | Pattern version of a threat intelligence entity |
| properties.revoked | | boolean | Is threat intelligence entity revoked |
| properties.source | | string | Source of a threat intelligence entity |
| properties.threatIntelligenceTags | | string[] | List of tags |
| properties.threatTypes | | string[] | Threat types |
| properties.validFrom | | string | Valid from |
| properties.validUntil | | string | Valid until |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK | ThreatIntelligenceInformation: | OK |
| 201 Created | ThreatIntelligenceInformation: | Created |
| Other Status Codes | | Error response describing why the operation failed to update an indicator. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Scopes
| Name | Description |
|---|---|
| user_impersonation | impersonate your user account |
Examples
Update a threat Intelligence indicator
Sample request
PUT https://management.azure.com/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/d9cd6f0b-96b9-3984-17cd-a779d1e15a93?api-version=2025-09-01
```json
{
  "kind": "indicator",
  "properties": {
    "source": "Azure Sentinel",
    "threatIntelligenceTags": [
      "new schema"
    ],
    "displayName": "new schema",
    "confidence": 78,
    "createdByRef": "contoso@contoso.com",
    "description": "debugging indicators",
    "externalReferences": [],
    "granularMarkings": [],
    "threatTypes": [
      "compromised"
    ],
    "killChainPhases": [],
    "labels": [],
    "modified": "",
    "pattern": "[url:value = 'https://www.contoso.com']",
    "patternType": "url",
    "revoked": false,
    "validFrom": "2020-04-15T17:44:00.114052Z",
    "validUntil": ""
  }
}
```
Sample response
```json
{
  "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/180105c7-a28d-b1a2-4a78-234f6ec80fd6",
  "name": "180105c7-a28d-b1a2-4a78-234f6ec80fd6",
  "etag": "\"0000322c-0000-0800-0000-5e976c960000\"",
  "type": "Microsoft.SecurityInsights/ThreatIntelligence",
  "kind": "indicator",
  "properties": {
    "confidence": 78,
    "created": "2020-04-15T20:20:38.6160949Z",
    "createdByRef": "contoso@contoso.com",
    "externalId": "indicator--a2b6a95e-2108-4a38-bd49-ef95811bbcd7",
    "externalReferences": [],
    "granularMarkings": [],
    "lastUpdatedTimeUtc": "2020-04-15T20:20:38.6161887Z",
    "revoked": false,
    "source": "Azure Sentinel",
    "threatIntelligenceTags": [
      "new schema"
    ],
    "displayName": "new schema",
    "description": "debugging indicators",
    "threatTypes": [
      "compromised"
    ],
    "killChainPhases": [],
    "pattern": "[url:value = 'https://www.contoso.com']",
    "patternType": "url",
    "validFrom": "2020-04-15T17:44:00.114052Z"
  }
}
```

```json
{
  "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/180105c7-a28d-b1a2-4a78-234f6ec80fd6",
  "name": "180105c7-a28d-b1a2-4a78-234f6ec80fd6",
  "etag": "\"0000322c-0000-0800-0000-5e976c960000\"",
  "type": "Microsoft.SecurityInsights/ThreatIntelligence",
  "kind": "indicator",
  "properties": {
    "confidence": 78,
    "created": "2020-04-15T20:20:38.6160949Z",
    "createdByRef": "aztestConnectors@contoso.com",
    "externalId": "indicator--a2b6a95e-2108-4a38-bd49-ef95811bbcd7",
    "externalReferences": [],
    "granularMarkings": [],
    "lastUpdatedTimeUtc": "2020-04-15T20:20:38.6161887Z",
    "revoked": false,
    "source": "Azure Sentinel",
    "threatIntelligenceTags": [
      "new schema"
    ],
    "displayName": "new schema",
    "description": "debugging indicators",
    "threatTypes": [
      "compromised"
    ],
    "killChainPhases": [],
    "pattern": "[url:value = 'https://www.contoso.com']",
    "patternType": "url",
    "validFrom": "2020-04-15T17:44:00.114052Z"
  }
}
```
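A pre-flight check for the sample request above, as an added example (not part of the original reference and not Microsoft's code): the hypothetical helper `build_indicator_put` enforces the constraints listed in the URI Parameters and Request Body tables and percent-encodes each path segment before building the PUT URL. Token acquisition and the HTTP call itself are left out.

```python
import json
import re
import uuid
from urllib.parse import quote

API_VERSION = "2025-09-01"
# Pattern for workspaceName copied from the URI Parameters table.
WORKSPACE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$")
STRING_ARRAYS = ("indicatorTypes", "labels", "objectMarkingRefs",
                 "threatIntelligenceTags", "threatTypes")
URL_TEMPLATE = (
    "https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}"
    "/providers/Microsoft.OperationalInsights/workspaces/{ws}"
    "/providers/Microsoft.SecurityInsights/threatIntelligence/main"
    "/indicators/{name}?api-version={ver}"
)


def build_indicator_put(subscription_id, resource_group, workspace, name, properties):
    """Hypothetical helper: validate inputs, return (url, json_body) for the PUT."""
    # Canonical-form check: uuid.UUID() alone also accepts braces and "urn:uuid:".
    if str(uuid.UUID(subscription_id)) != subscription_id.lower():
        raise ValueError("subscriptionId must be a canonical UUID")
    if not 1 <= len(resource_group) <= 90:
        raise ValueError("resourceGroupName must be 1-90 characters")
    # fullmatch() so a trailing newline cannot slip past the "$" anchor.
    if len(workspace) > 90 or not WORKSPACE_RE.fullmatch(workspace):
        raise ValueError("workspaceName violates the documented length/pattern")
    if not name:
        raise ValueError("indicator name is required")
    conf = properties.get("confidence")
    if conf is not None and (type(conf) is not int or not -2**31 <= conf < 2**31):
        raise ValueError("properties.confidence must be an int32")
    for key in STRING_ARRAYS:
        value = properties.get(key, [])
        if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
            raise ValueError(f"properties.{key} must be a list of strings")
    for key in ("defanged", "revoked"):
        if key in properties and not isinstance(properties[key], bool):
            raise ValueError(f"properties.{key} must be a boolean")
    # Percent-encode every path segment so "/" or "?" in a value cannot
    # redirect the request to a different resource path.
    url = URL_TEMPLATE.format(
        sub=quote(subscription_id, safe=""), rg=quote(resource_group, safe=""),
        ws=quote(workspace, safe=""), name=quote(name, safe=""), ver=API_VERSION)
    return url, json.dumps({"kind": "indicator", "properties": properties})
```
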
Definitions
| Name | Description |
|---|---|
| CloudError | Error response structure. |
| CloudErrorBody | Error details. |
| createdByType | The type of identity that created the resource. |
| systemData | Metadata pertaining to creation and last modification of the resource. |
| ThreatIntelligenceExternalReference | Describes external reference |
| ThreatIntelligenceGranularMarkingModel | Describes threat granular marking model entity |
| ThreatIntelligenceIndicatorModel | Threat intelligence indicator entity. |
| ThreatIntelligenceKillChainPhase | Describes threat kill chain phase entity |
| ThreatIntelligenceParsedPattern | Describes parsed pattern entity |
| ThreatIntelligenceParsedPatternTypeValue | Describes threat kill chain phase entity |
| ThreatIntelligenceResourceInnerKind | The kind of the threat intelligence entity |
CloudError
Error response structure.
| Name | Type | Description |
|---|---|---|
| error | | Error data |
CloudErrorBody
Error details.
| Name | Type | Description |
|---|---|---|
| code | string | An identifier for the error. Codes are invariant and are intended to be consumed programmatically. |
| message | string | A message describing the error, intended to be suitable for display in a user interface. |
createdByType
The type of identity that created the resource.
| Value | Description |
|---|---|
| User | |
| Application | |
| ManagedIdentity | |
| Key | |
systemData
Metadata pertaining to creation and last modification of the resource.
| Name | Type | Description |
|---|---|---|
| createdAt | string (date-time) | The timestamp of resource creation (UTC). |
| createdBy | string | The identity that created the resource. |
| createdByType | | The type of identity that created the resource. |
| lastModifiedAt | string (date-time) | The timestamp of resource last modification (UTC) |
| lastModifiedBy | string | The identity that last modified the resource. |
| lastModifiedByType | | The type of identity that last modified the resource. |
ThreatIntelligenceExternalReference
Describes external reference
| Name | Type | Description |
|---|---|---|
| description | string | External reference description |
| externalId | string | External reference ID |
| hashes | object | External reference hashes |
| sourceName | string | External reference source name |
| url | string | External reference URL |
ThreatIntelligenceGranularMarkingModel
Describes threat granular marking model entity
| Name | Type | Description |
|---|---|---|
| language | string | Language granular marking model |
| markingRef | integer (int32) | marking reference granular marking model |
| selectors | string[] | granular marking model selectors |
ThreatIntelligenceIndicatorModel
Threat intelligence indicator entity.
| Name | Type | Description |
|---|---|---|
| etag | string | Etag of the Azure resource |
| id | string (arm-id) | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
| kind | string: indicator | The kind of the entity. |
| name | string | The name of the resource |
| properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user. |
| properties.confidence | integer (int32) | Confidence of threat intelligence entity |
| properties.created | string | Created by |
| properties.createdByRef | string | Created by reference of threat intelligence entity |
| properties.defanged | boolean | Is threat intelligence entity defanged |
| properties.description | string | Description of a threat intelligence entity |
| properties.displayName | string | Display name of a threat intelligence entity |
| properties.extensions | | Extensions map |
| properties.externalId | string | External ID of threat intelligence entity |
| properties.externalLastUpdatedTimeUtc | string | External last updated time in UTC |
| properties.externalReferences | | External References |
| properties.friendlyName | string | The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated. |
| properties.granularMarkings | | Granular Markings |
| properties.indicatorTypes | string[] | Indicator types of threat intelligence entities |
| properties.killChainPhases | | Kill chain phases |
| properties.labels | string[] | Labels of threat intelligence entity |
| properties.language | string | Language of threat intelligence entity |
| properties.lastUpdatedTimeUtc | string | Last updated time in UTC |
| properties.modified | string | Modified by |
| properties.objectMarkingRefs | string[] | Threat intelligence entity object marking references |
| properties.parsedPattern | | Parsed patterns |
| properties.pattern | string | Pattern of a threat intelligence entity |
| properties.patternType | string | Pattern type of a threat intelligence entity |
| properties.patternVersion | string | Pattern version of a threat intelligence entity |
| properties.revoked | boolean | Is threat intelligence entity revoked |
| properties.source | string | Source of a threat intelligence entity |
| properties.threatIntelligenceTags | string[] | List of tags |
| properties.threatTypes | string[] | Threat types |
| properties.validFrom | string | Valid from |
| properties.validUntil | string | Valid until |
| systemData | | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
| type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
ThreatIntelligenceKillChainPhase
Describes threat kill chain phase entity
| Name | Type | Description |
|---|---|---|
| killChainName | string | Kill chain name |
| phaseName | string | Phase name |
ThreatIntelligenceParsedPattern
Describes parsed pattern entity
| Name | Type | Description |
|---|---|---|
| patternTypeKey | string | Pattern type key |
| patternTypeValues | | Pattern type keys |
ThreatIntelligenceParsedPatternTypeValue
Describes threat kill chain phase entity
| Name | Type | Description |
|---|---|---|
| value | string | Value of parsed pattern |
| valueType | string | Type of the value |
ThreatIntelligenceResourceInnerKind
The kind of the threat intelligence entity
| Value | Description |
|---|---|
| indicator | Entity represents threat intelligence indicator in the system. |