Microsoft Graph Security (Preview)

The Microsoft Graph Security connector helps to connect different Microsoft and partner security products and services, using a unified schema, to streamline security operations, and improve threat protection, detection, and response capabilities. Learn more about integrating with the Microsoft Graph Security API at https://aka.ms/graphsecuritydocs

This connector is available in the following products and regions:

Service	Class	Regions
Logic Apps	Standard	All Logic Apps regions except the following:      -   Azure Government regions      -   Azure China regions      -   US Department of Defense (DoD)
Power Automate	Premium	All Power Automate regions except the following:      -   US Government (GCC)      -   US Government (GCC High)      -   China Cloud operated by 21Vianet      -   US Department of Defense (DoD)
Power Apps	Premium	All Power Apps regions except the following:      -   US Government (GCC)      -   US Government (GCC High)      -   China Cloud operated by 21Vianet      -   US Department of Defense (DoD)

Contact
Name	Microsoft
URL	Microsoft LogicApps Support Microsoft Power Automate Support Microsoft Power Apps Support
Email	sipsisgdev@microsoft.com

Connector Metadata
Publisher	Microsoft
Website	https://www.microsoft.com/security/business/graph-security-api

Prerequisites to connect with The Microsoft Graph Security connector

Read more about Microsoft Graph Security API.

1. To use the Microsoft Graph Security connector action, start with a trigger, such as the Recurrence trigger.

2. To use the Microsoft Graph Security connector, Microsoft Entra ID tenant administrator consent needs to be provided as part of Microsoft Graph Security Authentication requirements.

3. The Microsoft Graph Security connector application ID and name (for Microsoft Entra ID in https://portal.azure.com) is as follows for Microsoft Entra ID administrator consent:

• Application Name - MicrosoftGraphSecurityConnector
• Application ID - c4829704-0edc-4c3d-a347-7c4a67586f3c

4. Tenant administrator can either follow steps outlined in granting tenant administrator consent for Microsoft Entra ID applications to the above mentioned application or can grant permissions upon initial run of a workflow using the Microsoft Graph Security connector per the application consent experience.

You are now ready to use the Microsoft Graph Security connector!

Connector in-depth

For more information about the connector, see the in-depth section.

Throttling Limits

Name	Calls	Renewal Period
API calls per connection	100	60 seconds

Actions

Create subscriptions	Create Microsoft Graph webhook subscriptions.
Create tiIndicator	Create a new threat intelligence indicator by posting to the tiIndicators collection.
Delete multiple tiIndicators by external IDs	Delete multiple threat intelligence indicators corresponding to the specified external IDs.
Delete multiple tiIndicators by IDs	Delete multiple threat intelligence indicators corresponding to the specified IDs.
Delete subscriptions	Delete the specific Microsoft Graph Webhook subscription.
Delete tiIndicator by ID	Delete a threat intelligence indicator corresponding to the specified ID.
Get active subscriptions	Get the list of unexpired subscriptions for this Microsoft Entra ID tenant.
Get alert by ID	Get a security alert corresponding to the specified ID.
Get alerts	Get a list of security alerts for this Microsoft Entra ID tenant. Use with different query parameters.
Get tiIndicator by ID	Get a threat intelligence indicator corresponding to the specified ID.
Get tiIndicators	Get a list of threat intelligence indicators for this Microsoft Entra ID tenant. Use with different query parameters.
Submit multiple tiIndicators	Create new threat intelligence indicators by posting a tiIndicators collection. Required fields for each tiIndicator are: action, azureTenantId, description, expirationDateTime, targetProduct, threatType, tlpLevel.
Update alert	Update specific properties of a security alert.
Update multiple tiIndicators	Update specific properties of multiple threat intelligence indicators. Required fields for each tiIndicator are: Id, expirationDateTime, and targetProduct.
Update subscription	Renew a Microsoft Graph webhook subscription by updating its expiration time.
Update tiIndicator	Update specific properties of a threat intelligence indicator. Required fields for the tiIndicator are: Id, expirationDateTime, and targetProduct.

Create subscriptions

Operation ID:

CreateSubscriptions

Create Microsoft Graph webhook subscriptions.

Parameters

Name	Key	Required	Type	Description
Resource URL	resource	True	string	Specify the resource that will be monitored for changes. Do not include base URL (https://graph.microsoft.com/v1.0/). Include security/alerts followed by the odata query. For e.g. security/alerts?$filter=status eq �New�
Change type	changeType	True	string	Specify the property type that should raise a notification when changed on the subscribed resource.
Client state	clientState		string	Specify the client state to confirm the notification origination source.
Notification URL	notificationUrl	True	string	Specify a well-formed URL of the endpoint that will receive notifications.
Expiration date time	expirationDateTime	True	date-time	Specify the date time when the webhook subscription expires; needs to be a date time greater than current time and within 30 days.

Returns

A single subscription entity returned

Subscription

Subscription

Create tiIndicator

Operation ID:

CreateTiIndicator

Create a new threat intelligence indicator by posting to the tiIndicators collection.

Parameters

Name	Key	Required	Type	Description
Action	action	True	string	The action to apply if the indicator is matched from within the targetProduct security tool. Values: (unknown, allow, block, alert).
Activity group names	activityGroupNames		array of string	The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator.
Additional information	additionalInformation		string	Extra data from the indicator not covered by the other tiIndicator properties may be placed
Azure Tenant ID	azureTenantId		string	The Microsoft Entra ID tenant id of submitting client.
Confidence	confidence		integer	Confidence of the detection logic (percentage between 0-100).
Description	description	True	string	TiIndicator description (100 charactes or less).
Diamond model	diamondModel		string	The area of the Diamond Model in which this indicator exists. Values: (unknown, adversary, capability, infrastructure, victim).
Expiration date time	expirationDateTime	True	date-time	Time at which the the Indicator expires (UTC).
External ID	externalId		string	An identification number that ties the indicator back to the indicator provider’s system (e.g. a foreign key).
Ingested date time	ingestedDateTime		date-time	Time at which the the Indicator is ingested (UTC).
Is active	isActive		boolean	By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system.
Kill chain	killChain		array of string	strings that describes which point or points on the Kill Chain this indicator targets. Values: (Actions, C2, Delivery, Exploitation, Installation, Reconnaissance, Weaponization).
Known false positives	knownFalsePositives		string	Scenarios in which the indicator may cause false positives.
Last reported date time	lastReportedDateTime		date-time	The last time the indicator was seen (UTC).
Malware family names	malwareFamilyNames		array of string	The malware family name associated with an indicator if it exists.
Passive Only	passiveOnly		boolean	Determines if the indicator should trigger an event that is visible to an end-user.
Severity	severity		integer	Severity of the malicious behavior identified by the data within the indicator. Values are from 0 – 5 with 5 being most severe. Default value is 3.
Tags	tags		array of string
Target Product	targetProduct	True	string	Single security product to which the indicator should be applied. Acceptable values are: Azure Sentinel, Microsoft Defender ATP.
Threat Type	threatType		string	Each indicator must have a valid Indicator Threat Type. Possible values are: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList.
Tlp level	tlpLevel		string	Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red.
Email encoding	emailEncoding		string	The type of text encoding used in the email.
Email language	emailLanguage		string	The language of the email.
Email recipient	emailRecipient		string	Recipient email address.
Email sender address	emailSenderAddress		string	Email address of the attacker|victim.
Email sender name	emailSenderName		string	Displayed name of the attacker|victim.
Email source domain	emailSourceDomain		string	Domain used in the email.
Email source Ip address	emailSourceIpAddress		string	Source IP address of email.
Email subject	emailSubject		string	Subject line of email.
Email XMailer	emailXMailer		string	X-Mailer value used in the email.
File compile date time	fileCompileDateTime		date-time	DateTime when the file was compiled.
File created date time	fileCreatedDateTime		date-time	DateTime when the file was created.
File hash type	fileHashType		string	The type of hash stored in fileHashValue. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph.
File hash value	fileHashValue		string	The file hash value.
File mutex name	fileMutexName		string	Mutex name used in file-based detections.
File name	fileName		string	Name of the file if the indicator is file-based.
File packer	filePacker		string	The packer used to build the file in question.
File path	filePath		string	Path of file indicating compromise. May be a Windows or *nix style path.
File size	fileSize		integer	Size of the file in bytes.
File type	fileType		string	Text description of the type of file. For example, “Word Document” or “Binary”.
Domain name	domainName		string	Domain name associated with this indicator.
Network cidr block	networkCidrBlock		string	CIDR Block notation representation of the network referenced in this indicator.
Network destination Asn	networkDestinationAsn		integer	The destination autonomous system identifier of the network referenced in the indicator.
Network destination cidr block	networkDestinationCidrBlock		string	CIDR Block notation representation of the destination network in this indicator.
Network destination IPv4	networkDestinationIPv4		string	IPv4 IP address destination.
Network destination IPv6	networkDestinationIPv6		string	IPv6 IP address destination.
Network destination port	networkDestinationPort		integer	TCP port destination.
Network IPv4	networkIPv4		string	IPv4 IP address.
Network IPv6	networkIPv6		string	IPv6 IP address.
Network port	networkPort		integer	TCP port.
Network protocol	networkProtocol		integer	Decimal representation of the protocol field in the IPv4 header.
Network source Asn	networkSourceAsn		integer	The source autonomous system identifier of the network referenced in the indicator.
Network source cidr block	networkSourceCidrBlock		string	CIDR Block notation representation of the source network in this indicator.
Network source IPv4	networkSourceIPv4		string	IPv4 IP address source.
Network destination IPv6	networkSourceIPv6		string	IPv6 IP address source.
Network source port	networkSourcePort		integer	TCP port source.
Url	url		string	Uniform Resource Locator.
User agent	userAgent		string	User-Agent string from a web request that could indicate compromise.

Returns

A single TiIndicator entity returned

TiIndicator

TiIndicator

Delete multiple tiIndicators by external IDs

Operation ID:

DeleteTiIndicatorsByExternalId

Delete multiple threat intelligence indicators corresponding to the specified external IDs.

Parameters

Name	Key	Required	Type	Description
value	value		array of string

Returns

Name	Path	Type	Description
value	value	array of object
code	value.code	integer	The result code
message	value.message	string	The message
subcode	value.subcode	integer	The result sub-code

Delete multiple tiIndicators by IDs

Operation ID:

DeleteTiIndicators

Delete multiple threat intelligence indicators corresponding to the specified IDs.

Parameters

Name	Key	Required	Type	Description
value	value		array of string

Returns

Name	Path	Type	Description
value	value	array of object
code	value.code	integer	The result code
message	value.message	string	The message
subcode	value.subcode	integer	The result sub-code

Delete subscriptions

Operation ID:

DeleteSubscription

Delete the specific Microsoft Graph Webhook subscription.

Parameters

Name	Key	Required	Type	Description
Subscription ID	Subscription Id	True	string	Specify the Microsoft Graph Webhook Subscription ID.

Delete tiIndicator by ID

Operation ID:

DeleteTiIndicator

Delete a threat intelligence indicator corresponding to the specified ID.

Parameters

Name	Key	Required	Type	Description
TiIndicator ID	indicator-id	True	string	Specify threat intelligence indicator ID

Get active subscriptions

Operation ID:

GetActiveSubscriptions

Get the list of unexpired subscriptions for this Microsoft Entra ID tenant.

Returns

Name	Path	Type	Description
Existing subcriptions count	@odata.count	integer	The number of subcriptions returned
Subscription	value	array of Subscription	The subscription entities returned
Next link	@odata.nextLink	string	A link to get the next results in case there are more results than requested

Get alert by ID

Operation ID:

GetAlertById

Get a security alert corresponding to the specified ID.

Parameters

Name	Key	Required	Type	Description
Alert ID	alert-id	True	string	Specify alert ID.

Returns

A single alert entity returned

Alert

Alert

Get alerts

Operation ID:

GetAlerts

Get a list of security alerts for this Microsoft Entra ID tenant. Use with different query parameters.

Parameters

Name	Key	Required	Type	Description
Filter alerts	$filter		string	Specify filtering condition for alerts like Severity eq "High".
Top alerts	$top		integer	Specify the recent most top number of alerts to retrieve from each provider.
Select alert properties	$select		string	Specify alert properties to include in the results.
Sorting order	$orderby		string	Specify sorting order for the results.
Skips "n" results	$skip		integer	Specify number of results to skip. Useful for pagination.
Include count of alerts returned	$count		string	Specify to include the number of alerts returned in the response

Returns

Name	Path	Type	Description
Alerts count	@odata.count	integer	The number of alerts returned
Alerts	value	array of Alert	The alerts returned
Next link	@odata.nextLink	string	A link to get the next results in case there are more results than requested

Get tiIndicator by ID

Operation ID:

GetTiIndicatorbyId

Get a threat intelligence indicator corresponding to the specified ID.

Parameters

Name	Key	Required	Type	Description
TiIndicator ID	indicator-id	True	string	Specify threat intelligence indicator ID

Returns

A single TiIndicator entity returned

TiIndicator

TiIndicator

Get tiIndicators

Operation ID:

GetTiIndicators

Get a list of threat intelligence indicators for this Microsoft Entra ID tenant. Use with different query parameters.

Parameters

Name	Key	Required	Type	Description
Filter tiIndicators	$filter		string	Specify filtering condition for threat intelligence indicators like threatType eq 'WatchList'
Top tiIndicators	$top		integer	Specify the recent top number of threat intelligence indicators to be retrieved
Select tiIndicator properties	$select		string	Specify threat intelligence indicator properties to include in the results.
Include count of tiIndicators returned	$count		string	Specify to include the number of threat intelligence indicators returned in the response
Skips "n" results	$skip		integer	Specify number of results to skip. Useful for pagination.
Sorting order	$orderby		string	Specify sorting order for the results.

Returns

Name	Path	Type	Description
TiIndicator count	@odata.count	integer	The number of TiIndicator returned
TiIndicators	value	array of TiIndicator	The TiIndicator returned
Next link	@odata.nextLink	string	A link to get the next results in case there are more results than requested

Submit multiple tiIndicators

Operation ID:

SubmitTiIndicators

Create new threat intelligence indicators by posting a tiIndicators collection. Required fields for each tiIndicator are: action, azureTenantId, description, expirationDateTime, targetProduct, threatType, tlpLevel.

Parameters

Name	Key	Required	Type	Description
Action	action	True	string	The action to apply if the indicator is matched from within the targetProduct security tool. Values: (unknown, allow, block, alert).
Activity group names	activityGroupNames		array of string	The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator.
Additional information	additionalInformation		string	Extra data from the indicator not covered by the other tiIndicator properties may be placed
Azure Tenant ID	azureTenantId		string	The Microsoft Entra ID tenant id of submitting client.
Confidence	confidence		integer	Confidence of the detection logic (percentage between 0-100).
Description	description	True	string	TiIndicator description (100 charactes or less).
Diamond model	diamondModel		string	The area of the Diamond Model in which this indicator exists. Values: (unknown, adversary, capability, infrastructure, victim).
Expiration date time	expirationDateTime	True	date-time	Time at which the the Indicator expires (UTC).
External ID	externalId		string	An identification number that ties the indicator back to the indicator provider’s system (e.g. a foreign key).
Ingested date time	ingestedDateTime		date-time	Time at which the the Indicator is ingested (UTC).
Is active	isActive		boolean	By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system.
Kill chain	killChain		array of string	strings that describes which point or points on the Kill Chain this indicator targets. Values: (Actions, C2, Delivery, Exploitation, Installation, Reconnaissance, Weaponization).
Known false positives	knownFalsePositives		string	Scenarios in which the indicator may cause false positives.
Last reported date time	lastReportedDateTime		date-time	The last time the indicator was seen (UTC).
Malware family names	malwareFamilyNames		array of string	The malware family name associated with an indicator if it exists.
Passive Only	passiveOnly		boolean	Determines if the indicator should trigger an event that is visible to an end-user.
Severity	severity		integer	Severity of the malicious behavior identified by the data within the indicator. Values are from 0 – 5 with 5 being most severe. Default value is 3.
Tags	tags		array of string
Target Product	targetProduct	True	string	Single security product to which the indicator should be applied. Acceptable values are: Azure Sentinel, Microsoft Defender ATP.
Threat Type	threatType		string	Each indicator must have a valid Indicator Threat Type. Possible values are: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList.
Tlp level	tlpLevel		string	Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red.
Email encoding	emailEncoding		string	The type of text encoding used in the email.
Email language	emailLanguage		string	The language of the email.
Email recipient	emailRecipient		string	Recipient email address.
Email sender address	emailSenderAddress		string	Email address of the attacker|victim.
Email sender name	emailSenderName		string	Displayed name of the attacker|victim.
Email source domain	emailSourceDomain		string	Domain used in the email.
Email source Ip address	emailSourceIpAddress		string	Source IP address of email.
Email subject	emailSubject		string	Subject line of email.
Email XMailer	emailXMailer		string	X-Mailer value used in the email.
File compile date time	fileCompileDateTime		date-time	DateTime when the file was compiled.
File created date time	fileCreatedDateTime		date-time	DateTime when the file was created.
File hash type	fileHashType		string	The type of hash stored in fileHashValue. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph.
File hash value	fileHashValue		string	The file hash value.
File mutex name	fileMutexName		string	Mutex name used in file-based detections.
File name	fileName		string	Name of the file if the indicator is file-based.
File packer	filePacker		string	The packer used to build the file in question.
File path	filePath		string	Path of file indicating compromise. May be a Windows or *nix style path.
File size	fileSize		integer	Size of the file in bytes.
File type	fileType		string	Text description of the type of file. For example, “Word Document” or “Binary”.
Domain name	domainName		string	Domain name associated with this indicator.
Network cidr block	networkCidrBlock		string	CIDR Block notation representation of the network referenced in this indicator.
Network destination Asn	networkDestinationAsn		integer	The destination autonomous system identifier of the network referenced in the indicator.
Network destination cidr block	networkDestinationCidrBlock		string	CIDR Block notation representation of the destination network in this indicator.
Network destination IPv4	networkDestinationIPv4		string	IPv4 IP address destination.
Network destination IPv6	networkDestinationIPv6		string	IPv6 IP address destination.
Network destination port	networkDestinationPort		integer	TCP port destination.
Network IPv4	networkIPv4		string	IPv4 IP address.
Network IPv6	networkIPv6		string	IPv6 IP address.
Network port	networkPort		integer	TCP port.
Network protocol	networkProtocol		integer	Decimal representation of the protocol field in the IPv4 header.
Network source Asn	networkSourceAsn		integer	The source autonomous system identifier of the network referenced in the indicator.
Network source cidr block	networkSourceCidrBlock		string	CIDR Block notation representation of the source network in this indicator.
Network source IPv4	networkSourceIPv4		string	IPv4 IP address source.
Network destination IPv6	networkSourceIPv6		string	IPv6 IP address source.
Network source port	networkSourcePort		integer	TCP port source.
Url	url		string	Uniform Resource Locator.
User agent	userAgent		string	User-Agent string from a web request that could indicate compromise.

Returns

Name	Path	Type	Description
TiIndicators	value	array of TiIndicator	The TiIndicators submitted

Update alert

Operation ID:

UpdateAlert

Update specific properties of a security alert.

Parameters

Name	Key	Required	Type	Description
Alert ID	alert-id	True	string	Specify alert ID.
Assigned to	assignedTo		string	Specify the name of the analyst the alert is assigned to for triage, investigation, or remediation.
Closed dateTime	closedDateTime		string	Specify the time at which the alert was closed. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time.
comments	comments		array of string	Comments
Tags	tags		array of string	Specify any user-definable labels that can be applied to an alert and can serve as filter conditions (for example "HVA", "SAW", etc.).
Feedback	feedback		string	Specify analyst feedback on the alert.
Status	status		string	Specify status to track alert lifecycle status (stage).
Provider name	provider	True	string	Specific provider (product/service - not vendor company); for example, WindowsDefenderATP.
Provider version	providerVersion		string	Specify version of the provider or subprovider, if it exists, that generated the alert.
Sub Provider name	subProvider		string	Specific subprovider (under aggregating provider); for example, WindowsDefenderATP.SmartScreen.
Vendor name	vendor	True	string	Specify name of the alert vendor (for example, Microsoft, Dell, FireEye).

Update multiple tiIndicators

Operation ID:

UpdateTiIndicators

Update specific properties of multiple threat intelligence indicators. Required fields for each tiIndicator are: Id, expirationDateTime, and targetProduct.

Parameters

Name	Key	Required	Type	Description
id	id	True	string	TiIndicator-id
Action	action		string	The action to apply if the indicator is matched from within the targetProduct security tool. Values: (unknown, allow, block, alert).
Activity group names	activityGroupNames		array of string	The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator.
Additional information	additionalInformation		string	Extra data from the indicator not covered by the other tiIndicator properties may be placed
Confidence	confidence		integer	Confidence of the detection logic (percentage between 0-100).
Description	description		string	TiIndicator description (100 charactes or less).
Diamond model	diamondModel		string	The area of the Diamond Model in which this indicator exists. Values: (unknown, adversary, capability, infrastructure, victim).
Expiration date time	expirationDateTime	True	date-time	Time at which the the Indicator expires (UTC).
Target Product	targetProduct	True	string	Single security product to which the indicator should be applied. Acceptable values are: Azure Sentinel, Microsoft Defender ATP.
External ID	externalId		string	An identification number that ties the indicator back to the indicator provider’s system (e.g. a foreign key).
Is active	isActive		boolean	By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system.
Kill chain	killChain		array of string	strings that describes which point or points on the Kill Chain this indicator targets. Values: (Actions, C2, Delivery, Exploitation, Installation, Reconnaissance, Weaponization).
Known false positives	knownFalsePositives		string	Scenarios in which the indicator may cause false positives.
Last reported date time	lastReportedDateTime		date-time	The last time the indicator was seen (UTC).
Malware family names	malwareFamilyNames		array of string	The malware family name associated with an indicator if it exists.
Passive Only	passiveOnly		boolean	Determines if the indicator should trigger an event that is visible to an end-user.
Severity	severity		integer	Severity of the malicious behavior identified by the data within the indicator. Values are from 0 – 5 with 5 being most severe. Default value is 3.
Tags	tags		array of string
Tlp level	tlpLevel		string	Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red.

Returns

Name	Path	Type	Description
TiIndicators	value	array of TiIndicator	The TiIndicators updated

Update subscription

Operation ID:

UpdateSubscription

Renew a Microsoft Graph webhook subscription by updating its expiration time.

Parameters

Name	Key	Required	Type	Description
Subscription ID	Subscription Id	True	string	Specify Microsoft Graph Webhook subscription ID.
Expiration date time	expirationDateTime		string	Specify the date and time, in UTC format, of when the Microsoft Graph webhook subscription expires. The maximum expiration time for security alerts is 43200 minutes (under 30 days).

Returns

A single subscription entity returned

Subscription

Subscription

Update tiIndicator

Operation ID:

UpdateTiIndicator

Update specific properties of a threat intelligence indicator. Required fields for the tiIndicator are: Id, expirationDateTime, and targetProduct.

Parameters

Name	Key	Required	Type	Description
TiIndicator ID	indicator-id	True	string	Specify threat intelligence indicator ID.
Action	action		string	The action to apply if the indicator is matched from within the targetProduct security tool. Values: (unknown, allow, block, alert).
Activity group names	activityGroupNames		array of string	The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator.
Additional information	additionalInformation		string	Extra data from the indicator not covered by the other tiIndicator properties may be placed
Confidence	confidence		integer	Confidence of the detection logic (percentage between 0-100).
Description	description		string	TiIndicator description (100 charactes or less).
Diamond model	diamondModel		string	The area of the Diamond Model in which this indicator exists. Values: (unknown, adversary, capability, infrastructure, victim).
Expiration date time	expirationDateTime	True	date-time	Time at which the the Indicator expires (UTC format. For example, 2020-03-01T00:00:00Z).
External ID	externalId		string	An identification number that ties the indicator back to the indicator provider’s system (e.g. a foreign key).
Is active	isActive		boolean	By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system.
Kill chain	killChain		array of string	strings that describes which point or points on the Kill Chain this indicator targets. Values: (Actions, C2, Delivery, Exploitation, Installation, Reconnaissance, Weaponization).
Known false positives	knownFalsePositives		string	Scenarios in which the indicator may cause false positives.
Last reported date time	lastReportedDateTime		date-time	The last time the indicator was seen (UTC).
Malware family names	malwareFamilyNames		array of string	The malware family name associated with an indicator if it exists.
Passive Only	passiveOnly		boolean	Determines if the indicator should trigger an event that is visible to an end-user.
Severity	severity		integer	Severity of the malicious behavior identified by the data within the indicator. Values are from 0 – 5 with 5 being most severe. Default value is 3.
Tags	tags		array of string
Tlp level	tlpLevel		string	Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red.
Target Product	targetProduct	True	string	Single security product to which the indicator should be applied. Acceptable values are: Azure Sentinel, Microsoft Defender ATP.

Triggers

On all new alerts	Triggers on all new alerts
On new high severity alerts	Triggers on new high severity alerts

On all new alerts

Operation ID:

OnAllNewAlerts

Triggers on all new alerts

Returns

Name	Path	Type	Description
Alerts count	@odata.count	integer	The number of alerts returned
Alerts	value	array of Alert	The alerts returned
Next link	@odata.nextLink	string	A link to get the next results in case there are more results than requested

On new high severity alerts

Operation ID:

OnNewHighSeverityAlerts

Triggers on new high severity alerts

Returns

Name	Path	Type	Description
Alerts count	@odata.count	integer	The number of alerts returned
Alerts	value	array of Alert	The alerts returned
Next link	@odata.nextLink	string	A link to get the next results in case there are more results than requested

Definitions

Alert

A single alert entity returned

Name	Path	Type	Description
Azure subscription ID	azureSubscriptionId	string	Azure subscription ID, present if this alert is related to an Azure resource.
Tags	tags	array of string	User-definable labels that can be applied to an alert and can serve as filter conditions (e.g. "HVA", "SAW", etc.).
ID	id	string	Provider-generated GUID/unique identifier.
Azure tenant ID	azureTenantId	string	Microsoft Entra ID tenant ID.
Activity group name	activityGroupName	string	Name or alias of the activity group (attacker) this alert is attributed to.
Assigned to	assignedTo	string	Name of the analyst the alert is assigned to for triage, investigation, or remediation.
Category	category	string	Category of the alert (e.g. credentialTheft, ransomware, etc.).
Closed date time	closedDateTime	date-time	Time at which the alert was closed (UTC).
Comments	comments	array of string	Customer-provided comments on alert (for customer alert management).
Confidence	confidence	integer	Confidence of the detection logic (percentage between 1-100).
Created date time	createdDateTime	date-time	Time at which the alert was created (UTC).
Description	description	string	Alert description.
Detection Ids	detectionIds	array of string	Set of alerts related to this alert entity.
Event date time	eventDateTime	date-time	Time at which the event(s) that served as the trigger(s) to generate the alert occurred (UTC).
Feedback	feedback	string	Analyst feedback on the alert. Possible values are: unknown, truePositive, falsePositive, benignPositive.
Last modified date time	lastModifiedDateTime	date-time	Time at which the alert entity was last modified (UTC).
Recommended actions	recommendedActions	array of string	Vendor/Provider recommended action/s to take as a result of the alert (e.g. isolate machine, enforce2FA, reimage host, etc.).
Severity	severity	string	Alert severity - set by vendor/provider. Values: (high, medium, low, Informational) where "informational" infers that the alert is not actionable.
Source materials	sourceMaterials	array of string	Hyperlinks (URIs) to the source material related to the alert, e.g. provider investigation UI, etc.
Status	status	string	Alert lifecycle status (stage). Values: (unknown, newAlert, inProgress, resolved).
Title	title	string	Alert title.
Provider name	vendorInformation.provider	string	Specific provider (product/service - not vendor company); for example, WindowsDefenderATP.
Provider version	vendorInformation.providerVersion	string	Version of the provider or subprovider.
Sub provider name	vendorInformation.subProvider	string	Specific subprovider (under aggregating provider); for example, WindowsDefenderATP.SmartScreen.
Vendor name	vendorInformation.vendor	string	Name of the alert vendor (for example, Microsoft, Dell, FireEye).
Cloud app states	cloudAppStates	array of object	Security-related stateful information generated by the provider about the cloud application/s related to this alert.
Destination service IP	cloudAppStates.destinationServiceIp	string	Destination IP address of the connection to cloud app/service.
Destination service name	cloudAppStates.destinationServiceName	string	Destination cloud app/service name.
Risk score	cloudAppStates.riskScore	string	Provider-generated/calculated risk score of the Cloud Application/Service.
File states	fileStates	array of object	Security-related stateful information generated by the provider about the file(s) related to this alert.
Name	fileStates.name	string	File Name (without path).
Path	fileStates.path	string	Full file path of the file/imageFile.
Risk score	fileStates.riskScore	string	Provider generated/calculated risk score of the alert file.
Type	fileStates.fileHash.type	string	File hash type. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph, peSha1, peSha256.
Value	fileStates.fileHash.value	string	Value of the file hash.
Host states	hostStates	array of object	Security-related stateful information generated by the provider about the host(s) related to this alert.
Fully qualified domain name	hostStates.fqdn	string	Host FQDN (Fully Qualified Domain Name).
Is azureAd joined	hostStates.isAzureAdJoined	boolean	True if the host is domain joined to Microsoft Entra ID Domain Services.
Is azureAd registered	hostStates.isAzureAdRegistered	boolean	True if the host registered with Microsoft Entra ID Device Registration (e.g. BYOD) - not fully managed by enterprise.
Is hybrid azure domain joined	hostStates.isHybridAzureDomainJoined	boolean	True if the host is domain joined to an on-premises Microsoft Entra ID domain.
Net bios name	hostStates.netBiosName	string	Local host name without DNS domain name.
Operating system name	hostStates.os	string	Host Operating System.
Private IP address	hostStates.privateIpAddress	string	Private (not routable) IPv4 or IPv6 Address at the time of the alert.
Public IP address	hostStates.publicIpAddress	string	Publicly routable IPv4 or IPv6 Address at time of the alert.
Risk score	hostStates.riskScore	string	Provider-generated/calculated risk score of the host.
Malware states	malwareStates	array of object	Security-related stateful information generated by the provider about the malware related to this alert.
Category	malwareStates.category	string	Provider-generated malware category (e.g. trojan, ransomware, etc.).
Family	malwareStates.family	string	Provider-generated malware family (e.g. "wannacry", "notpetya", etc.).
Name	malwareStates.name	string	Provider-generated malware variant name (e.g. Trojan:Win32/Powessere.H).
Severity	malwareStates.severity	string	Provider-determined severity of this malware.
Was running	malwareStates.wasRunning	boolean	Indicates whether the detected file (malware/vulnerability) was running at the time of detection or was detected at rest on the disk.
Network connections	networkConnections	array of object	Security-related stateful information generated by the provider about the file(s) related to this alert.
Application name	networkConnections.applicationName	string	Name of the application managing the network connection (e.g. Facebook, SMTP, etc.).
Destination address	networkConnections.destinationAddress	string	Destination IP address of the network connection.
Destination domain	networkConnections.destinationDomain	string	Destination domain portion of the destination URL.(for example "www.contoso.com").
Destination port	networkConnections.destinationPort	string	Destination port of the network connection.
Destination url	networkConnections.destinationUrl	string	Network connection URL/URI string - excluding parameters.
Direction	networkConnections.direction	string	Network connection direction. Possible values are: unknown, inbound, outbound.
Domain registered dateTime	networkConnections.domainRegisteredDateTime	date-time	Date the destination domain was registered (UTC).
Local dns name	networkConnections.localDnsName	string	The local DNS name resolution as it appears in the host local DNS cache (e.g. in case the "hosts" file was tampered with).
Nat destination address	networkConnections.natDestinationAddress	string	Network Address Translation destination IP address.
Nat destination port	networkConnections.natDestinationPort	string	Network Address Translation destination port.
Nat source address	networkConnections.natSourceAddress	string	Network Address Translation source IP address.
Nat source port	networkConnections.natSourcePort	string	Network Address Translation source port.
Protocol	networkConnections.protocol	string	Network protocol. Possible values are: unknown, ip, icmp, igmp, ggp, ipv4, tcp, pup, udp, idp, ipv6, ipv6RoutingHeader, ipv6FragmentHeader, ipSecEncapsulatingSecurityPayload, ipSecAuthenticationHeader, icmpV6, ipv6NoNextHeader, ipv6DestinationOptions, nd, raw, ipx, spx, spxII.
Risk score	networkConnections.riskScore	string	Provider generated/calculated risk score of the network connection.
Source address	networkConnections.sourceAddress	string	Source (i.e. origin) IP address of the network connection.
Source port	networkConnections.sourcePort	string	Source (i.e. origin) IP port of the network connection.
Status	networkConnections.status	string	Network connection status. Possible values are: unknown, attempted, succeeded, blocked, failed.
Url parameters	networkConnections.urlParameters	string	Parameters (suffix) of the destination URL as a string.
Processes	processes	array of object	Security-related stateful information generated by the provider about the process or processes related to this alert.
Account name	processes.accountName	string	User account identifier (user account context the process ran under) e.g. AccountName, SID, etc.
Command line	processes.commandLine	string	The full process invocation commandline including all parameters.
Created date time	processes.createdDateTime	date-time	DateTime at which the parent process was started (UTC).
Integrity level	processes.integrityLevel	string	The integrity level of the process. Possible values are: unknown, untrusted, low, medium, high, system.
Is elevated	processes.isElevated	boolean	True if the process is elevated.
Name	processes.name	string	The name of the process Image file.
Parent process created date time	processes.parentProcessCreatedDateTime	date-time	Time at which the process was started (UTC).
Parent process ID	processes.parentProcessId	integer	The Process ID (PID) of the parent process.
Parent process name	processes.parentProcessName	string	The name of the image file of the parent process.
Path	processes.path	string	Full path, including filename.
Process Id	processes.processId	integer	The Process ID (PID) of the process.
Type	processes.fileHash.type	string	File hash type. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph, peSha1, peSha256.
Value	processes.fileHash.value	string	Value of the file hash.
Registry key states	registryKeyStates	array of object	Security-related stateful information generated by the provider about the registry keys related to this alert.
Process	registryKeyStates.process	string	Process ID (PID) of the process that modified the registry key (process details will appear in the alert "processes" collection).
Operation	registryKeyStates.operation	string	Operation that changed the registry key name and/or value (add, modify, delete).
Value Type	registryKeyStates.valueType	string	Registry key value type. Possible values are: unknown, binary, dword, dwordLittleEndian, dwordBigEndian, expandSz, link, multiSz, none, qword, qwordlittleEndian, sz.
Registry hive	registryKeyStates.hive	string	Windows registry hive. Possible values are: unknown, currentConfig, currentUser, localMachineSam, localMachineSamSoftware, localMachineSystem, usersDefault.
Key	registryKeyStates.key	string	Current (i.e. changed) registry key (excludes HIVE).
Value name	registryKeyStates.valueName	string	Current (i.e. changed) registry key value name.
Value data	registryKeyStates.valueData	string	Current (i.e. changed) registry key value data (contents).
Old key	registryKeyStates.oldKey	string	Previous (i.e. before changed) registry key (excludes HIVE).
Old value name	registryKeyStates.oldValueName	string	Previous (i.e. before changed) registry key value name.
Old value data	registryKeyStates.oldValueData	string	Previous (i.e. before changed) registry key value data (contents).
Triggers	triggers	array of object	Security-related information about the specific properties that triggered the alert (properties appearing in the alert). Alerts might contain information about multiple users, hosts, files, ip addresses. This field indicates which properties triggered the alert generation.
Name	triggers.name	string	Name of the property serving as a detection trigger.
Type	triggers.type	string	Type of the attribute in the key:value pair for interpretation, e.g. String, Boolean, etc.
Value	triggers.value	string	Value of the attribute serving as a detection trigger.
User states	userStates	array of object	Security-related stateful information generated by the provider about the logged-on user or users related to this alert.
Microsoft Entra ID user ID	userStates.aadUserId	string	Microsoft Entra ID User object identifier (GUID) - represents the physical/multi-account user entity.
Account name	userStates.accountName	string	Account name of user account (without Microsoft Entra ID Domain or DNS Domain) - (also called "mailNickName").
Domain name	userStates.domainName	string	NetBIOS/Microsoft Entra ID Domain of user account �(i.e. domain\account format).
Email role	userStates.emailRole	string	For email-related alerts - user account email role.
Is Vpn	userStates.isVpn	boolean	Indicates whether the user logged on through a VPN.
Logon date time	userStates.logonDateTime	date-time	Time at which the logon occurred (UTC).
Logon ID	userStates.logonId	string	User sign-in ID.
Logon IP	userStates.logonIp	string	IP Address the logon request orginated from.
Logon location	userStates.logonLocation	string	Location (by IP address mapping) associated with a user sign-in event by this user.
Logon type	userStates.logonType	string	Method of user sign in. Possible values are: unknown, interactive, remoteInteractive, network, batch, service.
On premises security identifier	userStates.onPremisesSecurityIdentifier	string	Microsoft Entra ID (on-premises) Security Identifier (SID) of the user.
Risk score	userStates.riskScore	string	Provider-generated/calculated risk score of the user account.
User account type	userStates.userAccountType	string	User account type (group membership), per Windows definition. Possible values are: unknown, standard, power, administrator.
User principal name	userStates.userPrincipalName	string	User sign-in name - internet format: @.
Vulnerability states	vulnerabilityStates	array of object	Threat intelligence pertaining to one or more vulnerabilities related to this alert.
Cve	vulnerabilityStates.cve	string	Common Vulnerabilities and Exposures (CVE) for the vulnerability.
Was running	vulnerabilityStates.wasRunning	boolean	Indicates whether the detected vulnerability (file) was running at the time of detection or was the file detected at rest on the disk.
Severity	vulnerabilityStates.severity	string	Base Common Vulnerability Scoring System (CVSS) severity score for this vulnerability.

Subscription

A single subscription entity returned

Name	Path	Type	Description
ID	id	string	Unique identifier for the subscription.
Resource	resource	string	Specifies the resource that will be monitored for changes.
Application Id	applicationId	string	Identifier of the application used to create the subscription.
Change type	changeType	string	Indicates the type of change in the subscribed resource that will raise a notification.
Client state	clientState	string	Specifies the value of the clientState property sent by the service in each notification. The maximum length is 128 characters. The client can check that the notification came from the service by comparing the value of the clientState property sent with the subscription with the value of the clientState property received with each notification.
Notification URL	notificationUrl	string	The URL of the endpoint that will receive the notifications. This URL must make use of the HTTPS protocol.
Expiration date time	expirationDateTime	string	Specifies the date and time when the webhook subscription expires (UTC).
Creator Id	creatorId	string	Identifier of the user or service principal that created the subscription. If the app used delegated permissions to create the subscription, this field contains the id of the signed-in user the app called on behalf of. If the app used application permissions, this field contains the id of the service principal corresponding to the app.

TiIndicator

A single TiIndicator entity returned

Name	Path	Type	Description
Action	action	string	The action to apply if the indicator is matched from within the targetProduct security tool. Values: (unknown, allow, block, alert).
Activity group names	activityGroupNames	array of string	The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator.
Additional information	additionalInformation	string	Extra data from the indicator not covered by the other tiIndicator properties may be placed
Azure Tenant ID	azureTenantId	string	The Microsoft Entra ID tenant id of submitting client.
Confidence	confidence	integer	Confidence of the detection logic (percentage between 0-100).
Description	description	string	TiIndicator description (100 charactes or less).
Diamond model	diamondModel	string	The area of the Diamond Model in which this indicator exists. Values: (unknown, adversary, capability, infrastructure, victim).
Expiration date time	expirationDateTime	date-time	Time at which the the Indicator expires (UTC).
External ID	externalId	string	An identification number that ties the indicator back to the indicator provider’s system (e.g. a foreign key).
ID	id	string	Created by the system when the indicator is ingested. Generated GUID/unique identifier.
Ingested date time	ingestedDateTime	date-time	Time at which the the Indicator is ingested (UTC).
Is active	isActive	boolean	By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system.
Kill chain	killChain	array of string	strings that describes which point or points on the Kill Chain this indicator targets. Values: (Actions, C2, Delivery, Exploitation, Installation, Reconnaissance, Weaponization).
Known false positives	knownFalsePositives	string	Scenarios in which the indicator may cause false positives.
Last reported date time	lastReportedDateTime	date-time	The last time the indicator was seen (UTC).
Malware family names	malwareFamilyNames	array of string	The malware family name associated with an indicator if it exists.
Passive Only	passiveOnly	boolean	Determines if the indicator should trigger an event that is visible to an end-user.
Severity	severity	integer	Severity of the malicious behavior identified by the data within the indicator. Values are from 0 – 5 with 5 being most severe. Default value is 3.
Tags	tags	array of string
Target Product	targetProduct	string	Single security product to which the indicator should be applied. Acceptable values are: Azure Sentinel, Microsoft Defender ATP.
Threat Type	threatType	string	Each indicator must have a valid Indicator Threat Type. Possible values are: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList.
Tlp level	tlpLevel	string	Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red.
Email encoding	emailEncoding	string	The type of text encoding used in the email.
Email language	emailLanguage	string	The language of the email.
Email recipient	emailRecipient	string	Recipient email address.
Email sender address	emailSenderAddress	string	Email address of the attacker|victim.
Email sender name	emailSenderName	string	Displayed name of the attacker|victim.
Email source domain	emailSourceDomain	string	Domain used in the email.
Email source Ip address	emailSourceIpAddress	string	Source IP address of email.
Email subject	emailSubject	string	Subject line of email.
Email XMailer	emailXMailer	string	X-Mailer value used in the email.
File compile date time	fileCompileDateTime	date-time	DateTime when the file was compiled.
File created date time	fileCreatedDateTime	date-time	DateTime when the file was created.
File hash type	fileHashType	string	The type of hash stored in fileHashValue. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph.
File hash value	fileHashValue	string	The file hash value.
File mutex name	fileMutexName	string	Mutex name used in file-based detections.
File name	fileName	string	Name of the file if the indicator is file-based.
File packer	filePacker	string	The packer used to build the file in question.
File path	filePath	string	Path of file indicating compromise. May be a Windows or *nix style path.
File size	fileSize	integer	Size of the file in bytes.
File type	fileType	string	Text description of the type of file. For example, “Word Document” or “Binary”.
Domain name	domainName	string	Domain name associated with this indicator.
Network cidr block	networkCidrBlock	string	CIDR Block notation representation of the network referenced in this indicator.
Network destination Asn	networkDestinationAsn	integer	The destination autonomous system identifier of the network referenced in the indicator.
Network destination cidr block	networkDestinationCidrBlock	string	CIDR Block notation representation of the destination network in this indicator.
Network destination IPv4	networkDestinationIPv4	string	IPv4 IP address destination.
Network destination IPv6	networkDestinationIPv6	string	IPv6 IP address destination.
Network destination port	networkDestinationPort	integer	TCP port destination.
Network IPv4	networkIPv4	string	IPv4 IP address.
Network IPv6	networkIPv6	string	IPv6 IP address.
Network port	networkPort	integer	TCP port.
Network protocol	networkProtocol	integer	Decimal representation of the protocol field in the IPv4 header.
Network source Asn	networkSourceAsn	integer	The source autonomous system identifier of the network referenced in the indicator.
Network source cidr block	networkSourceCidrBlock	string	CIDR Block notation representation of the source network in this indicator.
Network source IPv4	networkSourceIPv4	string	IPv4 IP address source.
Network destination IPv6	networkSourceIPv6	string	IPv6 IP address source.
Network source port	networkSourcePort	integer	TCP port source.
Url	url	string	Uniform Resource Locator.
User agent	userAgent	string	User-Agent string from a web request that could indicate compromise.