# threat_intelligence_indicators

Creates, updates, deletes, gets or lists a `threat_intelligence_indicators` resource.

## Overview

Name | threat_intelligence_indicators |
---|---|
Type | Resource |
Id | azure.sentinel.threat_intelligence_indicators |
## Fields

The following fields are returned by `SELECT` queries (the `get` and `list` methods return the same fields):

Name | Datatype | Description |
---|---|---|
etag | string | Etag of the azure resource |
kind | string | The kind of the entity. |
## Methods

The following methods are available for this resource:

Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
get | select | subscriptionId, resourceGroupName, workspaceName, name | | View a threat intelligence indicator by name. |
list | select | subscriptionId, resourceGroupName, workspaceName | $filter, $top, $skipToken, $orderby | Get all threat intelligence indicators. |
create | insert | subscriptionId, resourceGroupName, workspaceName, name | | Update a threat intelligence indicator. |
delete | delete | subscriptionId, resourceGroupName, workspaceName, name | | Delete a threat intelligence indicator. |
query_indicators | exec | subscriptionId, resourceGroupName, workspaceName | | Query threat intelligence indicators as per filtering criteria. |
append_tags | exec | subscriptionId, resourceGroupName, workspaceName, name | | Append tags to a threat intelligence indicator. |
## Parameters

Parameters can be passed in the `WHERE` clause of a query. Check the Methods section to see which parameters are required or optional for each operation.

Name | Datatype | Description |
---|---|---|
name | string | Threat intelligence indicator name field. |
resourceGroupName | string | The name of the resource group. The name is case insensitive. |
subscriptionId | string | The ID of the target subscription. |
workspaceName | string | The name of the workspace. |
$filter | string | Filters the results, based on a Boolean condition. Optional. |
$orderby | string | Sorts the results. Optional. |
$skipToken | string | Only used if a previous operation returned a partial result. If a previous response contains a `nextLink` element, its value includes a `skiptoken` parameter that specifies the starting point for subsequent calls. Optional. |
$top | integer (int32) | Returns only the first n results. Optional. |
## SELECT examples

- get
- list

View a threat intelligence indicator by name.

```sql
SELECT
etag,
kind
FROM azure.sentinel.threat_intelligence_indicators
WHERE subscriptionId = '{{ subscriptionId }}' -- required
AND resourceGroupName = '{{ resourceGroupName }}' -- required
AND workspaceName = '{{ workspaceName }}' -- required
AND name = '{{ name }}' -- required
;
```

Get all threat intelligence indicators.

```sql
SELECT
etag,
kind
FROM azure.sentinel.threat_intelligence_indicators
WHERE subscriptionId = '{{ subscriptionId }}' -- required
AND resourceGroupName = '{{ resourceGroupName }}' -- required
AND workspaceName = '{{ workspaceName }}' -- required
AND $filter = '{{ $filter }}'
AND $top = '{{ $top }}'
AND $skipToken = '{{ $skipToken }}'
AND $orderby = '{{ $orderby }}'
;
```
## INSERT examples

- create
- Manifest

Update a threat intelligence indicator.

```sql
INSERT INTO azure.sentinel.threat_intelligence_indicators (
data__kind,
data__properties,
subscriptionId,
resourceGroupName,
workspaceName,
name
)
SELECT
'{{ kind }}',
'{{ properties }}',
'{{ subscriptionId }}',
'{{ resourceGroupName }}',
'{{ workspaceName }}',
'{{ name }}'
RETURNING
etag,
kind
;
```

Manifest for the same `create` operation:

```yaml
# Description fields are for documentation purposes
- name: threat_intelligence_indicators
  props:
    - name: subscriptionId
      value: string
      description: Required parameter for the threat_intelligence_indicators resource.
    - name: resourceGroupName
      value: string
      description: Required parameter for the threat_intelligence_indicators resource.
    - name: workspaceName
      value: string
      description: Required parameter for the threat_intelligence_indicators resource.
    - name: name
      value: string
      description: Required parameter for the threat_intelligence_indicators resource.
    - name: kind
      value: string
      description: |
        The kind of the entity.
      valid_values: ['indicator']
    - name: properties
      value: object
      description: |
        Threat Intelligence Entity properties
```
## DELETE examples

- delete

Delete a threat intelligence indicator.

```sql
DELETE FROM azure.sentinel.threat_intelligence_indicators
WHERE subscriptionId = '{{ subscriptionId }}' -- required
AND resourceGroupName = '{{ resourceGroupName }}' -- required
AND workspaceName = '{{ workspaceName }}' -- required
AND name = '{{ name }}' -- required
;
```
## Lifecycle Methods

- query_indicators
- append_tags

Query threat intelligence indicators as per filtering criteria. (The parameter separators are placed before the `--` comments so they are not commented out.)

```sql
EXEC azure.sentinel.threat_intelligence_indicators.query_indicators
@subscriptionId='{{ subscriptionId }}', -- required
@resourceGroupName='{{ resourceGroupName }}', -- required
@workspaceName='{{ workspaceName }}' -- required
@@json=
'{
"pageSize": {{ pageSize }},
"minConfidence": {{ minConfidence }},
"maxConfidence": {{ maxConfidence }},
"minValidUntil": "{{ minValidUntil }}",
"maxValidUntil": "{{ maxValidUntil }}",
"includeDisabled": {{ includeDisabled }},
"sortBy": "{{ sortBy }}",
"sources": "{{ sources }}",
"patternTypes": "{{ patternTypes }}",
"threatTypes": "{{ threatTypes }}",
"ids": "{{ ids }}",
"keywords": "{{ keywords }}",
"skipToken": "{{ skipToken }}"
}'
;
```
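The `query_indicators` template above leaves every criterion as a placeholder, and the `@@json` body is spliced into a single-quoted SQL literal. The following Python is an added example (not StackQL's or Microsoft's code): it builds a concrete filtering body, checks the bounds a caller can get wrong (confidence range, page size, timezone-aware validity dates, `sortBy` entries) and inlines the body into the `EXEC` statement with single quotes doubled so a user-supplied keyword or id cannot end the literal early. The array shapes of `sortBy`, `sources`, `patternTypes`, `threatTypes`, `ids` and `keywords`, the `lastUpdatedTimeUtc` sort key, the conservative Azure name pattern and the `''` escaping are assumptions not stated on this page; the subscription id and names in the usage are constructed.

```python
import json
import re
import uuid
from datetime import datetime, timezone

SORT_ORDERS = {"ascending", "descending", "unsorted"}  # assumed API values
# Conservative ASCII check for resource group / workspace names (assumption).
_NAME_RE = re.compile(r"^[A-Za-z0-9._()-]{1,90}$")


def _iso_utc(dt):
    """Serialize a timezone-aware datetime in the UTC ISO-8601 form the API expects."""
    if dt.tzinfo is None:
        raise ValueError("validUntil bounds must be timezone-aware datetimes")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_filtering_criteria(*, page_size=100, min_confidence=0, max_confidence=100,
                             min_valid_until=None, max_valid_until=None,
                             include_disabled=False, sort_by=None, sources=(),
                             pattern_types=(), threat_types=(), ids=(), keywords=(),
                             skip_token=None):
    """Return the dict sent as the @@json body of query_indicators."""
    if not 0 <= min_confidence <= max_confidence <= 100:
        raise ValueError("confidence bounds must satisfy 0 <= min <= max <= 100")
    if page_size < 1:
        raise ValueError("pageSize must be a positive integer")
    if min_valid_until and max_valid_until and min_valid_until > max_valid_until:
        raise ValueError("minValidUntil must not be after maxValidUntil")
    for entry in sort_by or ():
        if not entry.get("itemKey") or entry.get("sortOrder") not in SORT_ORDERS:
            raise ValueError(f"bad sortBy entry: {entry!r}")

    body = {
        "pageSize": page_size,
        "minConfidence": min_confidence,
        "maxConfidence": max_confidence,
        "includeDisabled": bool(include_disabled),
        # List-typed criteria are sent as JSON arrays (assumed API shape).
        "sources": list(sources),
        "patternTypes": list(pattern_types),
        "threatTypes": list(threat_types),
        "ids": list(ids),
        "keywords": list(keywords),
    }
    # Optional criteria are omitted rather than sent as empty strings.
    if min_valid_until is not None:
        body["minValidUntil"] = _iso_utc(min_valid_until)
    if max_valid_until is not None:
        body["maxValidUntil"] = _iso_utc(max_valid_until)
    if sort_by:
        body["sortBy"] = list(sort_by)
    if skip_token:
        body["skipToken"] = skip_token
    return body


def render_query_indicators(subscription_id, resource_group_name, workspace_name, criteria):
    """Render the EXEC statement with the body inlined as a single-quoted SQL literal."""
    uuid.UUID(subscription_id)  # raises ValueError on a malformed subscription id
    for value in (resource_group_name, workspace_name):
        if not _NAME_RE.match(value):
            raise ValueError(f"refusing to inline suspicious name: {value!r}")
    # Doubling single quotes keeps caller-influenced strings (keywords, ids)
    # inside the literal instead of terminating it (assumes standard SQL '' escaping).
    body = json.dumps(criteria, separators=(",", ":")).replace("'", "''")
    return (
        "EXEC azure.sentinel.threat_intelligence_indicators.query_indicators\n"
        f"@subscriptionId='{subscription_id}',\n"
        f"@resourceGroupName='{resource_group_name}',\n"
        f"@workspaceName='{workspace_name}'\n"
        f"@@json='{body}';"
    )


if __name__ == "__main__":
    # Constructed values: high-confidence, still-valid network indicators.
    crit = build_filtering_criteria(
        min_confidence=50,
        min_valid_until=datetime(2025, 1, 1, tzinfo=timezone.utc),
        pattern_types=["ipv4-addr", "domain-name"],
        keywords=["o'reilly"],  # constructed keyword demonstrating quote escaping
        sort_by=[{"itemKey": "lastUpdatedTimeUtc", "sortOrder": "descending"}],
    )
    print(render_query_indicators(
        "00000000-0000-0000-0000-000000000000", "rg-sec", "law-sentinel", crit))
```

Run the module directly to print the rendered statement; `build_filtering_criteria` raises `ValueError` on out-of-range bounds so a bad filter is rejected before anything is sent to the workspace.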
Append tags to a threat intelligence indicator.

```sql
EXEC azure.sentinel.threat_intelligence_indicators.append_tags
@subscriptionId='{{ subscriptionId }}', -- required
@resourceGroupName='{{ resourceGroupName }}', -- required
@workspaceName='{{ workspaceName }}', -- required
@name='{{ name }}' -- required
@@json=
'{
"threatIntelligenceTags": "{{ threatIntelligenceTags }}"
}'
;
```