Skip to main content
Create a new threat intelligence indicator.
External DocumentationTo learn more, visit the Microsoft Sentinel documentation.

Basic Parameters

ParameterDescription
PatternThe pattern of the indicator.

Example: [url:value = 'https://www.contoso.com'].

Note: the pattern must be unique.
Pattern TypeThe pattern type of the indicator.

Example: url.
Resource Group NameThe name of the resource group. The name is case insensitive.
SourceThe source of the indicator.
Subscription IDThe ID of the target subscription.
Workspace NameThe name of the workspace.

Advanced Parameters

ParameterDescription
ConfidenceThe confidence of the indicator.
DefangedIs the indicator defanged.
DescriptionThe description of the indicator.
Display NameThe display name of the indicator.
EtagThe Etag of the azure resource.
ExtensionsExtensions map.
External IDThe external ID of the indicator.
External Last Updated Time UTCExternal last updated time in UTC.
External ReferencesA JSON list of references objects.

Example: 
[
  {
    “description”: “The description”,
    “externalId”: “ABCD1234”,
    “hashes”: {},
    “sourceName”: “SourceName1”,
    “url”: “https://www.example.com
  },
  {
    “description”: “The description”,
    “externalId”: “EFGH5678”,
    “hashes”: {},
    “sourceName”: “SourceName2”,
    “url”: “https://www.example.com
  }
]
Granular MarkingsA JSON list of granular markings objects.

Example:
[
  {
    “language”: “Hebrew”,
    “markingRef”: 12,
    “selectors”: [“a1”,“b2”]
  },
  {
    “language”: “English”,
    “markingRef”: 32,
    “selectors”: [“a1”,“b2”]
  }
]
Indicator TagsA comma-separated list of indicator tags.
Indicator TypesA comma-separated list of indicator types.
Kill Chain PhasesA JSON list of kill chain phases objects.

Example:
[
  {
    “killChainName”: “Kill Chain Name”,
    “phaseName”: “Phase Name”
  },
  {
    “killChainName”: “Kill Chain Name”,
    “phaseName”: “Phase Name”
  }
]
LabelsA comma-Separated list of labels.
LanguageThe language of the indicator.
Parsed PatternList of parsed patterns.

Example:
[
  {
    “patternTypeKey”: “TheKey”,
    “patternTypeValues” : [{“value”: “The Value1”, “valueType”: “Type of the value”},{“value”: “The Value1”, “valueType”: “Type of the value”}]
  },
  {
    “patternTypeKey”: “TheKey”,
    “patternTypeValues” : [{“value”: “The Value1”, “valueType”: “Type of the value”},{“value”: “The Value1”, “valueType”: “Type of the value”}]
  }
]
Pattern VersionThe pattern version of the indicator.
Threat TypesA comma-separated list of threat types.
Valid FromValid from.
Valid UntilValid until.

Example Output

{
	"id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/180105c7-a28d-b1a2-4a78-234f6ec80fd6",
	"name": "180105c7-a28d-b1a2-4a78-234f6ec80fd6",
	"etag": "\"0000322c-0000-0800-0000-5e976c960000\"",
	"type": "Microsoft.SecurityInsights/ThreatIntelligence",
	"kind": "indicator",
	"properties": {
		"confidence": 78,
		"created": "2020-04-15T20:20:38.6160949Z",
		"defanged": false,
		"extensions": {
			"sentinel-ext": {
				"severity": null
			}
		},
		"externalId": "indicator--a2b6a95e-2108-4a38-bd49-ef95811bbcd7",
		"externalLastUpdatedTimeUtc": "2023-09-01T13:44:57",
		"labels": [
			"<string>"
		],
		"language": "<string>",
		"lastUpdatedTimeUtc": "2020-04-15T20:20:38.6161887Z",
		"source": "Azure Sentinel",
		"threatIntelligenceTags": [
			"new schema"
		],
		"displayName": "new schema",
		"description": "debugging indicators",
		"parsedPattern": [
			{
				"patternTypeKey": "<string>",
				"patternTypeValues": [
					{
						"valueType": "<string>",
						"value": "<string>"
					}
				]
			}
		],
		"pattern": "[url:value = 'https://www.contoso.com']",
		"patternType": "url",
		"validFrom": "2020-04-15T17:44:00.114052Z",
		"validUntil": "2020-12-18T03:14:18"
	}
}

Workflow Library Example

Create Indicator with Microsoft Sentinel and Send Results Via Email
Workflow LibraryPreview this Workflow on desktop