Create a new threat intelligence indicator in a Microsoft Sentinel workspace.
Basic Parameters
| Parameter | Description |
|---|---|
| Pattern | The STIX pattern of the indicator. Example: [url:value = 'https://www.contoso.com']. Note: the pattern must be unique. |
| Pattern Type | The pattern type of the indicator. Example: url. |
| Resource Group Name | The name of the resource group that contains the workspace. The name is case insensitive. |
| Source | The source of the indicator. |
| Subscription ID | The ID of the target subscription. |
| Workspace Name | The name of the Microsoft Sentinel workspace. |
Advanced Parameters
| Parameter | Description |
|---|---|
| Confidence | The confidence of the indicator, as an integer from 0 to 100. |
| Defanged | Whether the indicator is defanged (true/false). |
| Description | The description of the indicator. |
| Display Name | The display name of the indicator. |
| Etag | The ETag of the Azure resource. |
| Extensions | A JSON map of extensions (see sentinel-ext in the example output). |
| External ID | The external ID of the indicator. |
| External Last Updated Time UTC | The time the indicator was last updated at its external source, in UTC. |
| External References | A JSON list of external reference objects.<br>Example:<br>[ { "description": "The description", "externalId": "ABCD1234", "hashes": {}, "sourceName": "SourceName1", "url": "https://www.example.com" }, { "description": "The description", "externalId": "EFGH5678", "hashes": {}, "sourceName": "SourceName2", "url": "https://www.example.com" } ] |
| Granular Markings | A JSON list of granular marking objects.<br>Example:<br>[ { "language": "Hebrew", "markingRef": 12, "selectors": ["a1", "b2"] }, { "language": "English", "markingRef": 32, "selectors": ["a1", "b2"] } ] |
| Indicator Tags | A comma-separated list of indicator tags. |
| Indicator Types | A comma-separated list of indicator types. |
| Kill Chain Phases | A JSON list of kill chain phase objects.<br>Example:<br>[ { "killChainName": "Kill Chain Name", "phaseName": "Phase Name" }, { "killChainName": "Kill Chain Name", "phaseName": "Phase Name" } ] |
| Labels | A comma-separated list of labels. |
| Language | The language of the indicator. |
| Parsed Pattern | A JSON list of parsed pattern objects.<br>Example:<br>[ { "patternTypeKey": "TheKey", "patternTypeValues": [ { "value": "The Value1", "valueType": "Type of the value" }, { "value": "The Value1", "valueType": "Type of the value" } ] }, { "patternTypeKey": "TheKey", "patternTypeValues": [ { "value": "The Value1", "valueType": "Type of the value" }, { "value": "The Value1", "valueType": "Type of the value" } ] } ] |
| Pattern Version | The pattern version of the indicator. |
| Threat Types | A comma-separated list of threat types. |
| Valid From | The time from which the indicator is considered valid, as an ISO 8601 UTC timestamp (for example 2020-04-15T17:44:00Z). |
| Valid Until | The time after which the indicator is no longer considered valid, as an ISO 8601 UTC timestamp. It should be later than Valid From. |
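The parameters above map onto the body of a Sentinel threat-intelligence indicator, and the Pattern value has to be a well-formed STIX pattern that is unique. The following is an added example, not code from Blink or Microsoft, showing how to assemble that body from a raw observable before handing it to the action: it refangs common defanging (hxxp, [.]), checks that the value matches the chosen Pattern Type, escapes quotes in the STIX string literal, enforces the 0..100 confidence range and a positive validity window, and rejects a pattern that already exists. The set of pattern types in STIX_PROPERTY, the helper names, and the threatTypes key are assumptions; the other property names follow the example output on this page.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Added example; not Blink's or Microsoft's own code.
# STIX 2.1 object property used for each pattern type. The set of types is an
# assumption; the page itself only shows "url".
STIX_PROPERTY = {
    "url": "url:value",
    "domain-name": "domain-name:value",
    "ipv4-addr": "ipv4-addr:value",
    "ipv6-addr": "ipv6-addr:value",
    "file": "file:hashes.'SHA-256'",
}

# Loose shape checks so a value that does not fit the chosen Pattern Type is
# rejected locally instead of producing a useless indicator.
VALUE_SHAPE = {
    "url": re.compile(r"^[a-z][a-z0-9+.-]*://\S+$", re.I),
    "domain-name": re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I),
    "ipv4-addr": re.compile(r"^(\d{1,3}\.){3}\d{1,3}$"),
    "ipv6-addr": re.compile(r"^[0-9a-f:]+$", re.I),
    "file": re.compile(r"^[0-9a-f]{64}$", re.I),
}


def refang(value: str) -> str:
    """Undo common defanging (hxxp, [.], [:]) so the stored pattern is the live observable."""
    v = value.strip()
    v = re.sub(r"^hxxp", "http", v, flags=re.I)  # also turns hxxps into https
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[://]", "://")):
        v = v.replace(defanged, real)
    return v


def value_matches_type(pattern_type: str, value: str) -> bool:
    """True when the value has the shape expected for the given Pattern Type."""
    rx = VALUE_SHAPE.get(pattern_type)
    if rx is None or not rx.match(value):
        return False
    if pattern_type == "ipv4-addr":
        return all(0 <= int(octet) <= 255 for octet in value.split("."))
    return True


def build_pattern(pattern_type: str, value: str) -> str:
    """Return the STIX pattern, e.g. [url:value = 'https://www.contoso.com']."""
    if not value_matches_type(pattern_type, value):
        raise ValueError(f"{value!r} is not a valid {pattern_type}")
    # STIX string literals are single-quoted; escape backslashes and embedded quotes
    literal = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"[{STIX_PROPERTY[pattern_type]} = '{literal}']"


def is_duplicate(pattern: str, existing_patterns) -> bool:
    """The action requires the pattern to be unique; compare against known patterns."""
    return pattern in set(existing_patterns)


def to_utc(ts: datetime) -> str:
    """Format an aware datetime as the Z-suffixed UTC timestamp Sentinel returns."""
    return ts.astimezone(timezone.utc).replace(microsecond=0).isoformat().replace("+00:00", "Z")


def build_indicator(pattern_type, value, source, *, confidence=50, valid_days=90,
                    valid_from=None, threat_types=(), tags=(), display_name=None,
                    description=None, existing_patterns=()):
    """Assemble the create-indicator body; property names follow the page's example output."""
    if not 0 <= int(confidence) <= 100:
        raise ValueError("confidence must be between 0 and 100")
    if valid_days <= 0:
        raise ValueError("validUntil must be later than validFrom")
    pattern = build_pattern(pattern_type, refang(value))
    if is_duplicate(pattern, existing_patterns):
        raise ValueError(f"pattern already exists: {pattern}")
    # valid_from is an ISO 8601 string with an explicit offset, e.g. 2020-04-15T17:44:00+00:00
    start = datetime.fromisoformat(valid_from) if valid_from else datetime.now(timezone.utc)
    props = {
        "pattern": pattern,
        "patternType": pattern_type,
        "source": source,
        "confidence": int(confidence),
        "defanged": False,  # refang() normalised the value, so the stored pattern is live
        "validFrom": to_utc(start),
        "validUntil": to_utc(start + timedelta(days=valid_days)),
        "threatTypes": list(threat_types),  # assumed key for the Threat Types parameter
        "threatIntelligenceTags": list(tags),
        "displayName": display_name or pattern,
        "description": description or f"Imported from {source}",
    }
    return {"kind": "indicator", "properties": props}


if __name__ == "__main__":
    # Constructed sample input: a defanged phishing URL as it would arrive from an analyst
    body = build_indicator("url", "hxxps://www.contoso[.]com/login", "Azure Sentinel",
                           confidence=78, valid_days=30, threat_types=["phishing"],
                           tags=["new schema"])
    print(json.dumps(body, indent=2))
```

The defanged flag is always set to false here because the value is refanged before the pattern is built; if you want to store indicators exactly as received, skip refang() and pass the Defanged parameter through instead. The duplicate check only protects against patterns you already know about, so on a shared workspace treat it as a pre-flight check rather than a guarantee.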
Example Output
```json
{
  "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/180105c7-a28d-b1a2-4a78-234f6ec80fd6",
  "name": "180105c7-a28d-b1a2-4a78-234f6ec80fd6",
  "etag": "\"0000322c-0000-0800-0000-5e976c960000\"",
  "type": "Microsoft.SecurityInsights/ThreatIntelligence",
  "kind": "indicator",
  "properties": {
    "confidence": 78,
    "created": "2020-04-15T20:20:38.6160949Z",
    "defanged": false,
    "extensions": {
      "sentinel-ext": {
        "severity": null
      }
    },
    "externalId": "indicator--a2b6a95e-2108-4a38-bd49-ef95811bbcd7",
    "externalLastUpdatedTimeUtc": "2023-09-01T13:44:57",
    "labels": [
      "<string>"
    ],
    "language": "<string>",
    "lastUpdatedTimeUtc": "2020-04-15T20:20:38.6161887Z",
    "source": "Azure Sentinel",
    "threatIntelligenceTags": [
      "new schema"
    ],
    "displayName": "new schema",
    "description": "debugging indicators",
    "parsedPattern": [
      {
        "patternTypeKey": "<string>",
        "patternTypeValues": [
          {
            "valueType": "<string>",
            "value": "<string>"
          }
        ]
      }
    ],
    "pattern": "[url:value = 'https://www.contoso.com']",
    "patternType": "url",
    "validFrom": "2020-04-15T17:44:00.114052Z",
    "validUntil": "2020-12-18T03:14:18"
  }
}
```
Workflow Library Example
Create Indicator with Microsoft Sentinel and Send Results Via Email