List Indicators

Get all threat intelligence indicators.

External Documentation

To learn more, visit the Microsoft Sentinel documentation.

Basic Parameters

Parameter	Description
Resource Group Name	The name of the resource group. The name is case insensitive.
Subscription ID	The ID of the target subscription.
Workspace Name	The name of the workspace.

Advanced Parameters

Parameter	Description
Filter	Filters the results, based on a Boolean condition.
Order By	Sorts the results.
Skip Token	Specifies a starting point to show results from, this token is received in case that the previous request returned a partial result.
Top	Return Only the first `n` results.

Example Output

{
	"value": [
		{
			"id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/27d963e6-e6e4-e0f9-e9d7-c53985b3bbe8",
			"name": "27d963e6-e6e4-e0f9-e9d7-c53985b3bbe8",
			"etag": "\"00002f2c-0000-0800-0000-5e976a8e0000\"",
			"type": "Microsoft.SecurityInsights/ThreatIntelligence",
			"kind": "indicator",
			"properties": {
				"confidence": 90,
				"created": "2020-04-15T20:11:57.9666134Z",
				"createdByRef": "contoso@contoso.com",
				"externalId": "indicator--8516d567-0daa-4614-8745-e3591e1b48cf",
				"externalReferences": [],
				"granularMarkings": [],
				"lastUpdatedTimeUtc": "2020-04-15T20:15:11.0746926Z",
				"revoked": false,
				"source": "Azure Sentinel",
				"threatIntelligenceTags": [
					"new schema"
				],
				"displayName": "new schema 2",
				"description": "debugging indicators",
				"threatTypes": [
					"compromised"
				],
				"killChainPhases": [],
				"pattern": "[url:value = 'https://www.contoso.com']",
				"patternType": "url",
				"validFrom": "2020-04-15T17:44:00.114052Z"
			}
		},
		{
			"id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/e16ef847-962e-d7b6-9c8b-a33e4bd30e47",
			"name": "e16ef847-962e-d7b6-9c8b-a33e4bd30e47",
			"etag": "\"00002a2c-0000-0800-0000-5e97683b0000\"",
			"type": "Microsoft.SecurityInsights/ThreatIntelligence",
			"kind": "indicator",
			"properties": {
				"confidence": 78,
				"created": "2020-04-15T19:51:17.1050923Z",
				"createdByRef": "contoso@contoso.com",
				"externalId": "indicator--73be1729-babb-4348-a6c4-94621cae2530",
				"externalReferences": [],
				"granularMarkings": [],
				"lastUpdatedTimeUtc": "2020-04-15T20:15:11.074903Z",
				"revoked": false,
				"source": "Azure Sentinel",
				"threatIntelligenceTags": [
					"patching tags"
				],
				"displayName": "updated indicator",
				"description": "debugging indicators",
				"threatTypes": [
					"compromised"
				],
				"killChainPhases": [],
				"pattern": "[url:value = 'https://www.contoso.com']",
				"patternType": "url",
				"validFrom": "2020-04-15T17:44:00.114052Z"
			}
		}
	]
}

Workflow Library Example

List Indicators with Microsoft Sentinel and Send Results Via Email

Preview this Workflow on desktop

On this page

Basic Parameters
Advanced Parameters
Example Output
Workflow Library Example

Get all threat intelligence indicators.

External Documentation

To learn more, visit the Microsoft Sentinel documentation.

Basic Parameters

Parameter	Description
Resource Group Name	The name of the resource group. The name is case insensitive.
Subscription ID	The ID of the target subscription.
Workspace Name	The name of the workspace.

Advanced Parameters

Parameter	Description
Filter	Filters the results, based on a Boolean condition.
Order By	Sorts the results.
Skip Token	Specifies a starting point to show results from, this token is received in case that the previous request returned a partial result.
Top	Return Only the first `n` results.

Example Output

{
	"value": [
		{
			"id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/27d963e6-e6e4-e0f9-e9d7-c53985b3bbe8",
			"name": "27d963e6-e6e4-e0f9-e9d7-c53985b3bbe8",
			"etag": "\"00002f2c-0000-0800-0000-5e976a8e0000\"",
			"type": "Microsoft.SecurityInsights/ThreatIntelligence",
			"kind": "indicator",
			"properties": {
				"confidence": 90,
				"created": "2020-04-15T20:11:57.9666134Z",
				"createdByRef": "contoso@contoso.com",
				"externalId": "indicator--8516d567-0daa-4614-8745-e3591e1b48cf",
				"externalReferences": [],
				"granularMarkings": [],
				"lastUpdatedTimeUtc": "2020-04-15T20:15:11.0746926Z",
				"revoked": false,
				"source": "Azure Sentinel",
				"threatIntelligenceTags": [
					"new schema"
				],
				"displayName": "new schema 2",
				"description": "debugging indicators",
				"threatTypes": [
					"compromised"
				],
				"killChainPhases": [],
				"pattern": "[url:value = 'https://www.contoso.com']",
				"patternType": "url",
				"validFrom": "2020-04-15T17:44:00.114052Z"
			}
		},
		{
			"id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/e16ef847-962e-d7b6-9c8b-a33e4bd30e47",
			"name": "e16ef847-962e-d7b6-9c8b-a33e4bd30e47",
			"etag": "\"00002a2c-0000-0800-0000-5e97683b0000\"",
			"type": "Microsoft.SecurityInsights/ThreatIntelligence",
			"kind": "indicator",
			"properties": {
				"confidence": 78,
				"created": "2020-04-15T19:51:17.1050923Z",
				"createdByRef": "contoso@contoso.com",
				"externalId": "indicator--73be1729-babb-4348-a6c4-94621cae2530",
				"externalReferences": [],
				"granularMarkings": [],
				"lastUpdatedTimeUtc": "2020-04-15T20:15:11.074903Z",
				"revoked": false,
				"source": "Azure Sentinel",
				"threatIntelligenceTags": [
					"patching tags"
				],
				"displayName": "updated indicator",
				"description": "debugging indicators",
				"threatTypes": [
					"compromised"
				],
				"killChainPhases": [],
				"pattern": "[url:value = 'https://www.contoso.com']",
				"patternType": "url",
				"validFrom": "2020-04-15T17:44:00.114052Z"
			}
		}
	]
}

Workflow Library Example

List Indicators with Microsoft Sentinel and Send Results Via Email

Preview this Workflow on desktop

On this page

Basic Parameters
Advanced Parameters
Example Output
Workflow Library Example

Basic Parameters

Advanced Parameters

Example Output

Workflow Library Example

Case Management

Automated Case Management

Case Management Dashboard

Case Management Interface

Triggers & Actions

Case Management Settings

List Indicators

Basic Parameters

Advanced Parameters

Example Output

Workflow Library Example

​Basic Parameters

​Advanced Parameters

​Example Output

​Workflow Library Example

Case Management

Automated Case Management

Case Management Dashboard

Case Management Interface

Triggers & Actions

Case Management Settings

​Basic Parameters

​Advanced Parameters

​Example Output

​Workflow Library Example

Basic Parameters

Advanced Parameters

Example Output

Workflow Library Example

Basic Parameters

Advanced Parameters

Example Output

Workflow Library Example