Get all threat intelligence indicators.

External Documentation

To learn more, visit the Microsoft Sentinel documentation.

Basic Parameters

ParameterDescription
Resource Group NameThe name of the resource group. The name is case insensitive.
Subscription IDThe ID of the target subscription.
Workspace NameThe name of the workspace.

Advanced Parameters

ParameterDescription
FilterFilters the results, based on a Boolean condition.
Order BySorts the results.
Skip TokenSpecifies a starting point to show results from, this token is received in case that the previous request returned a partial result.
TopReturn Only the first n results.

Example Output

{
	"value": [
		{
			"id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/27d963e6-e6e4-e0f9-e9d7-c53985b3bbe8",
			"name": "27d963e6-e6e4-e0f9-e9d7-c53985b3bbe8",
			"etag": "\"00002f2c-0000-0800-0000-5e976a8e0000\"",
			"type": "Microsoft.SecurityInsights/ThreatIntelligence",
			"kind": "indicator",
			"properties": {
				"confidence": 90,
				"created": "2020-04-15T20:11:57.9666134Z",
				"createdByRef": "contoso@contoso.com",
				"externalId": "indicator--8516d567-0daa-4614-8745-e3591e1b48cf",
				"externalReferences": [],
				"granularMarkings": [],
				"lastUpdatedTimeUtc": "2020-04-15T20:15:11.0746926Z",
				"revoked": false,
				"source": "Azure Sentinel",
				"threatIntelligenceTags": [
					"new schema"
				],
				"displayName": "new schema 2",
				"description": "debugging indicators",
				"threatTypes": [
					"compromised"
				],
				"killChainPhases": [],
				"pattern": "[url:value = 'https://www.contoso.com']",
				"patternType": "url",
				"validFrom": "2020-04-15T17:44:00.114052Z"
			}
		},
		{
			"id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/e16ef847-962e-d7b6-9c8b-a33e4bd30e47",
			"name": "e16ef847-962e-d7b6-9c8b-a33e4bd30e47",
			"etag": "\"00002a2c-0000-0800-0000-5e97683b0000\"",
			"type": "Microsoft.SecurityInsights/ThreatIntelligence",
			"kind": "indicator",
			"properties": {
				"confidence": 78,
				"created": "2020-04-15T19:51:17.1050923Z",
				"createdByRef": "contoso@contoso.com",
				"externalId": "indicator--73be1729-babb-4348-a6c4-94621cae2530",
				"externalReferences": [],
				"granularMarkings": [],
				"lastUpdatedTimeUtc": "2020-04-15T20:15:11.074903Z",
				"revoked": false,
				"source": "Azure Sentinel",
				"threatIntelligenceTags": [
					"patching tags"
				],
				"displayName": "updated indicator",
				"description": "debugging indicators",
				"threatTypes": [
					"compromised"
				],
				"killChainPhases": [],
				"pattern": "[url:value = 'https://www.contoso.com']",
				"patternType": "url",
				"validFrom": "2020-04-15T17:44:00.114052Z"
			}
		}
	]
}

Workflow Library Example

List Indicators with Microsoft Sentinel and Send Results Via Email

Preview this Workflow on desktop