List Indicators
Get all threat intelligence indicators.
External Documentation
To learn more, visit the Microsoft Sentinel documentation.
Basic Parameters
Parameter | Description |
---|---|
Resource Group Name | The name of the resource group. The name is case insensitive. |
Subscription ID | The ID of the target subscription. |
Workspace Name | The name of the workspace. Use the Log Analytics List Workspaces action to get workspace names. |
Advanced Parameters
Parameter | Description |
---|---|
Filter | Filters the results, based on a Boolean condition. |
Order By | Sorts the results. |
Skip Token | Skip token is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skip token parameter that specifies a starting point to use for subsequent calls. |
Top | Returns only the first n results. |
Example Output
{
  "value": [
    {
      "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/27d963e6-e6e4-e0f9-e9d7-c53985b3bbe8",
      "name": "27d963e6-e6e4-e0f9-e9d7-c53985b3bbe8",
      "etag": "\"00002f2c-0000-0800-0000-5e976a8e0000\"",
      "type": "Microsoft.SecurityInsights/ThreatIntelligence",
      "kind": "indicator",
      "properties": {
        "confidence": 90,
        "created": "2020-04-15T20:11:57.9666134Z",
        "createdByRef": "contoso@contoso.com",
        "externalId": "indicator--8516d567-0daa-4614-8745-e3591e1b48cf",
        "externalReferences": [],
        "granularMarkings": [],
        "lastUpdatedTimeUtc": "2020-04-15T20:15:11.0746926Z",
        "revoked": false,
        "source": "Azure Sentinel",
        "threatIntelligenceTags": [
          "new schema"
        ],
        "displayName": "new schema 2",
        "description": "debugging indicators",
        "threatTypes": [
          "compromised"
        ],
        "killChainPhases": [],
        "pattern": "[url:value = 'https://www.contoso.com']",
        "patternType": "url",
        "validFrom": "2020-04-15T17:44:00.114052Z"
      }
    },
    {
      "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/e16ef847-962e-d7b6-9c8b-a33e4bd30e47",
      "name": "e16ef847-962e-d7b6-9c8b-a33e4bd30e47",
      "etag": "\"00002a2c-0000-0800-0000-5e97683b0000\"",
      "type": "Microsoft.SecurityInsights/ThreatIntelligence",
      "kind": "indicator",
      "properties": {
        "confidence": 78,
        "created": "2020-04-15T19:51:17.1050923Z",
        "createdByRef": "contoso@contoso.com",
        "externalId": "indicator--73be1729-babb-4348-a6c4-94621cae2530",
        "externalReferences": [],
        "granularMarkings": [],
        "lastUpdatedTimeUtc": "2020-04-15T20:15:11.074903Z",
        "revoked": false,
        "source": "Azure Sentinel",
        "threatIntelligenceTags": [
          "patching tags"
        ],
        "displayName": "updated indicator",
        "description": "debugging indicators",
        "threatTypes": [
          "compromised"
        ],
        "killChainPhases": [],
        "pattern": "[url:value = 'https://www.contoso.com']",
        "patternType": "url",
        "validFrom": "2020-04-15T17:44:00.114052Z"
      }
    }
  ]
}
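The Skip Token parameter and the response shape above combine into a paging loop that a consumer of this action needs before acting on the indicators. The Python below is an added example, not part of the product's documentation or code: `fetch_page` is a hypothetical callable standing in for one run of the List Indicators action, the `$skipToken` query parameter name is an assumption, and the sample pages are constructed from the Example Output.

```python
from urllib.parse import urlparse, parse_qs

def skip_token_from(next_link):
    """Return the skip token carried in a nextLink URL, or None."""
    if not next_link:
        return None
    for key, values in parse_qs(urlparse(next_link).query).items():
        # Assumption: the parameter is named $skipToken; match it loosely.
        if key.lstrip("$").lower() == "skiptoken":
            return values[0]
    return None

def list_all_indicators(fetch_page, max_pages=100):
    """Follow nextLink until the last page. fetch_page(skip_token) is a
    hypothetical stand-in for one run of the List Indicators action."""
    items, token, seen = [], None, set()
    for _ in range(max_pages):
        page = fetch_page(token)
        items.extend(page.get("value", []))
        token = skip_token_from(page.get("nextLink"))
        if token is None:
            return items            # no nextLink: the result is complete
        if token in seen:           # guard against a paging loop
            raise RuntimeError("skip token repeated")
        seen.add(token)
    raise RuntimeError("page limit reached before the final page")

def active_indicators(items, min_confidence=0):
    """(name, pattern) of non-revoked indicators at or above min_confidence."""
    return [
        (i["name"], i["properties"]["pattern"])
        for i in items
        if not i["properties"].get("revoked")
        and i["properties"].get("confidence", 0) >= min_confidence
    ]

def _indicator(name, confidence, revoked=False):
    return {"name": name, "kind": "indicator", "properties": {
        "confidence": confidence, "revoked": revoked,
        "pattern": "[url:value = 'https://www.contoso.com']"}}

# Constructed sample pages, shaped like the Example Output above.
PAGES = {
    None: {"value": [_indicator("27d963e6-e6e4-e0f9-e9d7-c53985b3bbe8", 90)],
           "nextLink": "https://example.invalid/indicators?$skipToken=page2"},
    "page2": {"value": [_indicator("e16ef847-962e-d7b6-9c8b-a33e4bd30e47", 78)]},
}

if __name__ == "__main__":
    everything = list_all_indicators(PAGES.get)
    print(len(everything), active_indicators(everything, min_confidence=80))
```

Without the loop, a partial first page would silently drop indicators from any downstream blocklist or detection rule built from the result.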
Workflow Library Example
List Indicators with Microsoft Sentinel and Send Results Via Email