Skip to main content
Query threat intelligence indicators as per filtering criteria.
External DocumentationTo learn more, visit the Microsoft Sentinel documentation.

Basic Parameters

ParameterDescription
Resource Group NameThe name of the resource group. The name is case insensitive.
Subscription IDThe ID of the target subscription.
Workspace NameThe name of the workspace.

Advanced Parameters

ParameterDescription
IDsA comma-separated list of indicators IDs to filter by.
Include DisabledSelect to include disabled indicators.
KeywordA keyword to filter by.
Max ConfidenceMaximum confidence to filter by.
Max Valid UntilThe maximum date for indicator validity.
Min ConfidenceMinimum confidence to filter by.
Min Valid UntilThe minimum date for indicator validity.
Page SizeThe number of results per page.
Pattern TypesA comma-separated list of pattern types to filter by.
Skip TokenSpecifies a starting point to show results from, this token is received in case that the previous request returned a partial result.
Sort ByColumns to sort by and sorting order.

Example:
[
  {
  “itemKey”: “Column Name”,
  “sortOrder”: “ascending” / “descending” / “unsorted”
  }
]
SourcesA comma-separated list of sources to filter by.
Threat TypesA comma-separated list of threat types to filter by.

Example Output

{
	"value": [
		{
			"id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/ThreatIntelligence/27d963e6-e6e4-e0f9-e9d7-c53985b3bbe8",
			"name": "27d963e6-e6e4-e0f9-e9d7-c53985b3bbe8",
			"etag": "\"00002f2c-0000-0800-0000-5e976a8e0000\"",
			"type": "Microsoft.SecurityInsights/ThreatIntelligence",
			"kind": "indicator",
			"properties": {
				"confidence": 90,
				"created": "2020-04-15T20:11:57.9666134Z",
				"createdByRef": "contoso@contoso.com",
				"externalId": "indicator--8516d567-0daa-4614-8745-e3591e1b48cf",
				"externalReferences": [],
				"granularMarkings": [],
				"lastUpdatedTimeUtc": "2020-04-15T20:15:11.0746926Z",
				"revoked": false,
				"source": "Azure Sentinel",
				"threatIntelligenceTags": [
					"new schema"
				],
				"displayName": "new schema 2",
				"description": "debugging indicators 2",
				"threatTypes": [
					"compromised"
				],
				"killChainPhases": [],
				"pattern": "[url:value = 'https://www.contoso.com']",
				"patternType": "url",
				"validFrom": "2020-04-15T17:44:00.114052Z",
				"parsedPattern": [
					{
						"patternTypeKey": "network-traffic",
						"patternTypeValues": [
							{
								"valueType": "0",
								"value": "SSH-2.0-PuTTY_Release_0.64"
							},
							{
								"valueType": "1",
								"value": "194.88.106.146"
							}
						]
					}
				]
			}
		}
	]
}

Workflow Library Example

Query Indicators with Microsoft Sentinel and Send Results Via Email
Workflow LibraryPreview this Workflow on desktop