Reference for ThreatIntelIndicators table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Internal |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✓ Yes |
| Azure Monitor Tables Reference | View Documentation |
| Azure Monitor Logs Ingestion API | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| AdditionalFields | dynamic | The type-specific fields that Sentinel adds. Contains the TLPLevel: white, green, amber, or red. |
| AzureTenantId | string | The tenant that submitted the indicator. |
| Confidence | int | The confidence that the creator has in the correctness of their data. The value must be a number in the range of 0-100. |
| Created | datetime | The date when the indicator was created. |
| Data | dynamic | All object properties, formatted according to the STIX specification (https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.pdf). |
| Id | string | A value that uniquely identifies the indicator STIX object. This value is usable with Sentinel APIs. |
| IsActive | bool | A value that specifies if an indicator is active and valid for detections. |
| IsDeleted | bool | A value that indicates whether the data was deleted from Sentinel or not. |
| LastUpdateMethod | string | The component that last updated the indicator. |
| Modified | datetime | The date when the indicator was modified. |
| ObservableKey | string | The entire left-hand side of an equality comparison from the pattern. |
| ObservableValue | string | The entire right-hand side of an equality comparison from the pattern. |
| Pattern | string | The detection pattern for this indicator MAY be expressed as a STIX pattern. |
| Revoked | bool | A value that specifies whether the indicator was revoked. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for the Windows agent (either direct connect or Operations Manager), Linux for all Linux agents, or Azure for Azure Diagnostics |
| Tags | string | Sentinel defined tags for the indicator. |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The time of indicator ingestion. |
| Type | string | The name of the table |
| ValidFrom | datetime | The time from which this indicator is considered a valid indicator of the behaviors it is related to or represents. |
| ValidUntil | datetime | The time at which this indicator should no longer be considered a valid indicator of the behaviors it is related to or represents. |
| WorkspaceId | string | The workspace that submitted the indicator. |
This table is used by the following solutions:
This table is ingested by the following connectors:
In solution Global Secure Access:
| Analytic Rule | Selection Criteria |
|---|---|
| GSA - TI Domain Entity | |
| GSA - TI IP Entity | |
| GSA - TI URL Entity | |
In solution Google Threat Intelligence:
In solution Lumen Defender Threat Feed:
In solution Recorded Future:
In solution Threat Intelligence (NEW):
In solution Google Threat Intelligence:
In solution Lumen Defender Threat Feed:
| Hunting Query | Selection Criteria |
|---|---|
| Lumen TI IPAddress indicator in CommonSecurityLog | |
In solution Recorded Future:
In solution Threat Intelligence (NEW):
GitHub Only:
| Hunting Query | Selection Criteria |
|---|---|
| Teams Threat Intelligence Indicator Hit for Domain or URL | |
In solution CiscoMeraki:
| Workbook | Selection Criteria |
|---|---|
| CiscoMerakiWorkbook | |
In solution CofenseTriage:
| Workbook | Selection Criteria |
|---|---|
| CofenseTriageThreatIndicators | |
In solution Cyjax:
| Workbook | Selection Criteria |
|---|---|
| Cyjax | |
In solution DNS Essentials:
| Workbook | Selection Criteria |
|---|---|
| DNSSolutionWorkbook | |
In solution DORA Compliance:
| Workbook | Selection Criteria |
|---|---|
| DORACompliance | |
In solution HIPAA Compliance:
| Workbook | Selection Criteria |
|---|---|
| HIPAACompliance | |
In solution Lumen Defender Threat Feed:
| Workbook | Selection Criteria |
|---|---|
| Lumen-Threat-Feed-Overview | |
In solution Recorded Future:
| Workbook | Selection Criteria |
|---|---|
| RecordedFutureDomainCorrelation | |
| RecordedFutureHashCorrelation | |
| RecordedFutureIPCorrelation | |
| RecordedFutureURLCorrelation | |
In solution ReversingLabs:
| Workbook | Selection Criteria |
|---|---|
| ReversingLabs-CapabilitiesOverview | |
In solution Salesforce Service Cloud:
| Workbook | Selection Criteria |
|---|---|
| SalesforceServiceCloud | |
In solution Threat Intelligence (NEW):
| Workbook | Selection Criteria |
|---|---|
| ThreatIntelligenceNew | |
In solution ThreatConnect:
| Workbook | Selection Criteria |
|---|---|
| ThreatConnectOverview | |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| IntsightsIOCWorkbook | |
| InvestigationInsights | |
| OptimizationWorkbook | |
| ThreatIntelligence | |
| Parser | Solution | Selection Criteria |
|---|---|---|
| CyjaxCorrelate | Cyjax | |
| CyjaxThreatIndicator | Cyjax | |
| ThreatIntelIndicatorsv2 | Threat Intelligence (NEW) | |
This table collects data from the following Azure resource types:
microsoft.securityinsights/threatintelligence