Reference for ThreatIntelIndicators table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Internal |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✓ Yes |
| Lake-Only Ingestion | ✗ No (source) |
| Azure Monitor Tables Reference | View Documentation |
| Azure Monitor Logs Ingestion API | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| AdditionalFields | dynamic | The type-specific fields that Sentinel adds. Contains the TLPLevel: white, green, amber, or red. |
| AzureTenantId | string | The tenant that submitted the indicator. |
| Confidence | int | The confidence that the creator has in the correctness of their data. The value must be a number in the range of 0-100. |
| Created | datetime | The date when the indicator was created. |
| Data | dynamic | All object properties, formatted according to the STIX specification (https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.pdf). |
| Id | string | A value that uniquely identifies the indicator STIX object. This value is usable with Sentinel APIs. |
| IsActive | bool | A value that specifies if an indicator is active and valid for detections. |
| IsDeleted | bool | A value that indicates whether the data was deleted from Sentinel or not. |
| LastUpdateMethod | string | The component that last updated the indicator. |
| Modified | datetime | The date when the indicator was modified. |
| ObservableKey | string | The entire left-hand side of an equality comparison from the pattern. |
| ObservableValue | string | The entire right-hand side of an equality comparison from the pattern. |
| Pattern | string | The detection pattern for this indicator MAY be expressed as a STIX pattern. |
| Revoked | bool | A value that specifies whether the indicator was revoked. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| Tags | string | Sentinel defined tags for the indicator. |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The time of indicator ingestion. |
| Type | string | The name of the table |
| ValidFrom | datetime | The time from which this indicator is considered a valid indicator of the behaviors it is related or represents. |
| ValidUntil | datetime | The time at which this indicator should no longer be considered a valid indicator of the behaviors it is related to or represents. |
| WorkspaceId | string | The workspace that submitted the indicator. |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| CrowdStrike Falcon Adversary Intelligence | SourceSystem == "CrowdStrike Falcon Adversary Intelligence" |
| Cyjax Threat Intelligence IOC Connector | SourceSystem == "Cyjax-IOCs" |
| Datalake2Sentinel | |
| GreyNoise Threat Intelligence | SourceSystem == "GreyNoise" |
| Infoblox Data Connector via REST API | |
| JoeSandboxThreatIntelligence | |
| Lumen Defender Threat Feed Data Connector V2 | ObservableKey in "domain-name:value,ipv4-addr:value"; SourceSystem == "Lumen" |
| Lumen Defender Threat Feed Data Connector V2 (using Azure Functions Flex Consumption Plan with Private Networking) | ObservableKey in "domain-name:value,ipv4-addr:value"; SourceSystem == "Lumen" |
| MISP2Sentinel | SourceSystem == "MISP" |
| Microsoft Defender Threat Intelligence | |
| Premium Microsoft Defender Threat Intelligence | |
| Threat Intelligence Platforms | |
| Threat intelligence - TAXII | |
| Threat Intelligence Upload API (Preview) | |
| VMRayThreatIntelligence | |
In solution Global Secure Access:
| Analytic Rule | Selection Criteria |
|---|---|
| GSA - TI Domain Entity | |
| GSA - TI IP Entity | |
| GSA - TI URL Entity | |
In solution Google Threat Intelligence:
| Analytic Rule | Selection Criteria |
|---|---|
| Google Threat Intelligence - Threat Hunting Domain | ObservableKey == "domain-name:value"; SourceSystem == "Google Threat Intelligence" |
| Google Threat Intelligence - Threat Hunting Hash | ObservableKey contains "file:hashes"; SourceSystem == "Google Threat Intelligence" |
| Google Threat Intelligence - Threat Hunting IP | ObservableKey == "ipv4-addr:value"; SourceSystem == "Google Threat Intelligence" |
| Google Threat Intelligence - Threat Hunting Url | ObservableKey == "url:value"; SourceSystem == "Google Threat Intelligence" |
In solution Lumen Defender Threat Feed:
In solution Recorded Future:
| Analytic Rule | Selection Criteria |
|---|---|
| RecordedFuture Threat Hunting Domain All Actors | ObservableKey == "domain-name:value" |
| RecordedFuture Threat Hunting Hash All Actors | |
| RecordedFuture Threat Hunting IP All Actors | ObservableKey == "ipv4-addr:value" |
| RecordedFuture Threat Hunting Url All Actors | ObservableKey == "url:value" |
In solution Threat Intelligence (NEW):
In solution Google Threat Intelligence:
| Hunting Query | Selection Criteria |
|---|---|
| Google Threat Intelligence - Threat Hunting Domain | ObservableKey == "domain-name:value"; SourceSystem == "Google Threat Intelligence" |
| Google Threat Intelligence - Threat Hunting Hash | ObservableKey contains "file:hashes"; SourceSystem == "Google Threat Intelligence" |
| Google Threat Intelligence - Threat Hunting IP | ObservableKey == "ipv4-addr:value"; SourceSystem == "Google Threat Intelligence" |
| Google Threat Intelligence - Threat Hunting Url | ObservableKey == "url:value"; SourceSystem == "Google Threat Intelligence" |
In solution Lumen Defender Threat Feed:
| Hunting Query | Selection Criteria |
|---|---|
| Lumen TI IPAddress indicator in CommonSecurityLog | |
In solution Recorded Future:
| Hunting Query | Selection Criteria |
|---|---|
| RecordedFuture Threat Hunting Domain All Actors | ObservableKey == "domain-name:value" |
| RecordedFuture Threat Hunting Hash All Actors | ObservableKey contains "file:hashes" |
| RecordedFuture Threat Hunting IP All Actors | ObservableKey == "ipv4-addr:value" |
| RecordedFuture Threat Hunting URL All Actors | ObservableKey == "url:value" |
In solution Threat Intelligence (NEW):
In solution CiscoMeraki:
| Workbook | Selection Criteria |
|---|---|
| CiscoMerakiWorkbook | |
In solution CofenseTriage:
| Workbook | Selection Criteria |
|---|---|
| CofenseTriageThreatIndicators | |
In solution Cyjax:
| Workbook | Selection Criteria |
|---|---|
| Cyjax | |
In solution DNS Essentials:
| Workbook | Selection Criteria |
|---|---|
| DNSSolutionWorkbook | |
In solution DORA Compliance:
| Workbook | Selection Criteria |
|---|---|
| DORACompliance | ObservableKey contains "file:hashes."; ObservableKey contains "network-traffic" |
In solution GreyNoiseThreatIntelligence:
| Workbook | Selection Criteria |
|---|---|
| GreyNoiseOverview | SourceSystem == "GreyNoise" |
In solution HIPAA Compliance:
| Workbook | Selection Criteria |
|---|---|
| HIPAACompliance | |
In solution Lumen Defender Threat Feed:
| Workbook | Selection Criteria |
|---|---|
| Lumen-Threat-Feed-Overview | |
In solution Recorded Future:
| Workbook | Selection Criteria |
|---|---|
| RecordedFutureDomainCorrelation | ObservableKey == "domain-name:value" |
| RecordedFutureHashCorrelation | |
| RecordedFutureIPCorrelation | ObservableKey == "ipv4-addr:value" |
| RecordedFutureURLCorrelation | ObservableKey == "url:value" |
In solution ReversingLabs:
| Workbook | Selection Criteria |
|---|---|
| ReversingLabs-CapabilitiesOverview | |
In solution Salesforce Service Cloud:
| Workbook | Selection Criteria |
|---|---|
| SalesforceServiceCloud | |
In solution Threat Intelligence (NEW):
| Workbook | Selection Criteria |
|---|---|
| ThreatIntelligenceNew | |
In solution ThreatConnect:
| Workbook | Selection Criteria |
|---|---|
| ThreatConnectOverview | |
| Parser | Solution | Selection Criteria |
|---|---|---|
| CyjaxCorrelate | Cyjax | |
| CyjaxThreatIndicator | Cyjax | |
| ThreatIntelIndicatorsv2 | Threat Intelligence (NEW) | |
This table collects data from the following Azure resource types:
microsoft.securityinsights/threatintelligence
References by type: 6 connectors, 20 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| ObservableKey == "domain-name:value" | - | 3 | - | - | 3 |
| ObservableKey == "ipv4-addr:value" | - | 3 | - | - | 3 |
| ObservableKey == "url:value" | - | 3 | - | - | 3 |
| SourceSystem == "GreyNoise" | 1 | 1 | - | - | 2 |
| ObservableKey in "domain-name:value,ipv4-addr:value"; SourceSystem == "Lumen" | 2 | - | - | - | 2 |
| ObservableKey == "domain-name:value"; SourceSystem == "Google Threat Intelligence" | - | 2 | - | - | 2 |
| ObservableKey contains "file:hashes"; SourceSystem == "Google Threat Intelligence" | - | 2 | - | - | 2 |
| ObservableKey == "ipv4-addr:value"; SourceSystem == "Google Threat Intelligence" | - | 2 | - | - | 2 |
| ObservableKey == "url:value"; SourceSystem == "Google Threat Intelligence" | - | 2 | - | - | 2 |
| SourceSystem == "Cyjax-IOCs" | 1 | - | - | - | 1 |
| SourceSystem == "CrowdStrike Falcon Adversary Intelligence" | 1 | - | - | - | 1 |
| SourceSystem == "MISP" | 1 | - | - | - | 1 |
| ObservableKey contains "file:hashes" | - | 1 | - | - | 1 |
| ObservableKey contains "file:hashes."; ObservableKey contains "network-traffic" | - | 1 | - | - | 1 |
| Total | 6 | 20 | 0 | 0 | 26 |
| ObservableKey Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| domain-name:value | 2 | 5 | - | - | 7 |
| ipv4-addr:value | 2 | 5 | - | - | 7 |
| url:value | - | 5 | - | - | 5 |
| contains file:hashes | - | 3 | - | - | 3 |
| contains file:hashes. | - | 1 | - | - | 1 |
| contains network-traffic | - | 1 | - | - | 1 |
| SourceSystem Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Google Threat Intelligence | - | 8 | - | - | 8 |
| GreyNoise | 1 | 1 | - | - | 2 |
| Lumen | 2 | - | - | - | 2 |
| Cyjax-IOCs | 1 | - | - | - | 1 |
| CrowdStrike Falcon Adversary Intelligence | 1 | - | - | - | 1 |
| MISP | 1 | - | - | - | 1 |