Reference for ThreatIntelligenceIndicator table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Security |
| Basic Logs Eligible | ✗ No |
| Supports Transformations | ✓ Yes |
| Ingestion API Supported | ✓ Yes |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account |
| Action | string | Action to take on indicator match. |
| Active | bool | Indicates whether indicator is active. |
| ActivityGroupNames | string | Activity groups associated with indicator. |
| AdditionalInformation | string | Free text additional information for indicator. |
| ConfidenceScore | real | Confidence rating of the indicator, from 0 to 100. |
| Description | string | Description of the indicator. |
| DiamondModel | string | Diamond model value for the indicator, one of adversary, capability, infrastructure or victim. |
| DomainName | string | The domain name observable. |
| EmailEncoding | string | The email encoding observable. |
| EmailLanguage | string | The email language observable. |
| EmailRecipient | string | The email recipient observable. |
| EmailSenderAddress | string | The email sender address observable. |
| EmailSenderName | string | The email sender name observable. |
| EmailSourceDomain | string | The email source domain observable. |
| EmailSourceIpAddress | string | The email source IP address observable. |
| EmailSubject | string | The email subject observable. |
| EmailXMailer | string | The email X-Mailer observable. |
| ExpirationDateTime | datetime | Time of indicator expiration. |
| ExternalIndicatorId | string | Identifier for indicator from submitting system. |
| FileCompileDateTime | datetime | The file compilation time observable. |
| FileCreatedDateTime | datetime | The file creation time observable. |
| FileHashType | string | The file hash type observable. |
| FileHashValue | string | The file hash value observable. |
| FileMutexName | string | The file mutex name observable. |
| FileName | string | The file name observable. |
| FilePacker | string | The file packer observable. |
| FilePath | string | The file path observable. |
| FileSize | int | The file size observable. |
| FileType | string | The file type observable. |
| IndicatorId | string | Unique identifier for indicator, calculated by receiving system. |
| IndicatorProvider | string | The name of the entity that provided the indicator. |
| KillChainActions | bool | Indicates whether kill chain value 'actions' is set. |
| KillChainC2 | bool | Indicates whether kill chain value 'C2' is set. |
| KillChainDelivery | bool | Indicates whether kill chain value 'delivery' is set. |
| KillChainExploitation | bool | Indicates whether kill chain value 'exploitation' is set. |
| KillChainReconnaissance | bool | Indicates whether kill chain value 'reconnaissance' is set. |
| KillChainWeaponization | bool | Indicates whether kill chain value 'weaponization' is set. |
| KnownFalsePositives | string | Text describing situations where indicator may cause false positives. |
| MalwareNames | string | List of malware names associated with indicator |
| NetworkCidrBlock | string | The network CIDR block observable. |
| NetworkDestinationAsn | int | The network destination autonomous system number observable. |
| NetworkDestinationCidrBlock | string | The network destination CIDR block observable. |
| NetworkDestinationIP | string | The network destination IP address. |
| NetworkDestinationPort | int | The network destination port observable. |
| NetworkIP | string | The network IP address observable. |
| NetworkPort | int | The network port observable. |
| NetworkProtocol | int | The network protocol observable. |
| NetworkSourceAsn | int | The network source autonomous system number observable. |
| NetworkSourceCidrBlock | string | The network source CIDR block observable. |
| NetworkSourceIP | string | The network source IP address observable. |
| NetworkSourcePort | int | The network source port observable. |
| PassiveOnly | bool | Indicates whether the indicator should trigger an event that is visible to a user. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| Tags | string | Free form tags. |
| TenantId | string | The Log Analytics workspace ID |
| ThreatSeverity | int | Indicator severity rating from 0 to 5. Higher value indicates greater severity. |
| ThreatType | string | Threat type of indicator. |
| TimeGenerated | datetime | Time of indicator ingestion. |
| TrafficLightProtocolLevel | string | Industry standard traffic light protocol level, one of white, green, amber or red. |
| Type | string | The name of the table |
| Url | string | The url observable. |
| UserAgent | string | The user agent observable. |
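The analytic rules listed further down ("TI map IP entity ...", "Connection from Malicious IP", "Match Found") all follow the same shape: pick the current, unexpired indicators out of this table and join them to an event source on one of the observable columns. The KQL below is an added example of that pattern; it is not taken from the page or from Microsoft's own rule templates. It assumes CommonSecurityLog (a firewall connector feeding DestinationIP) as the event source, and the lookback windows and the ConfidenceScore threshold are tuning assumptions, not values the page prescribes.

```kql
// Added example: match current IP indicators from ThreatIntelligenceIndicator against
// outbound firewall sessions. CommonSecurityLog as the join target is an assumption.
let event_lookback = 1d;     // how far back to scan events (assumption)
let ti_lookback    = 14d;    // how far back to pull indicator rows (assumption)
let min_confidence = 50;     // ConfidenceScore is 0-100; threshold is an assumption
// 1. Current view of each indicator. The table is append-only: a deactivation, an
//    expiry extension or a confidence change arrives as a new row with the same
//    IndicatorId, so de-duplicate on IndicatorId (latest TimeGenerated wins) BEFORE
//    filtering on Active/ExpirationDateTime, or stale copies survive the filter.
let ActiveIpIndicators =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ti_lookback)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true
    | where ExpirationDateTime > now()
    | where ConfidenceScore >= min_confidence
    // Collapse the three IP observable columns into one join key. KQL coalesce()
    // treats an empty string as missing, so the first populated column is chosen.
    | extend TI_IP = coalesce(NetworkDestinationIP, NetworkSourceIP, NetworkIP)
    | where isnotempty(TI_IP)
    | project IndicatorId, TI_IP, Description, ThreatType, ConfidenceScore,
              ThreatSeverity, IndicatorProvider, TrafficLightProtocolLevel,
              KnownFalsePositives, ExpirationDateTime;
// 2. Events to check (assumed schema: CommonSecurityLog from a firewall connector).
let OutboundSessions =
    CommonSecurityLog
    | where TimeGenerated >= ago(event_lookback)
    | where isnotempty(DestinationIP)
    | project EventTime = TimeGenerated, DeviceVendor, DeviceProduct,
              SourceIP, DestinationIP, DestinationPort, DeviceAction;
// 3. Join on the IP. kind=innerunique emits one indicator row per matching event
//    rather than a cross product when several providers list the same address.
ActiveIpIndicators
| join kind=innerunique OutboundSessions on $left.TI_IP == $right.DestinationIP
| where EventTime < ExpirationDateTime   // ignore traffic seen after the indicator lapsed
| project EventTime, DeviceVendor, DeviceProduct, SourceIP, DestinationIP,
          DestinationPort, DeviceAction, IndicatorId, ThreatType, ConfidenceScore,
          ThreatSeverity, IndicatorProvider, TrafficLightProtocolLevel,
          KnownFalsePositives, Description
| order by EventTime desc
```

Two points in this query are worth carrying into any rule you write against the table. First, `ti_lookback` bounds the rows scanned, so an indicator whose last update is older than that window is silently excluded; widen it, or drop the filter, when feeds are updated infrequently. Second, `arg_max(TimeGenerated, *) by IndicatorId` is what makes the `Active` and `ExpirationDateTime` filters meaningful: applied to the raw table they would still match the older, still-active copy of an indicator that has since been deactivated. Swapping the join key for `DomainName`, `Url` or `FileHashValue` gives the URL, domain and hash variants of the same rule.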
This table is used by the following solutions:
In solution GitLab:
| Analytic Rule | Selection Criteria |
|---|---|
| GitLab - TI - Connection from Malicious IP | |
In solution Infoblox Cloud Data Connector:
| Analytic Rule | Selection Criteria |
|---|---|
| Infoblox - TI - CommonSecurityLog Match Found - MalwareC2 | |
| Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains | |
| Infoblox - TI - Syslog Match Found - URL | |
In solution Lastpass Enterprise Activity Monitoring:
| Analytic Rule | Selection Criteria |
|---|---|
| TI map IP entity to LastPass data | |
In solution Microsoft Business Applications:
| Analytic Rule | Selection Criteria |
|---|---|
| Dataverse - TI map IP to DataverseActivity | |
| Dataverse - TI map URL to DataverseActivity | |
| Power Apps - Multiple users access a malicious link after launching new app | |
In solution Proofpoint On demand(POD) Email Security:
| Analytic Rule | Selection Criteria |
|---|---|
| ProofpointPOD - Email sender IP in TI list | |
| ProofpointPOD - Email sender in TI list | |
In solution Ubiquiti UniFi:
| Analytic Rule | Selection Criteria |
|---|---|
| Ubiquiti - Connection to known malicious IP or C2 | |
In solution CofenseIntelligence:
| Workbook | Selection Criteria |
|---|---|
| CofenseIntelligenceThreatIndicators | |
In solution ContinuousDiagnostics&Mitigation:
| Workbook | Selection Criteria |
|---|---|
| ContinuousDiagnostics&Mitigation | |
In solution Forcepoint NGFW:
| Workbook | Selection Criteria |
|---|---|
| ForcepointNGFWAdvanced | |
In solution GreyNoiseThreatIntelligence:
| Workbook | Selection Criteria |
|---|---|
| GreyNoiseOverview | |
In solution MaturityModelForEventLogManagementM2131:
| Workbook | Selection Criteria |
|---|---|
| MaturityModelForEventLogManagement_M2131 | |
In solution Microsoft Defender Threat Intelligence:
| Workbook | Selection Criteria |
|---|---|
| MicrosoftThreatIntelligence | |
In solution MimecastTIRegional:
| Workbook | Selection Criteria |
|---|---|
| MimecastTIRegional | |
In solution NISTSP80053:
| Workbook | Selection Criteria |
|---|---|
| NISTSP80053 | |
In solution Network Session Essentials:
| Workbook | Selection Criteria |
|---|---|
| NetworkSessionEssentials | |
| NetworkSessionEssentialsV2 | |
In solution SOC Handbook:
| Workbook | Selection Criteria |
|---|---|
| IntsightsIOCWorkbook | |
| InvestigationInsights | |
In solution Team Cymru Scout:
| Workbook | Selection Criteria |
|---|---|
| TeamCymruScout | |
In solution Threat Intelligence:
| Workbook | Selection Criteria |
|---|---|
| ThreatIntelligence | |
In solution Web Session Essentials:
| Workbook | Selection Criteria |
|---|---|
| WebSessionEssentials | |
In solution ZeroTrust(TIC3.0):
| Workbook | Selection Criteria |
|---|---|
| ZeroTrustTIC3 | |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| DSTIMWorkbook | |
| DoDZeroTrustWorkbook | |
| ForcepointNGFWAdvanced | |
| MicrosoftSentinelDeploymentandMigrationTracker | |
| PhishingAnalysis | |
| WorkspaceUsage | |
| ZeroTrustStrategyWorkbook | |
| Parser | Solution | Selection Criteria |
|---|---|---|
| CymruScoutCorrelate | Team Cymru Scout | |