Reference for ThreatIntelligenceIndicator table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Security |
| Basic Logs Eligible | ✗ No (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✓ Yes |
| Lake-Only Ingestion | ✗ No (source) |
| Azure Monitor Tables Reference | View Documentation |
| Azure Monitor Logs Ingestion API | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| Action | string | Action to take on indicator match. |
| Active | bool | Indicates whether indicator is active. |
| ActivityGroupNames | string | Activity groups associated with indicator. |
| AdditionalInformation | string | Free text additional information for indicator. |
| ConfidenceScore | real | Confidence rating of the indicator, from 0 to 100. |
| Description | string | Description of the indicator. |
| DiamondModel | string | Diamond model value for the indicator, one of adversary, capability, infrastructure or victim. |
| DomainName | string | The domain name observable. |
| EmailEncoding | string | The email encoding observable. |
| EmailLanguage | string | The email language observable. |
| EmailRecipient | string | The email recipient observable. |
| EmailSenderAddress | string | The email sender address observable. |
| EmailSenderName | string | The email sender name observable. |
| EmailSourceDomain | string | The email source domain observable. |
| EmailSourceIpAddress | string | The email source IP address observable. |
| EmailSubject | string | The email subject observable. |
| EmailXMailer | string | The email X-Mailer observable. |
| ExpirationDateTime | datetime | Time of indicator expiration. |
| ExternalIndicatorId | string | Identifier for indicator from submitting system. |
| FileCompileDateTime | datetime | The file compilation time observable. |
| FileCreatedDateTime | datetime | The file creation time observable. |
| FileHashType | string | The file hash type observable. |
| FileHashValue | string | The file hash value observable. |
| FileMutexName | string | The file mutex name observable. |
| FileName | string | The file name observable. |
| FilePacker | string | The file packer observable. |
| FilePath | string | The file path observable. |
| FileSize | int | The file size observable. |
| FileType | string | The file type observable. |
| IndicatorId | string | Unique identifier for indicator, calculated by receiving system. |
| IndicatorProvider | string | The name of the entity that provided the indicator. |
| KillChainActions | bool | Indicates whether kill chain value 'actions' is set. |
| KillChainC2 | bool | Indicates whether kill chain value 'C2' is set. |
| KillChainDelivery | bool | Indicates whether kill chain value 'delivery' is set. |
| KillChainExploitation | bool | Indicates whether kill chain value 'exploitation' is set. |
| KillChainReconnaissance | bool | Indicates whether kill chain value 'reconnaissance' is set. |
| KillChainWeaponization | bool | Indicates whether kill chain value 'weaponization' is set. |
| KnownFalsePositives | string | Text describing situations where indicator may cause false positives. |
| MalwareNames | string | List of malware names associated with indicator. |
| NetworkCidrBlock | string | The network CIDR block observable. |
| NetworkDestinationAsn | int | The network destination autonomous system number observable. |
| NetworkDestinationCidrBlock | string | The network destination CIDR block observable. |
| NetworkDestinationIP | string | The network destination IP address. |
| NetworkDestinationPort | int | The network destination port observable. |
| NetworkIP | string | The network IP address observable. |
| NetworkPort | int | The network port observable. |
| NetworkProtocol | int | The network protocol observable. |
| NetworkSourceAsn | int | The network source autonomous system number observable. |
| NetworkSourceCidrBlock | string | The network source CIDR block observable. |
| NetworkSourceIP | string | The network source IP address observable. |
| NetworkSourcePort | int | The network source port observable. |
| PassiveOnly | bool | Indicates whether the indicator should trigger an event that is visible to a user. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| Tags | string | Free form tags. |
| TenantId | string | The Log Analytics workspace ID |
| ThreatSeverity | int | Indicator severity rating from 0 to 5. Higher value indicates greater severity. |
| ThreatType | string | Threat type of indicator. |
| TimeGenerated | datetime | Time of indicator ingestion. |
| TrafficLightProtocolLevel | string | Industry standard traffic light protocol level, one of white, green, amber or red. |
| Type | string | The name of the table |
| Url | string | The URL observable. |
| UserAgent | string | The user agent observable. |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Cofense Intelligence Threat Indicators Ingestion | SourceSystem startswith "Cofense Intelligence :" |
| Cofense Triage Threat Indicators Ingestion | SourceSystem !startswith "Cofense :"; SourceSystem startswith "Cofense :" |
| Luminar IOCs and Leaked Credentials | SourceSystem !contains "Luminar"; SourceSystem contains "Luminar" |
| Mimecast Intelligence for Microsoft - Microsoft Sentinel | |
In solution GitLab:
| Analytic Rule | Selection Criteria |
|---|---|
| GitLab - TI - Connection from Malicious IP | |
In solution GreyNoiseThreatIntelligence:
In solution Infoblox Cloud Data Connector:
| Analytic Rule | Selection Criteria |
|---|---|
| Infoblox - TI - CommonSecurityLog Match Found - MalwareC2 | |
| Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains | |
| Infoblox - TI - Syslog Match Found - URL | |
In solution Lastpass Enterprise Activity Monitoring:
| Analytic Rule | Selection Criteria |
|---|---|
| TI map IP entity to LastPass data | |
In solution Microsoft Business Applications:
| Analytic Rule | Selection Criteria |
|---|---|
| Dataverse - TI map IP to DataverseActivity | |
| Dataverse - TI map URL to DataverseActivity | |
| Power Apps - Multiple users access a malicious link after launching new app | |
In solution Proofpoint On demand(POD) Email Security:
| Analytic Rule | Selection Criteria |
|---|---|
| ProofpointPOD - Email sender IP in TI list | |
| ProofpointPOD - Email sender in TI list | |
In solution Threat Intelligence:
In solution ThreatConnect:
In solution Ubiquiti UniFi:
| Analytic Rule | Selection Criteria |
|---|---|
| Ubiquiti - Connection to known malicious IP or C2 | |
In solution CofenseIntelligence:
| Workbook | Selection Criteria |
|---|---|
| CofenseIntelligenceThreatIndicators | SourceSystem == "Cofense Intelligence" |
In solution ContinuousDiagnostics&Mitigation:
| Workbook | Selection Criteria |
|---|---|
| ContinuousDiagnostics&Mitigation | |
In solution Forcepoint NGFW:
| Workbook | Selection Criteria |
|---|---|
| ForcepointNGFWAdvanced | |
In solution MaturityModelForEventLogManagementM2131:
| Workbook | Selection Criteria |
|---|---|
| MaturityModelForEventLogManagement_M2131 | |
In solution Microsoft Defender Threat Intelligence:
| Workbook | Selection Criteria |
|---|---|
| MicrosoftThreatIntelligence | |
In solution MimecastTIRegional:
| Workbook | Selection Criteria |
|---|---|
| MimecastTIRegional | |
In solution NISTSP80053:
| Workbook | Selection Criteria |
|---|---|
| NISTSP80053 | |
In solution Network Session Essentials:
| Workbook | Selection Criteria |
|---|---|
| NetworkSessionEssentials | |
| NetworkSessionEssentialsV2 | |
In solution SOC Handbook:
| Workbook | Selection Criteria |
|---|---|
| IntsightsIOCWorkbook | |
| InvestigationInsights | |
In solution Team Cymru Scout:
| Workbook | Selection Criteria |
|---|---|
| TeamCymruScout | |
In solution Threat Intelligence:
| Workbook | Selection Criteria |
|---|---|
| ThreatIntelligence | |
In solution Web Session Essentials:
| Workbook | Selection Criteria |
|---|---|
| WebSessionEssentials | |
In solution ZeroTrust(TIC3.0):
| Workbook | Selection Criteria |
|---|---|
| ZeroTrustTIC3 | |
| Parser | Solution | Selection Criteria |
|---|---|---|
| CymruScoutCorrelate | Team Cymru Scout | |
References by type: 3 connectors, 1 content item, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| SourceSystem startswith "Cofense Intelligence :" | 1 | - | - | - | 1 |
| SourceSystem !contains "Luminar"; SourceSystem contains "Luminar" | 1 | - | - | - | 1 |
| SourceSystem !startswith "Cofense :"; SourceSystem startswith "Cofense :" | 1 | - | - | - | 1 |
| SourceSystem == "Cofense Intelligence" | - | 1 | - | - | 1 |
| Total | 3 | 1 | 0 | 0 | 4 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| startswith Cofense Intelligence : | 1 | - | - | - | 1 |
| !contains Luminar | 1 | - | - | - | 1 |
| contains Luminar | 1 | - | - | - | 1 |
| !startswith Cofense : | 1 | - | - | - | 1 |
| startswith Cofense : | 1 | - | - | - | 1 |
| Cofense Intelligence | - | 1 | - | - | 1 |