az sentinel threat-indicator
Note
This reference is part of the sentinel extension for the Azure CLI (version 2.37.0 or higher). The extension will automatically install the first time you run an az sentinel threat-indicator command. Learn more about extensions.
Manage threat intelligence indicator with sentinel.
Commands
| Name | Description | Type | Status |
|---|---|---|---|
| az sentinel threat-indicator append-tag |
Append tags to a threat intelligence indicator. |
Extension | Experimental |
| az sentinel threat-indicator create |
Create a new threat intelligence indicator. |
Extension | Experimental |
| az sentinel threat-indicator delete |
Delete a threat intelligence indicator. |
Extension | Experimental |
| az sentinel threat-indicator list |
Get all threat intelligence indicators. |
Extension | Experimental |
| az sentinel threat-indicator metric |
Manage threat intelligence indicator metric with sentinel. |
Extension | GA |
| az sentinel threat-indicator metric list |
Get threat intelligence indicators metrics (Indicators counts by Type, Threat Type, Source). |
Extension | GA |
| az sentinel threat-indicator query |
Query threat intelligence indicators as per filtering criteria. |
Extension | Experimental |
| az sentinel threat-indicator replace-tag |
Replace tags added to a threat intelligence indicator. |
Extension | Experimental |
| az sentinel threat-indicator show |
View a threat intelligence indicator by name. |
Extension | Experimental |
| az sentinel threat-indicator update |
Update a threat Intelligence indicator. |
Extension | Experimental |
az sentinel threat-indicator append-tag
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Append tags to a threat intelligence indicator.
az sentinel threat-indicator append-tag --name
--resource-group
--workspace-name
[--intelligence-tags]Required Parameters
Threat intelligence indicator name field.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
The name of the workspace.
Optional Parameters
List of tags to be appended. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az sentinel threat-indicator create
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Create a new threat intelligence indicator.
az sentinel threat-indicator create --resource-group
--workspace-name
[--confidence]
[--created]
[--created-by-ref]
[--defanged {0, 1, f, false, n, no, t, true, y, yes}]
[--description]
[--display-name]
[--etag]
[--external-id]
[--external-references]
[--external-updated-time]
[--granular-markings]
[--indicator-types]
[--kill-chain-phases]
[--labels]
[--language]
[--last-updated-time]
[--modified]
[--object-marking-refs]
[--parsed-pattern]
[--pattern]
[--pattern-type]
[--pattern-version]
[--revoked {0, 1, f, false, n, no, t, true, y, yes}]
[--source]
[--threat-tags]
[--threat-types]
[--valid-from]
[--valid-until]Required Parameters
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
The name of the workspace.
Optional Parameters
Confidence of threat intelligence entity.
Created by.
Created by reference of threat intelligence entity.
Is threat intelligence entity defanged.
Description of a threat intelligence entity.
Display name of a threat intelligence entity.
Etag of the azure resource.
External ID of threat intelligence entity.
External References Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
External last updated time in UTC.
Granular Markings Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Indicator types of threat intelligence entities Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Kill chain phases Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Labels of threat intelligence entity Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Language of threat intelligence entity.
Last updated time in UTC.
Modified by.
Threat intelligence entity object marking references Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Parsed patterns Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Pattern of a threat intelligence entity.
Pattern type of a threat intelligence entity.
Pattern version of a threat intelligence entity.
Is threat intelligence entity revoked.
Source of a threat intelligence entity.
List of tags Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Threat types Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Valid from.
Valid until.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az sentinel threat-indicator delete
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Delete a threat intelligence indicator.
az sentinel threat-indicator delete [--ids]
[--name]
[--resource-group]
[--subscription]
[--workspace-name]
[--yes]Optional Parameters
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Threat intelligence indicator name field.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
The name of the workspace.
Do not prompt for confirmation.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az sentinel threat-indicator list
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Get all threat intelligence indicators.
az sentinel threat-indicator list --resource-group
--workspace-name
[--filter]
[--orderby]
[--skip-token]
[--top]Required Parameters
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
The name of the workspace.
Optional Parameters
Filters the results, based on a Boolean condition. Optional.
Sorts the results. Optional.
Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional.
Returns only the first n results. Optional.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az sentinel threat-indicator query
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Query threat intelligence indicators as per filtering criteria.
az sentinel threat-indicator query --resource-group
--workspace-name
[--ids]
[--include-disabled {0, 1, f, false, n, no, t, true, y, yes}]
[--keywords]
[--max-confidence]
[--max-valid-until]
[--min-confidence]
[--min-valid-until]
[--page-size]
[--pattern-types]
[--skip-token]
[--sort-by]
[--sources]
[--threat-types]Required Parameters
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
The name of the workspace.
Optional Parameters
Ids of threat intelligence indicators Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Parameter to include/exclude disabled indicators.
Keywords for searching threat intelligence indicators Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Maximum confidence.
End time for ValidUntil filter.
Minimum confidence.
Start time for ValidUntil filter.
Page size.
Pattern types Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Skip token.
Columns to sort by and sorting order Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Sources of threat intelligence indicators Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Threat types of threat intelligence indicators Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az sentinel threat-indicator replace-tag
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Replace tags added to a threat intelligence indicator.
az sentinel threat-indicator replace-tag --name
--resource-group
--workspace-name
[--confidence]
[--created]
[--created-by-ref]
[--defanged {0, 1, f, false, n, no, t, true, y, yes}]
[--description]
[--display-name]
[--etag]
[--external-id]
[--external-references]
[--external-updated-time]
[--granular-markings]
[--indicator-types]
[--intelligence-tags]
[--kill-chain-phases]
[--labels]
[--language]
[--last-updated-time]
[--modified]
[--object-marking-refs]
[--parsed-pattern]
[--pattern]
[--pattern-type]
[--pattern-version]
[--revoked {0, 1, f, false, n, no, t, true, y, yes}]
[--source]
[--threat-types]
[--valid-from]
[--valid-until]Required Parameters
Threat intelligence indicator name field.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
The name of the workspace.
Optional Parameters
Confidence of threat intelligence entity.
Created by.
Created by reference of threat intelligence entity.
Is threat intelligence entity defanged.
Description of a threat intelligence entity.
Display name of a threat intelligence entity.
Etag of the azure resource.
External ID of threat intelligence entity.
External References Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
External last updated time in UTC.
Granular Markings Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Indicator types of threat intelligence entities Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
List of tags Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Kill chain phases Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Labels of threat intelligence entity Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Language of threat intelligence entity.
Last updated time in UTC.
Modified by.
Threat intelligence entity object marking references Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Parsed patterns Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Pattern of a threat intelligence entity.
Pattern type of a threat intelligence entity.
Pattern version of a threat intelligence entity.
Is threat intelligence entity revoked.
Source of a threat intelligence entity.
Threat types Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Valid from.
Valid until.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az sentinel threat-indicator show
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
View a threat intelligence indicator by name.
az sentinel threat-indicator show [--ids]
[--name]
[--resource-group]
[--subscription]
[--workspace-name]Optional Parameters
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Threat intelligence indicator name field.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
The name of the workspace.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az sentinel threat-indicator update
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Update a threat Intelligence indicator.
az sentinel threat-indicator update [--confidence]
[--created]
[--created-by-ref]
[--defanged {0, 1, f, false, n, no, t, true, y, yes}]
[--description]
[--display-name]
[--etag]
[--external-id]
[--external-references]
[--external-updated-time]
[--granular-markings]
[--ids]
[--indicator-types]
[--kill-chain-phases]
[--labels]
[--language]
[--last-updated-time]
[--modified]
[--name]
[--object-marking-refs]
[--parsed-pattern]
[--pattern]
[--pattern-type]
[--pattern-version]
[--resource-group]
[--revoked {0, 1, f, false, n, no, t, true, y, yes}]
[--source]
[--subscription]
[--threat-tags]
[--threat-types]
[--valid-from]
[--valid-until]
[--workspace-name]Optional Parameters
Confidence of threat intelligence entity.
Created by.
Created by reference of threat intelligence entity.
Is threat intelligence entity defanged.
Description of a threat intelligence entity.
Display name of a threat intelligence entity.
Etag of the azure resource.
External ID of threat intelligence entity.
External References Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
External last updated time in UTC.
Granular Markings Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Indicator types of threat intelligence entities Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Kill chain phases Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Labels of threat intelligence entity Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Language of threat intelligence entity.
Last updated time in UTC.
Modified by.
Threat intelligence indicator name field.
Threat intelligence entity object marking references Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Parsed patterns Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Pattern of a threat intelligence entity.
Pattern type of a threat intelligence entity.
Pattern version of a threat intelligence entity.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Is threat intelligence entity revoked.
Source of a threat intelligence entity.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
List of tags Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Threat types Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Valid from.
Valid until.
The name of the workspace.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for