Microsoft Graph Security (Preview)
The Microsoft Graph Security connector helps to connect different Microsoft and partner security products and services, using a unified schema, to streamline security operations, and improve threat protection, detection, and response capabilities. Learn more about integrating with the Microsoft Graph Security API at https://aka.ms/graphsecuritydocs
This connector is available in the following products and regions:
Service | Class | Regions |
---|---|---|
Logic Apps | Standard | All Logic Apps regions except the following: - Azure Government regions - Azure China regions - US Department of Defense (DoD) |
Power Automate | Premium | All Power Automate regions except the following: - US Government (GCC) - US Government (GCC High) - China Cloud operated by 21Vianet - US Department of Defense (DoD) |
Power Apps | Premium | All Power Apps regions except the following: - US Government (GCC) - US Government (GCC High) - China Cloud operated by 21Vianet - US Department of Defense (DoD) |
Contact | |
---|---|
Name | Microsoft |
URL | Microsoft LogicApps Support Microsoft Power Automate Support Microsoft Power Apps Support |
[email protected] |
Connector Metadata | |
---|---|
Publisher | Microsoft |
Website | https://www.microsoft.com/security/business/graph-security-api |
Prerequisites to connect with The Microsoft Graph Security connector
Read more about Microsoft Graph Security API.
To use the Microsoft Graph Security connector action, start with a trigger, such as the Recurrence trigger.
To use the Microsoft Graph Security connector, Microsoft Entra ID tenant administrator consent needs to be provided as part of Microsoft Graph Security Authentication requirements.
The Microsoft Graph Security connector application ID and name (for Microsoft Entra ID in https://portal.azure.com) is as follows for Microsoft Entra ID administrator consent:
- Application Name - MicrosoftGraphSecurityConnector
- Application ID - c4829704-0edc-4c3d-a347-7c4a67586f3c
- Tenant administrator can either follow steps outlined in granting tenant administrator consent for Microsoft Entra ID applications to the above mentioned application or can grant permissions upon initial run of a workflow using the Microsoft Graph Security connector per the application consent experience.
You are now ready to use the Microsoft Graph Security connector!
Connector in-depth
For more information about the connector, see the in-depth section.
Throttling Limits
Name | Calls | Renewal Period |
---|---|---|
API calls per connection | 100 | 60 seconds |
Actions
Create subscriptions |
Create Microsoft Graph webhook subscriptions. |
Create ti |
Create a new threat intelligence indicator by posting to the tiIndicators collection. |
Delete multiple ti |
Delete multiple threat intelligence indicators corresponding to the specified external IDs. |
Delete multiple ti |
Delete multiple threat intelligence indicators corresponding to the specified IDs. |
Delete subscriptions |
Delete the specific Microsoft Graph Webhook subscription. |
Delete ti |
Delete a threat intelligence indicator corresponding to the specified ID. |
Get active subscriptions |
Get the list of unexpired subscriptions for this Microsoft Entra ID tenant. |
Get alert by ID |
Get a security alert corresponding to the specified ID. |
Get alerts |
Get a list of security alerts for this Microsoft Entra ID tenant. Use with different query parameters. |
Get ti |
Get a threat intelligence indicator corresponding to the specified ID. |
Get ti |
Get a list of threat intelligence indicators for this Microsoft Entra ID tenant. Use with different query parameters. |
Submit multiple ti |
Create new threat intelligence indicators by posting a tiIndicators collection. Required fields for each tiIndicator are: action, azureTenantId, description, expirationDateTime, targetProduct, threatType, tlpLevel. |
Update alert |
Update specific properties of a security alert. |
Update multiple ti |
Update specific properties of multiple threat intelligence indicators. Required fields for each tiIndicator are: Id, expirationDateTime, and targetProduct. |
Update subscription |
Renew a Microsoft Graph webhook subscription by updating its expiration time. |
Update ti |
Update specific properties of a threat intelligence indicator. Required fields for the tiIndicator are: Id, expirationDateTime, and targetProduct. |
Create subscriptions
Create Microsoft Graph webhook subscriptions.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Resource URL
|
resource | True | string |
Specify the resource that will be monitored for changes. Do not include base URL (https://graph.microsoft.com/v1.0/). Include security/alerts followed by the odata query. For e.g. security/alerts?$filter=status eq �New� |
Change type
|
changeType | True | string |
Specify the property type that should raise a notification when changed on the subscribed resource. |
Client state
|
clientState | string |
Specify the client state to confirm the notification origination source. |
|
Notification URL
|
notificationUrl | True | string |
Specify a well-formed URL of the endpoint that will receive notifications. |
Expiration date time
|
expirationDateTime | True | date-time |
Specify the date time when the webhook subscription expires; needs to be a date time greater than current time and within 30 days. |
Returns
A single subscription entity returned
- Subscription
- Subscription
Create tiIndicator
Create a new threat intelligence indicator by posting to the tiIndicators collection.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Action
|
action | True | string |
The action to apply if the indicator is matched from within the targetProduct security tool. Values: (unknown, allow, block, alert). |
Activity group names
|
activityGroupNames | array of string |
The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator. |
|
Additional information
|
additionalInformation | string |
Extra data from the indicator not covered by the other tiIndicator properties may be placed |
|
Azure Tenant ID
|
azureTenantId | string |
The Microsoft Entra ID tenant id of submitting client. |
|
Confidence
|
confidence | integer |
Confidence of the detection logic (percentage between 0-100). |
|
Description
|
description | True | string |
TiIndicator description (100 charactes or less). |
Diamond model
|
diamondModel | string |
The area of the Diamond Model in which this indicator exists. Values: (unknown, adversary, capability, infrastructure, victim). |
|
Expiration date time
|
expirationDateTime | True | date-time |
Time at which the the Indicator expires (UTC). |
External ID
|
externalId | string |
An identification number that ties the indicator back to the indicator provider’s system (e.g. a foreign key). |
|
Ingested date time
|
ingestedDateTime | date-time |
Time at which the the Indicator is ingested (UTC). |
|
Is active
|
isActive | boolean |
By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system. |
|
Kill chain
|
killChain | array of string |
strings that describes which point or points on the Kill Chain this indicator targets. Values: (Actions, C2, Delivery, Exploitation, Installation, Reconnaissance, Weaponization). |
|
Known false positives
|
knownFalsePositives | string |
Scenarios in which the indicator may cause false positives. |
|
Last reported date time
|
lastReportedDateTime | date-time |
The last time the indicator was seen (UTC). |
|
Malware family names
|
malwareFamilyNames | array of string |
The malware family name associated with an indicator if it exists. |
|
Passive Only
|
passiveOnly | boolean |
Determines if the indicator should trigger an event that is visible to an end-user. |
|
Severity
|
severity | integer |
Severity of the malicious behavior identified by the data within the indicator. Values are from 0 – 5 with 5 being most severe. Default value is 3. |
|
Tags
|
tags | array of string | ||
Target Product
|
targetProduct | True | string |
Single security product to which the indicator should be applied. Acceptable values are: Azure Sentinel, Microsoft Defender ATP. |
Threat Type
|
threatType | string |
Each indicator must have a valid Indicator Threat Type. Possible values are: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList. |
|
Tlp level
|
tlpLevel | string |
Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red. |
|
Email encoding
|
emailEncoding | string |
The type of text encoding used in the email. |
|
Email language
|
emailLanguage | string |
The language of the email. |
|
Email recipient
|
emailRecipient | string |
Recipient email address. |
|
Email sender address
|
emailSenderAddress | string |
Email address of the attacker|victim. |
|
Email sender name
|
emailSenderName | string |
Displayed name of the attacker|victim. |
|
Email source domain
|
emailSourceDomain | string |
Domain used in the email. |
|
Email source Ip address
|
emailSourceIpAddress | string |
Source IP address of email. |
|
Email subject
|
emailSubject | string |
Subject line of email. |
|
Email XMailer
|
emailXMailer | string |
X-Mailer value used in the email. |
|
File compile date time
|
fileCompileDateTime | date-time |
DateTime when the file was compiled. |
|
File created date time
|
fileCreatedDateTime | date-time |
DateTime when the file was created. |
|
File hash type
|
fileHashType | string |
The type of hash stored in fileHashValue. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph. |
|
File hash value
|
fileHashValue | string |
The file hash value. |
|
File mutex name
|
fileMutexName | string |
Mutex name used in file-based detections. |
|
File name
|
fileName | string |
Name of the file if the indicator is file-based. |
|
File packer
|
filePacker | string |
The packer used to build the file in question. |
|
File path
|
filePath | string |
Path of file indicating compromise. May be a Windows or *nix style path. |
|
File size
|
fileSize | integer |
Size of the file in bytes. |
|
File type
|
fileType | string |
Text description of the type of file. For example, “Word Document” or “Binary”. |
|
Domain name
|
domainName | string |
Domain name associated with this indicator. |
|
Network cidr block
|
networkCidrBlock | string |
CIDR Block notation representation of the network referenced in this indicator. |
|
Network destination Asn
|
networkDestinationAsn | integer |
The destination autonomous system identifier of the network referenced in the indicator. |
|
Network destination cidr block
|
networkDestinationCidrBlock | string |
CIDR Block notation representation of the destination network in this indicator. |
|
Network destination IPv4
|
networkDestinationIPv4 | string |
IPv4 IP address destination. |
|
Network destination IPv6
|
networkDestinationIPv6 | string |
IPv6 IP address destination. |
|
Network destination port
|
networkDestinationPort | integer |
TCP port destination. |
|
Network IPv4
|
networkIPv4 | string |
IPv4 IP address. |
|
Network IPv6
|
networkIPv6 | string |
IPv6 IP address. |
|
Network port
|
networkPort | integer |
TCP port. |
|
Network protocol
|
networkProtocol | integer |
Decimal representation of the protocol field in the IPv4 header. |
|
Network source Asn
|
networkSourceAsn | integer |
The source autonomous system identifier of the network referenced in the indicator. |
|
Network source cidr block
|
networkSourceCidrBlock | string |
CIDR Block notation representation of the source network in this indicator. |
|
Network source IPv4
|
networkSourceIPv4 | string |
IPv4 IP address source. |
|
Network destination IPv6
|
networkSourceIPv6 | string |
IPv6 IP address source. |
|
Network source port
|
networkSourcePort | integer |
TCP port source. |
|
Url
|
url | string |
Uniform Resource Locator. |
|
User agent
|
userAgent | string |
User-Agent string from a web request that could indicate compromise. |
Returns
A single TiIndicator entity returned
- TiIndicator
- TiIndicator
Delete multiple tiIndicators by external IDs
Delete multiple threat intelligence indicators corresponding to the specified external IDs.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
value
|
value | array of string |
Returns
Name | Path | Type | Description |
---|---|---|---|
value
|
value | array of object | |
code
|
value.code | integer |
The result code |
message
|
value.message | string |
The message |
subcode
|
value.subcode | integer |
The result sub-code |
Delete multiple tiIndicators by IDs
Delete multiple threat intelligence indicators corresponding to the specified IDs.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
value
|
value | array of string |
Returns
Name | Path | Type | Description |
---|---|---|---|
value
|
value | array of object | |
code
|
value.code | integer |
The result code |
message
|
value.message | string |
The message |
subcode
|
value.subcode | integer |
The result sub-code |
Delete subscriptions
Delete the specific Microsoft Graph Webhook subscription.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Subscription ID
|
Subscription Id | True | string |
Specify the Microsoft Graph Webhook Subscription ID. |
Delete tiIndicator by ID
Delete a threat intelligence indicator corresponding to the specified ID.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
TiIndicator ID
|
indicator-id | True | string |
Specify threat intelligence indicator ID |
Get active subscriptions
Get the list of unexpired subscriptions for this Microsoft Entra ID tenant.
Returns
Name | Path | Type | Description |
---|---|---|---|
Existing subcriptions count
|
@odata.count | integer |
The number of subcriptions returned |
Subscription
|
value | array of Subscription |
The subscription entities returned |
Next link
|
@odata.nextLink | string |
A link to get the next results in case there are more results than requested |
Get alert by ID
Get a security alert corresponding to the specified ID.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Alert ID
|
alert-id | True | string |
Specify alert ID. |
Returns
A single alert entity returned
- Alert
- Alert
Get alerts
Get a list of security alerts for this Microsoft Entra ID tenant. Use with different query parameters.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Filter alerts
|
$filter | string |
Specify filtering condition for alerts like Severity eq "High". |
|
Top alerts
|
$top | integer |
Specify the recent most top number of alerts to retrieve from each provider. |
|
Select alert properties
|
$select | string |
Specify alert properties to include in the results. |
|
Sorting order
|
$orderby | string |
Specify sorting order for the results. |
|
Skips "n" results
|
$skip | integer |
Specify number of results to skip. Useful for pagination. |
|
Include count of alerts returned
|
$count | string |
Specify to include the number of alerts returned in the response |
Returns
Name | Path | Type | Description |
---|---|---|---|
Alerts count
|
@odata.count | integer |
The number of alerts returned |
Alerts
|
value | array of Alert |
The alerts returned |
Next link
|
@odata.nextLink | string |
A link to get the next results in case there are more results than requested |
Get tiIndicator by ID
Get a threat intelligence indicator corresponding to the specified ID.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
TiIndicator ID
|
indicator-id | True | string |
Specify threat intelligence indicator ID |
Returns
A single TiIndicator entity returned
- TiIndicator
- TiIndicator
Get tiIndicators
Get a list of threat intelligence indicators for this Microsoft Entra ID tenant. Use with different query parameters.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Filter tiIndicators
|
$filter | string |
Specify filtering condition for threat intelligence indicators like threatType eq 'WatchList' |
|
Top tiIndicators
|
$top | integer |
Specify the recent top number of threat intelligence indicators to be retrieved |
|
Select tiIndicator properties
|
$select | string |
Specify threat intelligence indicator properties to include in the results. |
|
Include count of tiIndicators returned
|
$count | string |
Specify to include the number of threat intelligence indicators returned in the response |
|
Skips "n" results
|
$skip | integer |
Specify number of results to skip. Useful for pagination. |
|
Sorting order
|
$orderby | string |
Specify sorting order for the results. |
Returns
Name | Path | Type | Description |
---|---|---|---|
TiIndicator count
|
@odata.count | integer |
The number of TiIndicator returned |
TiIndicators
|
value | array of TiIndicator |
The TiIndicator returned |
Next link
|
@odata.nextLink | string |
A link to get the next results in case there are more results than requested |
Submit multiple tiIndicators
Create new threat intelligence indicators by posting a tiIndicators collection. Required fields for each tiIndicator are: action, azureTenantId, description, expirationDateTime, targetProduct, threatType, tlpLevel.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Action
|
action | True | string |
The action to apply if the indicator is matched from within the targetProduct security tool. Values: (unknown, allow, block, alert). |
Activity group names
|
activityGroupNames | array of string |
The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator. |
|
Additional information
|
additionalInformation | string |
Extra data from the indicator not covered by the other tiIndicator properties may be placed |
|
Azure Tenant ID
|
azureTenantId | string |
The Microsoft Entra ID tenant id of submitting client. |
|
Confidence
|
confidence | integer |
Confidence of the detection logic (percentage between 0-100). |
|
Description
|
description | True | string |
TiIndicator description (100 charactes or less). |
Diamond model
|
diamondModel | string |
The area of the Diamond Model in which this indicator exists. Values: (unknown, adversary, capability, infrastructure, victim). |
|
Expiration date time
|
expirationDateTime | True | date-time |
Time at which the the Indicator expires (UTC). |
External ID
|
externalId | string |
An identification number that ties the indicator back to the indicator provider’s system (e.g. a foreign key). |
|
Ingested date time
|
ingestedDateTime | date-time |
Time at which the the Indicator is ingested (UTC). |
|
Is active
|
isActive | boolean |
By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system. |
|
Kill chain
|
killChain | array of string |
strings that describes which point or points on the Kill Chain this indicator targets. Values: (Actions, C2, Delivery, Exploitation, Installation, Reconnaissance, Weaponization). |
|
Known false positives
|
knownFalsePositives | string |
Scenarios in which the indicator may cause false positives. |
|
Last reported date time
|
lastReportedDateTime | date-time |
The last time the indicator was seen (UTC). |
|
Malware family names
|
malwareFamilyNames | array of string |
The malware family name associated with an indicator if it exists. |
|
Passive Only
|
passiveOnly | boolean |
Determines if the indicator should trigger an event that is visible to an end-user. |
|
Severity
|
severity | integer |
Severity of the malicious behavior identified by the data within the indicator. Values are from 0 – 5 with 5 being most severe. Default value is 3. |
|
Tags
|
tags | array of string | ||
Target Product
|
targetProduct | True | string |
Single security product to which the indicator should be applied. Acceptable values are: Azure Sentinel, Microsoft Defender ATP. |
Threat Type
|
threatType | string |
Each indicator must have a valid Indicator Threat Type. Possible values are: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList. |
|
Tlp level
|
tlpLevel | string |
Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red. |
|
Email encoding
|
emailEncoding | string |
The type of text encoding used in the email. |
|
Email language
|
emailLanguage | string |
The language of the email. |
|
Email recipient
|
emailRecipient | string |
Recipient email address. |
|
Email sender address
|
emailSenderAddress | string |
Email address of the attacker|victim. |
|
Email sender name
|
emailSenderName | string |
Displayed name of the attacker|victim. |
|
Email source domain
|
emailSourceDomain | string |
Domain used in the email. |
|
Email source Ip address
|
emailSourceIpAddress | string |
Source IP address of email. |
|
Email subject
|
emailSubject | string |
Subject line of email. |
|
Email XMailer
|
emailXMailer | string |
X-Mailer value used in the email. |
|
File compile date time
|
fileCompileDateTime | date-time |
DateTime when the file was compiled. |
|
File created date time
|
fileCreatedDateTime | date-time |
DateTime when the file was created. |
|
File hash type
|
fileHashType | string |
The type of hash stored in fileHashValue. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph. |
|
File hash value
|
fileHashValue | string |
The file hash value. |
|
File mutex name
|
fileMutexName | string |
Mutex name used in file-based detections. |
|
File name
|
fileName | string |
Name of the file if the indicator is file-based. |
|
File packer
|
filePacker | string |
The packer used to build the file in question. |
|
File path
|
filePath | string |
Path of file indicating compromise. May be a Windows or *nix style path. |
|
File size
|
fileSize | integer |
Size of the file in bytes. |
|
File type
|
fileType | string |
Text description of the type of file. For example, “Word Document” or “Binary”. |
|
Domain name
|
domainName | string |
Domain name associated with this indicator. |
|
Network cidr block
|
networkCidrBlock | string |
CIDR Block notation representation of the network referenced in this indicator. |
|
Network destination Asn
|
networkDestinationAsn | integer |
The destination autonomous system identifier of the network referenced in the indicator. |
|
Network destination cidr block
|
networkDestinationCidrBlock | string |
CIDR Block notation representation of the destination network in this indicator. |
|
Network destination IPv4
|
networkDestinationIPv4 | string |
IPv4 IP address destination. |
|
Network destination IPv6
|
networkDestinationIPv6 | string |
IPv6 IP address destination. |
|
Network destination port
|
networkDestinationPort | integer |
TCP port destination. |
|
Network IPv4
|
networkIPv4 | string |
IPv4 IP address. |
|
Network IPv6
|
networkIPv6 | string |
IPv6 IP address. |
|
Network port
|
networkPort | integer |
TCP port. |
|
Network protocol
|
networkProtocol | integer |
Decimal representation of the protocol field in the IPv4 header. |
|
Network source Asn
|
networkSourceAsn | integer |
The source autonomous system identifier of the network referenced in the indicator. |
|
Network source cidr block
|
networkSourceCidrBlock | string |
CIDR Block notation representation of the source network in this indicator. |
|
Network source IPv4
|
networkSourceIPv4 | string |
IPv4 IP address source. |
|
Network destination IPv6
|
networkSourceIPv6 | string |
IPv6 IP address source. |
|
Network source port
|
networkSourcePort | integer |
TCP port source. |
|
Url
|
url | string |
Uniform Resource Locator. |
|
User agent
|
userAgent | string |
User-Agent string from a web request that could indicate compromise. |
Returns
Name | Path | Type | Description |
---|---|---|---|
TiIndicators
|
value | array of TiIndicator |
The TiIndicators submitted |
Update alert
Update specific properties of a security alert.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Alert ID
|
alert-id | True | string |
Specify alert ID. |
Assigned to
|
assignedTo | string |
Specify the name of the analyst the alert is assigned to for triage, investigation, or remediation. |
|
Closed dateTime
|
closedDateTime | string |
Specify the time at which the alert was closed. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. |
|
comments
|
comments | array of string |
Comments |
|
Tags
|
tags | array of string |
Specify any user-definable labels that can be applied to an alert and can serve as filter conditions (for example "HVA", "SAW", etc.). |
|
Feedback
|
feedback | string |
Specify analyst feedback on the alert. |
|
Status
|
status | string |
Specify status to track alert lifecycle status (stage). |
|
Provider name
|
provider | True | string |
Specific provider (product/service - not vendor company); for example, WindowsDefenderATP. |
Provider version
|
providerVersion | string |
Specify version of the provider or subprovider, if it exists, that generated the alert. |
|
Sub Provider name
|
subProvider | string |
Specific subprovider (under aggregating provider); for example, WindowsDefenderATP.SmartScreen. |
|
Vendor name
|
vendor | True | string |
Specify name of the alert vendor (for example, Microsoft, Dell, FireEye). |
Update multiple tiIndicators
Update specific properties of multiple threat intelligence indicators. Required fields for each tiIndicator are: Id, expirationDateTime, and targetProduct.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
id
|
id | True | string |
TiIndicator-id |
Action
|
action | string |
The action to apply if the indicator is matched from within the targetProduct security tool. Values: (unknown, allow, block, alert). |
|
Activity group names
|
activityGroupNames | array of string |
The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator. |
|
Additional information
|
additionalInformation | string |
Extra data from the indicator not covered by the other tiIndicator properties may be placed |
|
Confidence
|
confidence | integer |
Confidence of the detection logic (percentage between 0-100). |
|
Description
|
description | string |
TiIndicator description (100 charactes or less). |
|
Diamond model
|
diamondModel | string |
The area of the Diamond Model in which this indicator exists. Values: (unknown, adversary, capability, infrastructure, victim). |
|
Expiration date time
|
expirationDateTime | True | date-time |
Time at which the the Indicator expires (UTC). |
Target Product
|
targetProduct | True | string |
Single security product to which the indicator should be applied. Acceptable values are: Azure Sentinel, Microsoft Defender ATP. |
External ID
|
externalId | string |
An identification number that ties the indicator back to the indicator provider’s system (e.g. a foreign key). |
|
Is active
|
isActive | boolean |
By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system. |
|
Kill chain
|
killChain | array of string |
strings that describes which point or points on the Kill Chain this indicator targets. Values: (Actions, C2, Delivery, Exploitation, Installation, Reconnaissance, Weaponization). |
|
Known false positives
|
knownFalsePositives | string |
Scenarios in which the indicator may cause false positives. |
|
Last reported date time
|
lastReportedDateTime | date-time |
The last time the indicator was seen (UTC). |
|
Malware family names
|
malwareFamilyNames | array of string |
The malware family name associated with an indicator if it exists. |
|
Passive Only
|
passiveOnly | boolean |
Determines if the indicator should trigger an event that is visible to an end-user. |
|
Severity
|
severity | integer |
Severity of the malicious behavior identified by the data within the indicator. Values are from 0 – 5 with 5 being most severe. Default value is 3. |
|
Tags
|
tags | array of string | ||
Tlp level
|
tlpLevel | string |
Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red. |
Returns
Name | Path | Type | Description |
---|---|---|---|
TiIndicators
|
value | array of TiIndicator |
The TiIndicators updated |
Update subscription
Renew a Microsoft Graph webhook subscription by updating its expiration time.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Subscription ID
|
Subscription Id | True | string |
Specify Microsoft Graph Webhook subscription ID. |
Expiration date time
|
expirationDateTime | string |
Specify the date and time, in UTC format, of when the Microsoft Graph webhook subscription expires. The maximum expiration time for security alerts is 43200 minutes (under 30 days). |
Returns
A single subscription entity returned
- Subscription
- Subscription
Update tiIndicator
Update specific properties of a threat intelligence indicator. Required fields for the tiIndicator are: Id, expirationDateTime, and targetProduct.
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
TiIndicator ID
|
indicator-id | True | string |
Specify threat intelligence indicator ID. |
Action
|
action | string |
The action to apply if the indicator is matched from within the targetProduct security tool. Values: (unknown, allow, block, alert). |
|
Activity group names
|
activityGroupNames | array of string |
The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator. |
|
Additional information
|
additionalInformation | string |
Extra data from the indicator not covered by the other tiIndicator properties may be placed |
|
Confidence
|
confidence | integer |
Confidence of the detection logic (percentage between 0-100). |
|
Description
|
description | string |
TiIndicator description (100 charactes or less). |
|
Diamond model
|
diamondModel | string |
The area of the Diamond Model in which this indicator exists. Values: (unknown, adversary, capability, infrastructure, victim). |
|
Expiration date time
|
expirationDateTime | True | date-time |
Time at which the the Indicator expires (UTC format. For example, 2020-03-01T00:00:00Z). |
External ID
|
externalId | string |
An identification number that ties the indicator back to the indicator provider’s system (e.g. a foreign key). |
|
Is active
|
isActive | boolean |
By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system. |
|
Kill chain
|
killChain | array of string |
strings that describes which point or points on the Kill Chain this indicator targets. Values: (Actions, C2, Delivery, Exploitation, Installation, Reconnaissance, Weaponization). |
|
Known false positives
|
knownFalsePositives | string |
Scenarios in which the indicator may cause false positives. |
|
Last reported date time
|
lastReportedDateTime | date-time |
The last time the indicator was seen (UTC). |
|
Malware family names
|
malwareFamilyNames | array of string |
The malware family name associated with an indicator if it exists. |
|
Passive Only
|
passiveOnly | boolean |
Determines if the indicator should trigger an event that is visible to an end-user. |
|
Severity
|
severity | integer |
Severity of the malicious behavior identified by the data within the indicator. Values are from 0 – 5 with 5 being most severe. Default value is 3. |
|
Tags
|
tags | array of string | ||
Tlp level
|
tlpLevel | string |
Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red. |
|
Target Product
|
targetProduct | True | string |
Single security product to which the indicator should be applied. Acceptable values are: Azure Sentinel, Microsoft Defender ATP. |
Triggers
On all new alerts |
Triggers on all new alerts |
On new high severity alerts |
Triggers on new high severity alerts |
On all new alerts
Triggers on all new alerts
Returns
Name | Path | Type | Description |
---|---|---|---|
Alerts count
|
@odata.count | integer |
The number of alerts returned |
Alerts
|
value | array of Alert |
The alerts returned |
Next link
|
@odata.nextLink | string |
A link to get the next results in case there are more results than requested |
On new high severity alerts
Triggers on new high severity alerts
Returns
Name | Path | Type | Description |
---|---|---|---|
Alerts count
|
@odata.count | integer |
The number of alerts returned |
Alerts
|
value | array of Alert |
The alerts returned |
Next link
|
@odata.nextLink | string |
A link to get the next results in case there are more results than requested |
Definitions
Alert
A single alert entity returned
Name | Path | Type | Description |
---|---|---|---|
Azure subscription ID
|
azureSubscriptionId | string |
Azure subscription ID, present if this alert is related to an Azure resource. |
Tags
|
tags | array of string |
User-definable labels that can be applied to an alert and can serve as filter conditions (e.g. "HVA", "SAW", etc.). |
ID
|
id | string |
Provider-generated GUID/unique identifier. |
Azure tenant ID
|
azureTenantId | string |
Microsoft Entra ID tenant ID. |
Activity group name
|
activityGroupName | string |
Name or alias of the activity group (attacker) this alert is attributed to. |
Assigned to
|
assignedTo | string |
Name of the analyst the alert is assigned to for triage, investigation, or remediation. |
Category
|
category | string |
Category of the alert (e.g. credentialTheft, ransomware, etc.). |
Closed date time
|
closedDateTime | date-time |
Time at which the alert was closed (UTC). |
Comments
|
comments | array of string |
Customer-provided comments on alert (for customer alert management). |
Confidence
|
confidence | integer |
Confidence of the detection logic (percentage between 1-100). |
Created date time
|
createdDateTime | date-time |
Time at which the alert was created (UTC). |
Description
|
description | string |
Alert description. |
Detection Ids
|
detectionIds | array of string |
Set of alerts related to this alert entity. |
Event date time
|
eventDateTime | date-time |
Time at which the event(s) that served as the trigger(s) to generate the alert occurred (UTC). |
Feedback
|
feedback | string |
Analyst feedback on the alert. Possible values are: unknown, truePositive, falsePositive, benignPositive. |
Last modified date time
|
lastModifiedDateTime | date-time |
Time at which the alert entity was last modified (UTC). |
Recommended actions
|
recommendedActions | array of string |
Vendor/Provider recommended action/s to take as a result of the alert (e.g. isolate machine, enforce2FA, reimage host, etc.). |
Severity
|
severity | string |
Alert severity - set by vendor/provider. Values: (high, medium, low, Informational) where "informational" infers that the alert is not actionable. |
Source materials
|
sourceMaterials | array of string |
Hyperlinks (URIs) to the source material related to the alert, e.g. provider investigation UI, etc. |
Status
|
status | string |
Alert lifecycle status (stage). Values: (unknown, newAlert, inProgress, resolved). |
Title
|
title | string |
Alert title. |
Provider name
|
vendorInformation.provider | string |
Specific provider (product/service - not vendor company); for example, WindowsDefenderATP. |
Provider version
|
vendorInformation.providerVersion | string |
Version of the provider or subprovider. |
Sub provider name
|
vendorInformation.subProvider | string |
Specific subprovider (under aggregating provider); for example, WindowsDefenderATP.SmartScreen. |
Vendor name
|
vendorInformation.vendor | string |
Name of the alert vendor (for example, Microsoft, Dell, FireEye). |
Cloud app states
|
cloudAppStates | array of object |
Security-related stateful information generated by the provider about the cloud application/s related to this alert. |
Destination service IP
|
cloudAppStates.destinationServiceIp | string |
Destination IP address of the connection to cloud app/service. |
Destination service name
|
cloudAppStates.destinationServiceName | string |
Destination cloud app/service name. |
Risk score
|
cloudAppStates.riskScore | string |
Provider-generated/calculated risk score of the Cloud Application/Service. |
File states
|
fileStates | array of object |
Security-related stateful information generated by the provider about the file(s) related to this alert. |
Name
|
fileStates.name | string |
File Name (without path). |
Path
|
fileStates.path | string |
Full file path of the file/imageFile. |
Risk score
|
fileStates.riskScore | string |
Provider generated/calculated risk score of the alert file. |
Type
|
fileStates.fileHash.type | string |
File hash type. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph, peSha1, peSha256. |
Value
|
fileStates.fileHash.value | string |
Value of the file hash. |
Host states
|
hostStates | array of object |
Security-related stateful information generated by the provider about the host(s) related to this alert. |
Fully qualified domain name
|
hostStates.fqdn | string |
Host FQDN (Fully Qualified Domain Name). |
Is azureAd joined
|
hostStates.isAzureAdJoined | boolean |
True if the host is domain joined to Microsoft Entra ID Domain Services. |
Is azureAd registered
|
hostStates.isAzureAdRegistered | boolean |
True if the host registered with Microsoft Entra ID Device Registration (e.g. BYOD) - not fully managed by enterprise. |
Is hybrid azure domain joined
|
hostStates.isHybridAzureDomainJoined | boolean |
True if the host is domain joined to an on-premises Microsoft Entra ID domain. |
Net bios name
|
hostStates.netBiosName | string |
Local host name without DNS domain name. |
Operating system name
|
hostStates.os | string |
Host Operating System. |
Private IP address
|
hostStates.privateIpAddress | string |
Private (not routable) IPv4 or IPv6 Address at the time of the alert. |
Public IP address
|
hostStates.publicIpAddress | string |
Publicly routable IPv4 or IPv6 Address at time of the alert. |
Risk score
|
hostStates.riskScore | string |
Provider-generated/calculated risk score of the host. |
Malware states
|
malwareStates | array of object |
Security-related stateful information generated by the provider about the malware related to this alert. |
Category
|
malwareStates.category | string |
Provider-generated malware category (e.g. trojan, ransomware, etc.). |
Family
|
malwareStates.family | string |
Provider-generated malware family (e.g. "wannacry", "notpetya", etc.). |
Name
|
malwareStates.name | string |
Provider-generated malware variant name (e.g. Trojan:Win32/Powessere.H). |
Severity
|
malwareStates.severity | string |
Provider-determined severity of this malware. |
Was running
|
malwareStates.wasRunning | boolean |
Indicates whether the detected file (malware/vulnerability) was running at the time of detection or was detected at rest on the disk. |
Network connections
|
networkConnections | array of object |
Security-related stateful information generated by the provider about the file(s) related to this alert. |
Application name
|
networkConnections.applicationName | string |
Name of the application managing the network connection (e.g. Facebook, SMTP, etc.). |
Destination address
|
networkConnections.destinationAddress | string |
Destination IP address of the network connection. |
Destination domain
|
networkConnections.destinationDomain | string |
Destination domain portion of the destination URL.(for example "www.contoso.com"). |
Destination port
|
networkConnections.destinationPort | string |
Destination port of the network connection. |
Destination url
|
networkConnections.destinationUrl | string |
Network connection URL/URI string - excluding parameters. |
Direction
|
networkConnections.direction | string |
Network connection direction. Possible values are: unknown, inbound, outbound. |
Domain registered dateTime
|
networkConnections.domainRegisteredDateTime | date-time |
Date the destination domain was registered (UTC). |
Local dns name
|
networkConnections.localDnsName | string |
The local DNS name resolution as it appears in the host local DNS cache (e.g. in case the "hosts" file was tampered with). |
Nat destination address
|
networkConnections.natDestinationAddress | string |
Network Address Translation destination IP address. |
Nat destination port
|
networkConnections.natDestinationPort | string |
Network Address Translation destination port. |
Nat source address
|
networkConnections.natSourceAddress | string |
Network Address Translation source IP address. |
Nat source port
|
networkConnections.natSourcePort | string |
Network Address Translation source port. |
Protocol
|
networkConnections.protocol | string |
Network protocol. Possible values are: unknown, ip, icmp, igmp, ggp, ipv4, tcp, pup, udp, idp, ipv6, ipv6RoutingHeader, ipv6FragmentHeader, ipSecEncapsulatingSecurityPayload, ipSecAuthenticationHeader, icmpV6, ipv6NoNextHeader, ipv6DestinationOptions, nd, raw, ipx, spx, spxII. |
Risk score
|
networkConnections.riskScore | string |
Provider generated/calculated risk score of the network connection. |
Source address
|
networkConnections.sourceAddress | string |
Source (i.e. origin) IP address of the network connection. |
Source port
|
networkConnections.sourcePort | string |
Source (i.e. origin) IP port of the network connection. |
Status
|
networkConnections.status | string |
Network connection status. Possible values are: unknown, attempted, succeeded, blocked, failed. |
Url parameters
|
networkConnections.urlParameters | string |
Parameters (suffix) of the destination URL as a string. |
Processes
|
processes | array of object |
Security-related stateful information generated by the provider about the process or processes related to this alert. |
Account name
|
processes.accountName | string |
User account identifier (user account context the process ran under) e.g. AccountName, SID, etc. |
Command line
|
processes.commandLine | string |
The full process invocation commandline including all parameters. |
Created date time
|
processes.createdDateTime | date-time |
DateTime at which the parent process was started (UTC). |
Integrity level
|
processes.integrityLevel | string |
The integrity level of the process. Possible values are: unknown, untrusted, low, medium, high, system. |
Is elevated
|
processes.isElevated | boolean |
True if the process is elevated. |
Name
|
processes.name | string |
The name of the process Image file. |
Parent process created date time
|
processes.parentProcessCreatedDateTime | date-time |
Time at which the process was started (UTC). |
Parent process ID
|
processes.parentProcessId | integer |
The Process ID (PID) of the parent process. |
Parent process name
|
processes.parentProcessName | string |
The name of the image file of the parent process. |
Path
|
processes.path | string |
Full path, including filename. |
Process Id
|
processes.processId | integer |
The Process ID (PID) of the process. |
Type
|
processes.fileHash.type | string |
File hash type. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph, peSha1, peSha256. |
Value
|
processes.fileHash.value | string |
Value of the file hash. |
Registry key states
|
registryKeyStates | array of object |
Security-related stateful information generated by the provider about the registry keys related to this alert. |
Process
|
registryKeyStates.process | string |
Process ID (PID) of the process that modified the registry key (process details will appear in the alert "processes" collection). |
Operation
|
registryKeyStates.operation | string |
Operation that changed the registry key name and/or value (add, modify, delete). |
Value Type
|
registryKeyStates.valueType | string |
Registry key value type. Possible values are: unknown, binary, dword, dwordLittleEndian, dwordBigEndian, expandSz, link, multiSz, none, qword, qwordlittleEndian, sz. |
Registry hive
|
registryKeyStates.hive | string |
Windows registry hive. Possible values are: unknown, currentConfig, currentUser, localMachineSam, localMachineSamSoftware, localMachineSystem, usersDefault. |
Key
|
registryKeyStates.key | string |
Current (i.e. changed) registry key (excludes HIVE). |
Value name
|
registryKeyStates.valueName | string |
Current (i.e. changed) registry key value name. |
Value data
|
registryKeyStates.valueData | string |
Current (i.e. changed) registry key value data (contents). |
Old key
|
registryKeyStates.oldKey | string |
Previous (i.e. before changed) registry key (excludes HIVE). |
Old value name
|
registryKeyStates.oldValueName | string |
Previous (i.e. before changed) registry key value name. |
Old value data
|
registryKeyStates.oldValueData | string |
Previous (i.e. before changed) registry key value data (contents). |
Triggers
|
triggers | array of object |
Security-related information about the specific properties that triggered the alert (properties appearing in the alert). Alerts might contain information about multiple users, hosts, files, ip addresses. This field indicates which properties triggered the alert generation. |
Name
|
triggers.name | string |
Name of the property serving as a detection trigger. |
Type
|
triggers.type | string |
Type of the attribute in the key:value pair for interpretation, e.g. String, Boolean, etc. |
Value
|
triggers.value | string |
Value of the attribute serving as a detection trigger. |
User states
|
userStates | array of object |
Security-related stateful information generated by the provider about the logged-on user or users related to this alert. |
Microsoft Entra ID user ID
|
userStates.aadUserId | string |
Microsoft Entra ID User object identifier (GUID) - represents the physical/multi-account user entity. |
Account name
|
userStates.accountName | string |
Account name of user account (without Microsoft Entra ID Domain or DNS Domain) - (also called "mailNickName"). |
Domain name
|
userStates.domainName | string |
NetBIOS/Microsoft Entra ID Domain of user account �(i.e. domain\account format). |
Email role
|
userStates.emailRole | string |
For email-related alerts - user account email role. |
Is Vpn
|
userStates.isVpn | boolean |
Indicates whether the user logged on through a VPN. |
Logon date time
|
userStates.logonDateTime | date-time |
Time at which the logon occurred (UTC). |
Logon ID
|
userStates.logonId | string |
User sign-in ID. |
Logon IP
|
userStates.logonIp | string |
IP Address the logon request orginated from. |
Logon location
|
userStates.logonLocation | string |
Location (by IP address mapping) associated with a user sign-in event by this user. |
Logon type
|
userStates.logonType | string |
Method of user sign in. Possible values are: unknown, interactive, remoteInteractive, network, batch, service. |
On premises security identifier
|
userStates.onPremisesSecurityIdentifier | string |
Microsoft Entra ID (on-premises) Security Identifier (SID) of the user. |
Risk score
|
userStates.riskScore | string |
Provider-generated/calculated risk score of the user account. |
User account type
|
userStates.userAccountType | string |
User account type (group membership), per Windows definition. Possible values are: unknown, standard, power, administrator. |
User principal name
|
userStates.userPrincipalName | string |
User sign-in name - internet format: @. |
Vulnerability states
|
vulnerabilityStates | array of object |
Threat intelligence pertaining to one or more vulnerabilities related to this alert. |
Cve
|
vulnerabilityStates.cve | string |
Common Vulnerabilities and Exposures (CVE) for the vulnerability. |
Was running
|
vulnerabilityStates.wasRunning | boolean |
Indicates whether the detected vulnerability (file) was running at the time of detection or was the file detected at rest on the disk. |
Severity
|
vulnerabilityStates.severity | string |
Base Common Vulnerability Scoring System (CVSS) severity score for this vulnerability. |
Subscription
A single subscription entity returned
Name | Path | Type | Description |
---|---|---|---|
ID
|
id | string |
Unique identifier for the subscription. |
Resource
|
resource | string |
Specifies the resource that will be monitored for changes. |
Application Id
|
applicationId | string |
Identifier of the application used to create the subscription. |
Change type
|
changeType | string |
Indicates the type of change in the subscribed resource that will raise a notification. |
Client state
|
clientState | string |
Specifies the value of the clientState property sent by the service in each notification. The maximum length is 128 characters. The client can check that the notification came from the service by comparing the value of the clientState property sent with the subscription with the value of the clientState property received with each notification. |
Notification URL
|
notificationUrl | string |
The URL of the endpoint that will receive the notifications. This URL must make use of the HTTPS protocol. |
Expiration date time
|
expirationDateTime | string |
Specifies the date and time when the webhook subscription expires (UTC). |
Creator Id
|
creatorId | string |
Identifier of the user or service principal that created the subscription. If the app used delegated permissions to create the subscription, this field contains the id of the signed-in user the app called on behalf of. If the app used application permissions, this field contains the id of the service principal corresponding to the app. |
TiIndicator
A single TiIndicator entity returned
Name | Path | Type | Description |
---|---|---|---|
Action
|
action | string |
The action to apply if the indicator is matched from within the targetProduct security tool. Values: (unknown, allow, block, alert). |
Activity group names
|
activityGroupNames | array of string |
The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator. |
Additional information
|
additionalInformation | string |
Extra data from the indicator not covered by the other tiIndicator properties may be placed |
Azure Tenant ID
|
azureTenantId | string |
The Microsoft Entra ID tenant id of submitting client. |
Confidence
|
confidence | integer |
Confidence of the detection logic (percentage between 0-100). |
Description
|
description | string |
TiIndicator description (100 charactes or less). |
Diamond model
|
diamondModel | string |
The area of the Diamond Model in which this indicator exists. Values: (unknown, adversary, capability, infrastructure, victim). |
Expiration date time
|
expirationDateTime | date-time |
Time at which the the Indicator expires (UTC). |
External ID
|
externalId | string |
An identification number that ties the indicator back to the indicator provider’s system (e.g. a foreign key). |
ID
|
id | string |
Created by the system when the indicator is ingested. Generated GUID/unique identifier. |
Ingested date time
|
ingestedDateTime | date-time |
Time at which the the Indicator is ingested (UTC). |
Is active
|
isActive | boolean |
By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system. |
Kill chain
|
killChain | array of string |
strings that describes which point or points on the Kill Chain this indicator targets. Values: (Actions, C2, Delivery, Exploitation, Installation, Reconnaissance, Weaponization). |
Known false positives
|
knownFalsePositives | string |
Scenarios in which the indicator may cause false positives. |
Last reported date time
|
lastReportedDateTime | date-time |
The last time the indicator was seen (UTC). |
Malware family names
|
malwareFamilyNames | array of string |
The malware family name associated with an indicator if it exists. |
Passive Only
|
passiveOnly | boolean |
Determines if the indicator should trigger an event that is visible to an end-user. |
Severity
|
severity | integer |
Severity of the malicious behavior identified by the data within the indicator. Values are from 0 – 5 with 5 being most severe. Default value is 3. |
Tags
|
tags | array of string | |
Target Product
|
targetProduct | string |
Single security product to which the indicator should be applied. Acceptable values are: Azure Sentinel, Microsoft Defender ATP. |
Threat Type
|
threatType | string |
Each indicator must have a valid Indicator Threat Type. Possible values are: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList. |
Tlp level
|
tlpLevel | string |
Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red. |
Email encoding
|
emailEncoding | string |
The type of text encoding used in the email. |
Email language
|
emailLanguage | string |
The language of the email. |
Email recipient
|
emailRecipient | string |
Recipient email address. |
Email sender address
|
emailSenderAddress | string |
Email address of the attacker|victim. |
Email sender name
|
emailSenderName | string |
Displayed name of the attacker|victim. |
Email source domain
|
emailSourceDomain | string |
Domain used in the email. |
Email source Ip address
|
emailSourceIpAddress | string |
Source IP address of email. |
Email subject
|
emailSubject | string |
Subject line of email. |
Email XMailer
|
emailXMailer | string |
X-Mailer value used in the email. |
File compile date time
|
fileCompileDateTime | date-time |
DateTime when the file was compiled. |
File created date time
|
fileCreatedDateTime | date-time |
DateTime when the file was created. |
File hash type
|
fileHashType | string |
The type of hash stored in fileHashValue. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph. |
File hash value
|
fileHashValue | string |
The file hash value. |
File mutex name
|
fileMutexName | string |
Mutex name used in file-based detections. |
File name
|
fileName | string |
Name of the file if the indicator is file-based. |
File packer
|
filePacker | string |
The packer used to build the file in question. |
File path
|
filePath | string |
Path of file indicating compromise. May be a Windows or *nix style path. |
File size
|
fileSize | integer |
Size of the file in bytes. |
File type
|
fileType | string |
Text description of the type of file. For example, “Word Document” or “Binary”. |
Domain name
|
domainName | string |
Domain name associated with this indicator. |
Network cidr block
|
networkCidrBlock | string |
CIDR Block notation representation of the network referenced in this indicator. |
Network destination Asn
|
networkDestinationAsn | integer |
The destination autonomous system identifier of the network referenced in the indicator. |
Network destination cidr block
|
networkDestinationCidrBlock | string |
CIDR Block notation representation of the destination network in this indicator. |
Network destination IPv4
|
networkDestinationIPv4 | string |
IPv4 IP address destination. |
Network destination IPv6
|
networkDestinationIPv6 | string |
IPv6 IP address destination. |
Network destination port
|
networkDestinationPort | integer |
TCP port destination. |
Network IPv4
|
networkIPv4 | string |
IPv4 IP address. |
Network IPv6
|
networkIPv6 | string |
IPv6 IP address. |
Network port
|
networkPort | integer |
TCP port. |
Network protocol
|
networkProtocol | integer |
Decimal representation of the protocol field in the IPv4 header. |
Network source Asn
|
networkSourceAsn | integer |
The source autonomous system identifier of the network referenced in the indicator. |
Network source cidr block
|
networkSourceCidrBlock | string |
CIDR Block notation representation of the source network in this indicator. |
Network source IPv4
|
networkSourceIPv4 | string |
IPv4 IP address source. |
Network destination IPv6
|
networkSourceIPv6 | string |
IPv6 IP address source. |
Network source port
|
networkSourcePort | integer |
TCP port source. |
Url
|
url | string |
Uniform Resource Locator. |
User agent
|
userAgent | string |
User-Agent string from a web request that could indicate compromise. |