az sentinel threat-indicator
Note
This reference is part of the sentinel extension for the Azure CLI (version 2.37.0 or higher). The extension will automatically install the first time you run an az sentinel threat-indicator command. Learn more about extensions.
Manage threat intelligence indicators in a Microsoft Sentinel workspace.
Name | Description | Type | Status |
---|---|---|---|
az sentinel threat-indicator append-tag | Append tags to a threat intelligence indicator. | Extension | Experimental |
az sentinel threat-indicator create | Create a new threat intelligence indicator. | Extension | Experimental |
az sentinel threat-indicator delete | Delete a threat intelligence indicator. | Extension | Experimental |
az sentinel threat-indicator list | Get all threat intelligence indicators. | Extension | Experimental |
az sentinel threat-indicator metric | Manage threat intelligence indicator metrics in Microsoft Sentinel. | Extension | GA |
az sentinel threat-indicator metric list | Get threat intelligence indicator metrics (indicator counts by type, threat type and source). | Extension | GA |
az sentinel threat-indicator query | Query threat intelligence indicators by filtering criteria. | Extension | Experimental |
az sentinel threat-indicator replace-tag | Replace the tags on a threat intelligence indicator. | Extension | Experimental |
az sentinel threat-indicator show | View a threat intelligence indicator by name. | Extension | Experimental |
az sentinel threat-indicator update | Update a threat intelligence indicator. | Extension | Experimental |
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Append tags to a threat intelligence indicator. Existing tags are kept; to overwrite them use replace-tag.
az sentinel threat-indicator append-tag --name
                                        --resource-group
                                        --workspace-name
                                        [--intelligence-tags]
Required Parameters
--name
Threat intelligence indicator name field: the indicator's resource name (the name value returned by create, list and query), not its display name.
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--workspace-name
The name of the workspace.
Optional Parameters
--intelligence-tags
List of tags to be appended. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output -o
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Create a new threat intelligence indicator. There is no --name argument: the service assigns the indicator's resource name and returns it in the response (the name field), so capture it if you need to show, update, tag or delete the indicator later.
az sentinel threat-indicator create --resource-group
                                    --workspace-name
                                    [--confidence]
                                    [--created]
                                    [--created-by-ref]
                                    [--defanged {0, 1, f, false, n, no, t, true, y, yes}]
                                    [--description]
                                    [--display-name]
                                    [--etag]
                                    [--external-id]
                                    [--external-references]
                                    [--external-updated-time]
                                    [--granular-markings]
                                    [--indicator-types]
                                    [--kill-chain-phases]
                                    [--labels]
                                    [--language]
                                    [--last-updated-time]
                                    [--modified]
                                    [--object-marking-refs]
                                    [--parsed-pattern]
                                    [--pattern]
                                    [--pattern-type]
                                    [--pattern-version]
                                    [--revoked {0, 1, f, false, n, no, t, true, y, yes}]
                                    [--source]
                                    [--threat-tags]
                                    [--threat-types]
                                    [--valid-from]
                                    [--valid-until]
Required Parameters
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--workspace-name
The name of the workspace.
Optional Parameters
--confidence
Confidence of the threat intelligence entity, 0 to 100.
--created
Creation time of the threat intelligence entity (STIX created timestamp, UTC).
--created-by-ref
Created-by reference (STIX created_by_ref) of the threat intelligence entity.
--defanged
Whether the indicator value is defanged (for example hxxp:// or 203[.]0[.]113[.]5).
--description
Description of the threat intelligence entity.
--display-name
Display name of the threat intelligence entity.
--etag
Etag of the Azure resource.
--external-id
External ID of the threat intelligence entity (its identifier in the originating feed).
--external-references
External references. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--external-updated-time
Time the entity was last updated in its external source, UTC.
--granular-markings
Granular markings. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--indicator-types
Indicator types of the threat intelligence entity. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--kill-chain-phases
Kill chain phases. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--labels
Labels of the threat intelligence entity. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--language
Language of the threat intelligence entity.
--last-updated-time
Last updated time in UTC.
--modified
Last modification time of the threat intelligence entity (STIX modified timestamp, UTC).
--object-marking-refs
Object marking references (for example TLP markings) of the threat intelligence entity. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--parsed-pattern
Parsed patterns. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--pattern
STIX pattern of the indicator, for example [ipv4-addr:value = '203.0.113.5'].
--pattern-type
STIX pattern type of the indicator, for example ipv4-addr, domain-name, url or file.
--pattern-version
Pattern version of the threat intelligence entity.
--revoked
Whether the threat intelligence entity is revoked.
--source
Source of the threat intelligence entity (the feed or team it came from).
--threat-tags
List of tags. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--threat-types
Threat types, for example malicious-activity. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--valid-from
Start of the indicator's validity window, ISO 8601 UTC (for example 2024-01-31T00:00:00Z).
--valid-until
End of the indicator's validity window, ISO 8601 UTC.
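The create and append-tag commands above are normally driven from a feed rather than typed by hand. The following is an added example for this page, not code from the Azure CLI or the sentinel extension: it refangs feed values, builds the STIX pattern for --pattern (escaping quotes, because the pattern is a query language and a stray quote from a feed must not be interpolated raw), clamps --confidence to 0-100, derives --valid-from/--valid-until, and captures the service-assigned name from create so that append-tag can address the new indicator. The resource group, workspace, source and tag values, the constructed SAMPLE_FEED entries, and the use of the STIX observable names ipv4-addr, ipv6-addr, domain-name, url and file as --pattern-type values are assumptions, not taken from the page.

```python
# Added example (not Azure CLI or sentinel-extension code): build the
# `az sentinel threat-indicator create` / `append-tag` calls for feed IoCs.
import re
import shlex
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample feed (documentation-range values, not real indicators).
# Values arrive defanged, as most sharing channels publish them.
SAMPLE_FEED = [
    {"kind": "ipv4-addr", "value": "203[.]0[.]113[.]5", "confidence": 80},
    {"kind": "domain-name", "value": "bad[.]example", "confidence": 60},
    {"kind": "url", "value": "hxxps://bad[.]example/it's/here", "confidence": 90},
    {"kind": "file", "confidence": 120,
     "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
]
DEMO_NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)  # fixed clock for a reproducible demo


def refang(value: str) -> str:
    """Undo common defanging so the stored pattern matches live telemetry."""
    value = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value)
    value = re.sub(r"\[:\]", ":", value)
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def stix_string(value: str) -> str:
    """Quote a value as a STIX string literal, escaping backslash and quote."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def stix_pattern(kind: str, value: str) -> str:
    """STIX comparison expression for the observable kinds handled here (assumed set)."""
    if kind in ("ipv4-addr", "ipv6-addr", "domain-name", "url"):
        return f"[{kind}:value = {stix_string(value)}]"
    if kind == "file":
        if not re.fullmatch(r"[0-9a-fA-F]{64}", value):
            raise ValueError("file indicators here must be SHA-256 hex digests")
        return f"[file:hashes.'SHA-256' = {stix_string(value.lower())}]"
    raise ValueError(f"unsupported indicator kind: {kind}")


def iso_utc(ts: datetime) -> str:
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def create_argv(entry: dict, rg: str, ws: str, source: str,
                now: datetime = None, ttl_days: int = 90) -> list:
    """argv for `create`. Confidence is clamped to 0-100, the validity window is
    derived from `now`, and --query/--output make az print only the new name."""
    now = now or datetime.now(timezone.utc)
    value = refang(entry["value"])
    confidence = max(0, min(100, int(entry["confidence"])))
    return [
        "az", "sentinel", "threat-indicator", "create",
        "--resource-group", rg, "--workspace-name", ws,
        "--display-name", f"{entry['kind']}: {value}",
        "--pattern", stix_pattern(entry["kind"], value),
        "--pattern-type", entry["kind"],
        "--source", source,
        "--confidence", str(confidence),
        "--threat-types", "[malicious-activity]",  # shorthand list syntax
        "--valid-from", iso_utc(now),
        "--valid-until", iso_utc(now + timedelta(days=ttl_days)),
        "--defanged", "false",                     # the refanged value is stored
        "--query", "name", "--output", "tsv",
    ]


def append_tag_argv(name: str, rg: str, ws: str, tags: list) -> list:
    """argv for `append-tag`, addressing the indicator by its resource name."""
    for tag in tags:  # keep tags free of shorthand-syntax delimiters
        if not re.fullmatch(r"[A-Za-z0-9_-]+", tag):
            raise ValueError(f"tag needs quoting for shorthand syntax: {tag!r}")
    return ["az", "sentinel", "threat-indicator", "append-tag", "--name", name,
            "--resource-group", rg, "--workspace-name", ws,
            "--intelligence-tags", "[" + ",".join(tags) + "]"]


def run_az(argv: list) -> str:
    """Run one az command and return its stdout."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout.strip()


def ingest(feed: list, rg: str, ws: str, source: str, tags: list, run=run_az) -> list:
    """Create each indicator, tag it, and return (kind, value, name) triples."""
    created = []
    for entry in feed:
        name = run(create_argv(entry, rg, ws, source))     # service-assigned name
        run(append_tag_argv(name, rg, ws, tags))
        created.append((entry["kind"], refang(entry["value"]), name))
    return created


if __name__ == "__main__":
    def echo(argv):  # dry run: print the exact command lines instead of calling az
        print(shlex.join(argv))
        return "<indicator-name>"

    ingest(SAMPLE_FEED, "rg-sentinel", "law-sentinel", "feed-example",
           ["feed-example", "reviewed"], run=echo)
```

Run it as-is to see the command lines; pass run=run_az to execute them against a workspace you are logged in to. Storing the refanged value with --defanged false is deliberate: analytics rules match indicator values against live telemetry, which is never defanged.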
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Delete a threat intelligence indicator. Identify it either with --ids or with --name, --resource-group and --workspace-name. Deletion is permanent; if you only want the indicator to stop matching, set --revoked true with update instead.
az sentinel threat-indicator delete [--ids]
                                    [--name]
                                    [--resource-group]
                                    [--subscription]
                                    [--workspace-name]
                                    [--yes]
Optional Parameters
--ids
One or more resource IDs (space-delimited). Each must be a complete resource ID containing all the information the 'Resource Id' arguments (--name, --resource-group, --workspace-name, --subscription) would supply. Provide either --ids or those arguments, not both.
--name
Threat intelligence indicator name field: the indicator's resource name, not its display name.
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--workspace-name
The name of the workspace.
--yes
Do not prompt for confirmation.
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Get all threat intelligence indicators in the workspace, optionally filtered, sorted and paged with OData parameters.
az sentinel threat-indicator list --resource-group
                                  --workspace-name
                                  [--filter]
                                  [--orderby]
                                  [--skip-token]
                                  [--top]
Required Parameters
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--workspace-name
The name of the workspace.
Optional Parameters
--filter
Filters the results based on a Boolean condition (OData $filter). Optional.
--orderby
Sorts the results (OData $orderby). Optional.
--skip-token
Continuation token, only used when a previous call returned a partial result. If a response contains a nextLink element, its value includes a skiptoken parameter that specifies the starting point for the next call. Optional.
--top
Returns only the first n results. Optional.
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Query threat intelligence indicators by filtering criteria (confidence range, validity window, pattern types, sources, threat types, keywords), with page-size and skip-token paging.
az sentinel threat-indicator query --resource-group
                                   --workspace-name
                                   [--ids]
                                   [--include-disabled {0, 1, f, false, n, no, t, true, y, yes}]
                                   [--keywords]
                                   [--max-confidence]
                                   [--max-valid-until]
                                   [--min-confidence]
                                   [--min-valid-until]
                                   [--page-size]
                                   [--pattern-types]
                                   [--skip-token]
                                   [--sort-by]
                                   [--sources]
                                   [--threat-types]
Required Parameters
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--workspace-name
The name of the workspace.
Optional Parameters
--ids
IDs of the threat intelligence indicators to return. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--include-disabled
Whether to include disabled indicators in the results.
--keywords
Keywords to search threat intelligence indicators for. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--max-confidence
Maximum confidence (0 to 100).
--max-valid-until
Upper bound for the ValidUntil filter (ISO 8601 UTC).
--min-confidence
Minimum confidence (0 to 100).
--min-valid-until
Lower bound for the ValidUntil filter (ISO 8601 UTC).
--page-size
Number of indicators per page.
--skip-token
Continuation token from a previous page of results.
--sort-by
Columns to sort by and the sort order. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--sources
Sources of the threat intelligence indicators. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--threat-types
Threat types of the threat intelligence indicators. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Replace the tags on a threat intelligence indicator. Unlike append-tag, which adds to the existing tags, the list given in --intelligence-tags becomes the indicator's tag set.
az sentinel threat-indicator replace-tag --name
                                         --resource-group
                                         --workspace-name
                                         [--confidence]
                                         [--created]
                                         [--created-by-ref]
                                         [--defanged {0, 1, f, false, n, no, t, true, y, yes}]
                                         [--description]
                                         [--display-name]
                                         [--etag]
                                         [--external-id]
                                         [--external-references]
                                         [--external-updated-time]
                                         [--granular-markings]
                                         [--indicator-types]
                                         [--intelligence-tags]
                                         [--kill-chain-phases]
                                         [--labels]
                                         [--language]
                                         [--last-updated-time]
                                         [--modified]
                                         [--object-marking-refs]
                                         [--parsed-pattern]
                                         [--pattern]
                                         [--pattern-type]
                                         [--pattern-version]
                                         [--revoked {0, 1, f, false, n, no, t, true, y, yes}]
                                         [--source]
                                         [--threat-types]
                                         [--valid-from]
                                         [--valid-until]
Required Parameters
--name
Threat intelligence indicator name field: the indicator's resource name, not its display name.
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--workspace-name
The name of the workspace.
Optional Parameters
--confidence
Confidence of the threat intelligence entity, 0 to 100.
--created
Creation time of the threat intelligence entity (STIX created timestamp, UTC).
--created-by-ref
Created-by reference (STIX created_by_ref) of the threat intelligence entity.
--defanged
Whether the indicator value is defanged (for example hxxp:// or 203[.]0[.]113[.]5).
--description
Description of the threat intelligence entity.
--display-name
Display name of the threat intelligence entity.
--etag
Etag of the Azure resource.
--external-id
External ID of the threat intelligence entity (its identifier in the originating feed).
--external-references
External references. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--external-updated-time
Time the entity was last updated in its external source, UTC.
--granular-markings
Granular markings. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--indicator-types
Indicator types of the threat intelligence entity. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--intelligence-tags
List of tags that replaces the indicator's current tags. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--kill-chain-phases
Kill chain phases. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--labels
Labels of the threat intelligence entity. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--language
Language of the threat intelligence entity.
--last-updated-time
Last updated time in UTC.
--modified
Last modification time of the threat intelligence entity (STIX modified timestamp, UTC).
--object-marking-refs
Object marking references (for example TLP markings) of the threat intelligence entity. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--parsed-pattern
Parsed patterns. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--pattern
STIX pattern of the indicator, for example [ipv4-addr:value = '203.0.113.5'].
--pattern-type
STIX pattern type of the indicator, for example ipv4-addr, domain-name, url or file.
--pattern-version
Pattern version of the threat intelligence entity.
--revoked
Whether the threat intelligence entity is revoked.
--source
Source of the threat intelligence entity (the feed or team it came from).
--threat-types
Threat types, for example malicious-activity. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--valid-from
Start of the indicator's validity window, ISO 8601 UTC (for example 2024-01-31T00:00:00Z).
--valid-until
End of the indicator's validity window, ISO 8601 UTC.
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
View a threat intelligence indicator by name. Identify it either with --ids or with --name, --resource-group and --workspace-name.
az sentinel threat-indicator show [--ids]
                                  [--name]
                                  [--resource-group]
                                  [--subscription]
                                  [--workspace-name]
Optional Parameters
--ids
One or more resource IDs (space-delimited). Each must be a complete resource ID containing all the information the 'Resource Id' arguments (--name, --resource-group, --workspace-name, --subscription) would supply. Provide either --ids or those arguments, not both.
--name
Threat intelligence indicator name field: the indicator's resource name, not its display name.
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--workspace-name
The name of the workspace.
This command is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Update a threat intelligence indicator. Identify it either with --ids or with --name, --resource-group and --workspace-name; only the properties you pass are changed.
az sentinel threat-indicator update [--confidence]
                                    [--created]
                                    [--created-by-ref]
                                    [--defanged {0, 1, f, false, n, no, t, true, y, yes}]
                                    [--description]
                                    [--display-name]
                                    [--etag]
                                    [--external-id]
                                    [--external-references]
                                    [--external-updated-time]
                                    [--granular-markings]
                                    [--ids]
                                    [--indicator-types]
                                    [--kill-chain-phases]
                                    [--labels]
                                    [--language]
                                    [--last-updated-time]
                                    [--modified]
                                    [--name]
                                    [--object-marking-refs]
                                    [--parsed-pattern]
                                    [--pattern]
                                    [--pattern-type]
                                    [--pattern-version]
                                    [--resource-group]
                                    [--revoked {0, 1, f, false, n, no, t, true, y, yes}]
                                    [--source]
                                    [--subscription]
                                    [--threat-tags]
                                    [--threat-types]
                                    [--valid-from]
                                    [--valid-until]
                                    [--workspace-name]
Optional Parameters
--confidence
Confidence of the threat intelligence entity, 0 to 100.
--created
Creation time of the threat intelligence entity (STIX created timestamp, UTC).
--created-by-ref
Created-by reference (STIX created_by_ref) of the threat intelligence entity.
--defanged
Whether the indicator value is defanged (for example hxxp:// or 203[.]0[.]113[.]5).
--description
Description of the threat intelligence entity.
--display-name
Display name of the threat intelligence entity.
--etag
Etag of the Azure resource.
--external-id
External ID of the threat intelligence entity (its identifier in the originating feed).
--external-references
External references. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--external-updated-time
Time the entity was last updated in its external source, UTC.
--granular-markings
Granular markings. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--ids
One or more resource IDs (space-delimited). Each must be a complete resource ID containing all the information the 'Resource Id' arguments (--name, --resource-group, --workspace-name, --subscription) would supply. Provide either --ids or those arguments, not both.
--indicator-types
Indicator types of the threat intelligence entity. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--kill-chain-phases
Kill chain phases. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--labels
Labels of the threat intelligence entity. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--language
Language of the threat intelligence entity.
--last-updated-time
Last updated time in UTC.
--modified
Last modification time of the threat intelligence entity (STIX modified timestamp, UTC).
--name
Threat intelligence indicator name field: the indicator's resource name, not its display name.
--object-marking-refs
Object marking references (for example TLP markings) of the threat intelligence entity. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--parsed-pattern
Parsed patterns. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--pattern
STIX pattern of the indicator, for example [ipv4-addr:value = '203.0.113.5'].
--pattern-type
STIX pattern type of the indicator, for example ipv4-addr, domain-name, url or file.
--pattern-version
Pattern version of the threat intelligence entity.
--resource-group
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--revoked
Whether the threat intelligence entity is revoked.
--source
Source of the threat intelligence entity (the feed or team it came from).
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--threat-tags
List of tags. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--threat-types
Threat types, for example malicious-activity. Supports shorthand syntax, json-file and yaml-file. Try "??" to show more.
--valid-from
Start of the indicator's validity window, ISO 8601 UTC (for example 2024-01-31T00:00:00Z).
--valid-until
End of the indicator's validity window, ISO 8601 UTC.
--workspace-name
The name of the workspace.
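A routine use of list together with update is indicator hygiene: find indicators whose --valid-until has passed and revoke them so they stop matching while the record stays available for investigations. The following is an added example for this page, not code from the Azure CLI or the sentinel extension. It assumes that the JSON printed by list -o json is an array of records with id, name and a properties object carrying validUntil and revoked (the shape below and the four sample records are constructed, not captured output), and it addresses each indicator with --ids so that the resource group and workspace do not have to be repeated.

```python
# Added example (not Azure CLI or sentinel-extension code): triage
# `az sentinel threat-indicator list -o json` output and build the `update`
# calls that revoke indicators whose validity window has closed.
import json
import re
import subprocess
from datetime import datetime, timedelta, timezone

DEMO_NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)  # fixed clock for the demo
_RES = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sentinel"
        "/providers/Microsoft.OperationalInsights/workspaces/law-sentinel"
        "/providers/Microsoft.SecurityInsights/threatIntelligence/main/indicators/")


def _rec(name, display, valid_until, revoked):
    """One constructed list record in the assumed output shape."""
    return {"id": _RES + name, "name": name,
            "properties": {"displayName": display, "validUntil": valid_until,
                           "revoked": revoked}}


# Constructed sample of what `list -o json` is assumed to print (not real data).
SAMPLE_LIST_JSON = json.dumps([
    _rec("aaaa", "ipv4-addr: 203.0.113.5", "2024-01-15T00:00:00.0000000Z", False),
    _rec("bbbb", "domain-name: bad.example", "2024-02-03T12:00:00Z", False),
    _rec("cccc", "url: https://bad.example/x", "2024-01-01T00:00:00Z", True),
    _rec("dddd", "file: e3b0c442...", None, False),
])


def parse_ts(s: str) -> datetime:
    """Parse Azure UTC timestamps: trailing Z and up to 7 fractional digits,
    which datetime.fromisoformat before Python 3.11 does not accept."""
    if s.endswith("Z"):
        s = s[:-1] + "+00:00"
    m = re.match(r"^(.*T\d\d:\d\d:\d\d)(\.\d+)?(.*)$", s)
    if m and m.group(2):
        s = m.group(1) + m.group(2)[:7] + m.group(3)   # keep at most 6 digits
    dt = datetime.fromisoformat(s)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def triage(indicators: list, now: datetime, soon_days: int = 7):
    """Split active indicators into expired and expiring-soon (name, id) lists."""
    expired, expiring = [], []
    for ind in indicators:
        props = ind.get("properties", ind)          # tolerate a flattened record
        if props.get("revoked") or not props.get("validUntil"):
            continue                                # already revoked, or no expiry
        until = parse_ts(props["validUntil"])
        if until <= now:
            expired.append((ind["name"], ind["id"]))
        elif until <= now + timedelta(days=soon_days):
            expiring.append((ind["name"], ind["id"]))
    return expired, expiring


def list_argv(rg: str, ws: str) -> list:
    return ["az", "sentinel", "threat-indicator", "list",
            "--resource-group", rg, "--workspace-name", ws, "--output", "json"]


def revoke_argv(resource_id: str) -> list:
    """`update` addressed by full resource ID; only --revoked is changed."""
    return ["az", "sentinel", "threat-indicator", "update",
            "--ids", resource_id, "--revoked", "true"]


def run_az(argv: list) -> str:
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def revoke_expired(rg: str, ws: str, now: datetime = None, run=run_az):
    """Revoke every expired indicator; return (revoked names, expiring-soon names)."""
    now = now or datetime.now(timezone.utc)
    expired, expiring = triage(json.loads(run(list_argv(rg, ws))), now)
    for _, rid in expired:
        run(revoke_argv(rid))
    return [n for n, _ in expired], [n for n, _ in expiring]


if __name__ == "__main__":
    def fake(argv):  # dry run over the constructed sample instead of a workspace
        print(" ".join(argv[:4]), "...")
        return SAMPLE_LIST_JSON if argv[3] == "list" else "{}"

    print(revoke_expired("rg-sentinel", "law-sentinel", now=DEMO_NOW, run=fake))
```

The expiring-soon list is returned rather than acted on so an analyst can decide whether to extend --valid-until or let the indicator lapse. Use delete --yes instead of revoking only when the record itself must go; revoking preserves it for later matching history.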