Connectors Reference
The Microsoft Graph Security connector helps to connect different Microsoft and partner security products and services, using a unified schema, to streamline security operations, and improve threat protection, detection, and response capabilities. Learn more about integrating with the Microsoft Graph Security API at https://aka.ms/graphsecuritydocs
|
Status: Preview |
Tier: Premium |
Version: beta |
|
Name |
Summary |
|
Get alerts |
|
|
Get alert by ID |
|
|
UpdateAlert (string alert-id, UpdateAlertParameterBody body) |
Update alert |
|
Get active subscriptions |
|
|
Create subscriptions |
|
|
Delete subscriptions |
|
|
UpdateSubscription (string Subscription Id, [Optional]UpdateSubscriptionParameterBody body) |
Update subscription |
|
Get tiIndicators |
|
|
Create tiIndicator |
|
|
Get tiIndicator by ID |
|
|
Delete tiIndicator by ID |
|
|
UpdateTiIndicator (string indicator-id, UpdateTiIndicatorParameterBody body) |
Update tiIndicator |
|
SubmitTiIndicators ([advanced]SubmitTiIndicatorsParameterBody body) |
Submit multiple tiIndicators |
|
Update multiple tiIndicators |
|
|
Delete multiple tiIndicators by IDs |
|
|
DeleteTiIndicatorsByExternalId (DeleteTiIndicatorsByExternalIdParameterBody body) |
Delete multiple tiIndicators by external IDs |
|
Name |
Summary |
|
On all new alerts |
|
|
OnNewHighSeverityAlerts ([internal][Optional]string $filter) |
On new high severity alerts |
|
Name |
Summary |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Summary: Get alerts
Description: Get a list of security alerts for this Azure Active Directory tenant. Use with different query parameters.
Syntax:
MicrosoftGraphSecurity.GetAlerts ([Optional]string $filter, [Optional]integer $top, [advanced][Optional]string $select, [advanced][Optional]string $orderby, [advanced][Optional]integer $skip, [advanced][Optional]string $count)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
$filter |
string (Filter alerts) |
Specify filtering condition for alerts like Severity eq "High". |
False |
|
|
$top |
integer(int32) (Top alerts) |
Specify the recent most top number of alerts to retrieve from each provider. |
False |
|
|
$select |
string (Select alert properties) |
Specify alert properties to include in the results. |
False |
|
|
$orderby |
string (Sorting order) |
Specify sorting order for the results. |
False |
|
|
$skip |
integer(int32) (Skips "n" results) |
Specify number of results to skip. Useful for pagination. |
False |
|
|
$count |
string (Include count of alerts returned)Values: [true, false] |
Specify to include the number of alerts returned in the response |
False |
Returns:
Type:GetAlertsResponse
Summary: Get alert by ID
Description: Get a security alert corresponding to the specified ID.
Syntax:
MicrosoftGraphSecurity.GetAlertById (string alert-id)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
alert-id |
string (Alert ID) |
Specify alert ID. |
True |
Returns:
Type:AlertAlert
Title: Alert
Description: A single alert entity returned
Summary: Update alert
Description: Update specific properties of a security alert.
Syntax:
MicrosoftGraphSecurity.UpdateAlert (string alert-id, UpdateAlertParameterBody body)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
alert-id |
string (Alert ID) |
Specify alert ID. |
True |
|
|
body |
|
|
True |
Returns:
Summary: Get active subscriptions
Description: Get the list of unexpired subscriptions for this Azure Active Directory tenant.
Syntax:
MicrosoftGraphSecurity.GetActiveSubscriptions ()
Returns:
Type:GetActiveSubscriptionsResponse
Summary: Create subscriptions
Description: Create Microsoft Graph webhook subscriptions.
Syntax:
MicrosoftGraphSecurity.CreateSubscriptions (CreateSubscriptionsParameterBody body)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
body |
CreateSubscriptionsParameterBody
|
|
True |
Returns:
Type:SubscriptionSubscription
Title: Subscription
Description: A single subscription entity returned
Summary: Delete subscriptions
Description: Delete the specific Microsoft Graph Webhook subscription.
Syntax:
MicrosoftGraphSecurity.DeleteSubscription (string Subscription Id)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
Subscription Id |
string (Subscription ID) |
Specify the Microsoft Graph Webhook Subscription ID. |
True |
Returns:
Summary: Update subscription
Description: Renew a Microsoft Graph webhook subscription by updating its expiration time.
Syntax:
MicrosoftGraphSecurity.UpdateSubscription (string Subscription Id, [Optional]UpdateSubscriptionParameterBody body)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
Subscription Id |
string (Subscription ID) |
Specify Microsoft Graph Webhook subscription ID. |
True |
|
|
body |
UpdateSubscriptionParameterBody
|
|
False |
Returns:
Type:SubscriptionSubscription
Title: Subscription
Description: A single subscription entity returned
Summary: Get tiIndicators
Description: Get a list of threat intelligence indicators for this Azure Active Directory tenant. Use with different query parameters.
Syntax:
MicrosoftGraphSecurity.GetTiIndicators ([Optional]string $filter, [Optional]integer $top, [advanced][Optional]string $select, [advanced][Optional]string $count, [advanced][Optional]integer $skip, [advanced][Optional]string $orderby)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
$filter |
string (Filter tiIndicators) |
Specify filtering condition for threat intelligence indicators like threatType eq 'WatchList' |
False |
|
|
$top |
integer (Top tiIndicators) |
Specify the recent top number of threat intelligence indicators to be retrieved |
False |
|
|
$select |
string (Select tiIndicator properties) |
Specify threat intelligence indicator properties to include in the results. |
False |
|
|
$count |
string (Include count of tiIndicators returned)Values: [true, false] |
Specify to include the number of threat intelligence indicators returned in the response |
False |
|
|
$skip |
integer(int32) (Skips "n" results) |
Specify number of results to skip. Useful for pagination. |
False |
|
|
$orderby |
string (Sorting order) |
Specify sorting order for the results. |
False |
Returns:
Summary: Create tiIndicator
Description: Create a new threat intelligence indicator by posting to the tiIndicators collection.
Syntax:
MicrosoftGraphSecurity.CreateTiIndicator (CreateTiIndicatorParameterBody body)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
body |
CreateTiIndicatorParameterBody
|
|
True |
Returns:
Type:TiIndicatorTiIndicator
Title: TiIndicator
Description: A single TiIndicator entity returned
Summary: Get tiIndicator by ID
Description: Get a threat intelligence indicator corresponding to the specified ID.
Syntax:
MicrosoftGraphSecurity.GetTiIndicatorbyId (string indicator-id)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
indicator-id |
string (TiIndicator ID) |
Specify threat intelligence indicator ID |
True |
Returns:
Type:TiIndicatorTiIndicator
Title: TiIndicator
Description: A single TiIndicator entity returned
Summary: Delete tiIndicator by ID
Description: Delete a threat intelligence indicator corresponding to the specified ID.
Syntax:
MicrosoftGraphSecurity.DeleteTiIndicator (string indicator-id)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
indicator-id |
string (TiIndicator ID) |
Specify threat intelligence indicator ID |
True |
Returns:
Summary: Update tiIndicator
Description: Update specific properties of a threat intelligence indicator. Required fields for the tiIndicator are: Id, expirationDateTime, and targetProduct.
Syntax:
MicrosoftGraphSecurity.UpdateTiIndicator (string indicator-id, UpdateTiIndicatorParameterBody body)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
indicator-id |
string (TiIndicator ID) |
Specify threat intelligence indicator ID. |
True |
|
|
body |
UpdateTiIndicatorParameterBody
|
|
True |
Returns:
Summary: Submit multiple tiIndicators
Description: Create new threat intelligence indicators by posting a tiIndicators collection. Required fields for each tiIndicator are: action, azureTenantId, description, expirationDateTime, targetProduct, threatType, tlpLevel.
Syntax:
MicrosoftGraphSecurity.SubmitTiIndicators ([advanced]SubmitTiIndicatorsParameterBody body)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
body |
SubmitTiIndicatorsParameterBody
|
|
True |
Returns:
Type:SubmitTiIndicatorsResponse
Summary: Update multiple tiIndicators
Description: Update specific properties of multiple threat intelligence indicators. Required fields for each tiIndicator are: Id, expirationDateTime, and targetProduct.
Syntax:
MicrosoftGraphSecurity.UpdateTiIndicators (UpdateTiIndicatorsParameterBody body)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
body |
UpdateTiIndicatorsParameterBody
|
|
True |
Returns:
Type:UpdateTiIndicatorsResponse
Summary: Delete multiple tiIndicators by IDs
Description: Delete multiple threat intelligence indicators corresponding to the specified IDs.
Syntax:
MicrosoftGraphSecurity.DeleteTiIndicators (DeleteTiIndicatorsParameterBody body)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
body |
DeleteTiIndicatorsParameterBody
|
|
True |
Returns:
Type:DeleteTiIndicatorsResponse
Summary: Delete multiple tiIndicators by external IDs
Description: Delete multiple threat intelligence indicators corresponding to the specified external IDs.
Syntax:
MicrosoftGraphSecurity.DeleteTiIndicatorsByExternalId (DeleteTiIndicatorsByExternalIdParameterBody body)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
body |
DeleteTiIndicatorsByExternalIdParameterBody
|
|
True |
Returns:
Type:DeleteTiIndicatorsByExternalIdResponse
Summary: On all new alerts
Description: Triggers on all new alerts
Syntax:
MicrosoftGraphSecurity.OnAllNewAlerts ([internal][Optional]string $filter)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
$filter |
string
|
|
False |
Returns:
Summary: On new high severity alerts
Description: Triggers on new high severity alerts
Syntax:
MicrosoftGraphSecurity.OnNewHighSeverityAlerts ([internal][Optional]string $filter)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
$filter |
string
|
|
False |
Returns:
Type:OnNewHighSeverityAlertsResponse
Summary:
Description: A single alert entity returned
Properties:
|
Name |
Type |
Summary |
|
azureSubscriptionId |
string
|
Azure subscription ID, present if this alert is related to an Azure resource. |
|
tags |
array of (string)
|
User-definable labels that can be applied to an alert and can serve as filter conditions (e.g. "HVA", "SAW", etc.). |
|
id |
string
|
Provider-generated GUID/unique identifier. |
|
azureTenantId |
string
|
Azure Active Directory tenant ID. |
|
activityGroupName |
string
|
Name or alias of the activity group (attacker) this alert is attributed to. |
|
assignedTo |
string
|
Name of the analyst the alert is assigned to for triage, investigation, or remediation. |
|
category |
string
|
Category of the alert (e.g. credentialTheft, ransomware, etc.). |
|
closedDateTime |
string(date-time)
|
Time at which the alert was closed (UTC). |
|
comments |
array of (string)
|
Customer-provided comments on alert (for customer alert management). |
|
confidence |
integer(int32)
|
Confidence of the detection logic (percentage between 1-100). |
|
createdDateTime |
string(date-time)
|
Time at which the alert was created (UTC). |
|
description |
string
|
Alert description. |
|
detectionIds |
array of (string)
|
Set of alerts related to this alert entity. |
|
eventDateTime |
string(date-time)
|
Time at which the event(s) that served as the trigger(s) to generate the alert occurred (UTC). |
|
feedback |
string
|
Analyst feedback on the alert. Possible values are: unknown, truePositive, falsePositive, benignPositive. Values: [unknown, truePositive, benignPositive, falsePositive] |
|
lastModifiedDateTime |
string(date-time)
|
Time at which the alert entity was last modified (UTC). |
|
recommendedActions |
array of (string)
|
Vendor/Provider recommended action/s to take as a result of the alert (e.g. isolate machine, enforce2FA, reimage host, etc.). |
|
severity |
string
|
Alert severity - set by vendor/provider. Values: (high, medium, low, Informational) where "informational" infers that the alert is not actionable. Values: [high, medium, low, informational] |
|
sourceMaterials |
array of (string)
|
Hyperlinks (URIs) to the source material related to the alert, e.g. provider investigation UI, etc. |
|
status |
string
|
Alert lifecycle status (stage). Values: (unknown, newAlert, inProgress, resolved). Values: [unknown, newAlert, inProgress, resolved] |
|
title |
string
|
Alert title. |
|
vendorInformation |
|
Complex Type containing details about the Security product/service vendor, provider, and sub-provider. |
|
cloudAppStates |
array of (CloudAppStatesItem)
|
Security-related stateful information generated by the provider about the cloud application/s related to this alert. |
|
fileStates |
array of (FileStatesItem)
|
Security-related stateful information generated by the provider about the file(s) related to this alert. |
|
hostStates |
array of (HostStatesItem)
|
Security-related stateful information generated by the provider about the host(s) related to this alert. |
|
malwareStates |
array of (MalwareStatesItem)
|
Security-related stateful information generated by the provider about the malware related to this alert. |
|
networkConnections |
array of (NetworkConnectionsItem)
|
Security-related stateful information generated by the provider about the file(s) related to this alert. |
|
processes |
array of (ProcessesItem)
|
Security-related stateful information generated by the provider about the process or processes related to this alert. |
|
registryKeyStates |
array of (RegistryKeyStatesItem)
|
Security-related stateful information generated by the provider about the registry keys related to this alert. |
|
triggers |
array of (TriggersItem)
|
Security-related information about the specific properties that triggered the alert (properties appearing in the alert). Alerts might contain information about multiple users, hosts, files, ip addresses. This field indicates which properties triggered the alert generation. |
|
userStates |
array of (UserStatesItem)
|
Security-related stateful information generated by the provider about the logged-on user or users related to this alert. |
|
vulnerabilityStates |
array of (VulnerabilityStatesItem)
|
Threat intelligence pertaining to one or more vulnerabilities related to this alert. |
Summary:
Description: Complex Type containing details about the Security product/service vendor, provider, and sub-provider.
Properties:
|
Name |
Type |
Summary |
|
provider |
string
|
Specific provider (product/service - not vendor company); for example, WindowsDefenderATP. |
|
providerVersion |
string
|
Version of the provider or subprovider. |
|
subProvider |
string
|
Specific subprovider (under aggregating provider); for example, WindowsDefenderATP.SmartScreen. |
|
vendor |
string
|
Name of the alert vendor (for example, Microsoft, Dell, FireEye). |
Summary:
Description: Complex type containing stateful information about the cloud application (destinationServiceName, destinationServiceIp).
Properties:
|
Name |
Type |
Summary |
|
destinationServiceIp |
string
|
Destination IP address of the connection to cloud app/service. |
|
destinationServiceName |
string
|
Destination cloud app/service name. |
|
riskScore |
string
|
Provider-generated/calculated risk score of the Cloud Application/Service. |
Summary:
Description: Complex type containing information about the file (not process) related to the alert.
Properties:
|
Name |
Type |
Summary |
|
name |
string
|
File Name (without path). |
|
path |
string
|
Full file path of the file/imageFile. |
|
riskScore |
string
|
Provider generated/calculated risk score of the alert file. |
|
fileHash |
|
Complex type containing file hashes (cryptographic and location-sensitive). |
Summary:
Description: Complex type containing file hashes (cryptographic and location-sensitive).
Properties:
|
Name |
Type |
Summary |
|
type |
string
|
File hash type. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph, peSha1, peSha256. Values: [Sha1, Sha256, MD5, authenticodeHash256, LsHash, CTPH, peSha1, peSha256] |
|
value |
string
|
Value of the file hash. |
Summary:
Description: Complex type containing stateful information about the host (includes devices, machines, firewalls, etc.).
Properties:
|
Name |
Type |
Summary |
|
fqdn |
string
|
Host FQDN (Fully Qualified Domain Name). |
|
isAzureAdJoined |
boolean
|
True if the host is domain joined to Azure Active Directory Domain Services. |
|
isAzureAdRegistered |
boolean
|
True if the host registered with Azure Active Directory Device Registration (e.g. BYOD) - not fully managed by enterprise. |
|
isHybridAzureDomainJoined |
boolean
|
True if the host is domain joined to an on-premises Active Directory domain. |
|
netBiosName |
string
|
Local host name without DNS domain name. |
|
os |
string
|
Host Operating System. |
|
privateIpAddress |
string
|
Private (not routable) IPv4 or IPv6 Address at the time of the alert. |
|
publicIpAddress |
string
|
Publicly routable IPv4 or IPv6 Address at time of the alert. |
|
riskScore |
string
|
Provider-generated/calculated risk score of the host. |
Summary:
Description: Contains stateful information about the malware entity.
Properties:
|
Name |
Type |
Summary |
|
category |
string
|
Provider-generated malware category (e.g. trojan, ransomware, etc.). |
|
family |
string
|
Provider-generated malware family (e.g. "wannacry", "notpetya", etc.). |
|
name |
string
|
Provider-generated malware variant name (e.g. Trojan:Win32/Powessere.H). |
|
severity |
string
|
Provider-determined severity of this malware. |
|
wasRunning |
boolean
|
Indicates whether the detected file (malware/vulnerability) was running at the time of detection or was detected at rest on the disk. |
Summary:
Description: Complex type containing stateful information about the network connection related to the alert.
Properties:
|
Name |
Type |
Summary |
|
applicationName |
string
|
Name of the application managing the network connection (e.g. Facebook, SMTP, etc.). |
|
destinationAddress |
string
|
Destination IP address of the network connection. |
|
destinationDomain |
string
|
Destination domain portion of the destination URL.(for example "www.contoso.com"). |
|
destinationPort |
string
|
Destination port of the network connection. |
|
destinationUrl |
string
|
Network connection URL/URI string - excluding parameters. |
|
direction |
string
|
Network connection direction. Possible values are: unknown, inbound, outbound. Values: [inbound, outbound] |
|
domainRegisteredDateTime |
string(date-time)
|
Date the destination domain was registered (UTC). |
|
localDnsName |
string
|
The local DNS name resolution as it appears in the host local DNS cache (e.g. in case the "hosts" file was tampered with). |
|
natDestinationAddress |
string
|
Network Address Translation destination IP address. |
|
natDestinationPort |
string
|
Network Address Translation destination port. |
|
natSourceAddress |
string
|
Network Address Translation source IP address. |
|
natSourcePort |
string
|
Network Address Translation source port. |
|
protocol |
string
|
Network protocol. Possible values are: unknown, ip, icmp, igmp, ggp, ipv4, tcp, pup, udp, idp, ipv6, ipv6RoutingHeader, ipv6FragmentHeader, ipSecEncapsulatingSecurityPayload, ipSecAuthenticationHeader, icmpV6, ipv6NoNextHeader, ipv6DestinationOptions, nd, raw, ipx, spx, spxII. Values: [ip, imp, igmp, ggp, tcp, pup, udp, idp, ipv6, ipv6routingheader, ipv6fragmentheader, ipsecencapsulatingsecuritypayload, ipsecauthenticationheader, icmpv6, ipv6nonextheader, ipv6destinationoptions, nd, raw, ipx, spx, spxii] |
|
riskScore |
string
|
Provider generated/calculated risk score of the network connection. |
|
sourceAddress |
string
|
Source (i.e. origin) IP address of the network connection. |
|
sourcePort |
string
|
Source (i.e. origin) IP port of the network connection. |
|
status |
string
|
Network connection status. Possible values are: unknown, attempted, succeeded, blocked, failed. Values: [attempted, succeeded, blocked, failed] |
|
urlParameters |
string
|
Parameters (suffix) of the destination URL as a string. |
Summary:
Description: Complex Type containing stateful information about the process related to the alert.
Properties:
|
Name |
Type |
Summary |
|
accountName |
string
|
User account identifier (user account context the process ran under) e.g. AccountName, SID, etc. |
|
commandLine |
string
|
The full process invocation commandline including all parameters. |
|
createdDateTime |
string(date-time)
|
DateTime at which the parent process was started (UTC). |
|
integrityLevel |
string
|
The integrity level of the process. Possible values are: unknown, untrusted, low, medium, high, system. Values: [unknown, untrusted, low, medium, high, system] |
|
isElevated |
boolean
|
True if the process is elevated. |
|
name |
string
|
The name of the process Image file. |
|
parentProcessCreatedDateTime |
string(date-time)
|
Time at which the process was started (UTC). |
|
parentProcessId |
integer(int32)
|
The Process ID (PID) of the parent process. |
|
parentProcessName |
string
|
The name of the image file of the parent process. |
|
path |
string
|
Full path, including filename. |
|
processId |
integer(int32)
|
The Process ID (PID) of the process. |
|
fileHash |
|
Complex type containing file hashes (cryptographic and location-sensitive). |
Summary:
Description: Complex type containing file hashes (cryptographic and location-sensitive).
Properties:
|
Name |
Type |
Summary |
|
type |
string
|
File hash type. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph, peSha1, peSha256. Values: [Sha1, Sha256, MD5, authenticodeHash256, LsHash, CTPH] |
|
value |
string
|
Value of the file hash. |
Summary:
Description: Complex type containing information about registry key changes related to the alert, and the process that changed the registry keys.
Properties:
|
Name |
Type |
Summary |
|
process |
string
|
Process ID (PID) of the process that modified the registry key (process details will appear in the alert "processes" collection). |
|
operation |
string
|
Operation that changed the registry key name and/or value (add, modify, delete). Values: [add, modify, delete] |
|
valueType |
string
|
Registry key value type. Possible values are: unknown, binary, dword, dwordLittleEndian, dwordBigEndian, expandSz, link, multiSz, none, qword, qwordlittleEndian, sz. Values: [unknown, binary, dword, dwordLittleEndian, dwordBigEndian, expandSz, link, multiSz, none, qword, qwordlittleEndian, sz] |
|
hive |
string
|
Windows registry hive. Possible values are: unknown, currentConfig, currentUser, localMachineSam, localMachineSamSoftware, localMachineSystem, usersDefault. Values: [unknown, currentConfig, currentUser, localMachineSam, localMachineSamSoftware, localMachineSystem, usersDefault] |
|
key |
string
|
Current (i.e. changed) registry key (excludes HIVE). |
|
valueName |
string
|
Current (i.e. changed) registry key value name. |
|
valueData |
string
|
Current (i.e. changed) registry key value data (contents). |
|
oldKey |
string
|
Previous (i.e. before changed) registry key (excludes HIVE). |
|
oldValueName |
string
|
Previous (i.e. before changed) registry key value name. |
|
oldValueData |
string
|
Previous (i.e. before changed) registry key value data (contents). |
Summary:
Description: Contains information about the attribute that triggered a detection (properties exists in the alert entity).
Properties:
|
Name |
Type |
Summary |
|
name |
string
|
Name of the property serving as a detection trigger. |
|
type |
string
|
Type of the attribute in the key:value pair for interpretation, e.g. String, Boolean, etc. |
|
value |
string
|
Value of the attribute serving as a detection trigger. |
Summary:
Description: Contains stateful information about the user account.
Properties:
|
Name |
Type |
Summary |
|
aadUserId |
string
|
AAD User object identifier (GUID) - represents the physical/multi-account user entity. |
|
accountName |
string
|
Account name of user account (without Active Directory Domain or DNS Domain) - (also called "mailNickName"). |
|
domainName |
string
|
NetBIOS/Active Directory Domain of user account �(i.e. domain\account format). |
|
emailRole |
string
|
For email-related alerts - user account email role. Values: [sender, recipient] |
|
isVpn |
boolean
|
Indicates whether the user logged on through a VPN. |
|
logonDateTime |
string(date-time)
|
Time at which the logon occurred (UTC). |
|
logonId |
string
|
User sign-in ID. |
|
logonIp |
string
|
IP Address the logon request orginated from. |
|
logonLocation |
string
|
Location (by IP address mapping) associated with a user sign-in event by this user. |
|
logonType |
string
|
Method of user sign in. Possible values are: unknown, interactive, remoteInteractive, network, batch, service. Values: [unknown, interactive, remoteInteractive, network, batch, service] |
|
onPremisesSecurityIdentifier |
string
|
Active Directory (on-premises) Security Identifier (SID) of the user. |
|
riskScore |
string
|
Provider-generated/calculated risk score of the user account. |
|
userAccountType |
string
|
User account type (group membership), per Windows definition. Possible values are: unknown, standard, power, administrator. Values: [unknown, standard, power, administrator] |
|
userPrincipalName |
string
|
User sign-in name - internet format: <user account name>@<user account DNS domain name>. |
Summary:
Description: Contains stateful information about the vulnerability.
Properties:
|
Name |
Type |
Summary |
|
cve |
string
|
Common Vulnerabilities and Exposures (CVE) for the vulnerability. |
|
wasRunning |
boolean
|
Indicates whether the detected vulnerability (file) was running at the time of detection or was the file detected at rest on the disk. |
|
severity |
string
|
Base Common Vulnerability Scoring System (CVSS) severity score for this vulnerability. |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
resource |
string
|
Specify the resource that will be monitored for changes. Do not include base URL (https://graph.microsoft.com/v1.0/). Include security/alerts followed by the odata query. For e.g. security/alerts?$filter=status eq �New� |
|
changeType |
string
|
Specify the property type that should raise a notification when changed on the subscribed resource. |
|
clientState |
string
|
Specify the client state to confirm the notification origination source. |
|
notificationUrl |
string
|
Specify a well-formed URL of the endpoint that will receive notifications. |
|
expirationDateTime |
string(date-time)
|
Specify the date time when the webhook subscription expires; needs to be a date time greater than current time and within 30 days. Values: [@{addDays(utcnow(), 29)}] |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
action |
string
|
The action to apply if the indicator is matched from within the targetProduct security tool. Values: (unknown, allow, block, alert). Values: [unknown, allow, block, alert] |
|
activityGroupNames |
array of (string)
|
The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator. |
|
additionalInformation |
string
|
Extra data from the indicator not covered by the other tiIndicator properties may be placed |
|
azureTenantId |
string
|
The Azure Active Directory tenant id of submitting client. |
|
confidence |
integer(int32)
|
Confidence of the detection logic (percentage between 0-100). |
|
description |
string
|
TiIndicator description (100 charactes or less). |
|
diamondModel |
string
|
The area of the Diamond Model in which this indicator exists. Values: (unknown, adversary, capability, infrastructure, victim). Values: [unknown, adversary, capability, infrastructure, victim] |
|
expirationDateTime |
string(date-time)
|
Time at which the the Indicator expires (UTC). |
|
externalId |
string
|
An identification number that ties the indicator back to the indicator provider’s system (e.g. a foreign key). |
|
ingestedDateTime |
string(date-time)
|
Time at which the the Indicator is ingested (UTC). |
|
isActive |
boolean
|
By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system. |
|
killChain |
array of (string)
|
strings that describes which point or points on the Kill Chain this indicator targets. Values: (Actions, C2, Delivery, Exploitation, Installation, Reconnaissance, Weaponization). |
|
knownFalsePositives |
string
|
Scenarios in which the indicator may cause false positives. |
|
lastReportedDateTime |
string(date-time)
|
The last time the indicator was seen (UTC). |
|
malwareFamilyNames |
array of (string)
|
The malware family name associated with an indicator if it exists. |
|
passiveOnly |
boolean
|
Determines if the indicator should trigger an event that is visible to an end-user. |
|
severity |
integer(int32)
|
Severity of the malicious behavior identified by the data within the indicator. Values are from 0 – 5 with 5 being most severe. Default value is 3. |
|
tags |
array of (string)
|
|
|
targetProduct |
string
|
Single security product to which the indicator should be applied. Acceptable values are: Azure Sentinel, Microsoft Defender ATP. Values: [Azure Sentinel, Microsoft Defender ATP] |
|
threatType |
string
|
Each indicator must have a valid Indicator Threat Type. Possible values are: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList. Values: [Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList] |
|
tlpLevel |
string
|
Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red. Values: [unknown, white, green, amber, red] |
|
emailEncoding |
string
|
The type of text encoding used in the email. |
|
emailLanguage |
string
|
The language of the email. |
|
emailRecipient |
string
|
Recipient email address. |
|
emailSenderAddress |
string
|
Email address of the attacker|victim. |
|
emailSenderName |
string
|
Displayed name of the attacker|victim. |
|
emailSourceDomain |
string
|
Domain used in the email. |
|
emailSourceIpAddress |
string
|
Source IP address of email. |
|
emailSubject |
string
|
Subject line of email. |
|
emailXMailer |
string
|
X-Mailer value used in the email. |
|
fileCompileDateTime |
string(date-time)
|
DateTime when the file was compiled. |
|
fileCreatedDateTime |
string(date-time)
|
DateTime when the file was created. |
|
fileHashType |
string
|
The type of hash stored in fileHashValue. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph. Values: [unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph] |
|
fileHashValue |
string
|
The file hash value. |
|
fileMutexName |
string
|
Mutex name used in file-based detections. |
|
fileName |
string
|
Name of the file if the indicator is file-based. |
|
filePacker |
string
|
The packer used to build the file in question. |
|
filePath |
string
|
Path of file indicating compromise. May be a Windows or *nix style path. |
|
fileSize |
integer(int64)
|
Size of the file in bytes. |
|
fileType |
string
|
Text description of the type of file. For example, “Word Document” or “Binary”. |
|
domainName |
string
|
Domain name associated with this indicator. |
|
networkCidrBlock |
string
|
CIDR Block notation representation of the network referenced in this indicator. |
|
networkDestinationAsn |
integer(int32)
|
The destination autonomous system identifier of the network referenced in the indicator. |
|
networkDestinationCidrBlock |
string
|
CIDR Block notation representation of the destination network in this indicator. |
|
networkDestinationIPv4 |
string
|
IPv4 IP address destination. |
|
networkDestinationIPv6 |
string
|
IPv6 IP address destination. |
|
networkDestinationPort |
integer(int32)
|
TCP port destination. |
|
networkIPv4 |
string
|
IPv4 IP address. |
|
networkIPv6 |
string
|
IPv6 IP address. |
|
networkPort |
integer(int32)
|
TCP port. |
|
networkProtocol |
integer(int32)
|
Decimal representation of the protocol field in the IPv4 header. |
|
networkSourceAsn |
integer(int32)
|
The source autonomous system identifier of the network referenced in the indicator. |
|
networkSourceCidrBlock |
string
|
CIDR Block notation representation of the source network in this indicator. |
|
networkSourceIPv4 |
string
|
IPv4 IP address source. |
|
networkSourceIPv6 |
string
|
IPv6 IP address source. |
|
networkSourcePort |
integer(int32)
|
TCP port source. |
|
url |
string
|
Uniform Resource Locator. |
|
userAgent |
string
|
User-Agent string from a web request that could indicate compromise. |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
value |
array of (string)
|
|
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
value |
array of (ValueItem)
|
|
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
code |
integer(int32)
|
The result code |
|
message |
string
|
The message |
|
subcode |
integer(int32)
|
The result sub-code |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
value |
array of (string)
|
|
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
value |
array of (ValueItem)
|
|
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
code |
integer(int32)
|
The result code |
|
message |
string
|
The message |
|
subcode |
integer(int32)
|
The result sub-code |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
@odata.count |
integer(int32)
|
The number of subcriptions returned |
|
value |
array of (Subscription)
|
The subscription entities returned |
|
@odata.nextLink |
string
|
A link to get the next results in case there are more results than requested |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
@odata.count |
integer(int32)
|
The number of alerts returned |
|
value |
array of (Alert)
|
The alerts returned |
|
@odata.nextLink |
string
|
A link to get the next results in case there are more results than requested |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
@odata.count |
integer(int32)
|
The number of TiIndicator returned |
|
value |
array of (TiIndicator)
|
The TiIndicator returned |
|
@odata.nextLink |
string
|
A link to get the next results in case there are more results than requested |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
@odata.count |
integer(int32)
|
The number of alerts returned |
|
value |
array of (Alert)
|
The alerts returned |
|
@odata.nextLink |
string
|
A link to get the next results in case there are more results than requested |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
@odata.count |
integer(int32)
|
The number of alerts returned |
|
value |
array of (Alert)
|
The alerts returned |
|
@odata.nextLink |
string
|
A link to get the next results in case there are more results than requested |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
value |
array of (ValueItem)
|
value of the request body |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
action |
string
|
The action to apply if the indicator is matched from within the targetProduct security tool. Values: (unknown, allow, block, alert). Values: [unknown, allow, block, alert] |
|
activityGroupNames |
array of (string)
|
The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator. |
|
additionalInformation |
string
|
Extra data from the indicator not covered by the other tiIndicator properties may be placed |
|
azureTenantId |
string
|
The Azure Active Directory tenant id of submitting client. |
|
confidence |
integer(int32)
|
Confidence of the detection logic (percentage between 0-100). |
|
description |
string
|
TiIndicator description (100 charactes or less). |
|
diamondModel |
string
|
The area of the Diamond Model in which this indicator exists. Values: (unknown, adversary, capability, infrastructure, victim). Values: [unknown, adversary, capability, infrastructure, victim] |
|
expirationDateTime |
string(date-time)
|
Time at which the the Indicator expires (UTC). |
|
externalId |
string
|
An identification number that ties the indicator back to the indicator provider’s system (e.g. a foreign key). |
|
ingestedDateTime |
string(date-time)
|
Time at which the the Indicator is ingested (UTC). |
|
isActive |
boolean
|
By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system. |
|
killChain |
array of (string)
|
strings that describes which point or points on the Kill Chain this indicator targets. Values: (Actions, C2, Delivery, Exploitation, Installation, Reconnaissance, Weaponization). |
|
knownFalsePositives |
string
|
Scenarios in which the indicator may cause false positives. |
|
lastReportedDateTime |
string(date-time)
|
The last time the indicator was seen (UTC). |
|
malwareFamilyNames |
array of (string)
|
The malware family name associated with an indicator if it exists. |
|
passiveOnly |
boolean
|
Determines if the indicator should trigger an event that is visible to an end-user. |
|
severity |
integer(int32)
|
Severity of the malicious behavior identified by the data within the indicator. Values are from 0 – 5 with 5 being most severe. Default value is 3. |
|
tags |
array of (string)
|
|
|
targetProduct |
string
|
Single security product to which the indicator should be applied. Acceptable values are: Azure Sentinel, Microsoft Defender ATP. Values: [Azure Sentinel, Microsoft Defender ATP] |
|
threatType |
string
|
Each indicator must have a valid Indicator Threat Type. Possible values are: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList. Values: [Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList] |
|
tlpLevel |
string
|
Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red. Values: [unknown, white, green, amber, red] |
|
emailEncoding |
string
|
The type of text encoding used in the email. |
|
emailLanguage |
string
|
The language of the email. |
|
emailRecipient |
string
|
Recipient email address. |
|
emailSenderAddress |
string
|
Email address of the attacker|victim. |
|
emailSenderName |
string
|
Displayed name of the attacker|victim. |
|
emailSourceDomain |
string
|
Domain used in the email. |
|
emailSourceIpAddress |
string
|
Source IP address of email. |
|
emailSubject |
string
|
Subject line of email. |
|
emailXMailer |
string
|
X-Mailer value used in the email. |
|
fileCompileDateTime |
string(date-time)
|
DateTime when the file was compiled. |
|
fileCreatedDateTime |
string(date-time)
|
DateTime when the file was created. |
|
fileHashType |
string
|
The type of hash stored in fileHashValue. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph. Values: [unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph] |
|
fileHashValue |
string
|
The file hash value. |
|
fileMutexName |
string
|
Mutex name used in file-based detections. |
|
fileName |
string
|
Name of the file if the indicator is file-based. |
|
filePacker |
string
|
The packer used to build the file in question. |
|
filePath |
string
|
Path of file indicating compromise. May be a Windows or *nix style path. |
|
fileSize |
integer(int64)
|
Size of the file in bytes. |
|
fileType |
string
|
Text description of the type of file. For example, “Word Document” or “Binary”. |
|
domainName |
string
|
Domain name associated with this indicator. |
|
networkCidrBlock |
string
|
CIDR Block notation representation of the network referenced in this indicator. |
|
networkDestinationAsn |
integer(int32)
|
The destination autonomous system identifier of the network referenced in the indicator. |
|
networkDestinationCidrBlock |
string
|
CIDR Block notation representation of the destination network in this indicator. |
|
networkDestinationIPv4 |
string
|
IPv4 IP address destination. |
|
networkDestinationIPv6 |
string
|
IPv6 IP address destination. |
|
networkDestinationPort |
integer(int32)
|
TCP port destination. |
|
networkIPv4 |
string
|
IPv4 IP address. |
|
networkIPv6 |
string
|
IPv6 IP address. |
|
networkPort |
integer(int32)
|
TCP port. |
|
networkProtocol |
integer(int32)
|
Decimal representation of the protocol field in the IPv4 header. |
|
networkSourceAsn |
integer(int32)
|
The source autonomous system identifier of the network referenced in the indicator. |
|
networkSourceCidrBlock |
string
|
CIDR Block notation representation of the source network in this indicator. |
|
networkSourceIPv4 |
string
|
IPv4 IP address source. |
|
networkSourceIPv6 |
string
|
IPv6 IP address source. |
|
networkSourcePort |
integer(int32)
|
TCP port source. |
|
url |
string
|
Uniform Resource Locator. |
|
userAgent |
string
|
User-Agent string from a web request that could indicate compromise. |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
value |
array of (TiIndicator)
|
The TiIndicators submitted |
Summary:
Description: A single subscription entity returned
Properties:
|
Name |
Type |
Summary |
|
id |
string
|
Unique identifier for the subscription. |
|
resource |
string
|
Specifies the resource that will be monitored for changes. |
|
applicationId |
string
|
Identifier of the application used to create the subscription. |
|
changeType |
string
|
Indicates the type of change in the subscribed resource that will raise a notification. |
|
clientState |
string
|
Specifies the value of the clientState property sent by the service in each notification. The maximum length is 128 characters. The client can check that the notification came from the service by comparing the value of the clientState property sent with the subscription with the value of the clientState property received with each notification. |
|
notificationUrl |
string
|
The URL of the endpoint that will receive the notifications. This URL must make use of the HTTPS protocol. |
|
expirationDateTime |
string
|
Specifies the date and time when the webhook subscription expires (UTC). |
|
creatorId |
string
|
Identifier of the user or service principal that created the subscription. If the app used delegated permissions to create the subscription, this field contains the id of the signed-in user the app called on behalf of. If the app used application permissions, this field contains the id of the service principal corresponding to the app. |
Summary:
Description: A single TiIndicator entity returned
Properties:
|
Name |
Type |
Summary |
|
action |
string
|
The action to apply if the indicator is matched from within the targetProduct security tool. Values: (unknown, allow, block, alert). Values: [unknown, allow, block, alert] |
|
activityGroupNames |
array of (string)
|
The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator. |
|
additionalInformation |
string
|
Extra data from the indicator not covered by the other tiIndicator properties may be placed |
|
azureTenantId |
string
|
The Azure Active Directory tenant id of submitting client. |
|
confidence |
integer(int32)
|
Confidence of the detection logic (percentage between 0-100). |
|
description |
string
|
TiIndicator description (100 charactes or less). |
|
diamondModel |
string
|
The area of the Diamond Model in which this indicator exists. Values: (unknown, adversary, capability, infrastructure, victim). Values: [unknown, adversary, capability, infrastructure, victim] |
|
expirationDateTime |
string(date-time)
|
Time at which the the Indicator expires (UTC). |
|
externalId |
string
|
An identification number that ties the indicator back to the indicator provider’s system (e.g. a foreign key). |
|
id |
string
|
Created by the system when the indicator is ingested. Generated GUID/unique identifier. |
|
ingestedDateTime |
string(date-time)
|
Time at which the the Indicator is ingested (UTC). |
|
isActive |
boolean
|
By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system. |
|
killChain |
array of (string)
|
strings that describes which point or points on the Kill Chain this indicator targets. Values: (Actions, C2, Delivery, Exploitation, Installation, Reconnaissance, Weaponization). |
|
knownFalsePositives |
string
|
Scenarios in which the indicator may cause false positives. |
|
lastReportedDateTime |
string(date-time)
|
The last time the indicator was seen (UTC). |
|
malwareFamilyNames |
array of (string)
|
The malware family name associated with an indicator if it exists. |
|
passiveOnly |
boolean
|
Determines if the indicator should trigger an event that is visible to an end-user. |
|
severity |
integer(int32)
|
Severity of the malicious behavior identified by the data within the indicator. Values are from 0 – 5 with 5 being most severe. Default value is 3. |
|
tags |
array of (string)
|
|
|
targetProduct |
string
|
Single security product to which the indicator should be applied. Acceptable values are: Azure Sentinel, Microsoft Defender ATP. Values: [Azure Sentinel, Microsoft Defender ATP] |
|
threatType |
string
|
Each indicator must have a valid Indicator Threat Type. Possible values are: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList. Values: [Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList] |
|
tlpLevel |
string
|
Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red. Values: [unknown, white, green, amber, red] |
|
emailEncoding |
string
|
The type of text encoding used in the email. |
|
emailLanguage |
string
|
The language of the email. |
|
emailRecipient |
string
|
Recipient email address. |
|
emailSenderAddress |
string
|
Email address of the attacker|victim. |
|
emailSenderName |
string
|
Displayed name of the attacker|victim. |
|
emailSourceDomain |
string
|
Domain used in the email. |
|
emailSourceIpAddress |
string
|
Source IP address of email. |
|
emailSubject |
string
|
Subject line of email. |
|
emailXMailer |
string
|
X-Mailer value used in the email. |
|
fileCompileDateTime |
string(date-time)
|
DateTime when the file was compiled. |
|
fileCreatedDateTime |
string(date-time)
|
DateTime when the file was created. |
|
fileHashType |
string
|
The type of hash stored in fileHashValue. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph. Values: [unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph] |
|
fileHashValue |
string
|
The file hash value. |
|
fileMutexName |
string
|
Mutex name used in file-based detections. |
|
fileName |
string
|
Name of the file if the indicator is file-based. |
|
filePacker |
string
|
The packer used to build the file in question. |
|
filePath |
string
|
Path of file indicating compromise. May be a Windows or *nix style path. |
|
fileSize |
integer(int64)
|
Size of the file in bytes. |
|
fileType |
string
|
Text description of the type of file. For example, “Word Document” or “Binary”. |
|
domainName |
string
|
Domain name associated with this indicator. |
|
networkCidrBlock |
string
|
CIDR Block notation representation of the network referenced in this indicator. |
|
networkDestinationAsn |
integer(int32)
|
The destination autonomous system identifier of the network referenced in the indicator. |
|
networkDestinationCidrBlock |
string
|
CIDR Block notation representation of the destination network in this indicator. |
|
networkDestinationIPv4 |
string
|
IPv4 IP address destination. |
|
networkDestinationIPv6 |
string
|
IPv6 IP address destination. |
|
networkDestinationPort |
integer(int32)
|
TCP port destination. |
|
networkIPv4 |
string
|
IPv4 IP address. |
|
networkIPv6 |
string
|
IPv6 IP address. |
|
networkPort |
integer(int32)
|
TCP port. |
|
networkProtocol |
integer(int32)
|
Decimal representation of the protocol field in the IPv4 header. |
|
networkSourceAsn |
integer(int32)
|
The source autonomous system identifier of the network referenced in the indicator. |
|
networkSourceCidrBlock |
string
|
CIDR Block notation representation of the source network in this indicator. |
|
networkSourceIPv4 |
string
|
IPv4 IP address source. |
|
networkSourceIPv6 |
string
|
IPv6 IP address source. |
|
networkSourcePort |
integer(int32)
|
TCP port source. |
|
url |
string
|
Uniform Resource Locator. |
|
userAgent |
string
|
User-Agent string from a web request that could indicate compromise. |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
assignedTo |
string
|
Specify the name of the analyst the alert is assigned to for triage, investigation, or remediation. |
|
closedDateTime |
string
|
Specify the time at which the alert was closed. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. |
|
comments |
array of (string)
|
Comments |
|
tags |
array of (string)
|
Specify any user-definable labels that can be applied to an alert and can serve as filter conditions (for example "HVA", "SAW", etc.). |
|
feedback |
string
|
Specify analyst feedback on the alert. Values: [unknown, truePositive, falsePositive, benignPositive] |
|
status |
string
|
Specify status to track alert lifecycle status (stage). Values: [unknown, newAlert, inProgress, resolved] |
|
vendorInformation |
|
vendorInformation |
Summary:
Description: vendorInformation
Properties:
|
Name |
Type |
Summary |
|
provider |
string
|
Specific provider (product/service - not vendor company); for example, WindowsDefenderATP. |
|
providerVersion |
string
|
Specify version of the provider or subprovider, if it exists, that generated the alert. |
|
subProvider |
string
|
Specific subprovider (under aggregating provider); for example, WindowsDefenderATP.SmartScreen. |
|
vendor |
string
|
Specify name of the alert vendor (for example, Microsoft, Dell, FireEye). |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
expirationDateTime |
string
|
Specify the date and time, in UTC format, of when the Microsoft Graph webhook subscription expires. The maximum expiration time for security alerts is 43200 minutes (under 30 days). |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
action |
string
|
The action to apply if the indicator is matched from within the targetProduct security tool. Values: (unknown, allow, block, alert). Values: [unknown, allow, block, alert] |
|
activityGroupNames |
array of (string)
|
The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator. |
|
additionalInformation |
string
|
Extra data from the indicator not covered by the other tiIndicator properties may be placed |
|
confidence |
integer(int32)
|
Confidence of the detection logic (percentage between 0-100). |
|
description |
string
|
TiIndicator description (100 charactes or less). |
|
diamondModel |
string
|
The area of the Diamond Model in which this indicator exists. Values: (unknown, adversary, capability, infrastructure, victim). Values: [unknown, adversary, capability, infrastructure, victim] |
|
expirationDateTime |
string(date-time)
|
Time at which the the Indicator expires (UTC format. For example, 2020-03-01T00:00:00Z). |
|
externalId |
string
|
An identification number that ties the indicator back to the indicator provider’s system (e.g. a foreign key). |
|
isActive |
boolean
|
By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system. |
|
killChain |
array of (string)
|
strings that describes which point or points on the Kill Chain this indicator targets. Values: (Actions, C2, Delivery, Exploitation, Installation, Reconnaissance, Weaponization). |
|
knownFalsePositives |
string
|
Scenarios in which the indicator may cause false positives. |
|
lastReportedDateTime |
string(date-time)
|
The last time the indicator was seen (UTC). |
|
malwareFamilyNames |
array of (string)
|
The malware family name associated with an indicator if it exists. |
|
passiveOnly |
boolean
|
Determines if the indicator should trigger an event that is visible to an end-user. |
|
severity |
integer(int32)
|
Severity of the malicious behavior identified by the data within the indicator. Values are from 0 – 5 with 5 being most severe. Default value is 3. |
|
tags |
array of (string)
|
|
|
tlpLevel |
string
|
Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red. Values: [unknown, white, green, amber, red] |
|
targetProduct |
string
|
Single security product to which the indicator should be applied. Acceptable values are: Azure Sentinel, Microsoft Defender ATP. Values: [Azure Sentinel, Microsoft Defender ATP] |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
value |
array of (ValueItem)
|
value of the request body |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
id |
string
|
TiIndicator-id |
|
action |
string
|
The action to apply if the indicator is matched from within the targetProduct security tool. Values: (unknown, allow, block, alert). Values: [unknown, allow, block, alert] |
|
activityGroupNames |
array of (string)
|
The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator. |
|
additionalInformation |
string
|
Extra data from the indicator not covered by the other tiIndicator properties may be placed |
|
confidence |
integer(int32)
|
Confidence of the detection logic (percentage between 0-100). |
|
description |
string
|
TiIndicator description (100 charactes or less). |
|
diamondModel |
string
|
The area of the Diamond Model in which this indicator exists. Values: (unknown, adversary, capability, infrastructure, victim). Values: [unknown, adversary, capability, infrastructure, victim] |
|
expirationDateTime |
string(date-time)
|
Time at which the the Indicator expires (UTC). |
|
targetProduct |
string
|
Single security product to which the indicator should be applied. Acceptable values are: Azure Sentinel, Microsoft Defender ATP. Values: [Azure Sentinel, Microsoft Defender ATP] |
|
externalId |
string
|
An identification number that ties the indicator back to the indicator provider’s system (e.g. a foreign key). |
|
isActive |
boolean
|
By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system. |
|
killChain |
array of (string)
|
strings that describes which point or points on the Kill Chain this indicator targets. Values: (Actions, C2, Delivery, Exploitation, Installation, Reconnaissance, Weaponization). |
|
knownFalsePositives |
string
|
Scenarios in which the indicator may cause false positives. |
|
lastReportedDateTime |
string(date-time)
|
The last time the indicator was seen (UTC). |
|
malwareFamilyNames |
array of (string)
|
The malware family name associated with an indicator if it exists. |
|
passiveOnly |
boolean
|
Determines if the indicator should trigger an event that is visible to an end-user. |
|
severity |
integer(int32)
|
Severity of the malicious behavior identified by the data within the indicator. Values are from 0 – 5 with 5 being most severe. Default value is 3. |
|
tags |
array of (string)
|
|
|
tlpLevel |
string
|
Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red. Values: [unknown, white, green, amber, red] |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
value |
array of (TiIndicator)
|
The TiIndicators updated |