Create Threat Intel Indicator Azure Sentinel
Description
Creates a threat intelligence indicator in Azure Sentinel, including threat type, target product, and TLP level.

Endpoint URL
/beta/security/tiIndicators

Method
POST

Inputs
JSON Body (object) – required
  action (string) – required: The action to apply if the indicator is matched from within the targetProduct security tool. Possible values are unknown, allow, block or alert.
  activityGroupNames (array): The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator.
  additionalInformation (string): A catch-all area into which extra data from the indicator not covered by the other tiIndicator properties may be placed. Data placed into additionalInformation will typically not be utilized by the targetProduct security tool.
  azureTenantId (string) – required: Stamped by the system when the indicator is ingested. The Azure Active Directory tenant ID of the submitting client.
  confidence (number): An integer representing the confidence that the data within the indicator accurately identifies malicious behavior. Acceptable values are 0–100, with 100 being the highest.
  description (string) – required: Brief description (100 characters or less) of the threat represented by the indicator.
  diamondModel (string): The area of the Diamond Model in which this indicator exists. Possible values are unknown, adversary, capability, infrastructure and victim.
  domainName (string): Domain name associated with this indicator. Should be of the format subdomain.domain.topleveldomain (for example, baddomain.domain.net).
  emailEncoding (string): The type of text encoding used in the email.
  emailLanguage (string): The language of the email.
  emailRecipient (string): Email recipient address.
  emailSenderAddress (string): Email sender address.
  emailSenderName (string): Email sender name.
  emailSourceDomain (string)
  emailSourceIpAddress (string)
  emailSubject (string)
  emailXMailer (string): X-Mailer value used in the email.
  expirationDateTime (string) – required: The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time.
  externalId (string)
  fileCompileDateTime (string): The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time.
  fileCreatedDateTime (string): The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time.
  fileHashType (string): The type of hash stored in fileHashValue. Possible values are unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph.
  fileHashValue (string)
  fileMutexName (string)
  fileName (string)
  filePacker (string)
  filePath (string): Path of the file indicating compromise. May be a Windows or *nix style path.
  fileSize (number): Size of the file in bytes.
  fileType (string): Text description of the type of file, for example "Word Document" or "Binary".
  isActive (string): Used to deactivate indicators within the system. By default, any indicator submitted is set as active; however, providers may submit existing indicators with this set to false to deactivate indicators in the system.
  killChain (array): A JSON array of strings that describes which point or points on the kill chain this indicator targets. Possible values are Actions, C2, Delivery, Exploitation, Installation, Reconnaissance, Weaponization.
  knownFalsePositives (string): Scenarios in which the indicator may cause false positives. This should be human-readable text.
  lastReportedDateTime (string): The last time the indicator was seen. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time.
  malwareFamilyNames (string): The malware family name associated with an indicator, if it exists. Microsoft prefers the Microsoft malware family name if at all possible, which can be found via the Windows Defender Security Intelligence threat encyclopedia.
  networkCidrBlock (string): CIDR block notation representation of the network referenced in this indicator. Use only if the source and destination cannot be identified.
  networkDestinationAsn (number): The destination autonomous system identifier of the network referenced in the indicator.
  networkDestinationCidrBlock (string): CIDR block notation representation of the destination network in this indicator.
  networkDestinationIPv4 (string)
  networkDestinationIPv6 (string)
  networkDestinationPort (number)
  networkIPv4 (string): IPv4 IP address. Use only if the source and destination cannot be identified.
  networkIPv6 (string): IPv6 IP address. Use only if the source and destination cannot be identified.
  networkPort (number): TCP port. Use only if the source and destination cannot be identified.
  networkProtocol (number): Decimal representation of the protocol field in the IPv4 header.
  networkSourceAsn (number): The source autonomous system identifier of the network referenced in the indicator.
  networkSourceCidrBlock (string): CIDR block notation representation of the source network in this indicator.
  networkSourceIPv4 (string)
  networkSourceIPv6 (string)
  networkSourcePort (number)
  passiveOnly (string): Determines if the indicator should trigger an event that is visible to an end user. When set to true, security tools will not notify the end user that a hit has occurred. This is most often treated as audit or silent mode by security products, where they will simply log that a match occurred but will not perform the action. Default value is false.
  severity (number): An integer representing the severity of the malicious behavior identified by the data within the indicator. Acceptable values are 0–5, where 5 is the most severe and 0 is not severe at all. Default value is 3.
  tags (array): A JSON array of strings that stores arbitrary tags/keywords.
  targetProduct (string) – required: A string value representing a single security product to which the indicator should be applied. Acceptable value is Azure Sentinel.
  threatType (string) – required: Each indicator must have a valid indicator threat type. Possible values are Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList.
  tlpLevel (string) – required: Traffic Light Protocol value for the indicator. Possible values are unknown, white, green, amber, red.
  url (string): Uniform Resource Locator. This URL must comply with RFC 1738.
  userAgent (string): User-Agent string from a web request that could indicate compromise.

Output
Output parameters
  Status Code (number)
  Reason (string)
  JSON Body (object)
    @odata.context (string)
    id (string)
    azureTenantId (string)
    action (string)
    additionalInformation (object)
    activityGroupNames (array)
      file name (string) – required
      file (string) – required
    confidence (object)
    description (string)
    diamondModel (object)
    emailEncoding (object)
    emailLanguage (object)
    emailRecipient (object)
    emailSenderAddress (object)
    emailSenderName (object)
    emailSourceDomain (object)
    emailSourceIpAddress (object)
    emailSubject (object)
    emailXMailer (object)
    expirationDateTime (string)
    externalId (object)
    fileCompileDateTime (object)
    fileCreatedDateTime (object)
    fileHashType (object)
    fileHashValue (object)
    fileMutexName (object)
    fileName (object)
    filePacker (object)
    filePath (object)
    fileSize (object)
    fileType (object)
    domainName (object)
    ingestedDateTime (string)
    isActive (boolean)
    killChain (array)
      file name (string) – required
      file (string) – required
    knownFalsePositives (object)
    lastReportedDateTime (object)
    malwareFamilyNames (array)
      file name (string) – required
      file (string) – required
    networkCidrBlock (object)
    networkDestinationAsn (object)
    networkDestinationCidrBlock (object)
    networkDestinationIPv4 (string)
    networkDestinationIPv6 (object)
    networkDestinationPort (object)
    networkIPv4 (object)
    networkIPv6 (object)
    networkPort (object)
    networkProtocol (object)
    networkSourceAsn (object)
    networkSourceCidrBlock (object)
    networkSourceIPv4 (object)
    networkSourceIPv6 (object)
    networkSourcePort (object)
    passiveOnly (object)
    severity (object)
    tags (array)
      file name (string) – required
      file (string) – required
    targetProduct (string)
    threatType (string)
    tlpLevel (string)
    url (object)
    userAgent (object)
    vendorInformation (object)

Response Headers
  Header                     Type
  Cache-Control              string
  Transfer-Encoding          string
  Content-Type               string
  Content-Encoding           string
  Location                   string
  Vary                       string
  Strict-Transport-Security  string
  request-id                 string
  client-request-id          string
  x-ms-ags-diagnostic        string
  OData-Version              string
  Date                       string
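As an added example (not part of the connector's own documentation), the following Python prepares the JSON Body input for this action and checks it against the rules listed above: required fields, the documented enumerations, the 0–100 confidence and 0–5 severity ranges, the 100-character description limit, and an ISO 8601 expiry in UTC. The tenant ID, domain and description values are constructed placeholders, and the connector, not this code, performs the POST.

```python
from datetime import datetime, timedelta, timezone

# Enumerations and limits from the action reference (values compared case-insensitively).
ENUMS = {
    "action": {"unknown", "allow", "block", "alert"},
    "threatType": {"botnet", "c2", "cryptomining", "darknet", "ddos", "maliciousurl",
                   "malware", "phishing", "proxy", "pua", "watchlist"},
    "tlpLevel": {"unknown", "white", "green", "amber", "red"},
    "diamondModel": {"unknown", "adversary", "capability", "infrastructure", "victim"},
}
RANGES = {"confidence": (0, 100), "severity": (0, 5)}
REQUIRED = ("action", "azureTenantId", "description", "expirationDateTime",
            "targetProduct", "threatType", "tlpLevel")

def validate_indicator(body: dict) -> list:
    """Return the documented rules the body breaks; an empty list means it is well formed."""
    problems = [f"missing required field {f}" for f in REQUIRED if f not in body]
    for field, allowed in ENUMS.items():
        if field in body and str(body[field]).lower() not in allowed:
            problems.append(f"{field}={body[field]!r} not in {sorted(allowed)}")
    for field, (lo, hi) in RANGES.items():
        if field in body and not (isinstance(body[field], int) and lo <= body[field] <= hi):
            problems.append(f"{field} must be an integer in {lo}-{hi}")
    if len(str(body.get("description", ""))) > 100:
        problems.append("description longer than 100 characters")
    if str(body.get("targetProduct", "")).lower() != "azure sentinel":
        problems.append("targetProduct must be 'Azure Sentinel'")
    try:  # expirationDateTime must be ISO 8601 and carry an explicit UTC offset
        ts = datetime.fromisoformat(str(body.get("expirationDateTime", "")).replace("Z", "+00:00"))
        if ts.utcoffset() != timedelta(0):
            problems.append("expirationDateTime must be in UTC")
    except ValueError:
        problems.append("expirationDateTime is not ISO 8601")
    return problems

def alert_on_domain(tenant_id: str, domain: str, days: int = 30) -> dict:
    """Constructed body asking Azure Sentinel to alert on a known-bad C2 domain for `days` days."""
    expires = datetime.now(timezone.utc) + timedelta(days=days)
    body = {"action": "alert", "azureTenantId": tenant_id, "targetProduct": "Azure Sentinel",
            "threatType": "MaliciousUrl", "tlpLevel": "amber", "domainName": domain,
            "confidence": 80, "severity": 3, "killChain": ["C2"],
            "description": f"Constructed example: C2 domain {domain}"[:100],
            "expirationDateTime": expires.strftime("%Y-%m-%dT%H:%M:%SZ")}
    problems = validate_indicator(body)
    if problems:
        raise ValueError("; ".join(problems))
    return body
```

Running the validator before handing the body to the action surfaces range, enumeration and timestamp mistakes locally instead of as a rejected request in the Status Code and Reason outputs.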