SentinelThreatIntelligenceIndicator¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| DisplayName | Key | String | The display name of the indicator | |
| SubscriptionId | Write | String | The name of the resource group. The name is case insensitive. | |
| ResourceGroupName | Write | String | The name of the resource group. The name is case insensitive. | |
| WorkspaceName | Write | String | The name of the workspace. | |
| Id | Write | String | The unique id of the indicator. | |
| Description | Write | String | The name of the workspace. | |
| PatternType | Write | String | Pattern type of a threat intelligence entity | |
| Pattern | Write | String | Pattern of a threat intelligence entity | |
| Revoked | Write | String | Is threat intelligence entity revoked | |
| ValidFrom | Write | String | Valid from | |
| ValidUntil | Write | String | Valid until | |
| Source | Write | String | Source type. | |
| Labels | Write | StringArray[] | Labels of threat intelligence entity | |
| ThreatIntelligenceTags | Write | StringArray[] | List of tags | |
| ThreatTypes | Write | StringArray[] | Threat types | |
| KillChainPhases | Write | StringArray[] | Kill chain phases | |
| Confidence | Write | UInt32 | Confidence of threat intelligence entity | |
| Ensure | Write | String | Present ensures the instance exists, absent ensures it is removed. | Absent, Present |
| Credential | Write | PSCredential | Credentials of the workload's Admin | |
| ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
| TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
| CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
| ManagedIdentity | Write | Boolean | Managed ID being used for authentication. | |
| AccessTokens | Write | StringArray[] | Access token used for authentication. |
Description¶
Configures threat intelligence indicators in Azure Sentinel.
Permissions¶
Examples¶
Example 1¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
SentinelThreatIntelligenceIndicator "SentinelThreatIntelligenceIndicator-ipv6-addr Indicator"
{
ApplicationId = $ApplicationId;
CertificateThumbprint = $CertificateThumbprint;
DisplayName = "MyIndicator";
Ensure = "Present";
Labels = @("Tag1", "Tag2");
Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']";
PatternType = "ipv6-addr";
ResourceGroupName = "MyResourceGroup";
Source = "Microsoft Sentinel";
SubscriptionId = "12345-12345-12345-12345-12345";
TenantId = $TenantId;
ThreatIntelligenceTags = @();
ValidFrom = "2024-10-21T19:03:57.24Z";
ValidUntil = "2024-10-21T19:03:57.24Z";
WorkspaceName = "SentinelWorkspace";
}
}
}
Example 2¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
SentinelThreatIntelligenceIndicator "SentinelThreatIntelligenceIndicator-ipv6-addr Indicator"
{
ApplicationId = $ApplicationId;
CertificateThumbprint = $CertificateThumbprint;
DisplayName = "MyIndicator";
Ensure = "Present";
Labels = @("Tag1", "Tag2", "Tag3"); #Drift
Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']";
PatternType = "ipv6-addr";
ResourceGroupName = "MyResourceGroup";
Source = "Microsoft Sentinel";
SubscriptionId = "12345-12345-12345-12345-12345";
TenantId = $TenantId;
ThreatIntelligenceTags = @();
ValidFrom = "2024-10-21T19:03:57.24Z";
ValidUntil = "2024-10-21T19:03:57.24Z";
WorkspaceName = "SentinelWorkspace";
}
}
}
Example 3¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
SentinelThreatIntelligenceIndicator "SentinelThreatIntelligenceIndicator-ipv6-addr Indicator"
{
ApplicationId = $ApplicationId;
CertificateThumbprint = $CertificateThumbprint;
DisplayName = "MyIndicator";
Ensure = "Absent";
Labels = @("Tag1", "Tag2");
Pattern = "[ipv6-addr:value = '2607:fa49:d340:f600:c8d5:6961:247f:a238']";
PatternType = "ipv6-addr";
ResourceGroupName = "MyResourceGroup";
Source = "Microsoft Sentinel";
SubscriptionId = "12345-12345-12345-12345-12345";
TenantId = $TenantId;
ThreatIntelligenceTags = @();
ValidFrom = "2024-10-21T19:03:57.24Z";
ValidUntil = "2024-10-21T19:03:57.24Z";
WorkspaceName = "SentinelWorkspace";
}
}
}