Invoke-AzSentinelThreatIntelligenceIndicatorQuery

Query threat intelligence indicators as per filtering criteria.

Syntax

Invoke-AzSentinelThreatIntelligenceIndicatorQuery
      -ResourceGroupName <String>
      -WorkspaceName <String>
      [-SubscriptionId <String>]
      [-Id <String[]>]
      [-IncludeDisabled]
      [-Keyword <String[]>]
      [-MaxConfidence <Int32>]
      [-MaxValidUntil <String>]
      [-MinConfidence <Int32>]
      [-MinValidUntil <String>]
      [-PageSize <Int32>]
      [-PatternType <String[]>]
      [-SkipToken <String>]
      [-SortBy <IThreatIntelligenceSortingCriteria[]>]
      [-Source <String[]>]
      [-ThreatType <String[]>]
      [-DefaultProfile <PSObject>]
      [-Confirm]
      [-WhatIf]
      [<CommonParameters>]

Description

Query threat intelligence indicators as per filtering criteria.

Examples

Example 1: Query all Threat Intelligence Indicators

Invoke-AzSentinelThreatIntelligenceIndicatorQuery -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName"

Etag                                    Kind        Name                                    SystemDataCreatedAt SystemDataCreatedBy
----                                    ----        ----                                    ------------------- -------
"b603878e-0000-0100-0000-62d1d0010000"  indicator   f4dd9aa3-081b-2f0b-a5d7-3805954e8a39

This command queries all threat intelligence (TI) indicators in the workspace, with no filter applied.
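The following is an added example, not one from the original reference page or the Az.SecurityInsights module, showing how the filter parameters combine in practice. It pulls only high-confidence, still-valid network indicators that expire within the next week and summarises them per feed so the owner of each feed can renew or retire it. The resource group and workspace names are placeholders; the ISO 8601 format for -MinValidUntil/-MaxValidUntil, the STIX pattern type values, and the Confidence, Source and ValidUntil properties on the returned objects are assumptions.

```powershell
# Added example (not from the Az.SecurityInsights docs): report high-confidence network
# indicators that are about to expire, grouped by the feed that supplied them.
# Assumptions: -MinValidUntil/-MaxValidUntil accept ISO 8601 timestamps, 'ipv4-addr' and
# 'domain-name' are valid STIX pattern types in this workspace, and the returned objects
# expose Confidence, Source and ValidUntil properties.

$resourceGroup = 'myResourceGroupName'   # placeholder
$workspace     = 'myWorkspaceName'       # placeholder
$nowUtc        = (Get-Date).ToUniversalTime()

$queryParams = @{
    ResourceGroupName = $resourceGroup
    WorkspaceName     = $workspace
    MinConfidence     = 70                              # drop low-confidence noise
    PatternType       = @('ipv4-addr', 'domain-name')   # network indicators only (assumed values)
    MinValidUntil     = $nowUtc.ToString('o')           # not yet expired ...
    MaxValidUntil     = $nowUtc.AddDays(7).ToString('o')# ... but expiring within seven days
    PageSize          = 100
}

$indicators = Invoke-AzSentinelThreatIntelligenceIndicatorQuery @queryParams

# One row per source feed: how many indicators are expiring, how trusted they are on
# average, and the earliest expiry, so the most urgent feed sorts to the top.
$indicators |
    Group-Object -Property Source |
    ForEach-Object {
        $avg = ($_.Group | Measure-Object -Property Confidence -Average).Average
        [pscustomobject]@{
            Source        = $_.Name
            Expiring      = $_.Count
            AvgConfidence = [math]::Round($avg, 1)
            SoonestExpiry = ($_.Group | Sort-Object -Property ValidUntil | Select-Object -First 1).ValidUntil
        }
    } |
    Sort-Object -Property SoonestExpiry |
    Format-Table -AutoSize
```

Splatting the parameters through a hash table keeps the filter readable and makes it easy to reuse the same query with a different confidence threshold or pattern type. Because -IncludeDisabled is not set, disabled indicators are left out of the report.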

Parameters

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DefaultProfile

The DefaultProfile parameter is not functional. Use the SubscriptionId parameter when available if executing the cmdlet against a different subscription.

Type:PSObject
Aliases:AzureRMContext, AzureCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Id

IDs of the threat intelligence indicators to return.

Type:String[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-IncludeDisabled

Switch to include disabled indicators in the results; they are excluded when the switch is not specified.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Keyword

Keywords for searching threat intelligence indicators.

Type:String[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-MaxConfidence

Maximum confidence.

Type:Int32
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-MaxValidUntil

End time for ValidUntil filter.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-MinConfidence

Minimum confidence.

Type:Int32
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-MinValidUntil

Start time for ValidUntil filter.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-PageSize

Page size.

Type:Int32
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-PatternType

Pattern types of the threat intelligence indicators.

Type:String[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ResourceGroupName

The name of the resource group. The name is case insensitive.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-SkipToken

Skip token.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-SortBy

Columns to sort by and the sorting order. To construct, see the NOTES section for SORTBY properties and create a hash table.

Type:IThreatIntelligenceSortingCriteria[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Source

Sources of the threat intelligence indicators.

Type:String[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-SubscriptionId

The ID of the target subscription.

Type:String
Position:Named
Default value:(Get-AzContext).Subscription.Id
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ThreatType

Threat types of the threat intelligence indicators.

Type:String[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-WorkspaceName

The name of the workspace.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

Outputs

IThreatIntelligenceInformation

Notes

ALIASES

COMPLEX PARAMETER PROPERTIES

To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.

SORTBY <IThreatIntelligenceSortingCriteria[]>: Columns to sort by and sorting order

  • [ItemKey <String>]: Column name
  • [SortOrder <ThreatIntelligenceSortingCriteriaEnum?>]: Sorting order (ascending/descending/unsorted).
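As an added example, not taken from the reference page or the Az.SecurityInsights module, the snippet below shows the SORTBY hash tables described above being built and passed to -SortBy, together with -Source and -IncludeDisabled, so that a feed's indicators come back most trustworthy first. The SortOrder values come from the enum listed above; the ItemKey column names ('confidence', 'validUntil'), the feed name, and the DisplayName, Confidence, ValidUntil and Source properties on the output are assumptions.

```powershell
# Added example (not from the Az.SecurityInsights docs): sort a feed's indicators by
# confidence (highest first) and, within equal confidence, by soonest expiry.
# Assumptions: 'confidence' and 'validUntil' are accepted ItemKey column names, and the
# returned objects expose DisplayName, Confidence, ValidUntil and Source properties.

# Each sorting criterion is a hash table with the two properties listed under SORTBY.
$sortBy = @(
    @{ ItemKey = 'confidence'; SortOrder = 'descending' }   # primary: most trusted first
    @{ ItemKey = 'validUntil'; SortOrder = 'ascending'  }   # secondary: expiring soonest first
)

$queryParams = @{
    ResourceGroupName = 'myResourceGroupName'   # placeholder
    WorkspaceName     = 'myWorkspaceName'       # placeholder
    Source            = 'myTiFeed'              # placeholder feed name
    IncludeDisabled   = $true                   # review disabled indicators from this feed too
    SortBy            = $sortBy
    PageSize          = 50
}

Invoke-AzSentinelThreatIntelligenceIndicatorQuery @queryParams |
    Select-Object -Property DisplayName, Confidence, ValidUntil, Source |
    Format-Table -AutoSize
```

The cmdlet converts each hash table into an IThreatIntelligenceSortingCriteria object; the order of the hash tables in the array is the sort precedence, so the first entry is the primary key.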