Share via

New-MgBetaSecurityTiIndicator

Module:
Microsoft.Graph.Beta.Security Module

Create a new tiIndicator object.

Syntax

CreateExpanded (Default) 

New-MgBetaSecurityTiIndicator
    [-ResponseHeadersVariable <string>]
    [-Action <string>]
    [-ActivityGroupNames <string[]>]
    [-AdditionalInformation <string>]
    [-AdditionalProperties <hashtable>]
    [-AzureTenantId <string>]
    [-Confidence <int>]
    [-Description <string>]
    [-DiamondModel <string>]
    [-DomainName <string>]
    [-EmailEncoding <string>]
    [-EmailLanguage <string>]
    [-EmailRecipient <string>]
    [-EmailSenderAddress <string>]
    [-EmailSenderName <string>]
    [-EmailSourceDomain <string>]
    [-EmailSourceIPAddress <string>]
    [-EmailSubject <string>]
    [-EmailXMailer <string>]
    [-ExpirationDateTime <datetime>]
    [-ExternalId <string>]
    [-FileCompileDateTime <datetime>]
    [-FileCreatedDateTime <datetime>]
    [-FileHashType <string>]
    [-FileHashValue <string>]
    [-FileMutexName <string>]
    [-FileName <string>]
    [-FilePacker <string>]
    [-FilePath <string>]
    [-FileSize <long>]
    [-FileType <string>]
    [-Id <string>]
    [-IngestedDateTime <datetime>]
    [-IsActive]
    [-KillChain <string[]>]
    [-KnownFalsePositives <string>]
    [-LastReportedDateTime <datetime>]
    [-MalwareFamilyNames <string[]>]
    [-NetworkCidrBlock <string>]
    [-NetworkDestinationAsn <long>]
    [-NetworkDestinationCidrBlock <string>]
    [-NetworkDestinationIPv4 <string>]
    [-NetworkDestinationIPv6 <string>]
    [-NetworkDestinationPort <int>]
    [-NetworkIPv4 <string>]
    [-NetworkIPv6 <string>]
    [-NetworkPort <int>]
    [-NetworkProtocol <int>]
    [-NetworkSourceAsn <long>]
    [-NetworkSourceCidrBlock <string>]
    [-NetworkSourceIPv4 <string>]
    [-NetworkSourceIPv6 <string>]
    [-NetworkSourcePort <int>]
    [-PassiveOnly]
    [-Severity <int>]
    [-Tags <string[]>]
    [-TargetProduct <string>]
    [-ThreatType <string>]
    [-TlpLevel <string>]
    [-Url <string>]
    [-UserAgent <string>]
    [-Break]
    [-Headers <IDictionary>]
    [-HttpPipelineAppend <SendAsyncStep[]>]
    [-HttpPipelinePrepend <SendAsyncStep[]>]
    [-Proxy <uri>]
    [-ProxyCredential <pscredential>]
    [-ProxyUseDefaultCredentials]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Create 

New-MgBetaSecurityTiIndicator
    -BodyParameter <IMicrosoftGraphTiIndicator>
    [-ResponseHeadersVariable <string>]
    [-Break]
    [-Headers <IDictionary>]
    [-HttpPipelineAppend <SendAsyncStep[]>]
    [-HttpPipelinePrepend <SendAsyncStep[]>]
    [-Proxy <uri>]
    [-ProxyCredential <pscredential>]
    [-ProxyUseDefaultCredentials]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Description

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Examples

Example 1: Code snippet


Import-Module Microsoft.Graph.Beta.Security

$params = @{
	action = "alert"
	activityGroupNames = @(
	)
	confidence = 0
	description = "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator."
	expirationDateTime = [System.DateTime]::Parse("2019-03-01T21:43:37.5031462+00:00")
	externalId = "Test--8586509942679764298MS501"
	fileHashType = "sha256"
	fileHashValue = "aa64428647b57bf51524d1756b2ed746e5a3f31b67cf7fe5b5d8a9daf07ca313"
	killChain = @(
	)
	malwareFamilyNames = @(
	)
	severity = 0
	tags = @(
	)
	targetProduct = "Azure Sentinel"
	threatType = "WatchList"
	tlpLevel = "green"
}

New-MgBetaSecurityTiIndicator -BodyParameter $params

This example shows how to use the New-MgBetaSecurityTiIndicator Cmdlet.

Parameters

-Action

tiAction

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ActivityGroupNames

The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator.

Parameter properties

Type:

System.String[]

Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-AdditionalInformation

A catchall area for extra data from the indicator that is not specifically covered by other tiIndicator properties. The security tool specified by targetProduct typically does not utilize this data.

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-AdditionalProperties

Additional Parameters

Parameter properties

Type:System.Collections.Hashtable
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-AzureTenantId

Stamped by the system when the indicator is ingested. The Microsoft Entra tenant id of submitting client. Required.

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-BodyParameter

tiIndicator To construct, see NOTES section for BODYPARAMETER properties and create a hash table.

Parameter properties

Type:Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphTiIndicator
Supports wildcards:False
DontShow:False

Parameter sets

Create
Position:Named
Mandatory:True
Value from pipeline:True
Value from pipeline by property name:False
Value from remaining arguments:False

-Break

Wait for .NET debugger to attach

Parameter properties

Type:System.Management.Automation.SwitchParameter
Default value:False
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Confidence

An integer representing the confidence the data within the indicator accurately identifies malicious behavior. Acceptable values are 0 – 100 with 100 being the highest.

Parameter properties

Type:System.Int32
Default value:0
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Parameter properties

Type:System.Management.Automation.SwitchParameter
Supports wildcards:False
DontShow:False
Aliases:cf

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Description

Brief description (100 characters or less) of the threat represented by the indicator. Required.

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DiamondModel

diamondModel

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DomainName

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-EmailEncoding

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-EmailLanguage

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-EmailRecipient

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-EmailSenderAddress

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-EmailSenderName

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-EmailSourceDomain

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-EmailSourceIPAddress

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-EmailSubject

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-EmailXMailer

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ExpirationDateTime

DateTime string indicating when the Indicator expires. All indicators must have an expiration date to avoid stale indicators persisting in the system. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Required.

Parameter properties

Type:System.DateTime
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ExternalId

An identification number that ties the indicator back to the indicator provider’s system (for example, a foreign key).

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-FileCompileDateTime

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.DateTime
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-FileCreatedDateTime

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.DateTime
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-FileHashType

fileHashType

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-FileHashValue

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-FileMutexName

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-FileName

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-FilePacker

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-FilePath

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-FileSize

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.Int64
Default value:0
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-FileType

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Headers

Optional headers that will be added to the request.

Parameter properties

Type:System.Collections.IDictionary
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:True
Value from pipeline by property name:False
Value from remaining arguments:False

-HttpPipelineAppend

SendAsync Pipeline Steps to be appended to the front of the pipeline

Parameter properties

Type:

Microsoft.Graph.Beta.PowerShell.Runtime.SendAsyncStep[]

Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-HttpPipelinePrepend

SendAsync Pipeline Steps to be prepended to the front of the pipeline

Parameter properties

Type:

Microsoft.Graph.Beta.PowerShell.Runtime.SendAsyncStep[]

Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Id

The unique identifier for an entity. Read-only.

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-IngestedDateTime

Stamped by the system when the indicator is ingested. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z

Parameter properties

Type:System.DateTime
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-IsActive

Used to deactivate indicators within system. By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system.

Parameter properties

Type:System.Management.Automation.SwitchParameter
Default value:False
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-KillChain

A JSON array of strings that describes which point or points on the Kill Chain this indicator targets. See ‘killChain values’ below for exact values.

Parameter properties

Type:

System.String[]

Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-KnownFalsePositives

Scenarios in which the indicator may cause false positives. This should be human-readable text.

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-LastReportedDateTime

The last time the indicator was seen. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z

Parameter properties

Type:System.DateTime
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-MalwareFamilyNames

The malware family name associated with an indicator if it exists. Microsoft prefers the Microsoft malware family name if at all possible that can be found via the Windows Defender Security Intelligence threat encyclopedia.

Parameter properties

Type:

System.String[]

Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-NetworkCidrBlock

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-NetworkDestinationAsn

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.Int64
Default value:0
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-NetworkDestinationCidrBlock

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-NetworkDestinationIPv4

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-NetworkDestinationIPv6

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-NetworkDestinationPort

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.Int32
Default value:0
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-NetworkIPv4

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-NetworkIPv6

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-NetworkPort

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.Int32
Default value:0
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-NetworkProtocol

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.Int32
Default value:0
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-NetworkSourceAsn

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.Int64
Default value:0
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-NetworkSourceCidrBlock

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-NetworkSourceIPv4

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-NetworkSourceIPv6

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-NetworkSourcePort

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.Int32
Default value:0
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-PassiveOnly

Determines if the indicator should trigger an event that is visible to an end-user. When set to ‘true,’ security tools won't notify the end user that a ‘hit’ has occurred. This is most often treated as audit or silent mode by security products where they'll simply log that a match occurred but won't perform the action. Default value is false.

Parameter properties

Type:System.Management.Automation.SwitchParameter
Default value:False
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Proxy

The URI for the proxy server to use

Parameter properties

Type:System.Uri
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ProxyCredential

Credentials for a proxy server to use for the remote call

Parameter properties

Type:System.Management.Automation.PSCredential
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ProxyUseDefaultCredentials

Use the default credentials for the proxy

Parameter properties

Type:System.Management.Automation.SwitchParameter
Default value:False
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ResponseHeadersVariable

Optional Response Headers Variable.

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False
Aliases:RHV

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Severity

An integer representing the severity of the malicious behavior identified by the data within the indicator. Acceptable values are 0 – 5 where 5 is the most severe and zero isn't severe at all. Default value is 3.

Parameter properties

Type:System.Int32
Default value:0
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Tags

A JSON array of strings that stores arbitrary tags/keywords.

Parameter properties

Type:

System.String[]

Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-TargetProduct

A string value representing a single security product to which the indicator should be applied. Acceptable values are: Azure Sentinel, Microsoft Defender ATP. Required

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ThreatType

Each indicator must have a valid Indicator Threat Type. Possible values are: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList. Required.

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-TlpLevel

tlpLevel

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Url

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-UserAgent

Create a new tiIndicator object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy,
Delegated (personal Microsoft account) Not supported
Application ThreatIndicators.ReadWrite.OwnedBy,

Parameter properties

Type:System.String
Supports wildcards:False
DontShow:False

Parameter sets

CreateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-WhatIf

Runs the command in a mode that only reports what would happen without performing the actions.

Parameter properties

Type:System.Management.Automation.SwitchParameter
Supports wildcards:False
DontShow:False
Aliases:wi

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphTiIndicator

{{ Fill in the Description }}

System.Collections.IDictionary

{{ Fill in the Description }}

Outputs

Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphTiIndicator

{{ Fill in the Description }}

Notes

COMPLEX PARAMETER PROPERTIES

To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.

BODYPARAMETER <IMicrosoftGraphTiIndicator>: tiIndicator [(Any) <Object>]: This indicates any property can be added to this object. [Id <String>]: The unique identifier for an entity. Read-only. [Action <String>]: tiAction [ActivityGroupNames <String[]>]: The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator. [AdditionalInformation <String>]: A catchall area for extra data from the indicator that is not specifically covered by other tiIndicator properties. The security tool specified by targetProduct typically does not utilize this data. [AzureTenantId <String>]: Stamped by the system when the indicator is ingested. The Microsoft Entra tenant id of submitting client. Required. [Confidence <Int32?>]: An integer representing the confidence the data within the indicator accurately identifies malicious behavior. Acceptable values are 0 – 100 with 100 being the highest. [Description <String>]: Brief description (100 characters or less) of the threat represented by the indicator. Required. [DiamondModel <String>]: diamondModel [DomainName <String>]: [EmailEncoding <String>]: [EmailLanguage <String>]: [EmailRecipient <String>]: [EmailSenderAddress <String>]: [EmailSenderName <String>]: [EmailSourceDomain <String>]: [EmailSourceIPAddress <String>]: [EmailSubject <String>]: [EmailXMailer <String>]: [ExpirationDateTime <DateTime?>]: DateTime string indicating when the Indicator expires. All indicators must have an expiration date to avoid stale indicators persisting in the system. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Required. [ExternalId <String>]: An identification number that ties the indicator back to the indicator provider’s system (for example, a foreign key). [FileCompileDateTime <DateTime?>]: [FileCreatedDateTime <DateTime?>]: [FileHashType <String>]: fileHashType [FileHashValue <String>]: [FileMutexName <String>]: [FileName <String>]: [FilePacker <String>]: [FilePath <String>]: [FileSize <Int64?>]: [FileType <String>]: [IngestedDateTime <DateTime?>]: Stamped by the system when the indicator is ingested. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z [IsActive <Boolean?>]: Used to deactivate indicators within system. By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system. [KillChain <String[]>]: A JSON array of strings that describes which point or points on the Kill Chain this indicator targets. See ‘killChain values’ below for exact values. [KnownFalsePositives <String>]: Scenarios in which the indicator may cause false positives. This should be human-readable text. [LastReportedDateTime <DateTime?>]: The last time the indicator was seen. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z [MalwareFamilyNames <String[]>]: The malware family name associated with an indicator if it exists. Microsoft prefers the Microsoft malware family name if at all possible that can be found via the Windows Defender Security Intelligence threat encyclopedia. [NetworkCidrBlock <String>]: [NetworkDestinationAsn <Int64?>]: [NetworkDestinationCidrBlock <String>]: [NetworkDestinationIPv4 <String>]: [NetworkDestinationIPv6 <String>]: [NetworkDestinationPort <Int32?>]: [NetworkIPv4 <String>]: [NetworkIPv6 <String>]: [NetworkPort <Int32?>]: [NetworkProtocol <Int32?>]: [NetworkSourceAsn <Int64?>]: [NetworkSourceCidrBlock <String>]: [NetworkSourceIPv4 <String>]: [NetworkSourceIPv6 <String>]: [NetworkSourcePort <Int32?>]: [PassiveOnly <Boolean?>]: Determines if the indicator should trigger an event that is visible to an end-user. When set to ‘true,’ security tools won't notify the end user that a ‘hit’ has occurred. This is most often treated as audit or silent mode by security products where they'll simply log that a match occurred but won't perform the action. Default value is false. [Severity <Int32?>]: An integer representing the severity of the malicious behavior identified by the data within the indicator. Acceptable values are 0 – 5 where 5 is the most severe and zero isn't severe at all. Default value is 3. [Tags <String[]>]: A JSON array of strings that stores arbitrary tags/keywords. [TargetProduct <String>]: A string value representing a single security product to which the indicator should be applied. Acceptable values are: Azure Sentinel, Microsoft Defender ATP. Required [ThreatType <String>]: Each indicator must have a valid Indicator Threat Type. Possible values are: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList. Required. [TlpLevel <String>]: tlpLevel [Url <String>]: [UserAgent <String>]: