
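id: c14fb5ea-7499-44f9-a319-98c2c9f242d9
Function:
  Title: Parser for ThreatIntelIndicators
  Version: '1.0.0'
  LastUpdated: '2025-03-20'
Category: Microsoft Sentinel Parser
FunctionName: ThreatIntelIndicatorsv2
FunctionAlias: ThreatIntelIndicatorsv2
FunctionQuery: |
  // ThreatIntelIndicatorsv2
  //
  // Flattens the ThreatIntelIndicators table (one row per STIX observable,
  // identified by the ObservableKey / ObservableValue pair) into the typed
  // entity columns that TI-matching analytic rules join on (NetworkIP,
  // DomainName, FileHashValue, Url, x509*, Email*), and lifts a set of STIX
  // indicator properties out of the dynamic `Data` column.
  //
  // Each row carries exactly one observable, so at most one typed entity
  // column is non-empty per row; all others are ''.
  //
  // No filtering is applied here: rows with IsActive == false, a past
  // ValidUntil or Data.revoked == true are passed through unchanged
  // (as Active / ExpirationDateTime / Revoked). Consuming rules must apply
  // those filters themselves, otherwise stale or withdrawn indicators keep
  // generating matches.
  ThreatIntelIndicators
  | extend
      // ---- network observables ----
      NetworkIP = iff(ObservableKey == 'ipv4-addr:value', ObservableValue, ''),
      NetworkSourceIP = iff(ObservableKey == 'network-traffic:src_ref.value', ObservableValue, ''),
      NetworkDestinationIP = iff(ObservableKey == 'network-traffic:dst_ref.value', ObservableValue, ''),
      EmailSourceIpAddress = iff(ObservableKey == 'network-traffic:src_ref.value', ObservableValue, ''),
      // NOTE(review): NetworkCidrBlock is keyed on the same src_ref observable as
      // NetworkSourceIP. STIX 2.1 normally expresses ranges as an 'ipv4-addr:value'
      // in CIDR notation; the mapping is kept unchanged pending confirmation
      // against the feeds actually ingested.
      NetworkCidrBlock = iff(ObservableKey == 'network-traffic:src_ref.value', ObservableValue, ''),
      DomainName = iff(ObservableKey == 'domain-name:value', ObservableValue, ''),
      // ---- email observables ----
      // A bare email-addr observable does not say whether it is a sender or a
      // recipient, so the three address columns receive the same value.
      EmailAddress = iff(ObservableKey == 'email-addr:value', ObservableValue, ''),
      EmailRecipient = iff(ObservableKey == 'email-addr:value', ObservableValue, ''),
      EmailSenderAddress = iff(ObservableKey == 'email-addr:value', ObservableValue, ''),
      EmailSourceDomain = iff(ObservableKey == 'domain-name:value', ObservableValue, ''),
      EmailSubject = tostring(Data.description),
      ExpirationDateTime = ValidUntil,
      // ---- file hash observables ----
      // FileHashType is only derived for 'file:hashes.*' keys. Without that
      // guard an 'x509-certificate:hashes.MD5' / '...SHA-256' row would get a
      // FileHashType while FileHashValue stayed '', and a rule joining on
      // (FileHashType, FileHashValue) could match events with an empty hash.
      FileHashType = case(
          not(ObservableKey has 'file:hashes'), '',
          ObservableKey has 'MD5', 'MD5',
          ObservableKey has 'SHA-1', 'SHA-1',
          ObservableKey has 'SHA-256', 'SHA-256',
          ''),
      FileHashValue = iff(ObservableKey has 'file:hashes', ObservableValue, ''),
      Active = IsActive,
      Url = iff(ObservableKey == 'url:value', ObservableValue, ''),
      // ---- x509 certificate observables ----
      // Certificate hashes land in x509Certificate, not in FileHash*.
      x509Certificate = iff(ObservableKey has 'x509-certificate:hashes.', ObservableValue, ''),
      x509Issuer = iff(ObservableKey has 'x509-certificate:issuer', ObservableValue, ''),
      x509CertificateNumber = iff(ObservableKey == 'x509-certificate:serial_number', ObservableValue, ''),
      // ---- STIX indicator properties lifted out of Data ----
      Description = tostring(Data.description),
      CreatedByRef = Data.created_by_ref,
      Extensions = Data.extensions,
      // NOTE(review): the STIX 2.1 common property is 'external_references';
      // confirm what the Data column actually carries before renaming this.
      ExternalReferences = Data.references,
      GranularMarkings = Data.granular_markings,
      ExternalIndicatorId = tostring(Data.id),
      IndicatorId = Id,
      // First entry of the STIX indicator_types array; '' when absent.
      ThreatType = tostring(Data.indicator_types[0]),
      // Severity comes from the Sentinel-specific 'sentinel-ext' extension.
      // The tostring/parse_json round-trips presumably tolerate the extension
      // being stored as a JSON string rather than a nested object; left as-is.
      Severity = tostring(parse_json(tostring(parse_json(tostring(Data.extensions)).["sentinel-ext"])).severity),
      KillChainPhases = Data.kill_chain_phases,
      Labels = Data.labels,
      Lang = Data.lang,
      Name = Data.name,
      ObjectMarkingRefs = Data.object_marking_refs,
      PatternType = Data.pattern_type,
      PatternVersion = Data.pattern_version,
      Revoked = Data.revoked,
      SpecVersion = Data.spec_version
  // project-reorder only changes column order; columns not listed here
  // (EmailRecipient, EmailSenderAddress, EmailSourceDomain, EmailSourceIpAddress,
  // EmailSubject, NetworkCidrBlock, ExpirationDateTime, Active) are kept and
  // follow the listed ones.
  | project-reorder
      TimeGenerated, WorkspaceId, AzureTenantId, ThreatType, ObservableKey, ObservableValue,
      Confidence, Name, Description, LastUpdateMethod, SourceSystem, Severity, Created, Modified,
      ValidFrom, ValidUntil, IsDeleted, Tags, AdditionalFields, CreatedByRef, Extensions,
      ExternalReferences, GranularMarkings, ExternalIndicatorId, IndicatorId, KillChainPhases,
      Labels, Lang, ObjectMarkingRefs, Pattern, PatternType, PatternVersion, Revoked, SpecVersion,
      NetworkIP, NetworkDestinationIP, NetworkSourceIP, DomainName, EmailAddress, FileHashType,
      FileHashValue, Url, x509Certificate, x509Issuer, x509CertificateNumber, Data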