| title | tiIndicator: submitTiIndicators (deprecated) |
|---|---|
| description | Upload multiple threat intelligence (TI) indicators in one request instead of multiple requests. |
| ms.localizationpriority | medium |
| author | preetikr |
| ms.subservice | security |
| doc_type | apiPageType |
| ms.date | 08/13/2024 |
| ROBOTS | NOINDEX |
Namespace: microsoft.graph
[!INCLUDE beta-disclaimer]
[!INCLUDE security-tiindicator-deprecation]
Upload multiple threat intelligence (TI) indicators in one request instead of multiple requests.
[!INCLUDE national-cloud-support]
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
[!INCLUDE permissions-table]
POST /security/tiIndicators/submitTiIndicators| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
In the request body, provide a JSON object with the following parameters.
| Parameter | Type | Description |
|---|---|---|
| value | tiIndicator collection | JSON collection of tiIndicators to be created. |
For each tiIndicator, supply a JSON representation of a tiIndicator object containing at least one email, file, or network observable, and the following required fields: action, description, expirationDateTime, targetProduct, threatType, tlpLevel.
If successful, this method returns a 200 OK response code and a collection of tiIndicator objects in the response body. If there is an error, this method returns a 206 Partial Content response code. See Errors for more information.
The following example shows how to call this API.
The following example shows a request.
POST https://graph.microsoft.com/beta/security/tiIndicators/submitTiIndicators
Content-Type: application/json
{
"value": [
{
"activityGroupNames": [],
"confidence": 0,
"description": "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.",
"expirationDateTime": "2019-03-01T21:44:03.1668987+00:00",
"externalId": "Test--8586509942423126760MS164-0",
"fileHashType": "sha256",
"fileHashValue": "b555c45c5b1b01304217e72118d6ca1b14b7013644a078273cea27bbdc1cf9d6",
"killChain": [],
"malwareFamilyNames": [],
"severity": 0,
"tags": [],
"targetProduct": "Azure Sentinel",
"threatType": "WatchList",
"tlpLevel": "green",
},
{
"activityGroupNames": [],
"confidence": 0,
"description": "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.",
"expirationDateTime": "2019-03-01T21:44:03.1748779+00:00",
"externalId": "Test--8586509942423126760MS164-1",
"fileHashType": "sha256",
"fileHashValue": "1796b433950990b28d6a22456c9d2b58ced1bdfcdf5f16f7e39d6b9bdca4213b",
"killChain": [],
"malwareFamilyNames": [],
"severity": 0,
"tags": [],
"targetProduct": "Azure Sentinel",
"threatType": "WatchList",
"tlpLevel": "green",
}
]
}[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note
The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"value": [
{
"@odata.type": "#microsoft.graph.tiIndicator",
"id": "c6fb948b-89c5-3bba-a2cd-a9d9a1e430e4",
"azureTenantId": "XXXXXXXXXXXXXXXXXXXXX",
"action": null,
"additionalInformation": null,
"activityGroupNames": [],
"confidence": 0,
"description": "This is a test indicator for demo purpose. Take no action on any observables set in this indicator.",
}
]
}