APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Upload multiple threat intelligence (TI) indicators in one request instead of multiple requests.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | ThreatIndicators.ReadWrite.OwnedBy |
| Delegated (personal Microsoft account) | Not supported. |
| Application | ThreatIndicators.ReadWrite.OwnedBy |
HTTP request
POST /security/tiIndicators/submitTiIndicators
Request headers
| Name | Description |
|---|---|
| Authorization | Bearer {code} |
Request body
In the request body, provide a JSON object with the following parameters.
| Parameter | Type | Description |
|---|---|---|
| value | tiIndicator collection | JSON collection of tiIndicators to be created. |
For each tiIndicator, supply a JSON representation of a tiIndicator object containing at least one email, file, or network observable, and the following required fields: action, description, expirationDateTime, targetProduct, threatType, tlpLevel.
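The field requirements above can be checked client-side before the batch is posted, so that an incomplete indicator is caught locally instead of being discovered from the response. The following JavaScript is an added example, not part of the Microsoft documentation or SDK. `validateIndicator`, `validateBatch`, the observable-name pattern, and the hash-length table are assumptions made for illustration, and the sample batch is constructed.

```javascript
// Added example, not Microsoft's code. REQUIRED comes from this page; the
// observable property names are assumed from the tiIndicator resource type.
const REQUIRED = ['action', 'description', 'expirationDateTime',
  'targetProduct', 'threatType', 'tlpLevel'];
const OBSERVABLE = /^(?:email|file|network)[A-Z]|^(?:domainName|url|userAgent)$/;
const HASH_HEX_LENGTH = { md5: 32, sha1: 40, sha256: 64 };

const isSet = (v) => v !== undefined && v !== null && v !== '';

// Returns a list of human-readable problems for one indicator (empty = OK).
function validateIndicator(ind) {
  const problems = REQUIRED.filter((f) => !isSet(ind[f]))
    .map((f) => `missing required field: ${f}`);
  // fileHashType only describes fileHashValue, so it is not an observable itself.
  const hasObservable = Object.keys(ind)
    .some((k) => k !== 'fileHashType' && OBSERVABLE.test(k) && isSet(ind[k]));
  if (!hasObservable) problems.push('no email, file, or network observable');
  if (isSet(ind.fileHashValue)) {
    const len = HASH_HEX_LENGTH[ind.fileHashType];
    if (!isSet(ind.fileHashType)) {
      problems.push('fileHashValue set without fileHashType');
    } else if (len && !new RegExp(`^[0-9a-fA-F]{${len}}$`).test(ind.fileHashValue)) {
      problems.push(`fileHashValue is not ${len} hex characters (${ind.fileHashType})`);
    }
  }
  return problems;
}

// Returns one entry per rejected indicator, keyed by position and externalId.
function validateBatch(body) {
  if (!body || !Array.isArray(body.value)) {
    return [{ index: -1, externalId: null, problems: ['body.value must be an array'] }];
  }
  return body.value
    .map((ind, index) => ({ index, externalId: ind.externalId ?? null,
      problems: validateIndicator(ind) }))
    .filter((r) => r.problems.length > 0);
}

// Constructed sample batch; hash values and externalIds are made up.
const base = { description: 'Constructed sample', targetProduct: 'Azure Sentinel',
  expirationDateTime: '2030-01-01T00:00:00Z', threatType: 'WatchList', tlpLevel: 'green' };
const hash = { fileHashType: 'sha256', fileHashValue: 'a'.repeat(64) };
const sampleBody = { value: [
  { ...base, ...hash, externalId: 'sample-0' },                  // no action
  { ...base, ...hash, externalId: 'sample-1', action: 'alert' }, // complete
  { ...base, ...hash, externalId: 'sample-2', action: 'alert', fileHashValue: 'abc123' },
  { ...base, externalId: 'sample-3', action: 'alert', tags: [] }, // no observable
] };
console.log(JSON.stringify(validateBatch(sampleBody), null, 2));
```

Only indicators with problems are returned, so an empty array means the batch satisfies the checks implemented here; it does not guarantee that the service accepts every entry.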
Response
If successful, this method returns a 200 OK response code and a collection of tiIndicator objects in the response body. If there is an error, this method returns a 206 Partial Content response code. See Errors for more information.

POST https://graph.microsoft.com/beta/security/tiIndicators/submitTiIndicators
Content-Type: application/json

{
  "value": [
    {
      "activityGroupNames": [],
      "confidence": 0,
      "description": "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.",
      "expirationDateTime": "2019-03-01T21:44:03.1668987+00:00",
      "externalId": "Test--8586509942423126760MS164-0",
      "fileHashType": "sha256",
      "fileHashValue": "b555c45c5b1b01304217e72118d6ca1b14b7013644a078273cea27bbdc1cf9d6",
      "killChain": [],
      "malwareFamilyNames": [],
      "severity": 0,
      "tags": [],
      "targetProduct": "Azure Sentinel",
      "threatType": "WatchList",
      "tlpLevel": "green"
    },
    {
      "activityGroupNames": [],
      "confidence": 0,
      "description": "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.",
      "expirationDateTime": "2019-03-01T21:44:03.1748779+00:00",
      "externalId": "Test--8586509942423126760MS164-1",
      "fileHashType": "sha256",
      "fileHashValue": "1796b433950990b28d6a22456c9d2b58ced1bdfcdf5f16f7e39d6b9bdca4213b",
      "killChain": [],
      "malwareFamilyNames": [],
      "severity": 0,
      "tags": [],
      "targetProduct": "Azure Sentinel",
      "threatType": "WatchList",
      "tlpLevel": "green"
    }
  ]
}

GraphServiceClient graphClient = new GraphServiceClient( authProvider );

var value = new List<TiIndicator>()
{
    new TiIndicator
    {
        ActivityGroupNames = new List<String>()
        {
        },
        Confidence = 0,
        Description = "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.",
        ExpirationDateTime = DateTimeOffset.Parse("2019-03-01T21:44:03.1668987+00:00"),
        ExternalId = "Test--8586509942423126760MS164-0",
        FileHashType = FileHashType.Sha256,
        FileHashValue = "b555c45c5b1b01304217e72118d6ca1b14b7013644a078273cea27bbdc1cf9d6",
        KillChain = new List<String>()
        {
        },
        MalwareFamilyNames = new List<String>()
        {
        },
        Severity = 0,
        Tags = new List<String>()
        {
        },
        TargetProduct = "Azure Sentinel",
        ThreatType = "WatchList",
        TlpLevel = TlpLevel.Green
    },
    new TiIndicator
    {
        ActivityGroupNames = new List<String>()
        {
        },
        Confidence = 0,
        Description = "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.",
        ExpirationDateTime = DateTimeOffset.Parse("2019-03-01T21:44:03.1748779+00:00"),
        ExternalId = "Test--8586509942423126760MS164-1",
        FileHashType = FileHashType.Sha256,
        FileHashValue = "1796b433950990b28d6a22456c9d2b58ced1bdfcdf5f16f7e39d6b9bdca4213b",
        KillChain = new List<String>()
        {
        },
        MalwareFamilyNames = new List<String>()
        {
        },
        Severity = 0,
        Tags = new List<String>()
        {
        },
        TargetProduct = "Azure Sentinel",
        ThreatType = "WatchList",
        TlpLevel = TlpLevel.Green
    }
};

await graphClient.Security.TiIndicators
    .SubmitTiIndicators(value)
    .Request()
    .PostAsync();
Important
Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

const options = {
    authProvider,
};

const client = Client.init(options);

const tiIndicator = {
    value: [
        {
            activityGroupNames: [],
            confidence: 0,
            description: 'This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.',
            expirationDateTime: '2019-03-01T21:44:03.1668987+00:00',
            externalId: 'Test--8586509942423126760MS164-0',
            fileHashType: 'sha256',
            fileHashValue: 'b555c45c5b1b01304217e72118d6ca1b14b7013644a078273cea27bbdc1cf9d6',
            killChain: [],
            malwareFamilyNames: [],
            severity: 0,
            tags: [],
            targetProduct: 'Azure Sentinel',
            threatType: 'WatchList',
            tlpLevel: 'green',
        },
        {
            activityGroupNames: [],
            confidence: 0,
            description: 'This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.',
            expirationDateTime: '2019-03-01T21:44:03.1748779+00:00',
            externalId: 'Test--8586509942423126760MS164-1',
            fileHashType: 'sha256',
            fileHashValue: '1796b433950990b28d6a22456c9d2b58ced1bdfcdf5f16f7e39d6b9bdca4213b',
            killChain: [],
            malwareFamilyNames: [],
            severity: 0,
            tags: [],
            targetProduct: 'Azure Sentinel',
            threatType: 'WatchList',
            tlpLevel: 'green',
        }
    ]
};

await client.api('/security/tiIndicators/submitTiIndicators')
    .version('beta')
    .post(tiIndicator);

GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();

LinkedList<TiIndicator> valueList = new LinkedList<TiIndicator>();

TiIndicator value = new TiIndicator();
LinkedList<String> activityGroupNamesList = new LinkedList<String>();
value.activityGroupNames = activityGroupNamesList;
value.confidence = 0;
value.description = "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.";
value.expirationDateTime = OffsetDateTimeSerializer.deserialize("2019-03-01T21:44:03.1668987+00:00");
value.externalId = "Test--8586509942423126760MS164-0";
value.fileHashType = FileHashType.SHA256;
value.fileHashValue = "b555c45c5b1b01304217e72118d6ca1b14b7013644a078273cea27bbdc1cf9d6";
LinkedList<String> killChainList = new LinkedList<String>();
value.killChain = killChainList;
LinkedList<String> malwareFamilyNamesList = new LinkedList<String>();
value.malwareFamilyNames = malwareFamilyNamesList;
value.severity = 0;
LinkedList<String> tagsList = new LinkedList<String>();
value.tags = tagsList;
value.targetProduct = "Azure Sentinel";
value.threatType = "WatchList";
value.tlpLevel = TlpLevel.GREEN;
valueList.add(value);

TiIndicator value1 = new TiIndicator();
LinkedList<String> activityGroupNamesList1 = new LinkedList<String>();
value1.activityGroupNames = activityGroupNamesList1;
value1.confidence = 0;
value1.description = "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.";
value1.expirationDateTime = OffsetDateTimeSerializer.deserialize("2019-03-01T21:44:03.1748779+00:00");
value1.externalId = "Test--8586509942423126760MS164-1";
value1.fileHashType = FileHashType.SHA256;
value1.fileHashValue = "1796b433950990b28d6a22456c9d2b58ced1bdfcdf5f16f7e39d6b9bdca4213b";
LinkedList<String> killChainList1 = new LinkedList<String>();
value1.killChain = killChainList1;
LinkedList<String> malwareFamilyNamesList1 = new LinkedList<String>();
value1.malwareFamilyNames = malwareFamilyNamesList1;
value1.severity = 0;
LinkedList<String> tagsList1 = new LinkedList<String>();
value1.tags = tagsList1;
value1.targetProduct = "Azure Sentinel";
value1.threatType = "WatchList";
value1.tlpLevel = TlpLevel.GREEN;
valueList.add(value1);

TiIndicatorCollectionResponse tiIndicatorCollectionResponse = new TiIndicatorCollectionResponse();
tiIndicatorCollectionResponse.value = valueList;
TiIndicatorCollectionPage tiIndicatorCollectionPage = new TiIndicatorCollectionPage(tiIndicatorCollectionResponse, null);

graphClient.security().tiIndicators()
    .submitTiIndicators(TiIndicatorSubmitTiIndicatorsParameterSet
        .newBuilder()
        .withValue(valueList)
        .build())
    .buildRequest()
    .post();

Import-Module Microsoft.Graph.Security

$params = @{
    Value = @(
        @{
            ActivityGroupNames = @(
            )
            Confidence = 0
            Description = "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator."
            ExpirationDateTime = [System.DateTime]::Parse("2019-03-01T21:44:03.1668987+00:00")
            ExternalId = "Test--8586509942423126760MS164-0"
            FileHashType = "sha256"
            FileHashValue = "b555c45c5b1b01304217e72118d6ca1b14b7013644a078273cea27bbdc1cf9d6"
            KillChain = @(
            )
            MalwareFamilyNames = @(
            )
            Severity = 0
            Tags = @(
            )
            TargetProduct = "Azure Sentinel"
            ThreatType = "WatchList"
            TlpLevel = "green"
        }
        @{
            ActivityGroupNames = @(
            )
            Confidence = 0
            Description = "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator."
            ExpirationDateTime = [System.DateTime]::Parse("2019-03-01T21:44:03.1748779+00:00")
            ExternalId = "Test--8586509942423126760MS164-1"
            FileHashType = "sha256"
            FileHashValue = "1796b433950990b28d6a22456c9d2b58ced1bdfcdf5f16f7e39d6b9bdca4213b"
            KillChain = @(
            )
            MalwareFamilyNames = @(
            )
            Severity = 0
            Tags = @(
            )
            TargetProduct = "Azure Sentinel"
            ThreatType = "WatchList"
            TlpLevel = "green"
        }
    )
}

Submit-MgSecurityTiIndicator -BodyParameter $params
The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
  "value": [
    {
      "@odata.type": "#microsoft.graph.tiIndicator",
      "id": "c6fb948b-89c5-3bba-a2cd-a9d9a1e430e4",
      "azureTenantId": "XXXXXXXXXXXXXXXXXXXXX",
      "action": null,
      "additionalInformation": null,
      "activityGroupNames": [],
      "confidence": 0,
      "description": "This is a test indicator for demo purpose. Take no action on any observables set in this indicator."
    }
  ]
}