创建威胁情报指示器
命名空间:microsoft.graph
重要
Microsoft Graph 的 /beta 版本下的 API 可能会发生更改。不支持在生产应用程序中使用这些 API。若要确定 API 是否在 v1.0 中可用,请使用版本选择器。
创建新的 tiIndicator 对象。
权限
要调用此 API,需要以下权限之一。要了解详细信息,包括如何选择权限,请参阅权限。
权限类型
权限(从最低特权到最高特权)
委派(工作或学校帐户)
ThreatIndicators.ReadWrite.OwnedBy
委派(个人 Microsoft 帐户)
不支持。
应用程序
ThreatIndicators.ReadWrite.OwnedBy
HTTP 请求
POST /security/tiIndicators
名称
说明
Authorization
Bearer {code}
请求正文
在请求正文中,提供 tiIndicator 对象的 JSON 表示形式。该对象必须至少包含一个电子邮件、文件或网络可观测对象,以及以下必填字段:action、description、expirationDateTime、targetProduct、threatType、tlpLevel。
响应
如果成功,此方法在响应正文中返回 201 Created 响应代码和 tiIndicator 对象。
示例
请求
下面展示了示例请求。
POST https://graph.microsoft.com/beta/security/tiIndicators
Content-type: application/json
{
"action": "alert",
"activityGroupNames": [],
"confidence": 0,
"description": "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.",
"expirationDateTime": "2019-03-01T21:43:37.5031462+00:00",
"externalId": "Test--8586509942679764298MS501",
"fileHashType": "sha256",
"fileHashValue": "aa64428647b57bf51524d1756b2ed746e5a3f31b67cf7fe5b5d8a9daf07ca313",
"killChain": [],
"malwareFamilyNames": [],
"severity": 0,
"tags": [],
"targetProduct": "Azure Sentinel",
"threatType": "WatchList",
"tlpLevel": "green"
}
// Build a canary tiIndicator (SHA-256 file observable, alert-only) and POST it
// to /security/tiIndicators with the Graph SDK client.
GraphServiceClient graphClient = new GraphServiceClient( authProvider );

var tiIndicator = new TiIndicator();
tiIndicator.Action = TiAction.Alert;
tiIndicator.ActivityGroupNames = new List<String>();
tiIndicator.Confidence = 0;
tiIndicator.Description = "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.";
// Same ISO-8601 literal as the JSON request body, parsed into a DateTimeOffset
// so the explicit +00:00 offset is preserved.
tiIndicator.ExpirationDateTime = DateTimeOffset.Parse("2019-03-01T21:43:37.5031462+00:00");
tiIndicator.ExternalId = "Test--8586509942679764298MS501";
tiIndicator.FileHashType = FileHashType.Sha256;
tiIndicator.FileHashValue = "aa64428647b57bf51524d1756b2ed746e5a3f31b67cf7fe5b5d8a9daf07ca313";
tiIndicator.KillChain = new List<String>();
tiIndicator.MalwareFamilyNames = new List<String>();
tiIndicator.Severity = 0;
tiIndicator.Tags = new List<String>();
tiIndicator.TargetProduct = "Azure Sentinel";
tiIndicator.ThreatType = "WatchList";
tiIndicator.TlpLevel = TlpLevel.Green;

await graphClient.Security.TiIndicators.Request().AddAsync(tiIndicator);
// Initialise the Graph client with the caller-supplied auth provider.
const client = Client.init({ authProvider });

// Canary indicator: a SHA-256 file observable that should only raise an alert.
// Property order mirrors the JSON request body shown above.
const tiIndicator = {};
tiIndicator.action = 'alert';
tiIndicator.activityGroupNames = [];
tiIndicator.confidence = 0;
tiIndicator.description = 'This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.';
// ISO-8601 literal with an explicit UTC offset, sent as-is.
tiIndicator.expirationDateTime = '2019-03-01T21:43:37.5031462+00:00';
tiIndicator.externalId = 'Test--8586509942679764298MS501';
tiIndicator.fileHashType = 'sha256';
tiIndicator.fileHashValue = 'aa64428647b57bf51524d1756b2ed746e5a3f31b67cf7fe5b5d8a9daf07ca313';
tiIndicator.killChain = [];
tiIndicator.malwareFamilyNames = [];
tiIndicator.severity = 0;
tiIndicator.tags = [];
tiIndicator.targetProduct = 'Azure Sentinel';
tiIndicator.threatType = 'WatchList';
tiIndicator.tlpLevel = 'green';

// The endpoint only exists under /beta, hence the explicit version.
await client.api('/security/tiIndicators').version('beta').post(tiIndicator);
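// Build a canary tiIndicator (SHA-256 file observable, alert-only) and POST it to
// /security/tiIndicators through the Graph HTTP client.
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];

// The base URL already ends with "/", so the relative path must not start with one;
// otherwise the request goes to ".../beta//security/tiIndicators".
NSString *MSGraphBaseURL = @"https://graph.microsoft.com/beta/";
NSURL *requestURL = [NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"security/tiIndicators"]];
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:requestURL];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
// NOTE(review): the Authorization header is expected to come from the
// authentication provider given to the client — confirm against the SDK.

// expirationDateTime is a date value, not a C string literal: parse the ISO-8601
// text (seven fractional digits, explicit UTC offset) into an NSDate first.
NSDateFormatter *isoFormatter = [[NSDateFormatter alloc] init];
isoFormatter.locale = [NSLocale localeWithLocaleIdentifier:@"en_US_POSIX"];
isoFormatter.dateFormat = @"yyyy-MM-dd'T'HH:mm:ss.SSSSSSSZZZZZ";
NSDate *expirationDate = [isoFormatter dateFromString:@"2019-03-01T21:43:37.5031462+00:00"];
// The literal is fixed, so a parse failure is a programming error.
NSAssert(expirationDate != nil, @"expirationDateTime literal does not match the formatter pattern");

MSGraphTiIndicator *tiIndicator = [[MSGraphTiIndicator alloc] init];
[tiIndicator setAction:[MSGraphTiAction alert]];
[tiIndicator setActivityGroupNames:[NSMutableArray array]];
[tiIndicator setConfidence:0];
[tiIndicator setDescription:@"This is a canary indicator for demo purpose. Take no action on any observables set in this indicator."];
[tiIndicator setExpirationDateTime:expirationDate];
[tiIndicator setExternalId:@"Test--8586509942679764298MS501"];
[tiIndicator setFileHashType:[MSGraphFileHashType sha256]];
[tiIndicator setFileHashValue:@"aa64428647b57bf51524d1756b2ed746e5a3f31b67cf7fe5b5d8a9daf07ca313"];
[tiIndicator setKillChain:[NSMutableArray array]];
[tiIndicator setMalwareFamilyNames:[NSMutableArray array]];
[tiIndicator setSeverity:0];
[tiIndicator setTags:[NSMutableArray array]];
[tiIndicator setTargetProduct:@"Azure Sentinel"];
[tiIndicator setThreatType:@"WatchList"];
[tiIndicator setTlpLevel:[MSGraphTlpLevel green]];

// Serialize first and only send when a body was produced: ignoring the error
// would POST an empty body.
NSError *serializationError = nil;
NSData *tiIndicatorData = [tiIndicator getSerializedDataWithError:&serializationError];
if (tiIndicatorData == nil) {
    NSLog(@"Could not serialize tiIndicator: %@", serializationError);
} else {
    [urlRequest setHTTPBody:tiIndicatorData];
    MSURLSessionDataTask *createIndicatorTask = [httpClient dataTaskWithRequest:urlRequest
                                                              completionHandler:^(NSData *data, NSURLResponse *response, NSError *nserror) {
        if (nserror != nil) {
            NSLog(@"tiIndicator request failed: %@", nserror);
            return;
        }
        // A successful create answers 201 Created; anything else means the
        // indicator was not stored and must not be treated as submitted.
        NSHTTPURLResponse *httpResponse = [response isKindOfClass:[NSHTTPURLResponse class]] ? (NSHTTPURLResponse *)response : nil;
        if (httpResponse.statusCode != 201) {
            NSLog(@"tiIndicator request returned HTTP %ld", (long)httpResponse.statusCode);
            return;
        }
        // `data` holds the JSON of the created tiIndicator.
    }];
    [createIndicatorTask execute];
}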
// Build a canary tiIndicator (SHA-256 file observable, alert-only) and POST it
// to /security/tiIndicators with the Graph SDK client.
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();

TiIndicator tiIndicator = new TiIndicator();
tiIndicator.action = TiAction.ALERT;
tiIndicator.activityGroupNames = new LinkedList<String>();
tiIndicator.confidence = 0;
tiIndicator.description = "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.";
// Same ISO-8601 literal as the JSON request body, converted by the SDK's serializer.
tiIndicator.expirationDateTime = OffsetDateTimeSerializer.deserialize("2019-03-01T21:43:37.5031462+00:00");
tiIndicator.externalId = "Test--8586509942679764298MS501";
tiIndicator.fileHashType = FileHashType.SHA256;
tiIndicator.fileHashValue = "aa64428647b57bf51524d1756b2ed746e5a3f31b67cf7fe5b5d8a9daf07ca313";
tiIndicator.killChain = new LinkedList<String>();
tiIndicator.malwareFamilyNames = new LinkedList<String>();
tiIndicator.severity = 0;
tiIndicator.tags = new LinkedList<String>();
tiIndicator.targetProduct = "Azure Sentinel";
tiIndicator.threatType = "WatchList";
tiIndicator.tlpLevel = TlpLevel.GREEN;

graphClient.security().tiIndicators().buildRequest().post(tiIndicator);
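//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)

// Canary indicator: a SHA-256 file observable that should only raise an alert.
requestBody := msgraphsdk.NewTiIndicator()
action := "alert"
requestBody.SetAction(&action)
// The list setters take a complete slice expression (the empty slices below
// are closed with both "}" and ")").
requestBody.SetActivityGroupNames([]string{})
confidence := int32(0)
requestBody.SetConfidence(&confidence)
description := "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator."
requestBody.SetDescription(&description)
// time.RFC3339 parsing accepts the fractional seconds in the literal. The error
// must not be dropped: on failure expirationDateTime is the zero time, which
// would be sent as the indicator's expiry.
expirationDateTime, err := time.Parse(time.RFC3339, "2019-03-01T21:43:37.5031462+00:00")
if err != nil {
	panic(err) // the literal is fixed, so a parse failure is a programming error
}
requestBody.SetExpirationDateTime(&expirationDateTime)
externalId := "Test--8586509942679764298MS501"
requestBody.SetExternalId(&externalId)
fileHashType := "sha256"
requestBody.SetFileHashType(&fileHashType)
fileHashValue := "aa64428647b57bf51524d1756b2ed746e5a3f31b67cf7fe5b5d8a9daf07ca313"
requestBody.SetFileHashValue(&fileHashValue)
requestBody.SetKillChain([]string{})
requestBody.SetMalwareFamilyNames([]string{})
severity := int32(0)
requestBody.SetSeverity(&severity)
requestBody.SetTags([]string{})
targetProduct := "Azure Sentinel"
requestBody.SetTargetProduct(&targetProduct)
threatType := "WatchList"
requestBody.SetThreatType(&threatType)
tlpLevel := "green"
requestBody.SetTlpLevel(&tlpLevel)
// result is the created tiIndicator; check err before reading it.
result, err := graphClient.Security().TiIndicators().Post(requestBody)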
Import-Module Microsoft.Graph.Security

# Canary indicator: a SHA-256 file observable that should only raise an alert.
# Keys mirror the JSON request body shown above.
$params = @{}
$params.Action = "alert"
$params.ActivityGroupNames = @()
$params.Confidence = 0
$params.Description = "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator."
# Same ISO-8601 literal as the JSON body, parsed into a [datetime].
$params.ExpirationDateTime = [datetime]::Parse("2019-03-01T21:43:37.5031462+00:00")
$params.ExternalId = "Test--8586509942679764298MS501"
$params.FileHashType = "sha256"
$params.FileHashValue = "aa64428647b57bf51524d1756b2ed746e5a3f31b67cf7fe5b5d8a9daf07ca313"
$params.KillChain = @()
$params.MalwareFamilyNames = @()
$params.Severity = 0
$params.Tags = @()
$params.TargetProduct = "Azure Sentinel"
$params.ThreatType = "WatchList"
$params.TlpLevel = "green"

New-MgSecurityTiIndicator -BodyParameter $params
响应
下面展示了示例响应。
备注
为了提高可读性,可能缩短了此处显示的响应对象。
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#Security/tiIndicators/$entity",
"id": "e58c072b-c9bb-a5c4-34ce-eb69af44fb1e",
"azureTenantId": "XXXXXXXXXXXXXXXXXXXX",
"action": "alert",
"additionalInformation": null,
"activityGroupNames": [],
"confidence": 0,
"description": "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.",
}