Submit or Update Indicator API
Applies to:
Want to experience Defender for Endpoint? Sign up for a free trial.
Note
If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.
Tip
For better performance, you can use server closer to your geo location:
- us.api.security.microsoft.com
- eu.api.security.microsoft.com
- uk.api.security.microsoft.com
- au.api.security.microsoft.com
- swa.api.security.microsoft.com
- ina.api.security.microsoft.com
API description
Submits or Updates new Indicator entity.
CIDR notation for IPs isn't supported.
Limitations
- Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.
- There's a limit of 15,000 active indicators per tenant.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Get started.
| Permission type | Permission | Permission display name |
|---|---|---|
| Application | Ti.ReadWrite | Read and write Indicators |
| Application | Ti.ReadWrite.All | Read and write All Indicators |
| Delegated (work or school account) | Ti.ReadWrite | Read and write Indicators |
HTTP request
POST https://api.securitycenter.microsoft.com/api/indicators
Request headers
| Name | Type | Description |
|---|---|---|
| Authorization | String | Bearer {token}. Required. |
| Content-Type | string | application/json. Required. |
Request body
In the request body, supply a JSON object with the following parameters:
| Parameter | Type | Description |
|---|---|---|
| indicatorValue | String | Identity of the Indicator entity. Required |
| indicatorType | Enum | Type of the indicator. Possible values are: FileSha1, FileMd5, CertificateThumbprint, FileSha256, IpAddress, DomainName, and Url. Required |
| action | Enum | The action that is taken if the indicator is discovered in the organization. Possible values are: Alert, Warn, Block, Audit, BlockAndRemediate, AlertAndBlock, and Allowed. Required. The GenerateAlert parameter must be set to TRUE when creating an action with Audit. |
| application | String | The application associated with the indicator. This field only works for new indicators. It doesn't update the value on an existing indicator. Optional |
| title | String | Indicator alert title. Required |
| description | String | Description of the indicator. Required |
| expirationTime | DateTimeOffset | The expiration time of the indicator. Optional |
| severity | Enum | The severity of the indicator. Possible values are: Informational, Low, Medium, and High. Optional |
| recommendedActions | String | TI indicator alert recommended actions. Optional |
| rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. Optional |
| educateUrl | String | Custom notification/support URL. Supported for Block and Warn action types for URL indicators. Optional |
| generateAlert | Enum | True if alert generation is required, False if this indicator shouldn't generate an alert. |
Response
- If successful, this method returns 200 - OK response code and the created / updated Indicator entity in the response body.
- If not successful: this method return 400 - Bad Request. Bad request usually indicates incorrect body.
Example
Request
Here's an example of the request.
POST https://api.securitycenter.microsoft.com/api/indicators
{
"indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
"indicatorType": "FileSha1",
"title": "test",
"application": "demo-test",
"expirationTime": "2020-12-12T00:00:00Z",
"action": "AlertAndBlock",
"severity": "Informational",
"description": "test",
"recommendedActions": "nothing",
"rbacGroupNames": ["group1", "group2"]
}
Related article
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.