Submit or Update Indicator API
Applies to:
Want to experience Defender for Endpoint? Sign up for a free trial.
Note
If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.
Tip
For better performance, you can use server closer to your geo location:
- us.api.security.microsoft.com
- eu.api.security.microsoft.com
- uk.api.security.microsoft.com
- au.api.security.microsoft.com
- swa.api.security.microsoft.com
- ina.api.security.microsoft.com
API description
Submits or Updates new Indicator entity.
CIDR notation for IPs isn't supported.
Limitations
- Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.
- There's a limit of 15,000 active indicators per tenant.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Get started.
Permission type | Permission | Permission display name |
---|---|---|
Application | Ti.ReadWrite | Read and write Indicators |
Application | Ti.ReadWrite.All | Read and write All Indicators |
Delegated (work or school account) | Ti.ReadWrite | Read and write Indicators |
HTTP request
POST https://api.securitycenter.microsoft.com/api/indicators
Request headers
Name | Type | Description |
---|---|---|
Authorization | String | Bearer {token}. Required. |
Content-Type | string | application/json. Required. |
Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description |
---|---|---|
indicatorValue | String | Identity of the Indicator entity. Required |
indicatorType | Enum | Type of the indicator. Possible values are: FileSha1 , FileMd5 , CertificateThumbprint , FileSha256 , IpAddress , DomainName , and Url . Required |
action | Enum | The action that is taken if the indicator is discovered in the organization. Possible values are: Alert , Warn , Block , Audit , BlockAndRemediate , AlertAndBlock , and Allowed . Required. The GenerateAlert parameter must be set to TRUE when creating an action with Audit . |
application | String | The application associated with the indicator. This field only works for new indicators. It doesn't update the value on an existing indicator. Optional |
title | String | Indicator alert title. Required |
description | String | Description of the indicator. Required |
expirationTime | DateTimeOffset | The expiration time of the indicator. Optional |
severity | Enum | The severity of the indicator. Possible values are: Informational , Low , Medium , and High . Optional |
recommendedActions | String | TI indicator alert recommended actions. Optional |
rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. Optional |
educateUrl | String | Custom notification/support URL. Supported for Block and Warn action types for URL indicators. Optional |
generateAlert | Enum | True if alert generation is required, False if this indicator shouldn't generate an alert. |
Response
- If successful, this method returns 200 - OK response code and the created / updated Indicator entity in the response body.
- If not successful: this method return 400 - Bad Request. Bad request usually indicates incorrect body.
Example
Request
Here's an example of the request.
POST https://api.securitycenter.microsoft.com/api/indicators
{
"indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
"indicatorType": "FileSha1",
"title": "test",
"application": "demo-test",
"expirationTime": "2020-12-12T00:00:00Z",
"action": "AlertAndBlock",
"severity": "Informational",
"description": "test",
"recommendedActions": "nothing",
"rbacGroupNames": ["group1", "group2"]
}
Related article
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.