tiIndicator resource type (deprecated)
Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Note
The tiIndicator entity is deprecated and will be removed by April 2026.
Represents data used to identify malicious activities.
If your organization works with threat indicators, either by generating your own, obtaining them from open source feeds, sharing with partner organizations or communities, or by purchasing feeds of data, you might want to use these indicators in various security tools for matching with log data. The tiIndicators entity allows you to upload your threat indicators to Microsoft security tools for the actions of allow, block, or alert.
Threat indicators uploaded via tiIndicator are used with Microsoft threat intelligence to provide a customized security solution for your organization. When using the tiIndicator entity, specify the Microsoft security solution you want to utilize the indicators via the targetProduct property, and specify the action (allow, block, or alert) to which the security solution should apply the indicators via the action property.
Currently, targetProduct supports the following products:
Microsoft Defender for Endpoint – Supports the following tiIndicators methods:
Note
The following indicator types are supported by Microsoft Defender for Endpoint targetProduct:
- Files
- IP addresses: Microsoft Defender for Endpoint supports destination IPv4/IPv6 only – set property in networkDestinationIPv4 or networkDestinationIPv6 properties in Microsoft Graph Security API tiIndicator.
- URLs/domains
There's a limit of 15,000 indicators per tenant for Microsoft Defender for Endpoint.
Microsoft Sentinel – Only existing customers can use the tiIndicator API to send threat intelligence indicators to Microsoft Sentinel. For the most up-to-date, detailed instructions on how to send threat intelligent indicators to Microsoft Sentinel, see Connect your threat intelligence platform to Microsoft Sentinel.
For details about the types of indicators supported and limits on indicator counts per tenant, see Manage indicators.
Methods
| Method | Return Type | Description |
|---|---|---|
| Get | tiIndicator | Read properties and relationships of tiIndicator object. |
| Create | tiIndicator | Create a new tiIndicator by posting to the tiIndicators collection. |
| List | tiIndicator collection | Get a tiIndicator object collection. |
| Update | tiIndicator | Update tiIndicator object. |
| Delete | None | Delete tiIndicator object. |
| Delete multiple | None | Delete multiple tiIndicator objects. |
| Delete multiple by external ID | None | Delete multiple tiIndicator objects by the externalId property. |
| Submit multiple | tiIndicator collection | Create new tiIndicators by posting a tiIndicators collection. |
| Update multiple | tiIndicator collection | Update multiple tiIndicator objects. |
Methods supported by each target product
| Method | Azure Sentinel | Microsoft Defender for Endpoint |
|---|---|---|
| Create tiIndicator | Required fields are: action, azureTenantId, description, expirationDateTime, targetProduct, threatType, tlpLevel, and at least one email, network, or file observable. |
Required fields are: action, and one of these following values: domainName, url, networkDestinationIPv4, networkDestinationIPv6, fileHashValue (must supply fileHashType in case of fileHashValue). |
| Submit tiIndicators | Refer to the Create tiIndicator method for required fields for each tiIndicator. There's a limit of 100 tiIndicators per request. | Refer to the Create tiIndicator method for required fields for each tiIndicator. There's a limit of 100 tiIndicators per request. |
| Update tiIndicator | Required fields are: id, expirationDateTime, targetProduct. Editable fields are: action, activityGroupNames, additionalInformation, confidence, description, diamondModel, expirationDateTime, externalId, isActive, killChain, knownFalsePositives, lastReportedDateTime, malwareFamilyNames, passiveOnly, severity, tags, tlpLevel. |
Required fields are: id, expirationDateTime, targetProduct. Editable fields are: expirationDateTime, severity, description. |
| Update tiIndicators | Refer to the Update tiIndicator method for required and editable fields for each tiIndicator. | |
| Delete tiIndicator | Required field is: id. |
Required field is: id. |
| Delete tiIndicators | Refer to the Delete tiIndicator method above for required field for each tiIndicator. |
Properties
| Property | Type | Description |
|---|---|---|
| action | string | The action to apply if the indicator is matched from within the targetProduct security tool. Possible values are: unknown, allow, block, alert. Required. |
| activityGroupNames | String collection | The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator. |
| additionalInformation | String | A catchall area for extra data from the indicator that is not specifically covered by other tiIndicator properties. The security tool specified by targetProduct typically does not utilize this data. |
| azureTenantId | String | Stamped by the system when the indicator is ingested. The Microsoft Entra tenant id of submitting client. Required. |
| confidence | Int32 | An integer representing the confidence the data within the indicator accurately identifies malicious behavior. Acceptable values are 0 – 100 with 100 being the highest. |
| description | String | Brief description (100 characters or less) of the threat represented by the indicator. Required. |
| diamondModel | diamondModel | The area of the Diamond Model in which this indicator exists. Possible values are: unknown, adversary, capability, infrastructure, victim. |
| expirationDateTime | DateTimeOffset | DateTime string indicating when the Indicator expires. All indicators must have an expiration date to avoid stale indicators persisting in the system. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Required. |
| externalId | String | An identification number that ties the indicator back to the indicator provider’s system (for example, a foreign key). |
| id | String | Created by the system when the indicator is ingested. Generated GUID/unique identifier. Read-only. |
| ingestedDateTime | DateTimeOffset | Stamped by the system when the indicator is ingested. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z |
| isActive | Boolean | Used to deactivate indicators within system. By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system. |
| killChain | killChain collection | A JSON array of strings that describes which point or points on the Kill Chain this indicator targets. See ‘killChain values’ below for exact values. |
| knownFalsePositives | String | Scenarios in which the indicator may cause false positives. This should be human-readable text. |
| lastReportedDateTime | DateTimeOffset | The last time the indicator was seen. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z |
| malwareFamilyNames | String collection | The malware family name associated with an indicator if it exists. Microsoft prefers the Microsoft malware family name if at all possible that can be found via the Windows Defender Security Intelligence threat encyclopedia. |
| passiveOnly | Boolean | Determines if the indicator should trigger an event that is visible to an end-user. When set to ‘true,’ security tools won't notify the end user that a ‘hit’ has occurred. This is most often treated as audit or silent mode by security products where they'll simply log that a match occurred but won't perform the action. Default value is false. |
| severity | Int32 | An integer representing the severity of the malicious behavior identified by the data within the indicator. Acceptable values are 0 – 5 where 5 is the most severe and zero isn't severe at all. Default value is 3. |
| tags | String collection | A JSON array of strings that stores arbitrary tags/keywords. |
| targetProduct | String | A string value representing a single security product to which the indicator should be applied. Acceptable values are: Azure Sentinel, Microsoft Defender ATP. Required |
| threatType | threatType | Each indicator must have a valid Indicator Threat Type. Possible values are: Botnet, C2, CryptoMining, Darknet, DDoS, MaliciousUrl, Malware, Phishing, Proxy, PUA, WatchList. Required. |
| tlpLevel | tlpLevel | Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red. Required. |
Indicator observables - email
| Property | Type | Description |
|---|---|---|
| emailEncoding | String | The type of text encoding used in the email. |
| emailLanguage | String | The language of the email. |
| emailRecipient | String | Recipient email address. |
| emailSenderAddress | String | Email address of the attacker|victim. |
| emailSenderName | String | Displayed name of the attacker|victim. |
| emailSourceDomain | String | Domain used in the email. |
| emailSourceIpAddress | String | Source IP address of email. |
| emailSubject | String | Subject line of email. |
| emailXMailer | String | X-Mailer value used in the email. |
Indicator observables - file
| Property | Type | Description |
|---|---|---|
| fileCompileDateTime | DateTimeOffset | DateTime when the file was compiled. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z |
| fileCreatedDateTime | DateTimeOffset | DateTime when the file was created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z |
| fileHashType | string | The type of hash stored in fileHashValue. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph. |
| fileHashValue | String | The file hash value. |
| fileMutexName | String | Mutex name used in file-based detections. |
| fileName | String | Name of the file if the indicator is file-based. Multiple file names may be delimited by commas. |
| filePacker | String | The packer used to build the file in question. |
| filePath | String | Path of file indicating compromise. May be a Windows or *nix style path. |
| fileSize | Int64 | Size of the file in bytes. |
| fileType | String | Text description of the type of file. For example, “Word Document” or “Binary”. |
Indicator observables - network
| Property | Type | Description |
|---|---|---|
| domainName | String | Domain name associated with this indicator. Should be of the format subdomain.domain.topleveldomain (For example, baddomain.domain.net) |
| networkCidrBlock | String | CIDR Block notation representation of the network referenced in this indicator. Use only if the Source and Destination can't be identified. |
| networkDestinationAsn | Int32 | The destination autonomous system identifier of the network referenced in the indicator. |
| networkDestinationCidrBlock | String | CIDR Block notation representation of the destination network in this indicator. |
| networkDestinationIPv4 | String | IPv4 IP address destination. |
| networkDestinationIPv6 | String | IPv6 IP address destination. |
| networkDestinationPort | Int32 | TCP port destination. |
| networkIPv4 | String | IPv4 IP address. Use only if the Source and Destination can't be identified. |
| networkIPv6 | String | IPv6 IP address. Use only if the Source and Destination can't be identified. |
| networkPort | Int32 | TCP port. Use only if the Source and Destination can't be identified. |
| networkProtocol | Int32 | Decimal representation of the protocol field in the IPv4 header. |
| networkSourceAsn | Int32 | The source autonomous system identifier of the network referenced in the indicator. |
| networkSourceCidrBlock | String | CIDR Block notation representation of the source network in this indicator |
| networkSourceIPv4 | String | IPv4 IP Address source. |
| networkSourceIPv6 | String | IPv6 IP Address source. |
| networkSourcePort | Int32 | TCP port source. |
| url | String | Uniform Resource Locator. This URL must comply with RFC 1738. |
| userAgent | String | User-Agent string from a web request that could indicate compromise. |
diamondModel values
For information about this model, see The Diamond Model.
| Member | Value | Description |
|---|---|---|
| unknown | 0 | |
| adversary | 1 | The indicator describes the adversary. |
| capability | 2 | Indicator is a capability of the adversary. |
| infrastructure | 3 | The indicator describes infrastructure of the adversary. |
| victim | 4 | The indicator describes the victim of the adversary. |
| unknownFutureValue | 127 |
killChain values
| Member | Description |
|---|---|
| Actions | Indicates that the attacker is using the compromised system to take actions such as a distributed denial of service attack. |
| C2 | Represents the control channel by which a compromised system is manipulated. |
| Delivery | The process of distributing the exploit code to victims (for example USB, email, websites). |
| Exploitation | The exploit code taking advantage of vulnerabilities (for example, code execution). |
| Installation | Installing malware after a vulnerability has been exploited. |
| Reconnaissance | Indicator is evidence of an activity group harvesting information to be used in a future attack. |
| Weaponization | Turning a vulnerability into exploit code (for example, malware). |
threatType values
| Member | Description |
|---|---|
| Botnet | Indicator is detailing a botnet node/member. |
| C2 | Indicator is detailing a Command & Control node of a botnet. |
| CryptoMining | Traffic involving this network address / URL is an indication of CyrptoMining / Resource abuse. |
| Darknet | Indicator is that of a Darknet node/network. |
| DDoS | Indicators relating to an active or upcoming DDoS campaign. |
| MaliciousUrl | URL that is serving malware. |
| Malware | Indicator describing a malicious file or files. |
| Phishing | Indicators relating to a phishing campaign. |
| Proxy | Indicator is that of a proxy service. |
| PUA | Potentially Unwanted Application. |
| WatchList | This is the generic bucket for indicators for which the threat cannot be determined or which require manual interpretation. Partners submitting data into the system should not use this property. |
tlpLevel values
Every indicator must also have a Traffic Light Protocol value when it's submitted. This value represents the sensitivity and sharing scope of a given indicator.
| Member | Description |
|---|---|
| White | Sharing scope: Unlimited. Indicators can be shared freely, without restriction. |
| Green | Sharing scope: Community. Indicators may be shared with the security community. |
| Amber | Sharing scope: Limited. This is the default setting for indicators and restricts sharing to only those with a ‘need-to-know’ being 1) Services and service operators that implement threat intelligence 2) Customers whose system(s) exhibit behavior consistent with the indicator. |
| Red | Sharing scope: Personal. These indicators are to only be shared directly and, preferably, in person. Typically, TLP Red indicators aren't ingested due to their predefined restrictions. If TLP Red indicators are submitted, the “PassiveOnly” property should be set to True as well. |
Relationships
None.
JSON representation
The following JSON representation shows the resource type.
{
"action": "string",
"activityGroupNames": ["String"],
"additionalInformation": "String",
"azureTenantId": "String",
"confidence": 1024,
"description": "String",
"diamondModel": "string",
"domainName": "String",
"emailEncoding": "String",
"emailLanguage": "String",
"emailRecipient": "String",
"emailSenderAddress": "String",
"emailSenderName": "String",
"emailSourceDomain": "String",
"emailSourceIpAddress": "String",
"emailSubject": "String",
"emailXMailer": "String",
"expirationDateTime": "String (timestamp)",
"externalId": "String",
"fileCompileDateTime": "String (timestamp)",
"fileCreatedDateTime": "String (timestamp)",
"fileHashType": "string",
"fileHashValue": "String",
"fileMutexName": "String",
"fileName": "String",
"filePacker": "String",
"filePath": "String",
"fileSize": 1024,
"fileType": "String",
"id": "String (identifier)",
"ingestedDateTime": "String (timestamp)",
"isActive": true,
"killChain": ["String"],
"knownFalsePositives": "String",
"lastReportedDateTime": "String (timestamp)",
"malwareFamilyNames": ["String"],
"networkCidrBlock": "String",
"networkDestinationAsn": 1024,
"networkDestinationCidrBlock": "String",
"networkDestinationIPv4": "String",
"networkDestinationIPv6": "String",
"networkDestinationPort": 1024,
"networkIPv4": "String",
"networkIPv6": "String",
"networkPort": 1024,
"networkProtocol": 1024,
"networkSourceAsn": 1024,
"networkSourceCidrBlock": "String",
"networkSourceIPv4": "String",
"networkSourceIPv6": "String",
"networkSourcePort": 1024,
"passiveOnly": true,
"severity": 1024,
"tags": ["String"],
"targetProduct": "String",
"threatType": "String",
"tlpLevel": "string",
"url": "String",
"userAgent": "String"
}