Upload multiple threat intelligence (TI) indicators in one request instead of multiple requests.
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
In the request body, provide a JSON object with the following parameters.
The following example shows how to call this API.
The following example shows a request.
POST https://graph.microsoft.com/beta/security/tiIndicators/submitTiIndicators
Content-Type: application/json
{
"value": [
{
"activityGroupNames": [],
"confidence": 0,
"description": "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.",
"expirationDateTime": "2019-03-01T21:44:03.1668987+00:00",
"externalId": "Test--8586509942423126760MS164-0",
"fileHashType": "sha256",
"fileHashValue": "b555c45c5b1b01304217e72118d6ca1b14b7013644a078273cea27bbdc1cf9d6",
"killChain": [],
"malwareFamilyNames": [],
"severity": 0,
"tags": [],
"targetProduct": "Azure Sentinel",
"threatType": "WatchList",
"tlpLevel": "green",
},
{
"activityGroupNames": [],
"confidence": 0,
"description": "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.",
"expirationDateTime": "2019-03-01T21:44:03.1748779+00:00",
"externalId": "Test--8586509942423126760MS164-1",
"fileHashType": "sha256",
"fileHashValue": "1796b433950990b28d6a22456c9d2b58ced1bdfcdf5f16f7e39d6b9bdca4213b",
"killChain": [],
"malwareFamilyNames": [],
"severity": 0,
"tags": [],
"targetProduct": "Azure Sentinel",
"threatType": "WatchList",
"tlpLevel": "green",
}
]
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Security.TiIndicators.SubmitTiIndicators;
using Microsoft.Graph.Beta.Models;
var requestBody = new SubmitTiIndicatorsPostRequestBody
{
Value = new List<TiIndicator>
{
new TiIndicator
{
ActivityGroupNames = new List<string>
{
},
Confidence = 0,
Description = "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.",
ExpirationDateTime = DateTimeOffset.Parse("2019-03-01T21:44:03.1668987+00:00"),
ExternalId = "Test--8586509942423126760MS164-0",
FileHashType = FileHashType.Sha256,
FileHashValue = "b555c45c5b1b01304217e72118d6ca1b14b7013644a078273cea27bbdc1cf9d6",
KillChain = new List<string>
{
},
MalwareFamilyNames = new List<string>
{
},
Severity = 0,
Tags = new List<string>
{
},
TargetProduct = "Azure Sentinel",
ThreatType = "WatchList",
TlpLevel = TlpLevel.Green,
},
new TiIndicator
{
ActivityGroupNames = new List<string>
{
},
Confidence = 0,
Description = "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.",
ExpirationDateTime = DateTimeOffset.Parse("2019-03-01T21:44:03.1748779+00:00"),
ExternalId = "Test--8586509942423126760MS164-1",
FileHashType = FileHashType.Sha256,
FileHashValue = "1796b433950990b28d6a22456c9d2b58ced1bdfcdf5f16f7e39d6b9bdca4213b",
KillChain = new List<string>
{
},
MalwareFamilyNames = new List<string>
{
},
Severity = 0,
Tags = new List<string>
{
},
TargetProduct = "Azure Sentinel",
ThreatType = "WatchList",
TlpLevel = TlpLevel.Green,
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Security.TiIndicators.SubmitTiIndicators.PostAsSubmitTiIndicatorsPostResponseAsync(requestBody);
// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc-beta security ti-indicators submit-ti-indicators post --body '{\
"value": [\
{\
"activityGroupNames": [],\
"confidence": 0,\
"description": "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.",\
"expirationDateTime": "2019-03-01T21:44:03.1668987+00:00",\
"externalId": "Test--8586509942423126760MS164-0",\
"fileHashType": "sha256",\
"fileHashValue": "b555c45c5b1b01304217e72118d6ca1b14b7013644a078273cea27bbdc1cf9d6",\
"killChain": [],\
"malwareFamilyNames": [],\
"severity": 0,\
"tags": [],\
"targetProduct": "Azure Sentinel",\
"threatType": "WatchList",\
"tlpLevel": "green",\
},\
{\
"activityGroupNames": [],\
"confidence": 0,\
"description": "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.",\
"expirationDateTime": "2019-03-01T21:44:03.1748779+00:00",\
"externalId": "Test--8586509942423126760MS164-1",\
"fileHashType": "sha256",\
"fileHashValue": "1796b433950990b28d6a22456c9d2b58ced1bdfcdf5f16f7e39d6b9bdca4213b",\
"killChain": [],\
"malwareFamilyNames": [],\
"severity": 0,\
"tags": [],\
"targetProduct": "Azure Sentinel",\
"threatType": "WatchList",\
"tlpLevel": "green",\
}\
]\
}\
'
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphsecurity "github.com/microsoftgraph/msgraph-beta-sdk-go/security"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)
requestBody := graphsecurity.NewSubmitTiIndicatorsPostRequestBody()
tiIndicator := graphmodels.NewTiIndicator()
activityGroupNames := []string {
}
tiIndicator.SetActivityGroupNames(activityGroupNames)
confidence := int32(0)
tiIndicator.SetConfidence(&confidence)
description := "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator."
tiIndicator.SetDescription(&description)
expirationDateTime , err := time.Parse(time.RFC3339, "2019-03-01T21:44:03.1668987+00:00")
tiIndicator.SetExpirationDateTime(&expirationDateTime)
externalId := "Test--8586509942423126760MS164-0"
tiIndicator.SetExternalId(&externalId)
fileHashType := graphmodels.SHA256_FILEHASHTYPE
tiIndicator.SetFileHashType(&fileHashType)
fileHashValue := "b555c45c5b1b01304217e72118d6ca1b14b7013644a078273cea27bbdc1cf9d6"
tiIndicator.SetFileHashValue(&fileHashValue)
killChain := []string {
}
tiIndicator.SetKillChain(killChain)
malwareFamilyNames := []string {
}
tiIndicator.SetMalwareFamilyNames(malwareFamilyNames)
severity := int32(0)
tiIndicator.SetSeverity(&severity)
tags := []string {
}
tiIndicator.SetTags(tags)
targetProduct := "Azure Sentinel"
tiIndicator.SetTargetProduct(&targetProduct)
threatType := "WatchList"
tiIndicator.SetThreatType(&threatType)
tlpLevel := graphmodels.GREEN_TLPLEVEL
tiIndicator.SetTlpLevel(&tlpLevel)
tiIndicator1 := graphmodels.NewTiIndicator()
activityGroupNames := []string {
}
tiIndicator1.SetActivityGroupNames(activityGroupNames)
confidence := int32(0)
tiIndicator1.SetConfidence(&confidence)
description := "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator."
tiIndicator1.SetDescription(&description)
expirationDateTime , err := time.Parse(time.RFC3339, "2019-03-01T21:44:03.1748779+00:00")
tiIndicator1.SetExpirationDateTime(&expirationDateTime)
externalId := "Test--8586509942423126760MS164-1"
tiIndicator1.SetExternalId(&externalId)
fileHashType := graphmodels.SHA256_FILEHASHTYPE
tiIndicator1.SetFileHashType(&fileHashType)
fileHashValue := "1796b433950990b28d6a22456c9d2b58ced1bdfcdf5f16f7e39d6b9bdca4213b"
tiIndicator1.SetFileHashValue(&fileHashValue)
killChain := []string {
}
tiIndicator1.SetKillChain(killChain)
malwareFamilyNames := []string {
}
tiIndicator1.SetMalwareFamilyNames(malwareFamilyNames)
severity := int32(0)
tiIndicator1.SetSeverity(&severity)
tags := []string {
}
tiIndicator1.SetTags(tags)
targetProduct := "Azure Sentinel"
tiIndicator1.SetTargetProduct(&targetProduct)
threatType := "WatchList"
tiIndicator1.SetThreatType(&threatType)
tlpLevel := graphmodels.GREEN_TLPLEVEL
tiIndicator1.SetTlpLevel(&tlpLevel)
value := []graphmodels.TiIndicatorable {
tiIndicator,
tiIndicator1,
}
requestBody.SetValue(value)
submitTiIndicators, err := graphClient.Security().TiIndicators().SubmitTiIndicators().PostAsSubmitTiIndicatorsPostResponse(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
com.microsoft.graph.beta.security.tiindicators.submittiindicators.SubmitTiIndicatorsPostRequestBody submitTiIndicatorsPostRequestBody = new com.microsoft.graph.beta.security.tiindicators.submittiindicators.SubmitTiIndicatorsPostRequestBody();
LinkedList<TiIndicator> value = new LinkedList<TiIndicator>();
TiIndicator tiIndicator = new TiIndicator();
LinkedList<String> activityGroupNames = new LinkedList<String>();
tiIndicator.setActivityGroupNames(activityGroupNames);
tiIndicator.setConfidence(0);
tiIndicator.setDescription("This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.");
OffsetDateTime expirationDateTime = OffsetDateTime.parse("2019-03-01T21:44:03.1668987+00:00");
tiIndicator.setExpirationDateTime(expirationDateTime);
tiIndicator.setExternalId("Test--8586509942423126760MS164-0");
tiIndicator.setFileHashType(FileHashType.Sha256);
tiIndicator.setFileHashValue("b555c45c5b1b01304217e72118d6ca1b14b7013644a078273cea27bbdc1cf9d6");
LinkedList<String> killChain = new LinkedList<String>();
tiIndicator.setKillChain(killChain);
LinkedList<String> malwareFamilyNames = new LinkedList<String>();
tiIndicator.setMalwareFamilyNames(malwareFamilyNames);
tiIndicator.setSeverity(0);
LinkedList<String> tags = new LinkedList<String>();
tiIndicator.setTags(tags);
tiIndicator.setTargetProduct("Azure Sentinel");
tiIndicator.setThreatType("WatchList");
tiIndicator.setTlpLevel(TlpLevel.Green);
value.add(tiIndicator);
TiIndicator tiIndicator1 = new TiIndicator();
LinkedList<String> activityGroupNames1 = new LinkedList<String>();
tiIndicator1.setActivityGroupNames(activityGroupNames1);
tiIndicator1.setConfidence(0);
tiIndicator1.setDescription("This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.");
OffsetDateTime expirationDateTime1 = OffsetDateTime.parse("2019-03-01T21:44:03.1748779+00:00");
tiIndicator1.setExpirationDateTime(expirationDateTime1);
tiIndicator1.setExternalId("Test--8586509942423126760MS164-1");
tiIndicator1.setFileHashType(FileHashType.Sha256);
tiIndicator1.setFileHashValue("1796b433950990b28d6a22456c9d2b58ced1bdfcdf5f16f7e39d6b9bdca4213b");
LinkedList<String> killChain1 = new LinkedList<String>();
tiIndicator1.setKillChain(killChain1);
LinkedList<String> malwareFamilyNames1 = new LinkedList<String>();
tiIndicator1.setMalwareFamilyNames(malwareFamilyNames1);
tiIndicator1.setSeverity(0);
LinkedList<String> tags1 = new LinkedList<String>();
tiIndicator1.setTags(tags1);
tiIndicator1.setTargetProduct("Azure Sentinel");
tiIndicator1.setThreatType("WatchList");
tiIndicator1.setTlpLevel(TlpLevel.Green);
value.add(tiIndicator1);
submitTiIndicatorsPostRequestBody.setValue(value);
var result = graphClient.security().tiIndicators().submitTiIndicators().post(submitTiIndicatorsPostRequestBody);
const options = {
authProvider,
};
const client = Client.init(options);
const tiIndicator = {
value: [
{
activityGroupNames: [],
confidence: 0,
description: 'This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.',
expirationDateTime: '2019-03-01T21:44:03.1668987+00:00',
externalId: 'Test--8586509942423126760MS164-0',
fileHashType: 'sha256',
fileHashValue: 'b555c45c5b1b01304217e72118d6ca1b14b7013644a078273cea27bbdc1cf9d6',
killChain: [],
malwareFamilyNames: [],
severity: 0,
tags: [],
targetProduct: 'Azure Sentinel',
threatType: 'WatchList',
tlpLevel: 'green',
},
{
activityGroupNames: [],
confidence: 0,
description: 'This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.',
expirationDateTime: '2019-03-01T21:44:03.1748779+00:00',
externalId: 'Test--8586509942423126760MS164-1',
fileHashType: 'sha256',
fileHashValue: '1796b433950990b28d6a22456c9d2b58ced1bdfcdf5f16f7e39d6b9bdca4213b',
killChain: [],
malwareFamilyNames: [],
severity: 0,
tags: [],
targetProduct: 'Azure Sentinel',
threatType: 'WatchList',
tlpLevel: 'green',
}
]
};
await client.api('/security/tiIndicators/submitTiIndicators')
.version('beta')
.post(tiIndicator);
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\SubmitTiIndicatorsPostRequestBody;
use Microsoft\Graph\Generated\Models\TiIndicator;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new SubmitTiIndicatorsPostRequestBody();
$valueTiIndicator1 = new TiIndicator();
$valueTiIndicator1->setActivityGroupNames([ ]);
$valueTiIndicator1->setConfidence(0);
$valueTiIndicator1->setDescription('This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.');
$valueTiIndicator1->setExpirationDateTime(new \DateTime('2019-03-01T21:44:03.1668987+00:00'));
$valueTiIndicator1->setExternalId('Test--8586509942423126760MS164-0');
$valueTiIndicator1->setFileHashType(new FileHashType('sha256'));
$valueTiIndicator1->setFileHashValue('b555c45c5b1b01304217e72118d6ca1b14b7013644a078273cea27bbdc1cf9d6');
$valueTiIndicator1->setKillChain([ ]);
$valueTiIndicator1->setMalwareFamilyNames([ ]);
$valueTiIndicator1->setSeverity(0);
$valueTiIndicator1->setTags([ ]);
$valueTiIndicator1->setTargetProduct('Azure Sentinel');
$valueTiIndicator1->setThreatType('WatchList');
$valueTiIndicator1->setTlpLevel(new TlpLevel('green'));
$valueArray []= $valueTiIndicator1;
$valueTiIndicator2 = new TiIndicator();
$valueTiIndicator2->setActivityGroupNames([ ]);
$valueTiIndicator2->setConfidence(0);
$valueTiIndicator2->setDescription('This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.');
$valueTiIndicator2->setExpirationDateTime(new \DateTime('2019-03-01T21:44:03.1748779+00:00'));
$valueTiIndicator2->setExternalId('Test--8586509942423126760MS164-1');
$valueTiIndicator2->setFileHashType(new FileHashType('sha256'));
$valueTiIndicator2->setFileHashValue('1796b433950990b28d6a22456c9d2b58ced1bdfcdf5f16f7e39d6b9bdca4213b');
$valueTiIndicator2->setKillChain([ ]);
$valueTiIndicator2->setMalwareFamilyNames([ ]);
$valueTiIndicator2->setSeverity(0);
$valueTiIndicator2->setTags([ ]);
$valueTiIndicator2->setTargetProduct('Azure Sentinel');
$valueTiIndicator2->setThreatType('WatchList');
$valueTiIndicator2->setTlpLevel(new TlpLevel('green'));
$valueArray []= $valueTiIndicator2;
$requestBody->setValue($valueArray);
$result = $graphServiceClient->security()->tiIndicators()->submitTiIndicators()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Security
$params = @{
value = @(
@{
activityGroupNames = @(
)
confidence = 0
description = "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator."
expirationDateTime = [System.DateTime]::Parse("2019-03-01T21:44:03.1668987+00:00")
externalId = "Test--8586509942423126760MS164-0"
fileHashType = "sha256"
fileHashValue = "b555c45c5b1b01304217e72118d6ca1b14b7013644a078273cea27bbdc1cf9d6"
killChain = @(
)
malwareFamilyNames = @(
)
severity = 0
tags = @(
)
targetProduct = "Azure Sentinel"
threatType = "WatchList"
tlpLevel = "green"
}
@{
activityGroupNames = @(
)
confidence = 0
description = "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator."
expirationDateTime = [System.DateTime]::Parse("2019-03-01T21:44:03.1748779+00:00")
externalId = "Test--8586509942423126760MS164-1"
fileHashType = "sha256"
fileHashValue = "1796b433950990b28d6a22456c9d2b58ced1bdfcdf5f16f7e39d6b9bdca4213b"
killChain = @(
)
malwareFamilyNames = @(
)
severity = 0
tags = @(
)
targetProduct = "Azure Sentinel"
threatType = "WatchList"
tlpLevel = "green"
}
)
}
Submit-MgBetaSecurityTiIndicator -BodyParameter $params
from msgraph import GraphServiceClient
from msgraph.generated.models.submit_ti_indicators_post_request_body import SubmitTiIndicatorsPostRequestBody
from msgraph.generated.models.ti_indicator import TiIndicator
graph_client = GraphServiceClient(credentials, scopes)
request_body = SubmitTiIndicatorsPostRequestBody(
value = [
TiIndicator(
activity_group_names = [
],
confidence = 0,
description = "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.",
expiration_date_time = "2019-03-01T21:44:03.1668987+00:00",
external_id = "Test--8586509942423126760MS164-0",
file_hash_type = FileHashType.Sha256,
file_hash_value = "b555c45c5b1b01304217e72118d6ca1b14b7013644a078273cea27bbdc1cf9d6",
kill_chain = [
],
malware_family_names = [
],
severity = 0,
tags = [
],
target_product = "Azure Sentinel",
threat_type = "WatchList",
tlp_level = TlpLevel.Green,
),
TiIndicator(
activity_group_names = [
],
confidence = 0,
description = "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.",
expiration_date_time = "2019-03-01T21:44:03.1748779+00:00",
external_id = "Test--8586509942423126760MS164-1",
file_hash_type = FileHashType.Sha256,
file_hash_value = "1796b433950990b28d6a22456c9d2b58ced1bdfcdf5f16f7e39d6b9bdca4213b",
kill_chain = [
],
malware_family_names = [
],
severity = 0,
tags = [
],
target_product = "Azure Sentinel",
threat_type = "WatchList",
tlp_level = TlpLevel.Green,
),
],
)
result = await graph_client.security.ti_indicators.submit_ti_indicators.post(request_body)
The following example shows the response.