Edit

Share via

Update tiIndicator

  • Article

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Update the properties of a tiIndicator object.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) ThreatIndicators.ReadWrite.OwnedBy Not available.
Delegated (personal Microsoft account) Not supported. Not supported.
Application ThreatIndicators.ReadWrite.OwnedBy Not available.

HTTP request

PATCH /security/tiIndicators/{id}

Request headers

Name Description
Authorization Bearer {code} Required
Prefer return=representation

Request body

In the request body, supply the values for relevant fields that should be updated. Existing properties that aren't included in the request body maintains their previous values or be recalculated based on changes to other property values. For best performance, don't include existing values that haven't changed. Required fields are: id, expirationDateTime, targetProduct.

Property Type Description
action string The action to apply if the indicator is matched from within the targetProduct security tool. Possible values are: unknown, allow, block, alert.
activityGroupNames String collection The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator.
additionalInformation String A catchall area into which extra data from the indicator not covered by the other tiIndicator properties may be placed. Data placed into additionalInformation will typically not be utilized by the targetProduct security tool.
confidence Int32 An integer representing the confidence the data within the indicator accurately identifies malicious behavior. Acceptable values are 0 – 100 with 100 being the highest.
description String Brief description (100 characters or less) of the threat represented by the indicator.
diamondModel diamondModel The area of the Diamond Model in which this indicator exists. Possible values are: unknown, adversary, capability, infrastructure, victim.
expirationDateTime DateTimeOffset DateTime string indicating when the Indicator expires. All indicators must have an expiration date to avoid stale indicators persisting in the system. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.
externalId String An identification number that ties the indicator back to the indicator provider’s system (for example, a foreign key).
isActive Boolean Used to deactivate indicators within system. By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system.
killChain killChain collection A JSON array of strings that describes which point or points on the Kill Chain this indicator targets. See "killChain values" below for exact values.
knownFalsePositives String Scenarios in which the indicator may cause false positives. This should be human-readable text.
lastReportedDateTime DateTimeOffset The last time the indicator was seen. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.
malwareFamilyNames String collection The malware family name associated with an indicator if it exists. Microsoft prefers the Microsoft malware family name if at all possible that can be found via the Windows Defender Security Intelligence threat encyclopedia.
passiveOnly Boolean Determines if the indicator should trigger an event that is visible to an end-user. When set to ‘true,’ security tools won't notify the end user that a ‘hit’ has occurred. This is most often treated as audit or silent mode by security products where they'll log that a match occurred but won't perform the action. Default value is false.
severity Int32 An integer representing the severity of the malicious behavior identified by the data within the indicator. Acceptable values are 0 – 5 where 5 is the most severe and zero isn't severe at all. Default value is 3.
tags String collection A JSON array of strings that stores arbitrary tags/keywords.
tlpLevel tlpLevel Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red.

Response

If successful, this method returns a 204 No Content response code.

If the optional request header is used, the method returns a 200 OK response code and the updated tiIndicator object in the response body.

Examples

Example 1: Request without Prefer header

Request

The following example shows a request without the Prefer header.

PATCH https://graph.microsoft.com/beta/security/tiIndicators/{id}
Content-type: application/json

{
  "description": "description-updated",
}

Response

The following example shows the response.

HTTP/1.1 204 No Content

Example 2: Request with Prefer header

Request

The following example shows a request that includes the Prefer header.

PATCH https://graph.microsoft.com/beta/security/tiIndicators/{id}
Content-type: application/json
Prefer: return=representation

{
  "additionalInformation": "additionalInformation-after-update",
  "confidence": 42,
  "description": "description-after-update",
}

Response

The following example shows the response.

Note

The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#Security/tiIndicators/$entity",
    "id": "e58c072b-c9bb-a5c4-34ce-eb69af44fb1e",
    "azureTenantId": "XXXXXXXXXXXXXXXXXXXXXXXXX",
    "action": null,
    "additionalInformation": "additionalInformation-after-update",
    "activityGroupNames": [],
    "confidence": 42,
    "description": "description-after-update",
}