Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Create a new tiIndicator object.
This API is available in the following national cloud deployments.
| Global service |
US Government L4 |
US Government L5 (DOD) |
China operated by 21Vianet |
| ✅ |
❌ |
❌ |
❌ |
Permissions
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
| Permission type |
Least privileged permissions |
Higher privileged permissions |
| Delegated (work or school account) |
ThreatIndicators.ReadWrite.OwnedBy |
Not available. |
| Delegated (personal Microsoft account) |
Not supported. |
Not supported. |
| Application |
ThreatIndicators.ReadWrite.OwnedBy |
Not available. |
HTTP request
POST /security/tiIndicators
Request body
In the request body, supply a JSON representation of a tiIndicator object containing at least one email, file, or network observable, and the following required fields: action, description, expirationDateTime, targetProduct, threatType, tlpLevel.
Response
If successful, this method returns 201 Created response code and a tiIndicator object in the response body.
Examples
Request
The following example shows a request.
POST https://graph.microsoft.com/beta/security/tiIndicators
Content-type: application/json
{
"action": "alert",
"activityGroupNames": [],
"confidence": 0,
"description": "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.",
"expirationDateTime": "2019-03-01T21:43:37.5031462+00:00",
"externalId": "Test--8586509942679764298MS501",
"fileHashType": "sha256",
"fileHashValue": "aa64428647b57bf51524d1756b2ed746e5a3f31b67cf7fe5b5d8a9daf07ca313",
"killChain": [],
"malwareFamilyNames": [],
"severity": 0,
"tags": [],
"targetProduct": "Azure Sentinel",
"threatType": "WatchList",
"tlpLevel": "green"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new TiIndicator
{
Action = TiAction.Alert,
ActivityGroupNames = new List<string>
{
},
Confidence = 0,
Description = "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.",
ExpirationDateTime = DateTimeOffset.Parse("2019-03-01T21:43:37.5031462+00:00"),
ExternalId = "Test--8586509942679764298MS501",
FileHashType = FileHashType.Sha256,
FileHashValue = "aa64428647b57bf51524d1756b2ed746e5a3f31b67cf7fe5b5d8a9daf07ca313",
KillChain = new List<string>
{
},
MalwareFamilyNames = new List<string>
{
},
Severity = 0,
Tags = new List<string>
{
},
TargetProduct = "Azure Sentinel",
ThreatType = "WatchList",
TlpLevel = TlpLevel.Green,
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Security.TiIndicators.PostAsync(requestBody);
mgc-beta security ti-indicators create --body '{\
"action": "alert",\
"activityGroupNames": [],\
"confidence": 0,\
"description": "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.",\
"expirationDateTime": "2019-03-01T21:43:37.5031462+00:00",\
"externalId": "Test--8586509942679764298MS501",\
"fileHashType": "sha256",\
"fileHashValue": "aa64428647b57bf51524d1756b2ed746e5a3f31b67cf7fe5b5d8a9daf07ca313",\
"killChain": [],\
"malwareFamilyNames": [],\
"severity": 0,\
"tags": [],\
"targetProduct": "Azure Sentinel",\
"threatType": "WatchList",\
"tlpLevel": "green"\
}\
'
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
"time"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewTiIndicator()
action := graphmodels.ALERT_TIACTION
requestBody.SetAction(&action)
activityGroupNames := []string {
}
requestBody.SetActivityGroupNames(activityGroupNames)
confidence := int32(0)
requestBody.SetConfidence(&confidence)
description := "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator."
requestBody.SetDescription(&description)
expirationDateTime , err := time.Parse(time.RFC3339, "2019-03-01T21:43:37.5031462+00:00")
requestBody.SetExpirationDateTime(&expirationDateTime)
externalId := "Test--8586509942679764298MS501"
requestBody.SetExternalId(&externalId)
fileHashType := graphmodels.SHA256_FILEHASHTYPE
requestBody.SetFileHashType(&fileHashType)
fileHashValue := "aa64428647b57bf51524d1756b2ed746e5a3f31b67cf7fe5b5d8a9daf07ca313"
requestBody.SetFileHashValue(&fileHashValue)
killChain := []string {
}
requestBody.SetKillChain(killChain)
malwareFamilyNames := []string {
}
requestBody.SetMalwareFamilyNames(malwareFamilyNames)
severity := int32(0)
requestBody.SetSeverity(&severity)
tags := []string {
}
requestBody.SetTags(tags)
targetProduct := "Azure Sentinel"
requestBody.SetTargetProduct(&targetProduct)
threatType := "WatchList"
requestBody.SetThreatType(&threatType)
tlpLevel := graphmodels.GREEN_TLPLEVEL
requestBody.SetTlpLevel(&tlpLevel)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
tiIndicators, err := graphClient.Security().TiIndicators().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
TiIndicator tiIndicator = new TiIndicator();
tiIndicator.setAction(TiAction.Alert);
LinkedList<String> activityGroupNames = new LinkedList<String>();
tiIndicator.setActivityGroupNames(activityGroupNames);
tiIndicator.setConfidence(0);
tiIndicator.setDescription("This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.");
OffsetDateTime expirationDateTime = OffsetDateTime.parse("2019-03-01T21:43:37.5031462+00:00");
tiIndicator.setExpirationDateTime(expirationDateTime);
tiIndicator.setExternalId("Test--8586509942679764298MS501");
tiIndicator.setFileHashType(FileHashType.Sha256);
tiIndicator.setFileHashValue("aa64428647b57bf51524d1756b2ed746e5a3f31b67cf7fe5b5d8a9daf07ca313");
LinkedList<String> killChain = new LinkedList<String>();
tiIndicator.setKillChain(killChain);
LinkedList<String> malwareFamilyNames = new LinkedList<String>();
tiIndicator.setMalwareFamilyNames(malwareFamilyNames);
tiIndicator.setSeverity(0);
LinkedList<String> tags = new LinkedList<String>();
tiIndicator.setTags(tags);
tiIndicator.setTargetProduct("Azure Sentinel");
tiIndicator.setThreatType("WatchList");
tiIndicator.setTlpLevel(TlpLevel.Green);
TiIndicator result = graphClient.security().tiIndicators().post(tiIndicator);
const options = {
authProvider,
};
const client = Client.init(options);
const tiIndicator = {
action: 'alert',
activityGroupNames: [],
confidence: 0,
description: 'This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.',
expirationDateTime: '2019-03-01T21:43:37.5031462+00:00',
externalId: 'Test--8586509942679764298MS501',
fileHashType: 'sha256',
fileHashValue: 'aa64428647b57bf51524d1756b2ed746e5a3f31b67cf7fe5b5d8a9daf07ca313',
killChain: [],
malwareFamilyNames: [],
severity: 0,
tags: [],
targetProduct: 'Azure Sentinel',
threatType: 'WatchList',
tlpLevel: 'green'
};
await client.api('/security/tiIndicators')
.version('beta')
.post(tiIndicator);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\TiIndicator;
use Microsoft\Graph\Beta\Generated\Models\TiAction;
use Microsoft\Graph\Beta\Generated\Models\FileHashType;
use Microsoft\Graph\Beta\Generated\Models\TlpLevel;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new TiIndicator();
$requestBody->setAction(new TiAction('alert'));
$requestBody->setActivityGroupNames([ ]);
$requestBody->setConfidence(0);
$requestBody->setDescription('This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.');
$requestBody->setExpirationDateTime(new \DateTime('2019-03-01T21:43:37.5031462+00:00'));
$requestBody->setExternalId('Test--8586509942679764298MS501');
$requestBody->setFileHashType(new FileHashType('sha256'));
$requestBody->setFileHashValue('aa64428647b57bf51524d1756b2ed746e5a3f31b67cf7fe5b5d8a9daf07ca313');
$requestBody->setKillChain([ ]);
$requestBody->setMalwareFamilyNames([ ]);
$requestBody->setSeverity(0);
$requestBody->setTags([ ]);
$requestBody->setTargetProduct('Azure Sentinel');
$requestBody->setThreatType('WatchList');
$requestBody->setTlpLevel(new TlpLevel('green'));
$result = $graphServiceClient->security()->tiIndicators()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Security
$params = @{
action = "alert"
activityGroupNames = @(
)
confidence = 0
description = "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator."
expirationDateTime = [System.DateTime]::Parse("2019-03-01T21:43:37.5031462+00:00")
externalId = "Test--8586509942679764298MS501"
fileHashType = "sha256"
fileHashValue = "aa64428647b57bf51524d1756b2ed746e5a3f31b67cf7fe5b5d8a9daf07ca313"
killChain = @(
)
malwareFamilyNames = @(
)
severity = 0
tags = @(
)
targetProduct = "Azure Sentinel"
threatType = "WatchList"
tlpLevel = "green"
}
New-MgBetaSecurityTiIndicator -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.ti_indicator import TiIndicator
from msgraph_beta.generated.models.ti_action import TiAction
from msgraph_beta.generated.models.file_hash_type import FileHashType
from msgraph_beta.generated.models.tlp_level import TlpLevel
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = TiIndicator(
action = TiAction.Alert,
activity_group_names = [
],
confidence = 0,
description = "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.",
expiration_date_time = "2019-03-01T21:43:37.5031462+00:00",
external_id = "Test--8586509942679764298MS501",
file_hash_type = FileHashType.Sha256,
file_hash_value = "aa64428647b57bf51524d1756b2ed746e5a3f31b67cf7fe5b5d8a9daf07ca313",
kill_chain = [
],
malware_family_names = [
],
severity = 0,
tags = [
],
target_product = "Azure Sentinel",
threat_type = "WatchList",
tlp_level = TlpLevel.Green,
)
result = await graph_client.security.ti_indicators.post(request_body)
Response
The following example shows the response.
Note
The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#Security/tiIndicators/$entity",
"id": "e58c072b-c9bb-a5c4-34ce-eb69af44fb1e",
"azureTenantId": "XXXXXXXXXXXXXXXXXXXX",
"action": "alert",
"additionalInformation": null,
"activityGroupNames": [],
"confidence": 0,
"description": "This is a canary indicator for demo purpose. Take no action on any observables set in this indicator.",
}