Submit or Update Indicator API
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft 365 Defender
Want to experience Defender for Endpoint? Sign up for a free trial.
Note
If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.
Tip
For better performance, you can use server closer to your geo location:
- api-us.securitycenter.microsoft.com
- api-eu.securitycenter.microsoft.com
- api-uk.securitycenter.microsoft.com
- api-au.securitycenter.microsoft.com
API description
Submits or Updates new Indicator entity.
CIDR notation for IPs is not supported.
Limitations
- Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
- There is a limit of 15,000 active indicators per tenant.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Get started
| Permission type | Permission | Permission display name |
|---|---|---|
| Application | Ti.ReadWrite | 'Read and write Indicators' |
| Application | Ti.ReadWrite.All | 'Read and write All Indicators' |
| Delegated (work or school account) | Ti.ReadWrite | 'Read and write Indicators' |
HTTP request
POST https://api.securitycenter.microsoft.com/api/indicators
Request headers
| Name | Type | Description |
|---|---|---|
| Authorization | String | Bearer {token}. Required. |
| Content-Type | string | application/json. Required. |
Request body
In the request body, supply a JSON object with the following parameters:
| Parameter | Type | Description |
|---|---|---|
| indicatorValue | String | Identity of the Indicator entity. Required |
| indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileMd5", "CertificateThumbprint", "FileSha256", "IpAddress", "DomainName" and "Url". Required |
| action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "Warn", "Block", "Audit, "BlockAndRemediate", "AlertAndBlock", and "Allowed". Required. The "GenerateAlert" parameter must be set to "TRUE" when creating an action with "Audit". |
| application | String | The application associated with the indicator. This field only works for new indicators. It will not update the value on an existing indicator. Optional |
| title | String | Indicator alert title. Required |
| description | String | Description of the indicator. Required |
| expirationTime | DateTimeOffset | The expiration time of the indicator. Optional |
| severity | Enum | The severity of the indicator. Possible values are: "Informational", "Low", "Medium", and "High". Optional |
| recommendedActions | String | TI indicator alert recommended actions. Optional |
| rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. Optional |
| educateUrl | String | Custom notification/support URL. Supported for Block and Warn action types for URL indicators. Optional |
| generateAlert | Enum | True if alert generation is required, False if this indicator should not generate an alert. |
Response
- If successful, this method returns 200 - OK response code and the created / updated Indicator entity in the response body.
- If not successful: this method return 400 - Bad Request. Bad request usually indicates incorrect body.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.microsoft.com/api/indicators
{
"indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
"indicatorType": "FileSha1",
"title": "test",
"application": "demo-test",
"expirationTime": "2020-12-12T00:00:00Z",
"action": "AlertAndBlock",
"severity": "Informational",
"description": "test",
"recommendedActions": "nothing",
"rbacGroupNames": ["group1", "group2"]
}
Related topic
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.
Feedback
Submit and view feedback for