deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 10:53:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

s

Browse Source
This commit is contained in:
Ben Alfasi
2018-10-25 09:52:49 +03:00
parent a7ee8fea98
commit 0a9bbd5920
2 changed files with 114 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

113
windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md Normal file
View File

@ -0,0 +1,113 @@
---
title: Submit Ti Indicator API
description: Use this API to submit Ti Indicator.
keywords: apis, graph api, supported apis, submit, ti, ti indicator
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 12/08/2017
---
# Submit Ti Indicator API
[!include[Prerelease information](prerelease.md)]
>[!Note]
> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Submits new [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | Ti_ReadWrite | 'Read and write Ti Indicators'
## HTTP request
```
POST https://api.securitycenter.windows.com/api/tiindicators
```
[!include[Improve request performance](improverequestperformance-new.md)]
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
Content-Type | string | application/json. **Required**.
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
indicator | String | Identity of the [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. **Required**
indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
title | String | Ti indicator title.
expirationTime | DateTimeOffset | The expiration time of the indicator.
action | Enum | The action that will be taken when the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required**
severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High".
description | String | Description of the indicator.
recommendedActions | String | Recommended actions for the indicator.
## Response
If successful, this method returns 201 - Created response code and the created [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) in the response body.
## Example
**Request**
Here is an example of the request.
```
POST https://api.securitycenter.windows.com/api/tiindicators
Content-type: application/json
{
"indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
"indicatorType": "FileSha1",
"title": "test",
"expirationTime": "2020-12-12T00:00:00Z",
"action": "AlertAndBlock",
"severity": "Informational",
"description": "test",
"recommendedActions": "TEST"
}
```
**Response**
Here is an example of the response.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
"indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
"indicatorType": "FileSha1",
"title": "test",
"creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
"createdBy": "45097602-1234-5678-1234-9f453233e62c",
"expirationTime": "2020-12-12T00:00:00Z",
"action": "AlertAndBlock",
"severity": "Informational",
"description": "test",
"recommendedActions": "TEST"
}
```

2
windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
View File

@ -31,7 +31,7 @@ indicator | String | Identity of the [Ti Indicator](ti-indicator-windows-defende
indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url" indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url"
title | String | Ti indicator title. title | String | Ti indicator title.
creationTimeDateTimeUtc | DateTimeOffset | The date and time when the indicator was created. creationTimeDateTimeUtc | DateTimeOffset | The date and time when the indicator was created.
createdBy | String | Identity of the user/application that created the indicator. createdBy | String | Identity of the user/application that submitted the indicator.
expirationTime | DateTimeOffset | The expiration time of the indicator expirationTime | DateTimeOffset | The expiration time of the indicator
action | Enum | The action that will be taken when the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed" action | Enum | The action that will be taken when the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed"
severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High" severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High"