Ben Alfasi
2021-01-21 21:48:12 +02:00
parent 6b129e368c
commit ac2d63462d
3 changed files with 145 additions and 3 deletions

@ -0,0 +1,141 @@
---
title: Import Indicators API
description: Learn how to use the Import batch of Indicator API in Microsoft Defender Advanced Threat Protection.
keywords: apis, supported apis, submit, ti, indicator, update
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Import Indicators API
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
[!include[Improve request performance](../../includes/improve-request-performance.md)]
## API description
Submits or Updates batch of [Indicator](ti-indicator.md) entities.
<br>CIDR notation for IPs is not supported.
## Limitations
1. Rate limitations for this API are 30 calls per minute.
2. There is a limit of 15,000 active [Indicators](ti-indicator.md) per tenant.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | Ti.ReadWrite | 'Read and write Indicators'
Application | Ti.ReadWrite.All | 'Read and write All Indicators'
Delegated (work or school account) | Ti.ReadWrite | 'Read and write Indicators'
## HTTP request
```
POST https://api.securitycenter.microsoft.com/api/indicators/import
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
Content-Type | string | application/json. **Required**.
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Indicators | List<[Indicator](ti-indicator.md)> | List of [Indicators](ti-indicator.md). **Required**
## Response
- If successful, this method returns 200 - OK response code with a list of import results per indicator, see example below.
- If not successful: this method return 400 - Bad Request. Bad request usually indicates incorrect body.
## Example
**Request**
Here is an example of the request.
```
POST https://api.securitycenter.microsoft.com/api/indicators/import
```
```json
{
"Indicators":
[
{
"indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
"indicatorType": "FileSha1",
"title": "demo",
"application": "demo-test",
"expirationTime": "2021-12-12T00:00:00Z",
"action": "Alert",
"severity": "Informational",
"description": "demo2",
"recommendedActions": "nothing",
"rbacGroupNames": ["group1", "group2"]
},
{
"indicatorValue": "2233223322332233223322332233223322332233223322332233223322332222",
"indicatorType": "FileSha256",
"title": "demo2",
"application": "demo-test2",
"expirationTime": "2021-12-12T00:00:00Z",
"action": "Alert",
"severity": "Medium",
"description": "demo2",
"recommendedActions": "nothing",
"rbacGroupNames": []
}
]
}
```
**Request**
Here is an example of the request.
```json
{
"value": [
{
"id": "2841",
"indicator": "220e7d15b011d7fac48f2bd61114db1022197f7f",
"isFailed": false,
"failureReason": null
},
{
"id": "2842",
"indicator": "2233223322332233223322332233223322332233223322332233223322332222",
"isFailed": false,
"failureReason": null
}
]
}
```
## Related topic
- [Manage indicators](manage-indicators.md)
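Review bot: The second example block under "## Example" is labelled `**Request**` / "Here is an example of the request." a second time, but its body (`value`, `id`, `isFailed`, `failureReason`) is the per-indicator import result that the "## Response" section describes. Relabel it `**Response**` with "Here is an example of the response." Smaller points in the same file: the request example omits the `Content-Type: application/json` header that the "Request headers" table marks as required, and the front-matter `description` says "Microsoft Defender Advanced Threat Protection" while the body uses "Microsoft Defender for Endpoint". The example shows only entries with `"isFailed": false`; one entry with a non-null `failureReason` would show callers what a partial failure inside a 200 response looks like.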

@ -32,7 +32,7 @@ ms.topic: article
## API description ## API description
Submits or Updates new [Indicator](ti-indicator.md) entity. Submits or Updates new [Indicator](ti-indicator.md) entity.
<br>CIDR notation for IPs is supported. <br>CIDR notation for IPs is not supported.
## Limitations ## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. 1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
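Review bot: The `<br>CIDR notation for IPs is supported.` line becomes "is not supported", which reverses the documented behaviour of the existing single-indicator endpoint in a commit that otherwise adds the batch import page. Confirm the reversal is intended for this endpoint and was not carried over from the new page's wording. If it is intended, add a sentence on what the API returns when a CIDR value is submitted, since the earlier text told readers that ranges were accepted.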
@ -90,7 +90,8 @@ Here is an example of the request.
``` ```
POST https://api.securitycenter.microsoft.com/api/indicators POST https://api.securitycenter.microsoft.com/api/indicators
Content-type: application/json ```
```json
{ {
"indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f", "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
"indicatorType": "FileSha1", "indicatorType": "FileSha1",