|
1 | | ---- |
2 | | -title: Submit or Update Indicator API |
3 | | -description: Learn how to use the Submit or Update Indicator API to submit or update a new Indicator entity in Microsoft Defender for Endpoint. |
4 | | -ms.service: defender-endpoint |
5 | | -ms.author: bagol |
6 | | -author: batamig |
7 | | -ms.localizationpriority: medium |
8 | | -manager: bagol |
9 | | -audience: ITPro |
10 | | -ms.collection: |
11 | | -- m365-security |
12 | | -- tier3 |
13 | | -- must-keep |
14 | | -ms.topic: reference |
15 | | -ms.subservice: reference |
16 | | -ms.custom: api |
17 | | -search.appverid: met150 |
18 | | -ms.date: 12/18/2020 |
19 | | -appliesto: |
20 | | - - Microsoft Defender for Endpoint |
21 | | - - Microsoft Defender for Endpoint Plan 1 |
22 | | - |
23 | 1 | --- |
24 | 2 | # Submit or Update Indicator API |
25 | 3 |
|
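Review bot: The `---` kept on new line 1 is now an orphan. With old lines 1-22 deleted, it sits alone directly above the `# Submit or Update Indicator API` heading, and the file no longer opens with its `title`, `description` and `ms.date` metadata. Keep the front matter block at the top of the file, enclosed by both its opening and closing `---`, instead of deleting it here.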
@@ -64,27 +42,50 @@ POST https://api.securitycenter.microsoft.com/api/indicators |
64 | 42 |
|
65 | 43 | Name|Type|Description |
66 | 44 | :---|:---|:--- |
| 45 | +--- |
| 46 | +title: Submit or Update Indicator API |
| 47 | +description: Learn how to use the Submit or Update Indicator API to submit or update a new Indicator entity in Microsoft Defender for Endpoint. |
| 48 | +ms.service: defender-endpoint |
| 49 | +ms.author: bagol |
| 50 | +author: batamig |
| 51 | +ms.localizationpriority: medium |
| 52 | +manager: bagol |
| 53 | +audience: ITPro |
| 54 | +ms.collection: |
| 55 | +- m365-security |
| 56 | +- tier3 |
| 57 | +- must-keep |
| 58 | +ms.topic: reference |
| 59 | +ms.subservice: reference |
| 60 | +ms.custom: api |
| 61 | +search.appverid: met150 |
| 62 | +ms.date: 12/18/2020 |
| 63 | +appliesto: |
| 64 | + - Microsoft Defender for Endpoint |
| 65 | + - Microsoft Defender for Endpoint Plan 1 |
| 66 | + |
| 67 | + |
67 | 68 | Authorization|String|Bearer {token}. **Required**. |
68 | 69 | Content-Type|string|application/json. **Required**. |
69 | 70 |
|
70 | 71 | ## Request body |
71 | 72 |
|
72 | 73 | In the request body, supply a JSON object with the following parameters: |
73 | 74 |
|
74 | | -Parameter|Type|Description |
75 | | -:---|:---|:--- |
76 | | -indicatorValue|String|Identity of the [Indicator](ti-indicator.md) entity. **Required** |
77 | | -indicatorType|Enum|Type of the indicator. Possible values are: `FileSha1`, `FileMd5`, `CertificateThumbprint`, `FileSha256`, `IpAddress`, `DomainName`, and `Url`. **Required** |
78 | | -action|Enum|The action that is taken if the indicator is discovered in the organization. Possible values are: `Alert`, `Warn`, `Block`, `Audit`, `BlockAndRemediate`, `AlertAndBlock`, and `Allowed`. **Required**. The `GenerateAlert` parameter must be set to `TRUE` when creating an action with `Audit`. |
79 | | -application|String|The application associated with the indicator. This field only works for new indicators. It doesn't update the value on an existing indicator. **Optional** |
80 | | -title|String|Indicator alert title. **Required** |
81 | | -description|String|Description of the indicator. **Required** |
82 | | -expirationTime|DateTimeOffset|The expiration time of the indicator. **Optional** |
83 | | -severity|Enum|The severity of the indicator. Possible values are: `Informational`, `Low`, `Medium`, and `High`. **Optional** |
84 | | -recommendedActions|String|TI indicator alert recommended actions. **Optional** |
85 | | -rbacGroupNames|String|Comma-separated list of RBAC group names the indicator would be applied to. **Optional** |
86 | | -educateUrl|String|Custom notification/support URL. Supported for Block and Warn action types for URL indicators. **Optional** |
87 | | -generateAlert|Enum|**True** if alert generation is required, **False** if this indicator shouldn't generate an alert. |
| 75 | +|Parameter|Type|Description| |
| 76 | +|:---|:---|:---| |
| 77 | +|indicatorValue|String|Identity of the [Indicator](ti-indicator.md) entity. **Required**| |
| 78 | +|indicatorType|Enum|Type of the indicator. Possible values are: `FileSha1`, `FileMd5`, `CertificateThumbprint`, `FileSha256`, `IpAddress`, `DomainName`, and `Url`. **Required**| |
| 79 | +|action|Enum|The action that is taken if the indicator is discovered in the organization. Possible values are: `Alert`, `Warn`, `Block`, `Audit`, `BlockAndRemediate`, `AlertAndBlock`, and `Allowed`. **Required**. The `GenerateAlert` parameter must be set to `TRUE` when creating an action with `Audit`.| |
| 80 | +|application|String|A user-friendly name for the content blocked by the indicator. If specified, this text will be shown in the blocking notification in place of the blocked filename or domain. This field only works for new indicators; it doesn't update the value on an existing indicator. **Optional**| |
| 81 | +|title|String|Indicator alert title. **Required**| |
| 82 | +|description|String|Description of the indicator. **Required**| |
| 83 | +|expirationTime|DateTimeOffset|The expiration time of the indicator. **Optional**| |
| 84 | +|severity|Enum|The severity of the indicator. Possible values are: `Informational`, `Low`, `Medium`, and `High`. **Optional**| |
| 85 | +|recommendedActions|String|TI indicator alert recommended actions. **Optional**| |
| 86 | +|rbacGroupNames|String|Comma-separated list of RBAC group names the indicator would be applied to. **Optional**| |
| 87 | +|educateUrl|String|Custom notification/support URL. Supported for Block and Warn action types for URL indicators. **Optional**| |
| 88 | +|generateAlert|Enum|**True** if alert generation is required, **False** if this indicator shouldn't generate an alert.| |
88 | 89 | ## Response |
89 | 90 |
|
90 | 91 | - If successful, this method returns 200 - OK response code and the created / updated [Indicator](ti-indicator.md) entity in the response body. |
|
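Review bot: The front matter added at new lines 45-67 lands between the header table's `:---|:---|:---` separator row (line 44) and its `Authorization` and `Content-Type` rows (lines 68-69). Those two rows are cut off from the `Name|Type|Description` header, and the metadata block, which opens with `---` but has no closing `---`, ends up in the middle of the page body. Move the block back to the top of the file and keep the header table contiguous. In the request body table, the `generateAlert` row (line 88) is the only one without a **Required** or **Optional** marker, while the `action` row refers to it as `GenerateAlert` set to `TRUE`; align the name and state whether it is required. A blank line between that last table row and `## Response` (line 89) would also keep the heading clear of the table.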