| title | description | ms.localizationpriority | author | ms.subservice | doc_type |
|---|---|---|---|---|---|
Update tiIndicator |
Update the properties of a tiIndicator object. |
medium |
preetikr |
security |
apiPageType |
Namespace: microsoft.graph
[!INCLUDE beta-disclaimer]
Update the properties of a tiIndicator object.
[!INCLUDE national-cloud-support]
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
[!INCLUDE permissions-table]
PATCH /security/tiIndicators/{id}| Name | Description |
|---|---|
| Authorization | Bearer {code} Required |
| Prefer | return=representation |
In the request body, supply the values for relevant fields that should be updated. Existing properties that aren't included in the request body maintains their previous values or be recalculated based on changes to other property values. For best performance, don't include existing values that haven't changed. Required fields are: id, expirationDateTime, targetProduct.
| Property | Type | Description |
|---|---|---|
| action | string | The action to apply if the indicator is matched from within the targetProduct security tool. Possible values are: unknown, allow, block, alert. |
| activityGroupNames | String collection | The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator. |
| additionalInformation | String | A catchall area into which extra data from the indicator not covered by the other tiIndicator properties may be placed. Data placed into additionalInformation will typically not be utilized by the targetProduct security tool. |
| confidence | Int32 | An integer representing the confidence the data within the indicator accurately identifies malicious behavior. Acceptable values are 0 – 100 with 100 being the highest. |
| description | String | Brief description (100 characters or less) of the threat represented by the indicator. |
| diamondModel | diamondModel | The area of the Diamond Model in which this indicator exists. Possible values are: unknown, adversary, capability, infrastructure, victim. |
| expirationDateTime | DateTimeOffset | DateTime string indicating when the Indicator expires. All indicators must have an expiration date to avoid stale indicators persisting in the system. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| externalId | String | An identification number that ties the indicator back to the indicator provider’s system (for example, a foreign key). |
| isActive | Boolean | Used to deactivate indicators within system. By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ‘False’ to deactivate indicators in the system. |
| killChain | killChain collection | A JSON array of strings that describes which point or points on the Kill Chain this indicator targets. See "killChain values" below for exact values. |
| knownFalsePositives | String | Scenarios in which the indicator may cause false positives. This should be human-readable text. |
| lastReportedDateTime | DateTimeOffset | The last time the indicator was seen. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| malwareFamilyNames | String collection | The malware family name associated with an indicator if it exists. Microsoft prefers the Microsoft malware family name if at all possible that can be found via the Windows Defender Security Intelligence threat encyclopedia. |
| passiveOnly | Boolean | Determines if the indicator should trigger an event that is visible to an end-user. When set to ‘true,’ security tools won't notify the end user that a ‘hit’ has occurred. This is most often treated as audit or silent mode by security products where they'll log that a match occurred but won't perform the action. Default value is false. |
| severity | Int32 | An integer representing the severity of the malicious behavior identified by the data within the indicator. Acceptable values are 0 – 5 where 5 is the most severe and zero isn't severe at all. Default value is 3. |
| tags | String collection | A JSON array of strings that stores arbitrary tags/keywords. |
| tlpLevel | tlpLevel | Traffic Light Protocol value for the indicator. Possible values are: unknown, white, green, amber, red. |
If successful, this method returns a 204 No Content response code.
If the optional request header is used, the method returns a 200 OK response code and the updated tiIndicator object in the response body.
The following example shows a request without the Prefer header.
PATCH https://graph.microsoft.com/beta/security/tiIndicators/{id}
Content-type: application/json
{
"description": "description-updated",
}[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
HTTP/1.1 204 No ContentThe following example shows a request that includes the Prefer header.
PATCH https://graph.microsoft.com/beta/security/tiIndicators/{id}
Content-type: application/json
Prefer: return=representation
{
"additionalInformation": "additionalInformation-after-update",
"confidence": 42,
"description": "description-after-update",
}[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note
The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#Security/tiIndicators/$entity",
"id": "e58c072b-c9bb-a5c4-34ce-eb69af44fb1e",
"azureTenantId": "XXXXXXXXXXXXXXXXXXXXXXXXX",
"action": null,
"additionalInformation": "additionalInformation-after-update",
"activityGroupNames": [],
"confidence": 42,
"description": "description-after-update",
}