Import-Indicatior.ps1
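Function Import-Indicatior {
    <#
    .SYNOPSIS
    Import a list of Microsoft Defender for Endpoint indicators.

    .DESCRIPTION
    Serializes -Body to JSON and POSTs it to the Defender for Endpoint
    indicators import endpoint, authenticating with the supplied bearer token.
    Returns whatever Invoke-RestMethod deserializes from the response.

    A transport or HTTP error terminates the call (ErrorAction = Stop), so the
    caller should wrap it in try/catch when importing in a loop.

    .PARAMETER Token
    Authorization (bearer) token for the Defender for Endpoint API. It is only
    placed in the Authorization header; this function does not log or store it.

    .PARAMETER Body
    Indicator content: an object with an 'Indicators' collection, as in the
    example below.

    .EXAMPLE
    $Indicator = @{
        Indicators = @(
            @{
                indicatorValue     = $Attribute1.value
                indicatorType      = "IpAddress"
                action             = "Block"
                title              = $EventDetails.info
                severity           = $Severity
                description        = $Attribute.comment
                expirationTime     = $MISPAddDate.AddMonths(3).ToString("yyyy-MM-ddTHH:mm:ssZ")
                recommendedActions = $recommendedActions
            },
            @{
                indicatorValue     = $Attribute2.value
                indicatorType      = "IpAddress"
                action             = "Block"
                title              = $EventDetails.info
                severity           = $Severity
                description        = $Attribute.comment
                expirationTime     = $MISPAddDate.AddMonths(3).ToString("yyyy-MM-ddTHH:mm:ssZ")
                recommendedActions = $recommendedActions
            }
        )
    }
    Import-Indicatior -Token $Token -Body $Indicator

    .NOTES
    Author: Michal Gajda

    The function name keeps its original spelling so existing callers continue
    to work.

    NOTE(review): per the linked API reference, the response carries one result
    per submitted indicator, including a failure flag and reason. A successful
    HTTP call therefore does not prove every indicator was accepted; inspect the
    returned results before treating a feed as enforced.

    NOTE(review): the linked reference documents a maximum batch size per call
    (500 at the time of writing; confirm). This function does not split the
    list, so callers feeding large indicator sets should chunk them first.

    .LINK
    https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/post-ti-indicator?view=o365-worldwide
    #>

    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true)]
        $Token,

        [Parameter(Mandatory = $true)]
        $Body
    )

    Begin {}

    Process {
        $Headers = @{
            # The charset is declared because the body below is sent as UTF-8 bytes.
            'Content-Type' = 'application/json; charset=utf-8'
            Accept         = 'application/json'
            Authorization  = "Bearer $Token"
        }

        $Uri = "https://api.securitycenter.windows.com/api/indicators/import"

        # ConvertTo-Json defaults to -Depth 2. The payload is already two levels
        # deep (root -> Indicators -> indicator), so any array- or object-valued
        # indicator field (for example rbacGroupNames) would be collapsed into a
        # string and the indicator would be imported with the wrong scope or
        # rejected. An explicit depth keeps nested values intact.
        $Json = $Body | ConvertTo-Json -Depth 10

        # Encode explicitly: Windows PowerShell does not send string bodies as
        # UTF-8 by default, which garbles non-ASCII titles and descriptions
        # (common in threat-intel feed comments).
        $Payload = [System.Text.Encoding]::UTF8.GetBytes($Json)

        $Request = @{
            Method      = "POST"
            Uri         = $Uri
            Headers     = $Headers
            Body        = $Payload
            ErrorAction = "Stop"
        }

        $Response = Invoke-RestMethod @Request
        Return $Response
    }

    End {}
}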