| title | description | ms.service | ms.author | author | ms.localizationpriority | manager | audience | ms.collection | ms.topic | ms.subservice | ms.custom | search.appverid | ms.date | |||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Indicator resource type |
Specify the entity details and define the expiration of the indicator using Microsoft Defender for Endpoint. |
defender-endpoint |
siosulli |
siosulli |
medium |
deniseb |
ITPro |
|
reference |
reference |
api |
met150 |
12/18/2020 |
[!INCLUDE Microsoft Defender XDR rebranding]
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.
[!includeMicrosoft Defender for Endpoint API URIs for US Government]
[!includeImprove request performance]
- See the corresponding Indicators page in the portal.
| Method | Return Type | Description |
|---|---|---|
| List Indicators | Indicator Collection | List Indicator entities. |
| Submit Indicator | Indicator | Submit or update Indicator entity. |
| Import Indicators | Indicator Collection | Submit or update Indicators entities. |
| Delete Indicator | No Content | Deletes Indicator entity. |
| Property | Type | Description |
|---|---|---|
| id | String | Identity of the Indicator entity. |
| indicatorValue | String | The value of the Indicator. |
| indicatorType | Enum | Type of the indicator. Possible values are: FileSha1, FileSha256, FileMd5, CertificateThumbprint, IpAddress, DomainName, and Url. |
| application | String | The application associated with the indicator. |
| action | Enum | The action that is taken if the indicator is discovered in the organization. Possible values are: Warn, Block, Audit, Alert, AlertAndBlock, BlockAndRemediate, and Allowed. |
| externalID | String | Id the customer can submit in the request for custom correlation. |
| sourceType | Enum | User in case the Indicator created by a user (for example, from the portal), AadApp in case it submitted using automated application via the API. |
| createdBySource | string | The name of the user/application that submitted the indicator. |
| createdBy | String | Unique identity of the user/application that submitted the indicator. |
| lastUpdatedBy | String | Identity of the user/application that last updated the indicator. |
| creationTimeDateTimeUtc | DateTimeOffset | The date and time when the indicator was created. |
| expirationTime | DateTimeOffset | The expiration time of the indicator. |
| lastUpdateTime | DateTimeOffset | The last time the indicator was updated. |
| severity | Enum | The severity of the indicator. Possible values are: Informational, Low, Medium, and High. |
| title | String | Indicator title. |
| description | String | Description of the indicator. |
| recommendedActions | String | Recommended actions for the indicator. |
| rbacGroupNames | List of strings | RBAC device group names where the indicator is exposed and active. Empty list in case it exposed to all devices. |
| rbacGroupIds | List of strings | RBAC device group IDs where the indicator is exposed and active. Empty list in case it exposed to all devices. |
| generateAlert | Enum | True if alert generation is required, False if this indicator shouldn't generate an alert. |
The indicator action types supported by the API are:
- Allowed
- Audit
- Block
- BlockAndRemediate
- Warn (Defender for Cloud Apps only)
For more information on the description of the response action types, see Create indicators.
Note
The prior response actions (AlertAndBlock, and Alert) will be supported until January 2022. After this date, all customers must be use one of the action types listed in this section.
{
"id": "994",
"indicatorValue": "881c0f10c75e64ec39d257a131fcd531f47dd2cff2070ae94baa347d375126fd",
"indicatorType": "FileSha256",
"action": "AlertAndBlock",
"application": null,
"source": "user@contoso.onmicrosoft.com",
"sourceType": "User",
"createdBy": "user@contoso.onmicrosoft.com",
"severity": "Informational",
"title": "Michael test",
"description": "test",
"recommendedActions": "nothing",
"creationTimeDateTimeUtc": "2019-12-19T09:09:46.9139216Z",
"expirationTime": null,
"lastUpdateTime": "2019-12-19T09:09:47.3358111Z",
"lastUpdatedBy": null,
"rbacGroupNames": ["team1"]
}