Indicator resource type

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.


If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.


For better performance, you can use server closer to your geo location:

Method Return Type Description
List Indicators Indicator Collection List Indicator entities.
Submit Indicator Indicator Submit or update Indicator entity.
Import Indicators Indicator Collection Submit or update Indicators entities.
Delete Indicator No Content Deletes Indicator entity.


Property Type Description
id String Identity of the Indicator entity.
indicatorValue String The value of the Indicator.
indicatorType Enum Type of the indicator. Possible values are: "FileSha1", "FileSha256", "FileMd5", "CertificateThumbprint", "IpAddress", "DomainName" and "Url".
application String The application associated with the indicator.
action Enum The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Warn", "Block", "Audit", "Alert", "AlertAndBlock", "BlockAndRemediate" and "Allowed".
externalID String Id the customer can submit in the request for custom correlation.
sourceType Enum "User" in case the Indicator created by a user (e.g. from the portal), "AadApp" in case it submitted using automated application via the API.
createdBySource string The name of the user/application that submitted the indicator.
createdBy String Unique identity of the user/application that submitted the indicator.
lastUpdatedBy String Identity of the user/application that last updated the indicator.
creationTimeDateTimeUtc DateTimeOffset The date and time when the indicator was created.
expirationTime DateTimeOffset The expiration time of the indicator.
lastUpdateTime DateTimeOffset The last time the indicator was updated.
severity Enum The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High".
title String Indicator title.
description String Description of the indicator.
recommendedActions String Recommended actions for the indicator.
rbacGroupNames List of strings RBAC device group names where the indicator is exposed and active. Empty list in case it exposed to all devices.
rbacGroupIds List of strings RBAC device group ID's where the indicator is exposed and active. Empty list in case it exposed to all devices.

Public Preview: Indicator types


Information in this section (Public Preview for Automated investigation and remediation engine) relates to prereleased product which might be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

The indicator action types supported by the API are:

  • Allowed
  • Alert
  • AlertAndBlock
  • Audit
  • Block
  • BlockAndRemediate
  • Warn

The API list of action types contains the new response actions along with the prior response actions (AlertAndBlock, and Alert). For more information on the description of the response action types, see Create indicators.

The Allowed, Warn, Block, and BlockAndRemediate IoC response actions are in public preview. For more information on the public preview, see Public Preview: Custom file IoC enhancements and API schema update - Microsoft Tech Community.


The prior response actions (AlertAndBlock, and Alert) will be removed when the feature has reached GAed. The estimated GA date with grace period is end of October 2021. We advise updating any existing templates or scripts as soon as possible.

Json representation

    "id": "994",
    "indicatorValue": "881c0f10c75e64ec39d257a131fcd531f47dd2cff2070ae94baa347d375126fd",
    "indicatorType": "FileSha256",
    "action": "AlertAndBlock",
    "application": null,
    "source": "",
    "sourceType": "User",
    "createdBy": "",
    "severity": "Informational",
    "title": "Michael test",
    "description": "test",
    "recommendedActions": "nothing",
    "creationTimeDateTimeUtc": "2019-12-19T09:09:46.9139216Z",
    "expirationTime": null,
    "lastUpdateTime": "2019-12-19T09:09:47.3358111Z",
    "lastUpdatedBy": null,
    "rbacGroupNames": ["team1"]