Indicator resource type

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.


If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.


For better performance, you can use server closer to your geo location:

Method Return Type Description
List Indicators Indicator Collection List Indicator entities.
Submit Indicator Indicator Submit or update Indicator entity.
Import Indicators Indicator Collection Submit or update Indicators entities.
Delete Indicator No Content Deletes Indicator entity.


Property Type Description
id String Identity of the Indicator entity.
indicatorValue String The value of the Indicator.
indicatorType Enum Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url".
application String The application associated with the indicator.
action Enum The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed".
sourceType Enum "User" in case the Indicator created by a user (e.g. from the portal), "AadApp" in case it submitted using automated application via the API.
source string The name of the user/application that submitted the indicator.
createdBy String Unique identity of the user/application that submitted the indicator.
lastUpdatedBy String Identity of the user/application that last updated the indicator.
creationTimeDateTimeUtc DateTimeOffset The date and time when the indicator was created.
expirationTime DateTimeOffset The expiration time of the indicator.
lastUpdateTime DateTimeOffset The last time the indicator was updated.
severity Enum The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High".
title String Indicator title.
description String Description of the indicator.
recommendedActions String Recommended actions for the indicator.
rbacGroupNames List of strings RBAC device group names where the indicator is exposed and active. Empty list in case it exposed to all devices.

Json representation

    "id": "994",
    "indicatorValue": "881c0f10c75e64ec39d257a131fcd531f47dd2cff2070ae94baa347d375126fd",
    "indicatorType": "FileSha256",
    "action": "AlertAndBlock",
	"application": null,
    "source": "",
    "sourceType": "User",
	"createdBy": "",
    "severity": "Informational",
    "title": "Michael test",
    "description": "test",
    "recommendedActions": "nothing",
    "creationTimeDateTimeUtc": "2019-12-19T09:09:46.9139216Z",
    "expirationTime": null,
    "lastUpdateTime": "2019-12-19T09:09:47.3358111Z",
    "lastUpdatedBy": null,
    "rbacGroupNames": ["team1"]