indicator resource type



APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.


The Microsoft Graph API for Microsoft Defender Threat Intelligence requires an active Defender Threat Intelligence Portal license and API add-on license for the tenant.

An abstract type that represents an indicator of compromise or increased risk. Indicators communicate artifacts that indicate that an asset was affected by or related to an attack vector or malicious actor.

This resource isn't directly addressable. You can interact with this resource through one of the following subtypes:


Property Type Description
id String The system-generated ID for the indicator.
source The source that provides this indicator. The possible values are: microsoft, osint, public, unknownFutureValue.


Relationship Type Description
artifact The artifact related to this indicator.

JSON representation

The following JSON representation shows the resource type.

  "@odata.type": "",
  "id": "String (identifier)",
  "source": "String"