Batch Delete Indicators

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use the server closer to your geographic location:

  • us.api.security.microsoft.com
  • eu.api.security.microsoft.com
  • uk.api.security.microsoft.com
  • au.api.security.microsoft.com
  • swa.api.security.microsoft.com

API description

Deletes Indicator entities by ID.

Limitations

Rate limitations for this API are 30 calls per minute and 1,500 calls per hour.

Batch size limit of up to 500 Indicator IDs.

Permissions

One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Get started.

| Permission type | Permission | Permission display name |
|---|---|---|
| Application | Ti.ReadWrite | 'Read and write TI Indicators' |
| Application | Ti.ReadWrite.All | 'Read and write Indicators' |

HTTP request

POST https://api.securitycenter.microsoft.com/api/indicators/BatchDelete

Request headers

| Name | Type | Description |
|---|---|---|
| Authorization | String | Bearer {token}. Required. |

Request body

In the request body, supply a JSON object with the following parameters:

| Parameter | Type | Description |
|---|---|---|
| IndicatorIds | List String | A list of the IDs of the indicators to be removed. Required. |

Response

If all indicators existed and were deleted successfully - 204 OK without content.

If the indicator ID list is empty or exceeds the size limit - 400 Bad Request.

If any indicator ID is invalid - 400 Bad Request.

If the requestor isn't exposed to any indicator's device groups - 403 Forbidden.

If any indicator ID wasn't found - 404 Not Found.

Example

Request

Here's an example of the request.

POST https://api.securitycenter.microsoft.com/api/indicators/BatchDelete
{
    "IndicatorIds": [ "1", "2", "5" ]
}
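
A client for the limits and responses documented above, added here as an example and not Microsoft's own code: it splits an ID list into batches of at most 500, spaces calls so that both rate limits hold, and maps the documented status codes. The function names, the de-duplication step, the Content-Type header and the stop-on-first-failure behaviour are choices of this example; the bearer token is assumed to be obtained separately.

```python
import json
import time
import urllib.error
import urllib.request

ENDPOINT = "https://api.securitycenter.microsoft.com/api/indicators/BatchDelete"
MAX_BATCH = 500                           # documented batch size limit
MIN_INTERVAL = max(60 / 30, 3600 / 1500)  # 30/min and 1,500/hour -> 2.4 s apart
OUTCOMES = {                              # status codes as documented on this page
    204: "all indicators deleted",
    400: "empty or oversized list, or an invalid ID",
    403: "caller not exposed to the indicators' device groups",
    404: "an indicator ID was not found",
}

def chunk_ids(ids, size=MAX_BATCH):
    """Drop duplicate IDs (keeping order) and split into batches of <= size."""
    unique = list(dict.fromkeys(str(i) for i in ids))
    return [unique[i:i + size] for i in range(0, len(unique), size)]

def build_request(batch, token):
    """Build the POST with the documented Authorization header and JSON body."""
    body = json.dumps({"IndicatorIds": batch}).encode()
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}  # added by this example
    return urllib.request.Request(ENDPOINT, data=body, headers=headers, method="POST")

def http_send(req):
    """Send one request and return the HTTP status code."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def batch_delete(ids, token, send=http_send, sleep=time.sleep):
    """Delete in paced batches; return (batch_size, status, meaning) per call."""
    results = []
    for n, batch in enumerate(chunk_ids(ids)):
        if n:
            sleep(MIN_INTERVAL)           # stay inside both rate limits
        status = send(build_request(batch, token))
        results.append((len(batch), status, OUTCOMES.get(status, "unexpected")))
        if status != 204:
            break                         # example's choice: stop and reconcile
    return results
```

Because a run stops at the first non-204 response, the returned list shows which batch needs review before deletion resumes.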