Batch Delete Indicators

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.


If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.


For better performance, you can use server closer to your geo location:


API description

Deletes Indicator entities by ID.


Rate limitations for this API are 30 calls per minute and 1500 calls per hour.

Batch size limit of up to 500 Indicator IDs.


One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Get started

Permission type Permission Permission display name
Application Ti.ReadWrite 'Read and write TI Indicators'
Application Ti.ReadWrite.All 'Read and write Indicators'

HTTP request



For better performance, you can use server closer to your geo location:


Request headers

Name Type Description
Authorization String Bearer {token}. Required.

Request body

In the request body, supply a JSON object with the following parameters:

Parameter Type Description
IndicatorIds List String A list of the IDs of the indicators to be removed. Required


If Indicators all existed and were deleted successfully - 204 OK without content

if indicator IDs list is empty or exceeds size limit - 400 Bad Request

if any indicator ID is invalid - 400 Bad Request

if requestor is not exposed to any indicator's device groups - 403 Forbidden

If any Indicator ID was not found - 404 Not Found



Here's an example of the request.

	"IndicatorIds": [ "1", "2", "5" ]