Submit or Update Indicator API

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.


If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.


For better performance, you can use server closer to your geo location:


API description

Submits or Updates new Indicator entity.

CIDR notation for IPs is not supported.


  1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
  2. There is a limit of 15,000 active indicators per tenant.


One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Get started

Permission type Permission Permission display name
Application Ti.ReadWrite 'Read and write Indicators'
Application Ti.ReadWrite.All 'Read and write All Indicators'
Delegated (work or school account) Ti.ReadWrite 'Read and write Indicators'

HTTP request


Request headers

Name Type Description
Authorization String Bearer {token}. Required.
Content-Type string application/json. Required.

Request body

In the request body, supply a JSON object with the following parameters:

Parameter Type Description
indicatorValue String Identity of the Indicator entity. Required
indicatorType Enum Type of the indicator. Possible values are: "FileSha1", "FileMd5", "CertificateThumbprint", "FileSha256", "IpAddress", "DomainName" and "Url". Required
action Enum The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "Warn", "Block", "Audit, "BlockAndRemediate", "AlertAndBlock", and "Allowed". Required. The "GenerateAlert" parameter must be set to "TRUE" when creating an action with "Audit".
application String The application associated with the indicator. This field only works for new indicators. It will not update the value on an existing indicator. Optional
title String Indicator alert title. Required
description String Description of the indicator. Required
expirationTime DateTimeOffset The expiration time of the indicator. Optional
severity Enum The severity of the indicator. Possible values are: "Informational", "Low", "Medium", and "High". Optional
recommendedActions String TI indicator alert recommended actions. Optional
rbacGroupNames String Comma-separated list of RBAC group names the indicator would be applied to. Optional
educateUrl String Custom notification/support URL. Supported for Block and Warn action types for URL indicators. Optional
generateAlert Enum True if alert generation is required, False if this indicator should not generate an alert.


  • If successful, this method returns 200 - OK response code and the created / updated Indicator entity in the response body.
  • If not successful: this method return 400 - Bad Request. Bad request usually indicates incorrect body.



Here is an example of the request.

    "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
    "indicatorType": "FileSha1",
    "title": "test",
    "application": "demo-test",
    "expirationTime": "2020-12-12T00:00:00Z",
    "action": "AlertAndBlock",
    "severity": "Informational",
    "description": "test",
    "recommendedActions": "nothing",
    "rbacGroupNames": ["group1", "group2"]


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.