Get Indicators
**Description:** Retrieves threat indicators from Microsoft Defender to pinpoint and analyze malicious activities.

**Endpoint URL:** `/api/indicators`

**Method:** GET

**Inputs**

- parameters (object)
  - $filter (string)
  - $select (string)
  - $orderby (string)
  - $top (number)
  - $skip (number)
  - $count (boolean)
  - $expand (string)

**Output example**

\[ { "status code" 200, "response headers" { "date" "thu, 04 may 2023 18 25 48 gmt", "content type" "application/json; odata metadata=minimal; odata streaming=true; charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive", "content encoding" "deflate", "vary" "accept encoding", "odata version" "4 0", "strict transport security" "max age=15724800; includesubdomains" }, "reason" "ok", "json body" { "@odata context" "https //api securitycenter microsoft com/api/$metadata#indicators", "value" \[ { "id" "7", "indicatorvalue" "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "indicatortype" "filesha1", "action" "blockandremediate", "createdby" "pov\@swimlaneintegrations onmicrosoft com", "severity" "informational", "category" 1, "application" "demo test", "educateurl" null, "bypassdurationhours" null, "title" "test", "description" "test", "recommendedactions" "nothing", "creationtimedatetimeutc" "2023 04 25t17 37 28 8510566z", "expirationtime" "2024 12 12t00 00 00z", "lastupdatetime" "2023 04 25t18 05 39 4204981z", "lastupdatedby" "pov\@swimlaneintegrations onmicrosoft com", "rbacgroupnames" \[], "rbacgroupids" \[], "notificationid" null, "notificationbody" null, "version" null, "mitretechniques" \[], "historicaldetection" false, "lookbackperiod" null, "generatealert" false, "additionalinfo" null, "createdbydisplayname" "pov\@swimlaneintegrations onmicrosoft com", "externalid" null, "createdbysource" "portal", "certificateinfo" null }, { "id" "8", "indicatorvalue" "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "indicatortype" "filesha1", "action" "audit", "createdby" "pov\@swimlaneintegrations onmicrosoft com", "severity" "informational", "category" 1, 
"application" "demo test", "educateurl" null, "bypassdurationhours" null, "title" "test", "description" "test", "recommendedactions" "nothing", "creationtimedatetimeutc" "2023 04 25t17 49 58 8706797z", "expirationtime" "2024 12 12t00 00 00z", "lastupdatetime" "2023 04 25t18 29 47 7434049z", "lastupdatedby" "pov\@swimlaneintegrations onmicrosoft com", "rbacgroupnames" \[], "rbacgroupids" \[], "notificationid" null, "notificationbody" null, "version" null, "mitretechniques" \[], "historicaldetection" false, "lookbackperiod" null, "generatealert" true, "additionalinfo" null, "createdbydisplayname" "pov\@swimlaneintegrations onmicrosoft com", "externalid" null, "createdbysource" "portal", "certificateinfo" null }, { "id" "9", "indicatorvalue" "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "indicatortype" "filesha1", "action" "allowed", "createdby" "pov\@swimlaneintegrations onmicrosoft com", "severity" "informational", "category" 1, "application" "demo test", "educateurl" null, "bypassdurationhours" null, "title" "test", "description" "test", "recommendedactions" "nothing", "creationtimedatetimeutc" "2023 04 25t18 01 14 6910676z", "expirationtime" "2024 12 12t00 00 00z", "lastupdatetime" "2023 04 25t18 01 14 6910676z", "lastupdatedby" null, "rbacgroupnames" \[], "rbacgroupids" \[], "notificationid" null, "notificationbody" null, "version" null, "mitretechniques" \[], "historicaldetection" false, "lookbackperiod" null, "generatealert" false, "additionalinfo" null, "createdbydisplayname" "pov\@swimlaneintegrations onmicrosoft com", "externalid" null, "createdbysource" "portal", "certificateinfo" null }, { "id" "10", "indicatorvalue" "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "indicatortype" "filesha1", "action" "warn", "createdby" "pov\@swimlaneintegrations onmicrosoft com", "severity" "informational", "category" 1, "application" "demo test", "educateurl" null, "bypassdurationhours" null, "title" "test", "description" "test", "recommendedactions" "nothing", 
"creationtimedatetimeutc" "2023 04 25t18 02 06 322598z", "expirationtime" "2024 12 12t00 00 00z", "lastupdatetime" "2023 04 25t18 02 06 322598z", "lastupdatedby" null, "rbacgroupnames" \[], "rbacgroupids" \[], "notificationid" null, "notificationbody" null, "version" null, "mitretechniques" \[], "historicaldetection" false, "lookbackperiod" null, "generatealert" false, "additionalinfo" null, "createdbydisplayname" "pov\@swimlaneintegrations onmicrosoft com", "externalid" null, "createdbysource" "portal", "certificateinfo" null }, { "id" "11", "indicatorvalue" "bec1b52d350d721c7e22a6d4bb0a92909893a3ae", "indicatortype" "filesha1", "action" "block", "createdby" "pov\@swimlaneintegrations onmicrosoft com", "severity" "informational", "category" 1, "application" "demo test", "educateurl" null, "bypassdurationhours" null, "title" "test", "description" "test", "recommendedactions" "nothing", "creationtimedatetimeutc" "2023 04 25t18 02 53 8659665z", "expirationtime" "2024 12 12t00 00 00z", "lastupdatetime" "2023 04 25t18 02 53 8659665z", "lastupdatedby" null, "rbacgroupnames" \[], "rbacgroupids" \[], "notificationid" null, "notificationbody" null, "version" null, "mitretechniques" \[], "historicaldetection" false, "lookbackperiod" null, "generatealert" false, "additionalinfo" null, "createdbydisplayname" "pov\@swimlaneintegrations onmicrosoft com", "externalid" null, "createdbysource" "portal", "certificateinfo" null }, { "id" "12", "indicatorvalue" "3395856ce81f2b7382dee72602f798b642f14140", "indicatortype" "filesha1", "action" "blockandremediate", "createdby" "29c9ea20 6466 4ddd 8f23 bcd0b9e74bbd", "severity" "informational", "category" 1, "application" null, "educateurl" null, "bypassdurationhours" null, "title" "test2", "description" "test2", "recommendedactions" null, "creationtimedatetimeutc" "2023 04 25t19 14 16 864235z", "expirationtime" null, "lastupdatetime" "2023 04 29t03 38 37 9997514z", "lastupdatedby" "29c9ea20 6466 4ddd 8f23 bcd0b9e74bbd", "rbacgroupnames" 
\[], "rbacgroupids" \[], "notificationid" null, "notificationbody" null, "version" null, "mitretechniques" \[], "historicaldetection" false, "lookbackperiod" null, "generatealert" true, "additionalinfo" null, "createdbydisplayname" "windowsdefenderatpsiemconnector", "externalid" null, "createdbysource" "publicapi", "certificateinfo" null }, { "id" "14", "indicatorvalue" "https //www google com", "indicatortype" "url", "action" "blockandremediate", "createdby" "29c9ea20 6466 4ddd 8f23 bcd0b9e74bbd", "severity" "informational", "category" 1, "application" null, "educateurl" null, "bypassdurationhours" null, "title" "block google", "description" "see above", "recommendedactions" null, "creationtimedatetimeutc" "2023 04 29t03 22 12 3386173z", "expirationtime" null, "lastupdatetime" "2023 04 29t06 19 02 652157z", "lastupdatedby" "29c9ea20 6466 4ddd 8f23 bcd0b9e74bbd", "rbacgroupnames" \[], "rbacgroupids" \[], "notificationid" null, "notificationbody" null, "version" null, "mitretechniques" \[], "historicaldetection" false, "lookbackperiod" null, "generatealert" true, "additionalinfo" null, "createdbydisplayname" "windowsdefenderatpsiemconnector", "externalid" null, "createdbysource" "publicapi", "certificateinfo" null }, { "id" "15", "indicatorvalue" "https //www facebook com", "indicatortype" "url", "action" "blockandremediate", "createdby" "29c9ea20 6466 4ddd 8f23 bcd0b9e74bbd", "severity" "informational", "category" 1, "application" null, "educateurl" null, "bypassdurationhours" null, "title" "block facebook", "description" "block facebook", "recommendedactions" null, "creationtimedatetimeutc" "2023 04 29t03 27 48 914513z", "expirationtime" null, "lastupdatetime" "2023 04 29t06 18 37 4589084z", "lastupdatedby" "29c9ea20 6466 4ddd 8f23 bcd0b9e74bbd", "rbacgroupnames" \[], "rbacgroupids" \[], "notificationid" null, "notificationbody" null, "version" null, "mitretechniques" \[], "historicaldetection" false, "lookbackperiod" null, "generatealert" true, "additionalinfo" 
null, "createdbydisplayname" "windowsdefenderatpsiemconnector", "externalid" null, "createdbysource" "publicapi", "certificateinfo" null }, { "id" "16", "indicatorvalue" "https //www google com", "indicatortype" "url", "action" "allowed", "createdby" "29c9ea20 6466 4ddd 8f23 bcd0b9e74bbd", "severity" "informational", "category" 1, "application" null, "educateurl" null, "bypassdurationhours" null, "title" "block google", "description" "see above", "recommendedactions" null, "creationtimedatetimeutc" "2023 05 01t20 36 56 7510696z", "expirationtime" null, "lastupdatetime" "2023 05 02t13 52 21 7065962z", "lastupdatedby" "29c9ea20 6466 4ddd 8f23 bcd0b9e74bbd", "rbacgroupnames" \[], "rbacgroupids" \[], "notificationid" null, "notificationbody" null, "version" null, "mitretechniques" \[], "historicaldetection" false, "lookbackperiod" null, "generatealert" true, "additionalinfo" null, "createdbydisplayname" "windowsdefenderatpsiemconnector", "externalid" null, "createdbysource" "publicapi", "certificateinfo" null }, { "id" "17", "indicatorvalue" "yahoo com", "indicatortype" "domainname", "action" "block", "createdby" "29c9ea20 6466 4ddd 8f23 bcd0b9e74bbd", "severity" "informational", "category" 1, "application" null, "educateurl" null, "bypassdurationhours" null, "title" "block the yahoo com domain", "description" "block the yahoo com domain, this will apply to all defender protected endpoints", "recommendedactions" null, "creationtimedatetimeutc" "2023 05 04t16 08 56 7716458z", "expirationtime" null, "lastupdatetime" "2023 05 04t16 21 24 6281036z", "lastupdatedby" "29c9ea20 6466 4ddd 8f23 bcd0b9e74bbd", "rbacgroupnames" \[], "rbacgroupids" \[], "notificationid" null, "notificationbody" null, "version" null, "mitretechniques" \[], "historicaldetection" false, "lookbackperiod" null, "generatealert" true, "additionalinfo" null, "createdbydisplayname" "windowsdefenderatpsiemconnector", "externalid" null, "createdbysource" "publicapi", "certificateinfo" null } ] } } ] output 
parameters:

- status code (number)
- reason (string)
- json body (object)
  - @odata.context (string)
  - value (array)
    - id (string)
    - indicatorValue (string)
    - indicatorType (string)
    - action (string)
    - createdBy (string)
    - severity (string)
    - category (number)
    - application (object)
    - educateUrl (object)
    - bypassDurationHours (object)
    - title (string)
    - description (string)
    - recommendedActions (object)
    - creationTimeDateTimeUtc (string)
    - expirationTime (object)
    - lastUpdateTime (string)
    - lastUpdatedBy (string)
    - rbacGroupNames (array)
      - file name (string) – required
      - file (string) – required
    - rbacGroupIds (array)
      - file name (string) – required
      - file (string) – required
    - notificationId (object)
    - notificationBody (object)
    - version (object)
    - mitreTechniques (array)
      - file name (string) – required
      - file (string) – required
    - historicalDetection (boolean)
    - lookBackPeriod (object)
    - generateAlert (boolean)
    - additionalInfo (object)
    - createdByDisplayName (string)
    - externalId (object)
    - createdBySource (string)
    - certificateInfo (object)
- response headers

| Header | Type |
| --- | --- |
| Date | string |
| Content-Type | string |
| Transfer-Encoding | string |
| Connection | string |
| Content-Encoding | string |
| Vary | string |
| OData-Version | string |
| Strict-Transport-Security | string |