Import Indicators

5 min

description submits or updates a batch of indicators to microsoft defender using the specified json body format endpoint url api/indicators/import method post inputs json body (object) – required indicators (array) indicatorvalue (string) the value of the indicator entity indicatortype (string) the type of the indicator entity action (string) the action that is taken if the indicator is discovered in the organization application (string) the application associated with the indicator source (string) the source of the indicator expirationtime (string) the expiration time of the indicator sourcetype (string) user in case the indicator created by a user (for example, from the portal), aadapp in case it submitted using automated application via the api severity (string) the severity of the indicator the severity of the indicator possible values are informational, low, medium, and high title (string) the title of the indicator description (string) the description of the indicator recommendedactions (string) the recommended actions for the indicator rbacgroupnames (array) rbac device group names where the indicator is exposed and active empty list in case it exposed to all devices output example \[ { "status code" 200, "response headers" {}, "reason" "ok", "json body" { "value" \[ { "id" "2841", "indicator" "220e7d15b011d7fac48f2bd61114db1022197f7f", "isfailed" false, "failurereason" null }, { "id" "2842", "indicator" "2233223322332233223322332233223322332233223322332233223322332222", "isfailed" false, "failurereason" null } ] } } ] output parameters status code (number) reason (string) json body (object) value (array) id (string) indicator (string) isfailed (boolean) failurereason (object)