Create a new indicator entity or update an existing one. The following permissions are required to run this action:
  • Ti.ReadWrite
  • Ti.ReadWrite.All
External Documentation

To learn more, visit the Microsoft Defender for Endpoint documentation.

Basic Parameters

Parameter | Description
Action | The action that is taken if the indicator is discovered in the organization.
Description | The description of the indicator.
Generate Alert | Select True if alert generation is required, and False if this indicator shouldn't generate an alert.
Indicator Type | The type of the indicator entity.
Indicator Value | The value to assign to the indicator.
Severity | The severity of the indicator.
Title | The title of the indicator alert.

Advanced Parameters

Parameter | Description
Application | A friendly name for the blocked content. If set, it appears in the blocking message instead of the file or domain name.
Educate URL | A custom notification/support URL. Supported for the Block and Warn action types on URL indicators.
Expiration Time | The expiration time of the indicator.
Rbac Group Names | A comma-separated list of RBAC group names the indicator is applied to.
Recommended Actions | Recommended actions for alerts triggered by threat intelligence (TI) indicators.

Example Output

{
	"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators/$entity",
	"id": "5",
	"indicatorValue": "230e7d15b011d7fac48f2bd61114db1022197f7f",
	"indicatorType": "FileSha1",
	"action": "BlockAndRemediate",
	"createdBy": "admin@havivblinkops.onmicrosoft.com",
	"severity": "Informational",
	"category": 1,
	"application": "demo-test",
	"educateUrl": null,
	"bypassDurationHours": null,
	"title": "test",
	"description": "test",
	"recommendedActions": "nothing",
	"creationTimeDateTimeUtc": "2025-10-21T12:09:46.0916319Z",
	"expirationTime": "2026-12-12T00:00:00Z",
	"lastUpdateTime": "2025-10-21T12:09:55.7079339Z",
	"lastUpdatedBy": "admin@havivblinkops.onmicrosoft.com",
	"rbacGroupNames": [],
	"rbacGroupIds": [],
	"notificationId": null,
	"notificationBody": null,
	"version": null,
	"mitreTechniques": [],
	"historicalDetection": false,
	"lookBackPeriod": null,
	"generateAlert": true,
	"additionalInfo": null,
	"createdByDisplayName": "admin@havivblinkops.onmicrosoft.com",
	"externalId": null,
	"createdBySource": "Portal",
	"certificateInfo": null
}
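The following script shows how the parameters above map onto a request to the Defender for Endpoint Indicators API and validates the combinations the tables describe before anything is sent. It is an added example, not Blink's or Microsoft's code; it assumes the enum values of the public Indicators API and that an OAuth2 bearer token carrying the Ti.ReadWrite scope is available in a DEFENDER_TOKEN environment variable.

```python
import json
import os
import urllib.request
from datetime import datetime, timezone
INDICATORS_URL = "https://api.securitycenter.microsoft.com/api/indicators"
INDICATOR_TYPES = {"FileSha1", "FileSha256", "FileMd5", "CertificateThumbprint",
                   "IpAddress", "DomainName", "Url"}
ACTIONS = {"Alert", "Warn", "Block", "Audit", "BlockAndRemediate", "AlertAndBlock", "Allowed"}
SEVERITIES = {"Informational", "Low", "Medium", "High"}

def build_indicator(value, indicator_type, action, title, description, severity,
                    generate_alert=True, expiration_time=None, application=None,
                    educate_url=None, rbac_group_names="", recommended_actions=None):
    """Validate the action's parameters and return the JSON body the API expects."""
    if indicator_type not in INDICATOR_TYPES or action not in ACTIONS or severity not in SEVERITIES:
        raise ValueError("indicatorType, action and severity must use the API's enum values")
    # Educate URL is only honoured for Block/Warn on URL indicators (Advanced Parameters).
    if educate_url and not (indicator_type == "Url" and action in {"Block", "Warn"}):
        raise ValueError("educateUrl needs a Url indicator with action Block or Warn")
    if expiration_time:  # ISO-8601 UTC string as in the example output; must lie in the future
        expires = datetime.strptime(expiration_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expires <= datetime.now(timezone.utc):
            raise ValueError("expirationTime must be in the future")
    body = {"indicatorValue": value, "indicatorType": indicator_type, "action": action,
            "title": title, "description": description, "severity": severity,
            "generateAlert": generate_alert}
    # Rbac Group Names is a comma-separated string in the action; the API takes a JSON list.
    groups = [g.strip() for g in rbac_group_names.split(",") if g.strip()]
    optional = {"expirationTime": expiration_time, "application": application,
                "educateUrl": educate_url, "recommendedActions": recommended_actions,
                "rbacGroupNames": groups or None}
    body.update({k: v for k, v in optional.items() if v is not None})
    return body
def submit_indicator(body, token):
    """POST the body with a bearer token holding Ti.ReadWrite; returns the indicator entity."""
    req = urllib.request.Request(
        INDICATORS_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":  # mirrors the Example Output above (far-future expiry); token assumed
    body = build_indicator("230e7d15b011d7fac48f2bd61114db1022197f7f", "FileSha1",
                           "BlockAndRemediate", "test", "test", "Informational",
                           expiration_time="2099-12-31T00:00:00Z", application="demo-test",
                           recommended_actions="nothing")
    print(json.dumps(body, indent=2))
    if os.environ.get("DEFENDER_TOKEN"):
        print(json.dumps(submit_indicator(body, os.environ["DEFENDER_TOKEN"]), indent=2))
```

Without DEFENDER_TOKEN set, the script only prints the validated request body, which is useful for checking a workflow's parameter mapping before granting it write access to the tenant.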

Workflow Library Example

Create or Update Indicator with Microsoft Defender for Endpoints and Send Results Via Email