Retrieve a list of indicators that have communicated with Microsoft Defender for Endpoint cloud. The following permissions are required to run this action:
  • Ti.ReadWrite
  • Ti.ReadWrite.All
External Documentation: To learn more, visit the Microsoft Defender For Endpoints documentation.

Parameters

| Parameter | Description |
| --- | --- |
| Filter | The filter to apply on the operation. You can filter by application, createdByDisplayName, expirationTime, generateAlert, title, rbacGroupNames, rbacGroupIds, indicatorValue, indicatorType, creationTimeDateTimeUtc, createdBy, action, and severity. |
| Limit | The number of results to return. Max value is 10,000. |
| Offset | The offset of the item at which to begin the response. |

Example Output

{
  "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators",
  "value": [
    {
      "id": "995",
      "indicatorValue": "12.13.14.15",
      "indicatorType": "IpAddress",
      "action": "Alert",
      "application": "demo-test",
      "source": "TestPrdApp",
      "sourceType": "AadApp",
      "title": "test",
      "creationTimeDateTimeUtc": "2018-10-24T11:15:35.3688259Z",
      "createdBy": "45097602-1234-5678-1234-9f453233e62c",
      "expirationTime": "2020-12-12T00:00:00Z",
      "lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
      "lastUpdatedBy": "TestPrdApp",
      "severity": "Informational",
      "description": "test",
      "recommendedActions": "test",
      "rbacGroupNames": []
    },
    {
      "id": "996",
      "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
      "indicatorType": "FileSha1",
      "action": "AlertAndBlock",
      "application": null,
      "source": "TestPrdApp",
      "sourceType": "AadApp",
      "title": "test",
      "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
      "createdBy": "45097602-1234-5678-1234-9f453233e62c",
      "expirationTime": "2020-12-12T00:00:00Z",
      "lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
      "lastUpdatedBy": "TestPrdApp",
      "severity": "Informational",
      "description": "test",
      "recommendedActions": "TEST",
      "rbacGroupNames": [ "Group1", "Group2" ]
    }
    ...
  ]
}
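
The following is an added example, not part of the original page or of the vendor's code: it walks Limit/Offset pages and audits the returned indicators for expired entries and for blocking indicators with no device-group scope. `fake_fetch`, `list_all`, `audit` and record `997` are hypothetical names and constructed data; the reading of an empty `rbacGroupNames` list as "all device groups" is an assumption taken from Microsoft's indicator schema, not from this page.

```python
import re
from datetime import datetime, timezone

MAX_LIMIT = 10_000  # documented maximum for the Limit parameter

def parse_utc(ts):
    """Parse timestamps such as 2018-10-24T11:15:35.3688259Z (7 fractional digits)."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", ts)
    if not m:
        raise ValueError(f"unexpected timestamp: {ts!r}")
    frac = (m.group(2) or "0")[:6].ljust(6, "0")  # datetime stores microseconds only
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=int(frac), tzinfo=timezone.utc)

def list_all(fetch_page, limit=MAX_LIMIT):
    """Request pages with Limit/Offset until a short page signals the end."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("Limit must be between 1 and 10,000")
    offset, out = 0, []
    while True:
        page = fetch_page(limit=limit, offset=offset)["value"]
        out.extend(page)
        if len(page) < limit:
            return out
        offset += limit

def audit(indicators, now):
    """Return (id, finding) pairs for stale or broadly scoped indicators."""
    findings = []
    for ind in indicators:
        exp = ind.get("expirationTime")
        if exp and parse_utc(exp) <= now:
            findings.append((ind["id"], "expired"))
        # Assumption: an empty rbacGroupNames list means every device group.
        if "Block" in ind["action"] and not ind.get("rbacGroupNames"):
            findings.append((ind["id"], "blocks on all device groups"))
    return findings

# Constructed sample: records 995/996 from the example output (trimmed), 997 invented.
SAMPLE = [
    {"id": "995", "action": "Alert", "expirationTime": "2020-12-12T00:00:00Z", "rbacGroupNames": []},
    {"id": "996", "action": "AlertAndBlock", "expirationTime": "2020-12-12T00:00:00Z", "rbacGroupNames": ["Group1", "Group2"]},
    {"id": "997", "action": "Block", "expirationTime": None, "rbacGroupNames": []},
]

def fake_fetch(limit, offset):  # hypothetical stand-in for the List Indicators call
    return {"value": SAMPLE[offset:offset + limit]}

if __name__ == "__main__":
    print(audit(list_all(fake_fetch, limit=2), datetime(2021, 1, 1, tzinfo=timezone.utc)))
```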

Workflow Library Example

List Indicators with Microsoft Defender for Endpoints and Send Results Via Email