Add Defender Indicator

Create a new Microsoft Defender for Endpoint indicator

Description

Creates a new indicator in Microsoft Defender for Endpoint to allow or block a specific file hash, certificate thumbprint, IP, domain, or URL. The indicator action can generate alerts automatically for audit or alert-and-block actions.

Location

Organization → Security → Add Defender Indicator

Full Runbook name

rjgit-org_security_add-defender-indicator

Permissions

Application permissions

Type: WindowsDefenderATP
- Ti.ReadWrite.All

Parameters

IndicatorValue

Value of the indicator, such as a hash, thumbprint, IP address, domain name, or URL.

Property

Value

Required

true

Default Value

Type

String

IndicatorType

Type of the indicator value.

Property

Value

Required

true

Default Value

FileSha256

Type

String

Title

Title of the indicator entry.

Property

Value

Required

true

Default Value

Type

String

Description

Description of the indicator entry.

Property

Value

Required

true

Default Value

Type

String

Action

Action applied to the indicator.

Property

Value

Required

true

Default Value

Allowed

Type

String

Severity

Severity used for the indicator.

Property

Value

Required

true

Default Value

Informational

Type

String

GenerateAlert

If set to true, an alert is generated when the indicator matches.

Property

Value

Required

true

Default Value

False

Type

String

Back to Runbook Reference overview

Last updated 3 days ago

Was this helpful?

Good afternoon

hashtagDescription

hashtagLocation

hashtagPermissions

hashtagApplication permissions

hashtagParameters

hashtagIndicatorValue

hashtagIndicatorType

hashtagTitle

hashtagDescription

hashtagAction

hashtagSeverity

hashtagGenerateAlert

Description

Location

Permissions

Application permissions

Parameters

IndicatorValue

IndicatorType

Title

Description

Action

Severity

GenerateAlert