diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index a35fd74410..c5bd8c7fbb 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -443,7 +443,11 @@ #### [Rules]() ##### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md) -##### [Manage indicators](microsoft-defender-atp/manage-indicators.md) +##### [Create indicators](microsoft-defender-atp/manage-indicators.md) +###### [Create indicators for files](microsoft-defender-atp/indicator-file.md) +###### [Create indicators for IPs and URLs/domains](microsoft-defender-atp/indicator-ip-domain.md) +###### [Create indicators for certificates](microsoft-defender-atp/indicator-certificates.md) +###### [Manage indicators](microsoft-defender-atp/indicator-manage.md) ##### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md) ##### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md new file mode 100644 index 0000000000..e0233b7ae1 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md 
@@ -0,0 +1,72 @@ +--- +title: Create indicators based on certificates +ms.reviewer: +description: Create indicators based on certificates that define the detection, prevention, and exclusion of entities. +keywords: ioc, certificate, certificates, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Create indicators based on certificates (preview) + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) + +You can create indicators for certificates. Some common use cases include: + +- Scenarios when you need to deploy blocking technologies, such as [attack surface reduction rules](attack-surface-reduction.md) and [controlled folder access](controlled-folders.md) but need to allow behaviors from signed applications by adding the certificate in the allow list. +- Blocking the use of a specific signed application across your organization. By creating an indicator to block the certificate of the application, Windows Defender AV will prevent file executions (block and remediate) and the Automated Investigation and Remediation behave the same. + + +### Before you begin + +It's important to understand the following requirements prior to creating indicators for certificates: + +- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. 
For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). +- The Antimalware client version must be 4.18.1901.x or later. +- Supported on machines on Windows 10, version 1703 or later. +- The virus and threat protection definitions must be up-to-date. +- This feature currently supports entering .CER or .PEM file extensions. + +>[!IMPORTANT] +> - A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine 'Trusted Root Certification Authorities'). +>- The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported. +>- Microsoft signed certificates cannot be blocked. + +#### Create an indicator for certificates from the settings page: + +>[!IMPORTANT] +> It can take up to 3 hours to create and remove a certificate IoC. + +1. In the navigation pane, select **Settings** > **Indicators**. + +2. Select the **Certificate** tab. + +3. Select **Add indicator**. + +4. Specify the following details: + - Indicator - Specify the entity details and define the expiration of the indicator. + - Action - Specify the action to be taken and provide a description. + - Scope - Define the scope of the machine group. + +5. Review the details in the Summary tab, then click **Save**. + +## Related topics +- [Create indicators](manage-indicators.md) +- [Create indicators for files](indicator-file.md) +- [Create indicators for IPs and URLs/domains](indicator-ip-domain.md) +- [Manage indicators](indicator-manage.md) \ No newline at end of file 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md new file mode 100644 index 0000000000..c3312ea5e8 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md 
@@ -0,0 +1,79 @@ +--- +title: Create indicators for files +ms.reviewer: +description: Create indicators for a file hash that define the detection, prevention, and exclusion of entities. +keywords: file, hash, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Create indicators for files + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) + +You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization. + +There are two ways you can create indicators for files: +- By creating an indicator through the settings page +- By creating a contextual indicator using the add indicator button from the file details page + +### Before you begin +It's important to understand the following prerequisites prior to creating indicators for files: + +- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). +- The Antimalware client version must be 4.18.1901.x or later. 
+- Supported on machines on Windows 10, version 1703 or later. +- To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings. +- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. + +>[!IMPORTANT] +>- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action +>- Trusted signed files will be treated differently. Microsoft Defender ATP is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications. + + +>[!NOTE] +>Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. + +### Create an indicator for files from the settings page + +1. In the navigation pane, select **Settings** > **Indicators**. + +2. Select the **File hash** tab. + +3. Select **Add indicator**. + +4. Specify the following details: + - Indicator - Specify the entity details and define the expiration of the indicator. + - Action - Specify the action to be taken and provide a description. + - Scope - Define the scope of the machine group. + +5. Review the details in the Summary tab, then click **Save**. + +### Create a contextual indicator from the file details page +One of the options when taking [response actions on a file](respond-file-alerts.md) is adding an indicator for the file. + +When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a machine in your organization attempts to run it. + +Files automatically blocked by an indicator won't show up in the file's Action center, but the alerts will still be visible in the Alerts queue. 
+ + +## Related topics +- [Create indicators](manage-indicators.md) +- [Create indicators for IPs and URLs/domains](indicator-ip-domain.md) +- [Create indicators based on certificates](indicator-certificates.md) +- [Manage indicators](indicator-manage.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md new file mode 100644 index 0000000000..90e188b28e --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md 
@@ -0,0 +1,75 @@ +--- +title: Create indicators for IPs and URLs/domains +ms.reviewer: +description: Create indicators for IPs and URLs/domains that define the detection, prevention, and exclusion of entities. +keywords: ip, url, domain, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Create indicators for IPs and URLs/domains + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) + + +Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs, through Windows Defender SmartScreen for Microsoft browsers, and through Network Protection for non-Microsoft browsers or calls made outside of a browser. + +The threat intelligence data set for this has been managed by Microsoft. + +By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your own threat intelligence. You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others. + +### Before you begin +It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains: +- URL/IP allow and block relies on the Microsoft Defender ATP component Network Protection to be enabled in block mode. 
For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md). +- The Antimalware client version must be 4.18.1906.x or later. +- Supported on machines on Windows 10, version 1709 or later. +- Ensure that **Custom network indicators** is enabled in **Microsoft Defender Security Center > Settings > Advanced features**. For more information, see [Advanced features](advanced-features.md). + + +>[!IMPORTANT] +> Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. +> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement:
+> NOTE: +>- IP is supported for all three protocols +>- Encrypted URLs (full path) can only be blocked on first party browsers +>- Encrypted URLS (FQDN only) can be blocked outside of first party browsers +>- Full URL path blocks can be applied on the domain level and all unencrypted URLs + +>[!NOTE] +>There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked. + +### Create an indicator for IPs, URLs, or domains from the settings page + +1. In the navigation pane, select **Settings** > **Indicators**. + +2. Select the **IP addresses or URLs/Domains** tab. + +3. Select **Add indicator**. + +4. Specify the following details: + - Indicator - Specify the entity details and define the expiration of the indicator. + - Action - Specify the action to be taken and provide a description. + - Scope - Define the scope of the machine group. + +5. Review the details in the Summary tab, then click **Save**. + +## Related topics +- [Create indicators](manage-indicators.md) +- [Create indicators for files](indicator-file.md) +- [Create indicators based on certificates](indicator-certificates.md) +- [Manage indicators](indicator-manage.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md new file mode 100644 index 0000000000..2c3ba958b9 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md 
@@ -0,0 +1,70 @@ +--- +title: Manage indicators +ms.reviewer: +description: Manage indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities. +keywords: import, indicator, list, ioc, csv, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Manage indicators + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) + + +1. In the navigation pane, select **Settings** > **Indicators**. + +2. Select the tab of the entity type you'd like to manage. + +3. Update the details of the indicator and click **Save** or click the **Delete** button if you'd like to remove the entity from the list. + +## Import a list of IoCs + +You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details. + +Download the sample CSV to know the supported column attributes. + +1. In the navigation pane, select **Settings** > **Indicators**. + +2. Select the tab of the entity type you'd like to import indicators for. + +3. Select **Import** > **Choose file**. + +4. Select **Import**. Do this for all the files you'd like to import. + +5. Select **Done**. + +The following table shows the supported parameters. + +Parameter | Type | Description +:---|:---|:--- +indicatorType | Enum | Type of the indicator. 
Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required** +indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity. **Required** +action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required** +title | String | Indicator alert title. **Required** +description | String | Description of the indicator. **Required** +expirationTime | DateTimeOffset | The expiration time of the indicator in the following format YYYY-MM-DDTHH:MM:SS.0Z. **Optional** +severity | Enum | The severity of the indicator. Possible values are: "Informational", "Low", "Medium" and "High". **Optional** +recommendedActions | String | TI indicator alert recommended actions. **Optional** +rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional** + +## Related topics +- [Create indicators](manage-indicators.md) +- [Create indicators for files](indicator-file.md) +- [Create indicators for IPs and URLs/domains](indicator-ip-domain.md) +- [Create indicators based on certificates](indicator-certificates.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md index 2350c4c54c..e17e4280c2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md @@ -1,5 +1,5 @@ --- -title: Manage indicators +title: Create indicators ms.reviewer: description: Create indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities. keywords: manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain 
@@ -18,7 +18,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Manage indicators +# Create indicators **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -49,188 +49,17 @@ The current supported actions are: You can create an indicator for: -- Files -- IP addresses -- URLs/domains +- [Files](indicator-file.md) +- [IP addresses, URLs/domains](indicator-ip-domain.md) +- [Certificates (preview)](indicator-certificates.md) + >[!NOTE] >There is a limit of 15,000 indicators per tenant. -![Image of indicators settings page](images/rules-indicators.png) +## Related topics - -## Create indicators for files -You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization. - -There are two ways you can create indicators for files: -- By creating an indicator through the settings page -- By creating a contextual indicator using the add indicator button from the file details page - -### Before you begin -It's important to understand the following prerequisites prior to creating indicators for files: - -- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md). -- The Antimalware client version must be 4.18.1901.x or later. -- Supported on devices on Windows 10, version 1703 or later. -- To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings. -- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. 
- ->[!IMPORTANT] ->- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action ->- Trusted signed files will be treated differently. Microsoft Defender ATP is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications. - - ->[!NOTE] ->Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. - -### Create an indicator for files from the settings page - -1. In the navigation pane, select **Settings** > **Indicators**. - -2. Select the **File hash** tab. - -3. Select **Add indicator**. - -4. Specify the following details: - - Indicator - Specify the entity details and define the expiration of the indicator. - - Action - Specify the action to be taken and provide a description. - - Scope - Define the scope of the device group according to your [user permissions](machine-groups.md). - -5. Review the details in the Summary tab, then click **Save**. - -### Create a contextual indicator from the file details page -One of the options when taking [response actions on a file](respond-file-alerts.md) is adding an indicator for the file. - -When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a device in your organization attempts to run it. - -Files automatically blocked by an indicator won't show up in the file's Action center, but the alerts will still be visible in the Alerts queue. - -## Create indicators for IPs and URLs/domains -Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs, through Windows Defender SmartScreen for Microsoft browsers, and through Network Protection for non-Microsoft browsers or calls made outside of a browser. - -The threat intelligence data set for this has been managed by Microsoft. 
- -By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your own threat intelligence. You can do this through the settings page or by device groups if you deem certain groups to be more or less at risk than others. - -### Before you begin -It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains: -- URL/IP allow and block relies on the Microsoft Defender ATP component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md). -- The Antimalware client version must be 4.18.1906.x or later. -- Supported on devices on Windows 10, version 1709 or later. -- Ensure that **Custom network indicators** is enabled in **Microsoft Defender Security Center > Settings > Advanced features**. For more information, see [Advanced features](advanced-features.md). - - ->[!IMPORTANT] -> Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. -> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement:
-> NOTE: ->- IP is supported for all three protocols ->- Encrypted URLs (full path) can only be blocked on first party browsers ->- Encrypted URLS (FQDN only) can be blocked outside of first party browsers ->- Full URL path blocks can be applied on the domain level and all unencrypted URLs - ->[!NOTE] ->There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked. - -### Create an indicator for IPs, URLs, or domains from the settings page - -1. In the navigation pane, select **Settings** > **Indicators**. - -2. Select the **IP addresses or URLs/Domains** tab. - -3. Select **Add indicator**. - -4. Specify the following details: - - Indicator - Specify the entity details and define the expiration of the indicator. - - Action - Specify the action to be taken and provide a description. - - Scope - Define the scope of the device group. - -5. Review the details in the Summary tab, then click **Save**. - -## Create indicators for certificates - -You can create indicators for certificates. Some common use cases include: - -- Scenarios when you need to deploy blocking technologies, such as [attack surface reduction rules](attack-surface-reduction.md) and [controlled folder access](controlled-folders.md) but need to allow behaviors from signed applications by adding the certificate in the allow list. -- Blocking the use of a specific signed application across your organization. By creating an indicator to block the certificate of the application, Microsoft Defender AV will prevent file executions (block and remediate) and the Automated Investigation and Remediation behave the same. - - -### Before you begin - -It's important to understand the following requirements prior to creating indicators for certificates: - -- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–based protection is enabled. 
For more information, see [Manage cloud–based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md). -- The Antimalware client version must be 4.18.1901.x or later. -- Supported on devices on Windows 10, version 1703 or later. -- The virus and threat protection definitions must be up-to-date. -- This feature currently supports entering .CER or .PEM file extensions. - ->[!IMPORTANT] -> - A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it’s trusted by the client (Root CA certificate is installed under the Local Machine 'Trusted Root Certification Authorities'). ->- The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality – only leaf certificates are supported. ->- Microsoft signed certificates cannot be blocked. - -#### Create an indicator for certificates from the settings page: - ->[!IMPORTANT] -> It can take up to 3 hours to create and remove a certificate IoC. - -1. In the navigation pane, select **Settings** > **Indicators**. - -2. Select the **Certificate** tab. - -3. Select **Add indicator**. - -4. Specify the following details: - - Indicator - Specify the entity details and define the expiration of the indicator. - - Action - Specify the action to be taken and provide a description. - - Scope - Define the scope of the device group. - -5. Review the details in the Summary tab, then click **Save**. - - -## Manage indicators - -1. In the navigation pane, select **Settings** > **Indicators**. - -2. Select the tab of the entity type you'd like to manage. - -3. Update the details of the indicator and click **Save** or click the **Delete** button if you'd like to remove the entity from the list. 
- -## Import a list of IoCs - -You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details. - -Download the sample CSV to know the supported column attributes. - -1. In the navigation pane, select **Settings** > **Indicators**. - -2. Select the tab of the entity type you'd like to import indicators for. - -3. Select **Import** > **Choose file**. - -4. Select **Import**. Do this for all the files you'd like to import. - -5. Select **Done**. - -The following table shows the supported parameters. - -Parameter | Type | Description -:---|:---|:--- -indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required** -indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity. **Required** -action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required** -title | String | Indicator alert title. **Required** -description | String | Description of the indicator. **Required** -expirationTime | DateTimeOffset | The expiration time of the indicator in the following format YYYY-MM-DDTHH:MM:SS.0Z. **Optional** -severity | Enum | The severity of the indicator. Possible values are: "Informational", "Low", "Medium" and "High". **Optional** -recommendedActions | String | TI indicator alert recommended actions. **Optional** -rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional** - - - -## Related topic - [Create contextual IoC](respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) - [Use the Microsoft Defender ATP indicators API](ti-indicator.md) - [Use partner integrated solutions](partner-applications.md)
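Review bot: in the TOC.md hunk, the renamed entry "Create indicators" still points at manage-indicators.md while the new child entry "Manage indicators" points at indicator-manage.md, so each file name now says the opposite of its title. Consider renaming manage-indicators.md (with a redirect) in the same change, or at least calling out the inversion, before more pages link to these paths. Nesting "Manage indicators" as a sixth-level child of "Create indicators" also reads oddly, since managing existing indicators is not a kind of creating them; a sibling entry at the same level would be clearer.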
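Review bot: the new indicator-certificates.md regresses text that the deleted copy in manage-indicators.md had already updated. The "Before you begin" bullet says "Windows Defender Antivirus" and links to ../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md, whereas the removed section used "Microsoft Defender Antivirus" and ../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md; the new page also says "machines" where the removed copy said "devices". Copy from the current text so the link does not go stale. Smaller points: the "Create an indicator for certificates from the settings page:" heading jumps from ### to #### and ends with a colon; "IOCs" and "IoC" casing is mixed within the IMPORTANT block; the "Scope" bullet dropped the "[user permissions](machine-groups.md)" link the removed copy had; and the file ends without a trailing newline.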
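Review bot: the new indicator-file.md has the same stale-copy problem as the certificates page. It uses "Windows Defender Antivirus", "machines" and the ../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md path, while the section deleted from manage-indicators.md in this same patch had already moved to "Microsoft Defender Antivirus", "devices" and ../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md. The "Scope" bullet under step 4 also lost the "according to your [user permissions](machine-groups.md)" qualifier present in the removed copy, and the file has no trailing newline.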
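Review bot: in indicator-ip-domain.md, the prerequisites line reads "creating indicators for IPS, URLs, or domains" and should be "IPs"; likewise "Encrypted URLS (FQDN only)" should be "URLs". The "> NOTE:" line inside the IMPORTANT alert renders as literal text rather than as a second alert, so either fold those four bullets into the IMPORTANT block or start a separate ">[!NOTE]" block. The page also says "machine groups" where the removed copy in manage-indicators.md said "device groups", and it ends without a trailing newline.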
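Review bot: in indicator-manage.md, the CSV parameter table lists indicatorType values "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url" only, yet this same patch adds a Certificate tab; the page should state whether certificate indicators can be imported and, if so, which value to use. "Download the sample CSV to know the supported column attributes." gives no link or location for the sample file. The three management steps sit directly under the H1 with no section heading, so the page opens on a numbered list; a heading such as "## Update or delete an indicator" would match the "## Import a list of IoCs" heading that follows. The action row wording "if the indicator will be discovered" should be "if the indicator is discovered", and the front-matter description omits certificates.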
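Review bot: in the manage-indicators.md front-matter hunk, only the title is updated; the description still says "Create indicators for a file hash, IP address, URLs, or domains" and the keywords line omits "certificate", even though the body now links to the certificates page. Update both so search and the page summary reflect the new entity type.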
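Review bot: in the large manage-indicators.md hunk, the screenshot "![Image of indicators settings page](images/rules-indicators.png)" is removed without being moved to any of the new pages; if it is still accurate, place it on one of them, otherwise delete images/rules-indicators.png as well so it does not linger unused. After the change, this page no longer links to indicator-manage.md from either the bullet list or "## Related topics", while every new page links back here; add it alongside the three per-type links. Note also that the deleted text was the most recently updated copy (it says "devices" and "Microsoft Defender Antivirus" and carries the "[user permissions](machine-groups.md)" link), so those edits should be carried into the new files rather than lost in the split.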