Update indicators in Microsoft Defender for Endpoint
Update the existing indicators in Microsoft Defender for Endpoint from the list context-menu or from the form view of the Microsoft Defender Indicator.
Before you begin
Role required: sn_si.admin, sn_si.analyst
Procedure
- Navigate to Security Incidents > Show All Incidents.
- Click Show All Related Lists and then click the Microsoft Defender Indicators tab.
Note:
You must configure the related list for the Microsoft Defender Indicators so that it appears in the Security Incident related lists. For more information, see Form UI actions.
- Update the Microsoft Defender for Endpoint indicators in one of the following ways:
  - To update the indicators from the list context-menu, select the row of the indicator that you want to update and click Update Indicator in the Microsoft Defender option.
    Figure 1. Update Indicators using list context-menu
  - To update the indicators from the form view, click Update Indicator in Microsoft Defender in the form view.
    Figure 2. Update Indicators using form view
- On the form, fill in the fields.
Table 1. Microsoft Defender Indicator form (Field: Description)
  - Title: Title for the indicator.
  - Description: Description for the indicator.
  - Expiration Time: Expiration time for the indicator.
  - Recommended Actions: Recommended actions to be performed for the indicator.
  - Source: Integration configuration to create the indicator.
  - Action: Actions that are performed if the indicator is discovered in the organization. The possible values are as follows:
    - Warn
    - Block
    - Audit
    - BlockAndRemediate
    - Allowed
  - Application: The Microsoft Defender for Endpoint application that is associated with the indicator. This field is applicable only for a new indicator and cannot be used for an existing indicator.
  - Severity: Severity of the indicator. Possible values are as follows:
    - Low
    - Medium
    - High
  - RBAC Group Names: RBAC group names that the indicator is applied to. The names are in a comma-separated list.
- Click Update Indicator.
- Validate the activity and UI messages.
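
The field constraints from the indicator form (allowed Action and Severity values, Application not usable on an existing indicator, comma-separated RBAC group names) can be checked before a batch of updates is entered. This is an added example, not ServiceNow or Microsoft code; the object keys, the function names, and the rule that an expiration time in the past is rejected are assumptions made for illustration.

```javascript
// Added example. Object keys (action, severity, application, expirationTime,
// rbacGroupNames) are hypothetical names, not ServiceNow or Defender identifiers.
const ACTIONS = new Set(["Warn", "Block", "Audit", "BlockAndRemediate", "Allowed"]);
const SEVERITIES = new Set(["Low", "Medium", "High"]);

// Split the comma-separated RBAC Group Names field into a trimmed, de-duplicated list.
function parseRbacGroups(raw) {
  const groups = [];
  const errors = [];
  if (raw === undefined || raw === null || raw.trim() === "") return { groups, errors };
  for (const part of raw.split(",")) {
    const name = part.trim();
    if (name === "") {
      errors.push("RBAC Group Names: empty entry between commas");
    } else if (!groups.includes(name)) {
      groups.push(name);
    }
  }
  return { groups, errors };
}

// Validate the fields of an update to an EXISTING indicator.
// `now` is injectable so the expiration check is deterministic in tests.
function validateIndicatorUpdate(form, now = new Date()) {
  const errors = [];
  // Values are matched exactly, so "block" or "Critical" is reported, not silently accepted.
  if (!ACTIONS.has(form.action)) {
    errors.push(`Action: "${form.action}" is not one of ${[...ACTIONS].join(", ")}`);
  }
  if (!SEVERITIES.has(form.severity)) {
    errors.push(`Severity: "${form.severity}" is not one of ${[...SEVERITIES].join(", ")}`);
  }
  // Application is applicable only when a new indicator is created.
  if (form.application !== undefined && form.application !== "") {
    errors.push("Application: cannot be used for an existing indicator");
  }
  if (form.expirationTime !== undefined && form.expirationTime !== "") {
    const expires = new Date(form.expirationTime);
    if (Number.isNaN(expires.getTime())) {
      errors.push("Expiration Time: not a parseable date");
    } else if (expires <= now) {
      // Assumption of this example: an update that sets a past expiration is a mistake.
      errors.push("Expiration Time: already in the past");
    }
  }
  const rbac = parseRbacGroups(form.rbacGroupNames);
  errors.push(...rbac.errors);
  return { ok: errors.length === 0, errors, rbacGroups: rbac.groups };
}
```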