Update indicators in Microsoft Defender for Endpoint
Update existing indicators in Microsoft Defender for Endpoint, either from the list context-menu or from the form view of a Microsoft Defender Indicator record.
Before you begin
Role required: sn_si.admin, sn_si.analyst
Procedure
- Navigate to Security Incidents > Show All Incidents.
- Select Show All Related Lists and then select the Microsoft Defender Indicators tab.
  Note: You must configure the related list for Microsoft Defender Indicators so that it appears in the Security Incident related lists. For more information, see Form UI actions.
- Update the Microsoft Defender for Endpoint indicators in one of the following ways:
  - To update an indicator from the list context-menu, select the row of the indicator that you want to update and then select Update Indicator under the Microsoft Defender option.
  - To update an indicator from the form view, open the indicator record and select Update Indicator in Microsoft Defender.
- On the form, fill in the fields.

  Table 1. Microsoft Defender Indicator form

  Field: Description
  Title: Title for the indicator.
  Description: Description for the indicator.
  Expiration Time: Expiration time for the indicator.
  Recommended Actions: Recommended actions to be performed for the indicator.
  Source: Integration configuration used to create the indicator.
  Action: Action that is performed if the indicator is discovered in the organization. The possible values are as follows:
    - Warn
    - Block
    - Audit
    - BlockAndRemediate
    - Allowed
  Application: The Microsoft Defender for Endpoint application that is associated with the indicator. This field applies only to a new indicator and cannot be changed for an existing indicator.
  Severity: Severity of the indicator. The possible values are as follows:
    - Low
    - Medium
    - High
  RBAC Group Names: RBAC group names that the indicator is applied to, entered as a comma-separated list.

- Select Update Indicator.
- Validate the activity and UI messages.
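As an added example, not code from ServiceNow or Microsoft, the following pre-submission check applies the constraints the form above documents (the allowed Action and Severity values, the Application field being usable only for new indicators, and the comma-separated RBAC Group Names). The field names, the ISO 8601 expiration format and the future-expiration rule are assumptions made for the example.

```python
from datetime import datetime, timezone

# Values the form documents for the Action and Severity fields.
ALLOWED_ACTIONS = {"Warn", "Block", "Audit", "BlockAndRemediate", "Allowed"}
ALLOWED_SEVERITIES = {"Low", "Medium", "High"}


def validate_indicator_update(fields, is_existing=True, now=None):
    """Return a list of problems found in an indicator form submission.

    `fields` mirrors the form with assumed keys: title, description,
    expiration_time (ISO 8601, assumed UTC when no offset is given),
    recommended_actions, source, action, application, severity and
    rbac_group_names (comma-separated string). An empty list means the
    submission passes every check here.
    """
    now = now or datetime.now(timezone.utc)
    problems = []
    if not fields.get("title"):
        problems.append("title is required")
    action = fields.get("action")
    if action not in ALLOWED_ACTIONS:
        problems.append(f"action {action!r} is not one of {sorted(ALLOWED_ACTIONS)}")
    severity = fields.get("severity")
    if severity not in ALLOWED_SEVERITIES:
        problems.append(f"severity {severity!r} is not one of {sorted(ALLOWED_SEVERITIES)}")
    # Application may be set only when creating a new indicator (see Table 1).
    if is_existing and fields.get("application"):
        problems.append("application cannot be changed on an existing indicator")
    # Expiration must parse and lie in the future; an already-expired
    # indicator would be pushed to Defender and never match anything.
    try:
        raw = fields["expiration_time"].replace("Z", "+00:00")
        expires = datetime.fromisoformat(raw)
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            problems.append("expiration_time is in the past")
    except (KeyError, ValueError, AttributeError):
        problems.append("expiration_time must be an ISO 8601 timestamp")
    return problems


def parse_rbac_groups(value):
    """Split the comma-separated RBAC Group Names field, dropping blanks."""
    return [name.strip() for name in (value or "").split(",") if name.strip()]
```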