- In the navigation pane, select Settings > Endpoints > Indicators (under Rules).
- Select the tab of the entity type you’d like to manage.
- Update the details of the indicator and click Save or click the Delete button if you’d like to remove the entity from the list.
Import a list of IoCs
You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details.
Download the sample CSV to know the supported column attributes.
- In the navigation pane, select Settings > Endpoints > Indicators (under Rules).
- Select the tab of the entity type you’d like to import indicators for.
- Select Import > Choose file.
- Select Import. Do this for all the files you’d like to import.
- Select Done.
Note
Only 500 indicators can be uploaded for each batch.
The following table shows the supported parameters.
| Parameter | Type | Description |
|---|---|---|
| indicatorType | Enum | Type of the indicator. Possible values are: “FileSha1”, “FileSha256”, “IpAddress”, “DomainName” and “Url”. Required |
| indicatorValue | String | Identity of the Indicator entity. Required |
| action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: “Alert”, “AlertAndBlock”, and “Allowed”. Required |
| title | String | Indicator alert title. Required |
| description | String | Description of the indicator. Required |
| expirationTime | DateTimeOffset | The expiration time of the indicator in the following format YYYY-MM-DDTHH:MM:SS.0Z. The indicator gets deleted if the expiration time passes and whatever happens at the expiration time occurs at the seconds (SS) value. Optional |
| severity | Enum | The severity of the indicator. Possible values are: “Informational”, “Low”, “Medium” and “High”. Optional |
| recommendedActions | String | TI indicator alert recommended actions. Optional |
| rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. Optional |
| category | String | Category of the alert. Examples include: Execution and credential access. Optional |
| mitretechniques | String | MITRE techniques code/id (comma separated). For more information, see Enterprise tactics. Optional It is recommended to add a value in category when a MITRE technique. |
| GenerateAlert | String | Whether the alert should be generated or not. Possible Values are: True or False. Optional |
Note
Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported. For more information, see Microsoft Defender for Endpoint alert categories are now aligned with MITRE ATT&CK!.
Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team
(Visited 18 times, 1 visits today)