  1. In the navigation pane, select Settings > Endpoints > Indicators (under Rules).
  2. Select the tab of the entity type you’d like to manage.
  3. Update the details of the indicator and click Save, or click Delete if you'd like to remove the entity from the list.

Import a list of IoCs

You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details.

Download the sample CSV to see the supported column attributes.

  1. In the navigation pane, select Settings > Endpoints > Indicators (under Rules).
  2. Select the tab of the entity type you’d like to import indicators for.
  3. Select Import > Choose file.
  4. Select Import. Do this for all the files you’d like to import.
  5. Select Done.

 Note

Only 500 indicators can be uploaded for each batch.

The following table shows the supported parameters.

| Parameter | Type | Description | Required |
|---|---|---|---|
| indicatorType | Enum | Type of the indicator. Possible values are: “FileSha1”, “FileSha256”, “IpAddress”, “DomainName” and “Url”. | Required |
| indicatorValue | String | Identity of the indicator entity. | Required |
| action | Enum | The action taken if the indicator is discovered in the organization. Possible values are: “Alert”, “AlertAndBlock” and “Allowed”. | Required |
| title | String | Indicator alert title. | Required |
| description | String | Description of the indicator. | Required |
| expirationTime | DateTimeOffset | The expiration time of the indicator, in the format YYYY-MM-DDTHH:MM:SS.0Z. The indicator is deleted once the expiration time passes; the expiration takes effect at the seconds (SS) value. | Optional |
| severity | Enum | The severity of the indicator. Possible values are: “Informational”, “Low”, “Medium” and “High”. | Optional |
| recommendedActions | String | TI indicator alert recommended actions. | Optional |
| rbacGroupNames | String | Comma-separated list of RBAC group names the indicator is applied to. | Optional |
| category | String | Category of the alert. Examples include Execution and Credential Access. | Optional |
| mitretechniques | String | MITRE technique codes/IDs (comma separated). For more information, see Enterprise tactics. It is recommended to add a value in category when a MITRE technique is specified. | Optional |
| GenerateAlert | String | Whether the alert should be generated or not. Possible values are: True or False. | Optional |

 Note

Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported. For more information, see “Microsoft Defender for Endpoint alert categories are now aligned with MITRE ATT&CK!”.
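The column rules in the table, the 500-indicator batch limit and the CIDR restriction above can all be checked before a file is uploaded, which avoids a rejected import and a half-applied batch. The following validator is an added example and is not part of the Microsoft documentation or the Defender portal. The column names and allowed values come from the table; the hash-length check, the IP-address parsing, the expiry-in-the-past check and the sample rows are assumptions made for this example.

```python
import csv
import io
import ipaddress
from datetime import datetime, timezone

# Allowed values and required columns are taken from the parameter table above.
INDICATOR_TYPES = {"FileSha1", "FileSha256", "IpAddress", "DomainName", "Url"}
ACTIONS = {"Alert", "AlertAndBlock", "Allowed"}
SEVERITIES = {"Informational", "Low", "Medium", "High"}
REQUIRED = ("indicatorType", "indicatorValue", "action", "title", "description")
HASH_LENGTHS = {"FileSha1": 40, "FileSha256": 64}  # assumption: hex digest lengths
MAX_BATCH = 500                                    # per-upload limit from the note above
EXPIRATION_FORMAT = "%Y-%m-%dT%H:%M:%S.0Z"         # YYYY-MM-DDTHH:MM:SS.0Z


def _get(row, key):
    """Read a cell, treating an absent column or an empty cell as ''."""
    return (row.get(key) or "").strip()


def validate_row(row, now):
    """Return the list of problems found in one CSV row (an empty list means OK)."""
    problems = []
    for field in REQUIRED:
        if not _get(row, field):
            problems.append(f"missing required field {field}")

    itype = _get(row, "indicatorType")
    if itype not in INDICATOR_TYPES:
        problems.append(f"indicatorType {itype!r} is not one of {sorted(INDICATOR_TYPES)}")
    action = _get(row, "action")
    if action not in ACTIONS:
        problems.append(f"action {action!r} is not one of {sorted(ACTIONS)}")

    value = _get(row, "indicatorValue")
    if itype in HASH_LENGTHS:
        n = HASH_LENGTHS[itype]
        if len(value) != n or any(c not in "0123456789abcdefABCDEF" for c in value):
            problems.append(f"{itype} value must be {n} hex characters")
    elif itype == "IpAddress":
        if "/" in value:
            # The note above: CIDR ranges are rejected, each address must be its own row.
            problems.append("CIDR notation is not supported; list each address separately")
        else:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"indicatorValue {value!r} is not a valid IP address")

    severity = _get(row, "severity")
    if severity and severity not in SEVERITIES:
        problems.append(f"severity {severity!r} is not one of {sorted(SEVERITIES)}")

    expiration = _get(row, "expirationTime")
    if expiration:
        try:
            expires = datetime.strptime(expiration, EXPIRATION_FORMAT).replace(tzinfo=timezone.utc)
        except ValueError:
            problems.append("expirationTime must use the format YYYY-MM-DDTHH:MM:SS.0Z")
        else:
            if expires <= now:
                problems.append("expirationTime is already in the past; the indicator would be deleted at once")

    generate = _get(row, "GenerateAlert")
    if generate and generate not in {"True", "False"}:
        problems.append("GenerateAlert must be True or False")

    # The table recommends a category whenever a MITRE technique is supplied.
    if _get(row, "mitretechniques") and not _get(row, "category"):
        problems.append("category should be set when mitretechniques is given")
    return problems


def validate_csv(text, now=None):
    """Validate a whole import file: {'rows': n, 'errors': {row_no: [...]}, 'batch_ok': bool}."""
    now = now or datetime.now(timezone.utc)
    rows = list(csv.DictReader(io.StringIO(text)))
    errors = {}
    for number, row in enumerate(rows, start=1):
        problems = validate_row(row, now)
        if problems:
            errors[number] = problems
    return {"rows": len(rows), "errors": errors, "batch_ok": len(rows) <= MAX_BATCH}


# Constructed sample file (not a real import): rows 1 and 3 are valid, rows 2 and 4 are not.
SAMPLE_CSV = """indicatorType,indicatorValue,action,title,description,expirationTime,severity,category,mitretechniques,GenerateAlert
FileSha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,AlertAndBlock,Known dropper,Hash of a constructed sample,2099-01-31T00:00:00.0Z,High,Execution,T1204.002,True
IpAddress,203.0.113.0/24,Alert,Suspicious range,CIDR is not supported,,Medium,,,True
DomainName,example.test,Allowed,Approved vendor,Allow-listed test domain,,Low,,,False
Url,http://example.test/payload,Alert,,Missing title,2020-01-01T00:00:00.0Z,Critical,,T1566,True
"""

if __name__ == "__main__":
    report = validate_csv(SAMPLE_CSV)
    print(f"{report['rows']} rows, batch within limit: {report['batch_ok']}")
    for number, problems in sorted(report["errors"].items()):
        for problem in problems:
            print(f"row {number}: {problem}")
```

Run the script against a file with `validate_csv(open("indicators.csv").read())` and upload only when `errors` is empty and `batch_ok` is true; a file over 500 rows should be split into several uploads, as step 4 of the import procedure allows.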

Source: Official Microsoft Brand
Edited by: BEST Antivirus KBS Team
