Indicators of Compromise (IoCs) in Microsoft Defender for Endpoint

Jul 4, 2024

Overview of IoCs

  • Definition: Data indicating potential malicious activity in a network or computer system.
  • Importance: Essential for endpoint protection solutions like Microsoft Defender for Endpoint.

Uses of IoCs in Defender for Endpoint

  1. Cloud Detection Engine: Scans data for IoCs and acts based on specified settings.
  2. Defender Antivirus: Uses the same IoCs list to take actions like blocking files.
  3. Automated Investigation and Remediation Engine: Ignores allowed files or acts on blocked ones during automated investigations.

Methods to Add IoCs

1. Manual Creation

  • Steps:
    • In Microsoft 365 Defender, go to Settings > Endpoints > Indicators.
    • Types of IoCs: File hashes, IP addresses, URLs and domains, certificates.
    • Example: Adding a file hash IoC.
      • Select Add item and paste the file hash.
      • Choose an expiration date or set it to never expire.
      • Specify action (Allow, Audit, Warn, Block, Block and Remediate).
      • Complete alert information (Severity: Informational, Category: Malware).
      • Select device groups and save.

2. Batch Import via CSV

  • Steps:
    • Export existing IoCs to a .csv file.
    • Download sample CSV and customize it.
    • Select Choose File, open it, and import.
    • Re-importing the file will only add new IoCs (no duplicates).

3. Adding from an Entity Page

  • Steps:
    • Start from the page of an entity surfaced during an investigation (e.g., a URL).
    • Select Add indicator on the entity page.
    • Complete the Indicator Creation Wizard.

4. Programmatic Addition via API

  • Use the Defender for Endpoint APIs.
    • Requires app permissions to read and write all IoCs.
    • Refer to "Access the Microsoft Defender for Endpoint APIs" on Microsoft Docs.
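The following script is an added example, not code from this page or from Microsoft, showing what the programmatic route looks like in practice and how the same fields the portal wizard asks for (value, type, action, expiration, severity, device groups) map onto an API request. It assumes the public Indicators endpoint `POST https://api.securitycenter.microsoft.com/api/indicators`, an app registration holding the `Ti.ReadWrite.All` application permission, and a bearer token obtained separately through the client-credentials flow. It also includes a small de-duplication helper that mirrors the CSV import behaviour described above (only indicators not already present are added), so a bulk push over the API does not create repeats. The HTTP call is isolated behind a `transport` callable so the payload logic can be run offline; the sample hash is constructed (SHA-256 of the empty file) and carries no meaning beyond being well-formed.

```python
"""Create custom indicators in Microsoft Defender for Endpoint via the Indicators API.

Added example, not Microsoft's code. Assumptions: the endpoint below, an app with
the Ti.ReadWrite.All permission, and a bearer token obtained elsewhere.
"""
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone

INDICATORS_URL = "https://api.securitycenter.microsoft.com/api/indicators"

# Indicator types, response actions and severities accepted by the Indicators API.
INDICATOR_TYPES = {"FileSha1", "FileSha256", "IpAddress", "DomainName", "Url",
                   "CertificateThumbprint"}
ACTIONS = {"Allowed", "Audit", "Warn", "Block", "BlockAndRemediate", "Alert",
           "AlertAndBlock"}
SEVERITIES = {"Informational", "Low", "Medium", "High"}

# Shape checks: a mistyped hash is accepted by the service but will never match.
_VALUE_PATTERNS = {
    "FileSha1": re.compile(r"^[0-9a-fA-F]{40}$"),
    "FileSha256": re.compile(r"^[0-9a-fA-F]{64}$"),
    "CertificateThumbprint": re.compile(r"^[0-9a-fA-F]{40}$"),
    "IpAddress": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),  # IPv4 only, kept simple
    "DomainName": re.compile(r"^[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"),
    "Url": re.compile(r"^https?://\S+$"),
}


def build_indicator(value, indicator_type, action, title, description,
                    severity="Informational", days_valid=None, rbac_groups=None):
    """Return the request body for POST /api/indicators; raise ValueError on bad input."""
    if indicator_type not in INDICATOR_TYPES:
        raise ValueError(f"unknown indicator type {indicator_type!r}")
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    if not _VALUE_PATTERNS[indicator_type].match(value):
        raise ValueError(f"{value!r} is not a well-formed {indicator_type}")
    if indicator_type in ("FileSha1", "FileSha256", "CertificateThumbprint"):
        value = value.lower()  # normalise hex so duplicates compare equal
    body = {
        "indicatorValue": value,
        "indicatorType": indicator_type,
        "action": action,
        "title": title,
        "description": description,
        "severity": severity,
    }
    # Leaving expirationTime out is the API equivalent of the portal's
    # "never expire" choice; otherwise send an ISO-8601 UTC timestamp.
    if days_valid is not None:
        expires = datetime.now(timezone.utc) + timedelta(days=days_valid)
        body["expirationTime"] = expires.strftime("%Y-%m-%dT%H:%M:%SZ")
    if rbac_groups:
        body["rbacGroupNames"] = list(rbac_groups)  # scope to device groups
    return body


def new_indicators(existing, candidates):
    """Drop candidates whose (type, value) pair already exists, so a bulk push
    behaves like the CSV import: only indicators not already present are added."""
    seen = {(i["indicatorType"], i["indicatorValue"].lower()) for i in existing}
    return [c for c in candidates
            if (c["indicatorType"], c["indicatorValue"].lower()) not in seen]


def _urllib_transport(url, headers, payload):
    """Default transport: real HTTPS POST returning the decoded JSON response."""
    req = urllib.request.Request(url, data=payload, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def submit_indicator(body, token, transport=_urllib_transport):
    """POST one indicator; `transport(url, headers, payload_bytes)` does the I/O."""
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    return transport(INDICATORS_URL, headers, json.dumps(body).encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: SHA-256 of the empty file, used only as a well-formed hash.
    sample = build_indicator(
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "FileSha256", "Block", "Sample blocked file",
        "Constructed example indicator", days_valid=30, rbac_groups=["Servers"])
    print(json.dumps(sample, indent=2))
```

To push for real, obtain a token for the app registration and call `submit_indicator(body, token)` with the default transport; to list what is already present before a bulk import, a `GET` against the same endpoint returns the existing indicators that `new_indicators` expects. Validating the value shape locally matters more than it looks: the service will happily store a hash with a dropped character, and the resulting indicator silently never fires.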

5. Partner Applications

  • Steps:
    • Follow links to available partners and set them up.

Conclusion

  • Multiple ways to add custom IoCs in Defender for Endpoint.
  • Further information available on Microsoft Docs.
  • Microsoft Security.