Transcript for:
Indicators of Compromise (IoCs) in Microsoft Defender for Endpoint

NARRATOR: Indicators of compromise, or IoCs, are data that indicate potential malicious activity in a network or computer system. They're an essential feature of any endpoint protection solution, like Microsoft Defender for Endpoint, which provides multiple ways to add and manage IoCs. I'll demonstrate those options in this video and describe why you might choose one over another. Microsoft uses the same list of IoCs in multiple places, but you only create them once. To get a sense of how this works, look at the article titled "Create Indicators" on Microsoft Docs. First, the cloud detection engine in Defender for Endpoint constantly scans data for matching IoCs and acts based on the settings you specify when you create them. Second, Microsoft Defender Antivirus honors the same list of IoCs and takes the appropriate action, like blocking the file when an IoC is discovered. And last, the automated investigation and remediation engine uses the same IoCs to ignore an allowed file or act on one that should be blocked, during an automated investigation. Now that you know how Defender for Endpoint uses IoCs, let's create some. That's next.

One method to add an IoC in Defender for Endpoint is by manually creating it. To do that in Microsoft 365 Defender, in "Settings," select "Endpoints," followed by "Indicators." There are different types of IoCs you can add, including file hashes, IP addresses, URLs and domains, and certificates. For this example, I'll manually add a file hash indicator by selecting "Add item." In "File hash," I'll paste the file hash that I previously copied to the clipboard. Then, I could pick an expiration date for this indicator. For example, you could create a temporary IoC while you continue an investigation. But I'll just leave it to never expire. On the next page, I can choose what happens when Defender for Endpoint finds this hash. I can allow or audit the file without blocking it, warn users with a prompt they can bypass, block the file, or block and remediate it. I'll select "Audit" and complete the information that will appear in the alert. This is just a demo, so in "Alert severity," I'll select "Informational," and in "Category," I'll select "Malware." A description is also required before continuing. On the Scope page, choose the device groups you want to apply this IoC to. In this case, I'll select "Check/Uncheck all" to include all my device groups, and then review the summary and select "Save." In the next segment, I'll demonstrate how to batch-import these indicators, saving you a good bit of time.

Many customers already have IoCs from other sources and can export them to a .csv file. In that case, you can easily import these files into Defender for Endpoint to batch-create IoCs. To import indicators, you need to have certain information in your .csv file. So, select "Download sample CSV" to get a sample that you can customize. Pretty simple structure. Notice that the expiration time on this one is blank. That means that it never expires. I used the sample to create my own file that shows each type of IoC that you can import into Microsoft Defender for Endpoint. Now I'm ready to import this, so select "Choose File," open the file, and then select "Import." That's it! And, by the way, if you're constantly adding to this .csv file, you can always re-import it and Defender for Endpoint will only add the new IoCs rather than adding duplicates. Next, I'll show you how to add indicators from any entity page in Defender for Endpoint.

Another way to add indicators in Microsoft 365 Defender is within the context of an entity. For example, Defender for Endpoint discovered this URL as part of an incident investigation. You can select "Add indicator" right here or select "Open url page" to view the URL's entity page and do it there. In the future, I want to block this URL, and to do that, I select "Add Indicator," which opens the same Indicator Creation Wizard I showed you earlier. The URL is already there, so I just need to complete the wizard. This experience makes it easy to add IoCs during an investigation.

Looking for something a bit more programmatic, like an API? You can use the Defender for Endpoint APIs to push IoCs. Your app will need permission to read and write all IoCs. For more information, see the article titled "Access the Microsoft Defender for Endpoint APIs" in Microsoft Docs. The final method to add IoCs to Defender for Endpoint is through partner applications. This page contains the list of available partners with links to how to set them up. Defender for Endpoint provides multiple ways to add custom indicators of compromise. You can learn more about IoCs in Defender for Endpoint on Microsoft Docs. Microsoft Security.
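The video's batch-import and API segments both start from the same thing: a CSV of indicators that has to be well-formed before it is uploaded or pushed. The script below is an added example, not Microsoft's code and not part of the video, that validates such a file the way a defender would before an import (hash length and hex check per type, IP and URL syntax, a required description, the "blank expiration means never expires" rule) and deduplicates on (type, value) so a growing file only carries new entries, as the narrator says the portal does. The column names, indicator type names (`FileSha256`, `IpAddress`, `Url`, ...), action names and the `POST /api/indicators` field names are assumptions taken from the public Defender for Endpoint documentation; check them against the "Download sample CSV" file from your own tenant. The CSV itself is constructed sample data.

```python
"""Validate and deduplicate a Defender for Endpoint indicator CSV (added example, not Microsoft's code)."""
import csv
import io
import ipaddress
import re
from urllib.parse import urlparse

# Assumed header of the portal's sample CSV; verify against "Download sample CSV".
COLUMNS = ["IndicatorType", "IndicatorValue", "ExpirationTime", "Action", "Severity",
           "Title", "Description", "RecommendedActions", "RbacGroups", "Category",
           "MitreTechniques", "GenerateAlert"]
# Assumed API action names; the wizard shows them as Allow/Audit/Warn/Block/Block and remediate.
VALID_ACTIONS = {"Allowed", "Audit", "Warn", "Block", "BlockAndRemediate", "Alert", "AlertAndBlock"}
HASH_LENGTHS = {"FileMd5": 32, "FileSha1": 40, "FileSha256": 64}
HEX = re.compile(r"^[0-9a-fA-F]+$")
DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def validate_value(itype, value):
    """Return None when the value is well-formed for its indicator type, else an error string."""
    if itype in HASH_LENGTHS:
        if len(value) != HASH_LENGTHS[itype] or not HEX.match(value):
            return f"{itype} must be {HASH_LENGTHS[itype]} hex characters"
    elif itype == "IpAddress":
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return "not a valid IPv4/IPv6 address"
    elif itype == "Url":
        parts = urlparse(value)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            return "URL needs an http(s) scheme and a host"
    elif itype == "DomainName":
        if not DOMAIN.match(value):
            return "not a valid domain name"
    elif itype == "CertificateThumbprint":
        if len(value) != 40 or not HEX.match(value):
            return "thumbprint must be 40 hex characters (SHA-1)"
    else:
        return f"unknown indicator type {itype!r}"
    return None


def parse_indicators(csv_text):
    """Parse, validate and deduplicate; returns (accepted_rows, error_messages)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [], [f"missing columns: {', '.join(missing)}"]
    rows, errors, seen = [], [], set()
    for n, row in enumerate(reader, start=2):          # line 1 is the header
        row = {k: (v or "").strip() for k, v in row.items()}
        itype, value = row["IndicatorType"], row["IndicatorValue"]
        problem = validate_value(itype, value)
        if problem is None and row["Action"] not in VALID_ACTIONS:
            problem = f"unsupported action {row['Action']!r}"
        if problem is None and not row["Description"]:
            problem = "description is required"        # the wizard requires one too
        if problem:
            errors.append(f"line {n}: {problem}")
            continue
        key = (itype, value.lower())                   # hashes compare case-insensitively
        if key in seen:
            continue                                   # re-import: skip what is already present
        seen.add(key)
        rows.append(row)
    return rows, errors


def to_api_body(row):
    """Map one accepted row to a request body for POST /api/indicators (assumed field names)."""
    body = {"indicatorValue": row["IndicatorValue"], "indicatorType": row["IndicatorType"],
            "action": row["Action"], "title": row["Title"], "severity": row["Severity"],
            "description": row["Description"]}
    if row["ExpirationTime"]:                          # blank in the CSV means "never expires"
        body["expirationTime"] = row["ExpirationTime"]
    if row["RbacGroups"]:
        body["rbacGroupNames"] = [g.strip() for g in row["RbacGroups"].split(";")]
    return body


# Constructed sample file: four good rows, one duplicate hash (different case), one malformed hash.
_H = "3b1f" * 16
SAMPLE_CSV = ",".join(COLUMNS) + "\n" + "\n".join([
    f"FileSha256,{_H},,Audit,Informational,Demo hash,Demo indicator from the video,,,Malware,,TRUE",
    "IpAddress,203.0.113.10,2030-01-01T00:00:00Z,Block,Medium,Test IP,Documentation range address,,Group A;Group B,,,TRUE",
    "Url,https://example.invalid/payload,,Warn,Low,Test URL,Constructed URL,,,,,TRUE",
    "DomainName,example.invalid,,Block,Low,Test domain,Constructed domain,,,,,TRUE",
    f"FileSha256,{_H.upper()},,Audit,Informational,Dup,Duplicate of the first hash,,,Malware,,TRUE",
    "FileSha1,notahash,,Block,High,Bad,Malformed hash,,,,,TRUE",
]) + "\n"

if __name__ == "__main__":
    accepted, problems = parse_indicators(SAMPLE_CSV)
    print(f"{len(accepted)} indicators ready, {len(problems)} rejected")
    for p in problems:
        print("  ", p)
    print(to_api_body(accepted[1]))
```

Run it as a pre-flight step before uploading the file in "Indicators" or submitting each `to_api_body` result with an app that holds the indicator read/write permission the video mentions; rejected lines are reported with their line number so the source file can be fixed rather than silently skipped.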