ioc content updates

Joey Caparas 2020-04-20 10:32:19 -07:00
parent 8305dfe653
commit 4eae06d0bd
2 changed files with 36 additions and 17 deletions

View File

@ -1,7 +1,7 @@
--- ---
title: Manage indicators title: Manage indicators
ms.reviewer: ms.reviewer:
description: Create indicators for a file hash, IP address, URLs or domains that define the detection, prevention, and exclusion of entities. description: Create indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities.
keywords: manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain keywords: manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
search.appverid: met150 search.appverid: met150
@ -26,7 +26,7 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Microsoft Defender ATP and gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response). Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response).
Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to. Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to.
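Review bot: The first sentence of this hunk still reads "Indicator of compromise (IoCs) matching", mixing a singular noun with a plural abbreviation; since the line is being edited anyway, suggest "Indicators of compromise (IoCs) matching". The second sentence chains "as well as" twice; suggest "You can define the action to be taken, the duration for which to apply it, and the machine groups it applies to."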
@ -54,7 +54,7 @@ You can create an indicator for:
- URLs/domains - URLs/domains
>[!NOTE] >[!NOTE]
>There is a limit of 5000 indicators per tenant. >There is a limit of 15,000 indicators per tenant.
![Image of indicators settings page](images/rules-indicators.png) ![Image of indicators settings page](images/rules-indicators.png)
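Review bot: The per-tenant limit changes from 5000 to 15,000 with no other change in this hunk; if the same limit is quoted on the indicators API page (ti-indicator.md, also touched by this commit), it should be updated in the same commit so the two pages do not disagree.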
@ -103,17 +103,17 @@ One of the options when taking [response actions on a file](respond-file-alerts.
When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a machine in your organization attempts to run it. When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a machine in your organization attempts to run it.
Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue. Files automatically blocked by an indicator won't show up in the file's Action center, but the alerts will still be visible in the Alerts queue.
## Create indicators for IPs and URLs/domains (preview) ## Create indicators for IPs and URLs/domains (preview)
Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs, through Windows Defender SmartScreen for Microsoft browsers, and through Network Protection for non-Microsoft browsers or calls made outside of a browser. Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs, through Windows Defender SmartScreen for Microsoft browsers, and through Network Protection for non-Microsoft browsers or calls made outside of a browser.
The threat intelligence data set for this has been managed by Microsoft. The threat intelligence data set for this has been managed by Microsoft.
By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs or domains based on your own threat intelligence. You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others. By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your own threat intelligence. You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others.
### Before you begin ### Before you begin
It's important to understand the following prerequisites prior to creating indicators for IPS, URLs or domains: It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains:
- URL/IP allow and block relies on the Microsoft Defender ATP component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Protect your network](network-protection.md). - URL/IP allow and block relies on the Microsoft Defender ATP component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Protect your network](network-protection.md).
- The Antimalware client version must be 4.18.1906.x or later. - The Antimalware client version must be 4.18.1906.x or later.
- Supported on machines on Windows 10, version 1709 or later. - Supported on machines on Windows 10, version 1709 or later.
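Review bot: "IPS" in "prerequisites prior to creating indicators for IPS, URLs, or domains" is left as-is while the serial comma is added; it should read "IPs" to match the heading "### Create an indicator for IPs, URLs, or domains" later in this file. The "files's" to "file's" correction in the same hunk is good.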
@ -132,7 +132,7 @@ It's important to understand the following prerequisites prior to creating indic
>[!NOTE] >[!NOTE]
>There may be up to 2 hours latency (usually less) between the time the action is taken, and the URL and IP being blocked. >There may be up to 2 hours latency (usually less) between the time the action is taken, and the URL and IP being blocked.
### Create an indicator for IPs, URLs or domains from the settings page ### Create an indicator for IPs, URLs, or domains from the settings page
1. In the navigation pane, select **Settings** > **Indicators**. 1. In the navigation pane, select **Settings** > **Indicators**.
@ -163,8 +163,24 @@ You can also choose to upload a CSV file that defines the attributes of indicato
Download the sample CSV to know the supported column attributes. Download the sample CSV to know the supported column attributes.
The following table shows the supported parameters.
Parameter | Type | Description
:---|:---|:---
indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity. **Required**
action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required**
title | String | Indicator alert title. **Required**
description | String | Description of the indicator. **Required**
expirationTime | DateTimeOffset | The expiration time of the indicator in the following format YYYY-MM-DDTHH:MM:SS.0Z. **Optional**
severity | Enum | The severity of the indicator. Possible values are: "Informational", "Low", "Medium" and "High". **Optional**
recommendedActions | String | TI indicator alert recommended actions. **Optional**
rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional**
## Related topic ## Related topic
- [Create contextual IoC](respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) - [Create contextual IoC](respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
- [Use the Microsoft Defender ATP indicators API](ti-indicator.md) - [Use the Microsoft Defender ATP indicators API](ti-indicator.md)
- [Use partner integrated solutions](partner-applications.md) - [Use partner integrated solutions](partner-applications.md)
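Review bot: The rbacGroupNames row describes a comma-separated list inside a single CSV cell but does not say that such a cell must be enclosed in double quotes, otherwise the CSV parser splits it into extra columns; suggest adding a sample value such as `"group1,group2"` to the description. Also, the expirationTime format given here (YYYY-MM-DDTHH:MM:SS.0Z) is absent from the matching row on the API page in this same commit, so the two tables should be aligned, and the "Possible values" lists for indicatorType and severity omit the serial comma this commit adds elsewhere ("DomainName" and "Url" / "Medium" and "High").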

View File

@ -71,6 +71,7 @@ description | String | Description of the indicator. **Required**
expirationTime | DateTimeOffset | The expiration time of the indicator. **Optional** expirationTime | DateTimeOffset | The expiration time of the indicator. **Optional**
severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High". **Optional** severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High". **Optional**
recommendedActions | String | TI indicator alert recommended actions. **Optional** recommendedActions | String | TI indicator alert recommended actions. **Optional**
rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional**
## Response ## Response
@ -95,8 +96,10 @@ Content-type: application/json
"action": "AlertAndBlock", "action": "AlertAndBlock",
"severity": "Informational", "severity": "Informational",
"description": "test", "description": "test",
"recommendedActions": "nothing" "recommendedActions": "nothing",
“rbacGroupNames": [“group1”, “group2”]
} }
```
## Related topic ## Related topic
- [Manage indicators](manage-indicators.md) - [Manage indicators](manage-indicators.md)
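Review bot: The added line `“rbacGroupNames": [“group1”, “group2”]` uses typographic curly quotes (“ ”) on the key and on both array values, so anyone copying the sample gets invalid JSON; replace them with straight double quotes: `"rbacGroupNames": ["group1", "group2"]`. The trailing comma added to the recommendedActions line is correct.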