updates to indicators

.openpublishing.redirection.json

@@ -631,6 +631,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md",
+"redirect_url": "windows/security/threat-protection/microsoft-defender-atp/manage-indicators",
+"redirect_document_id": false
+},
+{
 "source_path": "windows/security/threat-protection/device-guard/optional-create-a-code-signing-certificate-for-windows-defender-application-control.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control",
 "redirect_document_id": true
@@ -15314,3 +15319,5 @@
 }
 ]
 }
+
+

windows/security/threat-protection/TOC.md

@@ -501,7 +501,6 @@
   
 #### [Rules]()
 ##### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md)
-##### [Manage automation allowed/blocked lists](microsoft-defender-atp/manage-automation-allowed-blocked-list.md)
 ##### [Manage indicators](microsoft-defender-atp/manage-indicators.md)
 ##### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md)
 ##### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md)

windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md

@@ -16,6 +16,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
+ROBOTS: NOINDEX
 ---
 
 # Manage indicators 
@@ -25,8 +26,32 @@ ms.topic: article
 
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
 
+Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Microsoft Defender ATP and gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response).
+
+
 Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to.
 
+Currently supported sources are the cloud detection engine of Microsoft Defender ATP, the automated investigation and remediation engine, and the endpoint prevention engine (Windows Defender AV).
+
+**Cloud detection engine**<br>
+The cloud detection engine of Microsoft Defender ATP regularly scans collected data and tries to match the indicators you set. When there is a match, action will be taken according to the settings you specified for the IoC.
+
+**Endpoint prevention engine**<br>
+The same list of indicators is honored by the prevention agent. Meaning, if Windows Defender AV is the primary AV configured, the matched indicators will be treated according to the settings. For example, if the action is "Alert and Block", Windows Defender AV will prevent file executions (block and remediate) and a corresponding alert will be raised. On the other hand, if the Action is set to "Allow", Windows Defender AV  will not detect nor block the file from being run.
+
+>![NOTE]
+>-There is a propagation time of several minutes before the blocking policy for a new hash is applied.
+>- Trusted signed files will be treated differently. Microsoft Defender ATP is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications.
+
+
+**Automated investigation and remediation engine**
+The automated investigation and remediation behave the same. If an indicator is set to "Allow", Automated investigation and remediation will ignore a "bad" verdict for it. If set to "Block", Automated investigation and remediation will treat it as “bad”.
+ 
+In the first phase, the file hashes are fully supported, while network addresses (IP, Domain names) are partially supported (Automation and Detection).  Stay tuned as the network blocking and more IoCs become available.
+ 
+The current actions supported are Allow, Alert-only, Alert&Block. 
+
+
 On the top navigation you can:
 
 - Import a list
@@ -37,7 +62,34 @@ On the top navigation you can:
 - Navigate between pages
 - Apply filters
 
-## Create an indicator
+There are several ways to control IoCs:
+- [Create an indicator from the settings page](#create-an-indicator-from-the-settings-page)
+- [Create contextual IoC](respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
+- [Import a list of IoCs](#import-a-list-of-iocs)
+- [Use the Microsoft Defender ATP indicators API](ti-indicator.md)
+- [Use partner integrated solutions](partner-applications.md)
+
+## Before you begin
+
+Creating IoCs must comply to the following:
+
+>- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
+>
+>- The Antimalware client version must be 4.18.1901.x or later.
+>- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
+>- This response action is available for machines on Windows 10, version 1703 or later.
+>- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action.
+
+>[!NOTE]
+> The PE file needs to be in the machine timeline for you to be able to take this action.
+>
+> There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
+
+
+## Create an indicator from the settings page
+
+>[!NOTE]
+>There is a limit of 5000 indicators per tenant. 
 
 1. In the navigation pane, select **Settings** > **Indicators**.  
 
@@ -69,7 +121,7 @@ On the top navigation you can:
 
 3. Update the details of the indicator and click **Save** or click the **Delete** button if you'd like to remove the entity from the list.
 
-## Import a list
+## Import a list of IoCs
 
 You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details.
 

windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md

@@ -29,6 +29,7 @@ ms.topic: article
 - Submits or Updates new [Indicator](ti-indicator.md) entity.
 
 
+
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
 
@@ -116,3 +117,6 @@ Content-type: application/json
 }
 
 ```
+
+## Related topic
+- [Manage indicators](manage-indicators.md)