mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00

Joey Caparas 66ecae7bb4 turn ip/urls to GA

2019-10-29 16:06:11 -07:00

8.7 KiB

Raw Blame History

title, ms.reviewer, description, keywords, search.product, search.appverid, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, ms.author, author, ms.localizationpriority, manager, audience, ms.collection, ms.topic

title	ms.reviewer	description	keywords	search.product	search.appverid	ms.prod	ms.mktglfcycl	ms.sitesec	ms.pagetype	ms.author	author	ms.localizationpriority	manager	audience	ms.collection	ms.topic
Manage indicators		Create indicators for a file hash, IP address, URLs or domains that define the detection, prevention, and exclusion of entities.	manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain	eADQiWindows 10XVcnh	met150	w10	deploy	library	security	macapara	mjcaparas	medium	dansimp	ITPro	M365-security-compliance	article

Manage indicators

Applies to:

Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)

Want to experience Microsoft Defender ATP? Sign up for a free trial.

Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Microsoft Defender ATP and gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response).

Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to.

Currently supported sources are the cloud detection engine of Microsoft Defender ATP, the automated investigation and remediation engine, and the endpoint prevention engine (Windows Defender AV).

Cloud detection engine
The cloud detection engine of Microsoft Defender ATP regularly scans collected data and tries to match the indicators you set. When there is a match, action will be taken according to the settings you specified for the IoC.

Endpoint prevention engine
The same list of indicators is honored by the prevention agent. Meaning, if Windows Defender AV is the primary AV configured, the matched indicators will be treated according to the settings. For example, if the action is "Alert and Block", Windows Defender AV will prevent file executions (block and remediate) and a corresponding alert will be raised. On the other hand, if the Action is set to "Allow", Windows Defender AV will not detect nor block the file from being run.

Automated investigation and remediation engine
The automated investigation and remediation behave the same. If an indicator is set to "Allow", Automated investigation and remediation will ignore a "bad" verdict for it. If set to "Block", Automated investigation and remediation will treat it as "bad".

The current supported actions are:

Allow
Alert only
Alert and block

You can create an indicator for:

Files
IP addresses
URLs/domains

Note

There is a limit of 5000 indicators per tenant.

Create indicators for files

You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.

There are two ways you can create indicators for files:

By creating an indicator through the settings page
By creating a contextual indicator using the add indicator button from the file details page

Before you begin

It's important to understand the following prerequisites prior to creating indicators for files:

This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see Manage cloud–based protection.
The Antimalware client version must be 4.18.1901.x or later.
Supported on machines on Windows 10, version 1703 or later.
To start blocking files, you first need to turn the Block or allow feature on in Settings.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including .exe and .dll files. The coverage will be extended over time.

Important

The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action

Trusted signed files will be treated differently. Microsoft Defender ATP is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications.

The PE file needs to be in the machine timeline for you to be able to take this action.

Note

There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.

Create an indicator for files from the settings page

In the navigation pane, select Settings > Indicators.
Select the File hash tab.
Select Add indicator.
Specify the following details:
- Indicator - Specify the entity details and define the expiration of the indicator.
- Action - Specify the action to be taken and provide a description.
- Scope - Define the scope of the machine group.
Review the details in the Summary tab, then click Save.

Create a contextual indicator from the file details page

One of the options when taking response actions on a file is adding an indicator for the file.

When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a machine in your organization attempts to run it.

Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue.

Create indicators for IPs and URLs/domains

Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs through SmartScreen for Microsoft browsers and Network Protection for non-Microsoft browsers and calls made outside the browser.

The threat intelligence data set for this has been managed by Microsoft.

By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs or domains based on your own threat intelligence. You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others.

Before you begin

It's important to understand the following prerequisites prior to creating indicators for IPS, URLs or domains:

URL/IP allow and block relies on the Microsoft Defender ATP component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see Protect your network.
The Antimalware client version must be 4.18.1906.x or later.
Supported on machines on Windows 10, version 1709 or later.
Ensure that Custom network indicators is enabled in Microsoft Defender Security Center > Settings > Advanced features. For more information, see Advanced features.

Important

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs.

Note

There may be up to 2 hours latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Create an indicator for IPs, URLs or domains from the settings page

In the navigation pane, select Settings > Indicators.
Select the IP addresses or URLs/Domains tab.
Select Add indicator.
Specify the following details:
- Indicator - Specify the entity details and define the expiration of the indicator.
- Action - Specify the action to be taken and provide a description.
- Scope - Define the scope of the machine group.
Review the details in the Summary tab, then click Save.