Create indicators

Applies to:

Indicator of compromise (IoC) matching is an essential feature in every endpoint protection solution. This capability gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response).

Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken, the duration for which to apply the action, and the scope of the device group to apply it to.

Currently supported sources are the cloud detection engine of Defender for Endpoint, the automated investigation and remediation engine, and the endpoint prevention engine (Microsoft Defender Antivirus).

Cloud detection engine

The cloud detection engine of Defender for Endpoint regularly scans collected data and tries to match the indicators you set. When there is a match, action will be taken according to the settings you specified for the IoC.

Endpoint prevention engine

The same list of indicators is honored by the prevention agent. That is, if Microsoft Defender AV is the primary AV configured, the matched indicators will be treated according to the settings. For example, if the action is "Alert and Block", Microsoft Defender AV will prevent file executions (block and remediate) and a corresponding alert will be raised. On the other hand, if the action is set to "Allow", Microsoft Defender AV will neither detect nor block the file from being run.

Automated investigation and remediation engine

The automated investigation and remediation engine behaves the same way. If an indicator is set to "Allow", automated investigation and remediation will ignore a "bad" verdict for it. If set to "Block", automated investigation and remediation will treat it as "bad".

The EnableFileHashComputation setting computes the file hash for the cert and file IoC during file scans. It supports IoC enforcement of hashes and certs belonging to trusted applications. It will be concurrently enabled and disabled with the allow or block file setting. EnableFileHashComputation is enabled manually through Group Policy, and is disabled by default.

The currently supported actions are:

  • Allow
  • Alert only
  • Alert and block
  • Warn

Note

Using Warn mode will prompt your users with a warning if they open a risky app. The prompt won't block them from using the app, but you can provide a custom message and links to a company page that describes appropriate usage of the app. Users can still bypass the warning and continue to use the app if they need to. For more information, see Govern apps discovered by Microsoft Defender for Endpoint.

You can create an indicator for:

Note

There is a limit of 15,000 indicators per tenant. File and certificate indicators do not block exclusions defined for Microsoft Defender Antivirus. Indicators are not supported in Microsoft Defender Antivirus when it is in passive mode.

Public Preview for Automated investigation and remediation engine

Important

Information in this section (Public Preview for Automated investigation and remediation engine) relates to prereleased product which might be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

When creating a new indicator (IoC), one or more of the following actions are now available:

  • Allow – the IoC will be allowed to run on your devices.
  • Audit – an alert will be triggered when the IoC runs.
  • Block execution – the IoC will not be allowed to run.
  • Block and remediate – the IoC will not be allowed to run and a remediation action will be applied to the IoC.

The table below shows exactly which actions are available per indicator (IoC) type:

IoC type          | Available actions
Files             | Allow, Audit, Block and remediate
IP addresses      | Allow, Audit, Block execution
URLs and domains  | Allow, Audit, Block execution
Certificates      | Allow, Block and remediate

For example, the original three IoC response actions were “allow,” “alert only,” and “alert and block.” As part of the update, the functionality of pre-existing IoCs will not change. However, the indicators were renamed to match the currently supported response actions:

  • The “alert only” response action was renamed to “audit” with the generate alert setting enabled.
  • The “alert and block” response was renamed to “block and remediate” with the optional generate alert setting.

The IoC API schema and the threat IDs in advanced hunting have been updated to align with the renaming of the IoC response actions. The API schema changes apply to all IoC types.
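
An added example, not part of the original page or Microsoft's code: a pre-import check that applies the renaming of the legacy response actions, rejects any action the table above does not list for the indicator type, and enforces the per-tenant limit. The CSV column names and sample rows are constructed for illustration and are not the product's import format.

```python
# Added example: lint indicator rows before import. The column names ("type",
# "value", "action", "generate_alert") are constructed, not the product's schema.
import csv
import io

TENANT_LIMIT = 15_000  # per-tenant indicator limit stated on this page

# Actions available per IoC type, taken from the table on this page.
ALLOWED = {
    "files": {"allow", "audit", "block and remediate"},
    "ip addresses": {"allow", "audit", "block execution"},
    "urls and domains": {"allow", "audit", "block execution"},
    "certificates": {"allow", "block and remediate"},
}

# Legacy action -> (renamed action, generate-alert value; None keeps the row's own).
LEGACY = {
    "alert only": ("audit", True),
    "alert and block": ("block and remediate", None),
}


def lint_indicators(csv_text, existing_count=0):
    """Return (normalized_rows, errors) for a CSV of indicators."""
    rows, errors = [], []
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        ioc_type = row["type"].strip().lower()
        action = row["action"].strip().lower()
        alert = (row.get("generate_alert") or "").strip().lower() == "true"
        if action in LEGACY:  # apply the renaming described above
            action, forced = LEGACY[action]
            alert = alert if forced is None else forced
        if ioc_type not in ALLOWED:
            errors.append(f"line {n}: unknown IoC type {row['type']!r}")
        elif action not in ALLOWED[ioc_type]:
            errors.append(f"line {n}: {action!r} is not available for {ioc_type}")
        else:
            rows.append({**row, "type": ioc_type, "action": action,
                         "generate_alert": alert})
    if existing_count + len(rows) > TENANT_LIMIT:
        errors.append(f"import would exceed {TENANT_LIMIT} indicators per tenant")
    return rows, errors


# Constructed sample input; the values are placeholders, not real indicators.
SAMPLE = """type,value,action,generate_alert
Files,<sha256-placeholder-1>,Alert only,false
IP addresses,192.0.2.10,Block and remediate,true
Certificates,<thumbprint-placeholder>,Audit,true
Files,<sha256-placeholder-2>,Alert and block,false
"""
```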

Note

For file indicators, raising an alert on block actions is optional.

The format for importing new indicators (IoCs) has changed according to the new updated actions and alerts settings. We recommend downloading the new CSV format that can be found at the bottom of the import panel.