Manage indicators in Microsoft Defender for Endpoint
1. In the navigation pane, select Settings > Endpoints > Indicators (under Rules).
2. Select the tab for the indicator type you want to manage, such as File hashes, IP addresses, URLs/domains, or Certificates.
3. Update the indicator details, and then select Save. To remove the indicator from the list, select Delete.
Import a list of IoCs
You can upload indicators from a CSV file that defines indicator attributes, actions, and other details. Download the sample indicators CSV file from the import page to review the supported column attributes.

1. In the navigation pane, select Settings > Endpoints > Indicators (under Rules).
2. Select the tab of the entity type you'd like to import indicators for.
3. Select Import > Choose file.
4. Select Import. Repeat for all the files you'd like to import.
5. Select Done.
Note
A batch can contain at most 500 indicators; split larger lists across several files. If a row specifies a category, the value must be written in Pascal case (for example, CredentialAccess) and must be one of the categories listed in the portal; rows with any other category value are not accepted.
The following table shows the supported parameters.
| Parameter | Type | Description |
|---|---|---|
| indicatorType | Enum | Type of the indicator. Possible values are: FileSha1, FileSha256, IpAddress, DomainName, and Url. Required |
| indicatorValue | String | The value of the indicator itself (the hash, IP address, domain name, or URL). Required |
| action | Enum | The action taken when the indicator is observed in the organization. Possible values are: Allowed, Audit, BlockAndRemediate, Warn, and Block. Required |
| title | String | Title of the alert raised for this indicator. Required |
| description | String | Description of the indicator. Required |
| expirationTime | DateTimeOffset | The expiration time of the indicator in the format YYYY-MM-DDTHH:MM:SS.0Z. The indicator is deleted once the expiration time passes; expiry is evaluated to the second (the SS value). Optional |
| severity | Enum | The severity of the indicator. Possible values are: Informational, Low, Medium, and High. Optional |
| recommendedActions | String | Recommended actions shown in the alert raised for this indicator. Optional |
| rbacGroups | String | Comma-separated list of RBAC groups the indicator applies to. Optional |
| category | String | Category of the alert, written in Pascal case and taken from the portal's category list. Examples include: Execution and CredentialAccess. Optional |
| mitretechniques | String | Comma-separated MITRE ATT&CK technique IDs. For more information, see Enterprise tactics. Optional. When you specify a MITRE technique, it's recommended to also set a value in category. |
| GenerateAlert | String | Whether an alert should be generated. Possible values are: True or False. Optional |
Note
Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported; list each address as a separate IpAddress indicator. For the list of alert categories, which are aligned with MITRE ATT&CK, see Microsoft Defender for Endpoint alert categories are now aligned with MITRE ATT&CK!.
Network indicators (IpAddress, DomainName, and Url) do not support the action BlockAndRemediate. A network indicator set to BlockAndRemediate is not imported.
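The import procedure above, the parameter table, and the two notes together define what a valid batch file looks like. The following script is an added example (not part of this page or of Microsoft's tooling) that validates a list of indicators against those documented rules and writes them out as CSV files of at most 500 rows each. It assumes the CSV column headers match the parameter names in the table; the sample CSV downloaded from the import page is authoritative for the exact header names. The indicator rows are constructed sample data (empty-input hashes, TEST-NET-3 addresses, and .example names), not real threat intelligence.

```python
import csv
import io
import ipaddress
import re

# Column headers assumed to match the parameter names in the table above (check
# against the sample CSV downloaded from the import page before use).
COLUMNS = ["indicatorType", "indicatorValue", "action", "title", "description",
           "expirationTime", "severity", "recommendedActions", "rbacGroups",
           "category", "mitretechniques", "GenerateAlert"]
REQUIRED = ["indicatorType", "indicatorValue", "action", "title", "description"]
INDICATOR_TYPES = {"FileSha1", "FileSha256", "IpAddress", "DomainName", "Url"}
NETWORK_TYPES = {"IpAddress", "DomainName", "Url"}
ACTIONS = {"Allowed", "Audit", "BlockAndRemediate", "Warn", "Block"}
SEVERITIES = {"Informational", "Low", "Medium", "High"}
BATCH_LIMIT = 500                        # maximum indicators per uploaded file
PASCAL_CASE = re.compile(r"[A-Z][A-Za-z]*")
EXPIRATION = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.0Z")


def validate(row):
    """Return the documented-rule violations for one row; an empty list means importable."""
    errors = []
    for field in REQUIRED:
        if not row.get(field):
            errors.append(f"missing required field {field}")
    itype, value, action = row.get("indicatorType"), row.get("indicatorValue", ""), row.get("action")
    if itype not in INDICATOR_TYPES:
        errors.append(f"unsupported indicatorType {itype!r}")
    if action not in ACTIONS:
        errors.append(f"unsupported action {action!r}")
    if itype in NETWORK_TYPES and action == "BlockAndRemediate":
        errors.append("network indicators do not support BlockAndRemediate")
    if itype == "IpAddress":
        if "/" in value:
            errors.append("CIDR notation is not supported; list individual addresses")
        else:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                errors.append(f"{value!r} is not a valid IP address")
    if itype == "FileSha1" and not re.fullmatch(r"[0-9a-fA-F]{40}", value):
        errors.append("FileSha1 value must be 40 hex characters")
    if itype == "FileSha256" and not re.fullmatch(r"[0-9a-fA-F]{64}", value):
        errors.append("FileSha256 value must be 64 hex characters")
    if row.get("expirationTime") and not EXPIRATION.fullmatch(row["expirationTime"]):
        errors.append("expirationTime must be formatted as YYYY-MM-DDTHH:MM:SS.0Z")
    if row.get("severity") and row["severity"] not in SEVERITIES:
        errors.append(f"unsupported severity {row['severity']!r}")
    if row.get("category") and not PASCAL_CASE.fullmatch(row["category"]):
        errors.append("category must be Pascal case, e.g. CredentialAccess")
    if row.get("GenerateAlert") and row["GenerateAlert"] not in {"True", "False"}:
        errors.append("GenerateAlert must be True or False")
    return errors


def build_batches(rows):
    """Split importable rows into CSV documents of at most BATCH_LIMIT rows each.

    Returns (list of CSV strings, list of (row, errors) that were rejected)."""
    accepted, rejected = [], []
    for row in rows:
        errors = validate(row)
        if errors:
            rejected.append((row, errors))
        else:
            accepted.append(row)
    batches = []
    for start in range(0, len(accepted), BATCH_LIMIT):
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=COLUMNS, extrasaction="ignore")
        writer.writeheader()
        for row in accepted[start:start + BATCH_LIMIT]:
            writer.writerow({col: row.get(col, "") for col in COLUMNS})
        batches.append(buf.getvalue())
    return batches, rejected


# Constructed sample input (not from the page): three importable rows followed by
# three that each break one of the documented rules.
SAMPLE_INDICATORS = [
    {"indicatorType": "FileSha256", "action": "BlockAndRemediate", "title": "Known dropper",
     "indicatorValue": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "description": "Constructed example (SHA-256 of empty input)", "severity": "High",
     "expirationTime": "2030-01-01T00:00:00.0Z", "category": "Execution",
     "mitretechniques": "T1059", "GenerateAlert": "True"},
    {"indicatorType": "IpAddress", "indicatorValue": "203.0.113.10", "action": "Block",
     "title": "C2 host", "description": "Constructed example (TEST-NET-3)", "severity": "Medium",
     "category": "CommandAndControl", "mitretechniques": "T1071", "GenerateAlert": "True"},
    {"indicatorType": "DomainName", "indicatorValue": "bad.example", "action": "Warn",
     "title": "Phishing domain", "description": "Constructed example", "severity": "Low"},
    # Rejected: CIDR ranges are not supported for IpAddress indicators.
    {"indicatorType": "IpAddress", "indicatorValue": "203.0.113.0/24", "action": "Block",
     "title": "C2 range", "description": "Constructed example"},
    # Rejected: network indicators do not support BlockAndRemediate.
    {"indicatorType": "Url", "indicatorValue": "https://bad.example/payload",
     "action": "BlockAndRemediate", "title": "Payload URL", "description": "Constructed example"},
    # Rejected: category must be Pascal case ("CredentialAccess", not "credential access").
    {"indicatorType": "FileSha1", "indicatorValue": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "action": "Audit", "title": "Suspicious tool", "description": "Constructed example",
     "category": "credential access"},
]

if __name__ == "__main__":
    batches, rejected = build_batches(SAMPLE_INDICATORS)
    for n, csv_text in enumerate(batches, 1):
        path = f"indicators-batch-{n}.csv"
        with open(path, "w", newline="", encoding="utf-8") as f:
            f.write(csv_text)
        print(f"wrote {path}")
    for row, errors in rejected:
        print(f"rejected {row['indicatorType']} {row['indicatorValue']}: {'; '.join(errors)}")
```

Each generated file is one portal upload (Import > Choose file); rejected rows are reported with the rule they broke so they can be corrected rather than silently dropped during import.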
Watch this video to learn how Microsoft Defender for Endpoint provides multiple ways to add and manage Indicators of compromise (IoCs).