A little while ago we introduced the unified indicators of compromise (IOC) experience in Microsoft Defender ATP allowing you to define your organization-specific rules for detection, prevention, and the exclusion of entities.
With this update, we unified several different IOC lists and made the lists more accessible for interactive (portal) and automated (API) use. In addition, we aligned all detection and enforcement means to honor the unified list. The new schema supports several actions such as allow, alert-only, and alert and block. Today you can define the action to be taken on detected files and IPs, and soon we will also expose URLs, domains, and certificates. It also supports RBAC for fine-grained control over user access.
As part of this overall API alignment, we are deprecating the previous custom TI APIs and are asking you to migrate automation based on the custom TI to the new unified IOCs paradigm. The migration is easy and straightforward.
Migration path
Your existing custom TI rules will be migrated automatically to the new unified indicators experience. Please make sure to port any automation based on the custom TI API into the new unified IOCs paradigm in advance.
You can find more details here on how to configure new indicators through the management UI or through the rich set of Microsoft Defender ATP programmatic APIs.
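As an added example (not code from the original post or from Microsoft), the following helper shows how automation built on the old custom TI rules can be translated into request bodies for the unified indicators schema described above, covering the file hash and IP entity types and the allow, alert-only, and alert and block actions. The field names and action enum values are assumptions based on the public Indicators API, and the sample rules are constructed; verify both against current documentation before submitting anything to a tenant.

```python
"""Translate legacy-style custom TI rules into unified indicator request bodies.
Field names and action values are ASSUMED from the public Indicators API; the
sample rules at the bottom are constructed, not real indicators."""
import ipaddress
import json
import re

# Actions named in the post, mapped to the assumed API enum values.
ACTIONS = {"allow": "Allowed", "alert-only": "Alert", "alert and block": "AlertAndBlock"}
# Entity types the post says are supported today: files (by hash) and IPs.
_SHA1 = re.compile(r"^[0-9a-fA-F]{40}$")
_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")


def classify_value(value: str) -> str:
    """Return the indicatorType for a SHA-1/SHA-256 hash or an IP address; raise otherwise."""
    if _SHA256.match(value):
        return "FileSha256"
    if _SHA1.match(value):
        return "FileSha1"
    try:
        ipaddress.ip_address(value)
        return "IpAddress"
    except ValueError:
        raise ValueError(f"unsupported indicator value: {value!r}")


def build_indicator(value: str, action: str, title: str, description: str = "",
                    severity: str = "Medium") -> dict:
    """Build one unified indicator body; rejects unknown actions and malformed values."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}; expected one of {sorted(ACTIONS)}")
    return {
        "indicatorValue": value,
        "indicatorType": classify_value(value),
        "action": ACTIONS[action],
        "title": title,
        "description": description,
        "severity": severity,
    }


def migrate_rules(legacy_rules: list) -> tuple:
    """Convert all legacy rules; bad rules are collected as errors, never silently dropped."""
    bodies, errors = [], []
    for rule in legacy_rules:
        try:
            bodies.append(build_indicator(rule["value"], rule["action"], rule["title"],
                                          rule.get("description", "")))
        except ValueError as exc:
            errors.append((rule.get("title"), str(exc)))
    return bodies, errors


# Constructed sample legacy rules (placeholder hashes and a documentation-range IP).
SAMPLE_RULES = [
    {"title": "blocked tool", "value": "a" * 64, "action": "alert and block"},
    {"title": "known-good updater", "value": "b" * 40, "action": "allow"},
    {"title": "suspicious host", "value": "203.0.113.7", "action": "alert-only"},
    {"title": "bad entry", "value": "not-a-hash", "action": "allow"},
]

if __name__ == "__main__":
    bodies, errors = migrate_rules(SAMPLE_RULES)
    print(json.dumps(bodies, indent=2))
    print("rejected:", errors)
```

Each body is the JSON you would POST to the indicators endpoint once per rule; review the rejected list before any run against a live tenant.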
Timelines
The custom TI will remain available for the next few weeks, until August 29th, 2019. We will then discontinue support for the custom TI.
Talk to us
As always, please don’t hesitate to contact our team at the Microsoft Defender ATP community if you have any questions or concerns.
Updated Apr 07, 2020
Version 4.0
Haim Goldshtein, Microsoft
Microsoft Defender for Endpoint Blog