Can I check whether an IoC/hash is already monitored by MDE?

Question

The list of IoC is limited to 15k. I imagine some IoCs entries from our "custom list" are already monitored by Microsoft/MDE. So, is there a way to check whether there is a detection rule for a specific IoC (hash)? This would save us some thousand entries and improve our monitoring coverage.

*Better to join forces than reinvent the wheel.

daniel simpson · Answer

Good question. Let me follow up on this for you. Will reply soon.

thomas_doucette · Answer

jjsantanna&nbsp;you can use this API to check the determination on a file hash:&nbsp;File resource type | Microsoft Docs.
&nbsp;
Hopefully this helps! 🙂&nbsp;

deleted · Answer

Problem is, how would you implement it to check "thousands" of entries?

Forum Discussion

Can I check whether an IoC/hash is already monitored by MDE?

3 Replies

Resources