Solu662125
Copper Contributor
Feb 09, 2023

Create indicators for files in Defender

Hello,


I'm looking for some guidelines here when creating a block list for "file hashes".

My understanding is that when Defender definitions are updated daily, they already include known & bad file hashes, so should we be doing it manually by following the below? Or is it even recommended?


https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-file?view=o365-worldwide


Posted on the community hub:

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/indicators-enhancements-allow-block-by-certificates-amp-more/ba-p/1377586


keenanbrooks
Brass Contributor

Hi,

Guessing you're looking at adding these hashes in from a threat intelligence feed you may have received? The key feature I see from creating this block list would be receiving alerts if it is triggered. You're more than likely right on the fact that EDR would block them, but then again, better safe than sorry.

If you receive an alert for one of these hashes being triggered, it can give you insight into the user even if it would have originally been blocked by EDR. Maybe it was received via a phishing email, meaning tweaks need to be made to your threat policies?

Hope this answers your question.
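The workflow the reply describes (take hashes from a threat-intel feed, create file indicators that both block and alert, then use the alerts for triage) can be scripted against the Defender for Endpoint indicators API. The following is an added example written for this thread; it is not code from the posters or from Microsoft. It assumes a CSV feed with `sha256` and `description` columns (the sample feed is constructed and contains no real indicators), uses the documented `POST /api/indicators/import` endpoint with an app token holding the `Ti.ReadWrite` permission (the token value is a placeholder), and the batch limit of 500 per call is as I recall it from the API documentation.

```python
"""Build Defender for Endpoint file indicators from a threat-intel feed.

Added example, not code from the thread or Microsoft. Validates and dedupes
hashes, tags each indicator with AlertAndBlock so a hit raises an alert for
triage (the point made in the reply), and time-boxes feed-derived entries.
"""
import csv
import io
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone

# Constructed sample feed (not real indicators). The digests are the
# well-known SHA-256/SHA-1 of the empty string, used only as format examples.
SAMPLE_FEED = """\
sha256,description
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,Constructed loader entry
E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,Duplicate in different case
da39a3ee5e6b4b0d3255bfef95601890afd80709,Constructed SHA-1 entry
not-a-hash,Malformed line that must be rejected
"""

# Map digest length to the MDE indicatorType value.
HASH_TYPES = {64: "FileSha256", 40: "FileSha1", 32: "FileMd5"}
HEX = re.compile(r"^[0-9a-f]+$")


def classify_hash(value):
    """Return the MDE indicatorType for a hash, or None if it is not a hex digest."""
    v = value.strip().lower()
    if len(v) not in HASH_TYPES or not HEX.match(v):
        return None
    return HASH_TYPES[len(v)]


def build_indicators(feed_text, action="AlertAndBlock", severity="High",
                     days_valid=90, title="TI feed block list"):
    """Parse the feed, drop malformed and duplicate hashes, emit indicator objects."""
    expiry = (datetime.now(timezone.utc) + timedelta(days=days_valid)
              ).strftime("%Y-%m-%dT%H:%M:%SZ")
    seen = set()
    indicators, rejected = [], []
    for row in csv.DictReader(io.StringIO(feed_text)):
        raw = row["sha256"]            # column name assumed from the constructed feed
        itype = classify_hash(raw)
        if itype is None:
            rejected.append(raw)       # keep a record so the feed owner can be told
            continue
        value = raw.strip().lower()
        if value in seen:              # same hash, different case: one indicator only
            continue
        seen.add(value)
        indicators.append({
            "indicatorValue": value,
            "indicatorType": itype,
            "action": action,          # AlertAndBlock: block the file and raise an alert
            "title": title,
            "description": row["description"],
            "severity": severity,
            "expirationTime": expiry,  # time-box feed entries instead of keeping them forever
            "generateAlert": True,
        })
    return indicators, rejected


def import_payload(indicators):
    """Wrap indicators for POST /api/indicators/import (limit of 500 per call, as I recall)."""
    if len(indicators) > 500:
        raise ValueError("split the batch: import endpoint accepts at most 500 indicators")
    return {"Indicators": indicators}


def submit(payload, token,
           url="https://api.securitycenter.microsoft.com/api/indicators/import"):
    """Submit to MDE with an app token holding Ti.ReadWrite. Not called offline."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    inds, bad = build_indicators(SAMPLE_FEED)
    print(json.dumps(import_payload(inds), indent=2))
    print("rejected:", bad)
    # To actually push: submit(import_payload(inds), "<placeholder-token>")
```

Running it offline prints two indicators (the SHA-256 once, despite the duplicate row, and the SHA-1) and reports the malformed line. Because the action is `AlertAndBlock`, a hit shows up as an alert in the portal even when the engine's own definitions would already have blocked the file, which is what lets you go back and ask how the file reached the user in the first place.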
