Forum Discussion
IOCs indicator
I have a Defender P2 license and uploaded indicator hashes. Is there a report of the affected devices from my uploaded indicator list?
I have an audit and I need a report regarding the IOCs and the affected devices.
2 Replies
- Warren212 (Copper Contributor)
Have you looked here: https://learn.microsoft.com/en-us/defender-endpoint/indicator-file#advanced-hunting-capabilities-preview
You can get the results with the following query:
search in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents, DeviceLogonEvents)
Timestamp > ago(30d)
| where AdditionalFields contains "EUS:Win32/CustomEnterpriseBlock!cl"
or AdditionalFields contains "EUS:Win32/CustomEnterpriseNoAlertBlock!cl"
or AdditionalFields contains "EUS:Win32/CustomCertEnterpriseBlock!cl"
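Building on the documented query above, the following is an added example (not from this thread or from the Microsoft docs) that turns the raw hits into a per-device, per-hash summary suitable for an audit export. It assumes the standard DeviceFileEvents and DeviceProcessEvents schema columns (DeviceName, DeviceId, SHA1, SHA256, FileName, ActionType, AdditionalFields) and restricts itself to those two tables because they carry the file hashes that map back to an uploaded indicator.

```kql
// Added example: per-device / per-hash summary of custom indicator hits.
// Assumes the built-in detection names shown on the linked docs page and the
// standard schema of DeviceFileEvents / DeviceProcessEvents.
union withsource=SourceTable DeviceFileEvents, DeviceProcessEvents
| where Timestamp > ago(30d)
// Same match condition as the documented query: the three custom-indicator detection names.
| where AdditionalFields contains "EUS:Win32/CustomEnterpriseBlock!cl"
     or AdditionalFields contains "EUS:Win32/CustomEnterpriseNoAlertBlock!cl"
     or AdditionalFields contains "EUS:Win32/CustomCertEnterpriseBlock!cl"
// Pull the detection name out of the JSON string so each row says which indicator type fired.
| extend IndicatorName = extract(@"EUS:Win32/Custom\w+!cl", 0, tostring(AdditionalFields))
// One row per device and file hash: first/last sighting, hit count, and what Defender did.
| summarize FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp),
            Events    = count(),
            Actions   = make_set(ActionType),
            Tables    = make_set(SourceTable)
    by DeviceName, DeviceId, IndicatorName, SHA256, SHA1, FileName
| order by LastSeen desc
```

Join the SHA256/SHA1 column against your uploaded indicator list to confirm which indicators produced hits and which never matched on any device.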
- GoXATAKAN (Brass Contributor)
You can try to use a query from Advanced Hunting (KQL).