Forum Discussion
ahmadhin
Nov 16, 2025 Copper Contributor
IOCs indicator
I have a Defender P2 license and uploaded an indicator hash. Is there a report for the affected devices from my uploaded indicator list? I have an audit and I need a report regarding the IOCs and the af...
Warren212
Dec 09, 2025 Copper Contributor
Have you looked here: https://learn.microsoft.com/en-us/defender-endpoint/indicator-file#advanced-hunting-capabilities-preview
You can get the results with the following query:
search in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents, DeviceLogonEvents)
Timestamp > ago(30d)
| where AdditionalFields contains "EUS:Win32/CustomEnterpriseBlock!cl"
or AdditionalFields contains "EUS:Win32/CustomEnterpriseNoAlertBlock!cl"
or AdditionalFields contains "EUS:Win32/CustomCertEnterpriseBlock!cl"
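
For an audit report, the raw events returned by the query above can be rolled up to one row per device and file hash. The following is an added example, not part of the reply or of Microsoft's documentation; it reuses the same filter, and the output column names (Marker, Events, FirstSeen, LastSeen, SourceTables, FileNames) are chosen here for illustration.

```kql
// Added example: per-device summary of custom-indicator events (last 30 days).
// Same tables and filter strings as the query in the reply above.
search in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents, DeviceLogonEvents)
Timestamp > ago(30d)
| where AdditionalFields contains "EUS:Win32/CustomEnterpriseBlock!cl"
    or AdditionalFields contains "EUS:Win32/CustomEnterpriseNoAlertBlock!cl"
    or AdditionalFields contains "EUS:Win32/CustomCertEnterpriseBlock!cl"
// Record which of the three marker strings matched, so the report can be split by it.
| extend Marker = case(
    AdditionalFields contains "EUS:Win32/CustomEnterpriseBlock!cl", "CustomEnterpriseBlock",
    AdditionalFields contains "EUS:Win32/CustomEnterpriseNoAlertBlock!cl", "CustomEnterpriseNoAlertBlock",
    AdditionalFields contains "EUS:Win32/CustomCertEnterpriseBlock!cl", "CustomCertEnterpriseBlock",
    "Other")
// One row per device, hash and marker; $table is the source-table column added by `search`.
// SHA256 is empty for events from tables that do not carry a file hash.
| summarize
    Events = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SourceTables = make_set($table),
    FileNames = make_set(FileName, 20)
    by DeviceName, DeviceId, SHA256, Marker
| order by DeviceName asc, LastSeen desc
```

The result grid in Advanced Hunting can then be exported for the audit; widen `ago(30d)` only as far as your data retention allows.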