
May 05, 2019

Pushing custom Indicator of Compromise (IoCs) to Microsoft Defender ATP

Submit your own IOCs to Microsoft Defender ATP to create alerts and perform remediation actions.

5 Minutes 

Low complexity 


Many organizations maintain internal lists of attack indicators such as file hashes, IP addresses, or URLs.

These lists can be derived from the analysis of previous attacks on the company, from external threat-intelligence services, or from attack data published on information-sharing platforms on the Internet.

In this tutorial, you’ll see how these lists can be used to:

  • Generate Microsoft Defender ATP alerts
  • Block the execution/usage of items in the list

Let’s start

  • Step 1: Add the required permission to write indicators to Microsoft Defender ATP
  • Step 2: Enable advanced features in Microsoft Defender ATP
  • Step 3: Run tests


Step 1: Add permission to write indicators to MDATP

If you haven’t created an app: 

  • Create an app using the instructions described in the Hello world blog. 
  • Then follow the instructions for adding the TI writing permission as described below.

If you’ve already created an app that you’re going to reuse for this demonstration: 

  • Add the “TI.ReadWrite.All” permission as described below. 
  • We recommend that you follow the detailed steps described in “Step 1 - Add the required permission to the application” in the Alert Update API blog.

Add TI writing Permission

  • Open Azure portal. 
  • Navigate to Azure Active Directory > App registrations
  • Under All Applications, find and select the application, for example, ContosoSIEMConnector
  • Click API permissions > Add a permission

  • Click on “APIs my organization uses” and type WindowsDefenderATP in the search box. Then choose the “WindowsDefenderATP” API from the list.

  • Click on “Application permission” button and check the “TI.ReadWrite.All” checkbox.

  • Click Add Permission.
  • On the “API Permission” screen, click on “Grant admin consent for…” button.

Done! You have successfully added the required permissions to the application.

Step 2: Enable advanced features in Microsoft Defender ATP

  • Open the Settings menu in the Microsoft Defender ATP portal.
  • Click on the Advanced features button and turn on the “Block file” setting.

Done! You have successfully enabled the block feature.

Note: To use the block file feature, you need to make sure Windows Defender Antivirus is turned on and the cloud-based protection feature is enabled in your organization.

Step 3: Run tests

It’s a good idea to run some tests to verify that we have configured the right mechanisms in place.

  • Download the “Submit-Indicator.ps1” script from the link at the bottom of this blog.
  • Save the script in the same folder you saved the Get-Token.ps1 script from the previous blogs.
  • Open a PowerShell console.
  • Change directory to the directory you saved the scripts from the previous steps.
  • Run a command to submit an indicator in the following format:

PS> .\Submit-Indicator.ps1 -indicatorType {FileSha1/FileSha256/IpAddress/Url} -indicatorValue {the indicator value} -action {Alert/AlertAndBlock/Allowed} -severity {Informational/Low/Medium/High} -title {the alert’s title} -description {the alert’s description} -recommendedActions {the recommended action to remediate the alert}


For example, if we want to get an alert and block the execution of a file with sha1 = “b9174c8a1db96d329071ee46483a447c1d3abdc0”, we can run the following command (write the command and parameters in one line):

PS> .\Submit-Indicator.ps1 -indicatorType FileSha1 -indicatorValue b9174c8a1db96d329071ee46483a447c1d3abdc0 -action AlertAndBlock -severity High -title "Custom Threat Intelligence demo" -description "This is a demo how you can use your own IOC to raise an alert and to block the threat." -recommendedActions "You can add here your own recommended action according to your company procedures"

Done! You have successfully submitted an IOC to Microsoft Defender ATP.

If you run a file whose SHA1 matches the submitted one on a machine with the Windows Defender Antivirus settings mentioned above, the file will be blocked and quarantined, and you will get a custom alert in the Microsoft Defender ATP portal.
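As an added worked example (not the blog's own Submit-Indicator.ps1), the following self-contained PowerShell script does what the command above does by calling the Indicators API directly, validates the indicator value locally, and first checks how much room is left in the tenant's indicator list (the 5,000-item limit mentioned in the comments below). It assumes that -Token is a bearer token for the app that was granted TI.ReadWrite.All (for example, the output of the Get-Token.ps1 script from the earlier blog), that the indicators endpoint is https://api.securitycenter.windows.com/api/indicators, and that the expirationTime field with its 30-day default is a choice made here rather than something the blog specifies.

```powershell
<#
  Added example (not the blog's Submit-Indicator.ps1): submit one custom indicator
  to the Microsoft Defender ATP Indicators API after checking how much room is
  left in the tenant's indicator list (5,000-item limit quoted in the comments).

  Assumptions: -Token is a bearer token for the app that was granted
  TI.ReadWrite.All (for example the output of Get-Token.ps1 from the earlier
  blog); the indicators API lives at the URL in $indicatorsUrl; the 30-day
  default expiration is a choice made in this example.

  Usage:
    .\Submit-CustomIndicator.ps1 -Token $token -IndicatorType FileSha1 `
      -IndicatorValue b9174c8a1db96d329071ee46483a447c1d3abdc0 -Action AlertAndBlock `
      -Severity High -Title "Custom Threat Intelligence demo"
#>
param(
    [Parameter(Mandatory = $true)] [string] $Token,
    [Parameter(Mandatory = $true)]
    [ValidateSet('FileSha1', 'FileSha256', 'IpAddress', 'DomainName', 'Url')]
    [string] $IndicatorType,
    [Parameter(Mandatory = $true)] [string] $IndicatorValue,
    [Parameter(Mandatory = $true)]
    [ValidateSet('Alert', 'AlertAndBlock', 'Allowed')]
    [string] $Action,
    [Parameter(Mandatory = $true)]
    [ValidateSet('Informational', 'Low', 'Medium', 'High')]
    [string] $Severity,
    [Parameter(Mandatory = $true)] [string] $Title,
    [string] $Description = '',
    [string] $RecommendedActions = '',
    [int] $ExpirationDays = 30,     # assumption: this example's default lifetime
    [int] $ListLimit = 5000         # limit quoted by Dan Michelson in the comments
)

$ErrorActionPreference = 'Stop'
$indicatorsUrl = 'https://api.securitycenter.windows.com/api/indicators'
$headers = @{ Authorization = "Bearer $Token" }

# Validate the value locally so a typo fails here rather than as a bad list entry.
switch ($IndicatorType) {
    'FileSha1'   { if ($IndicatorValue -notmatch '^[0-9a-fA-F]{40}$') { throw 'FileSha1 must be 40 hex characters' } }
    'FileSha256' { if ($IndicatorValue -notmatch '^[0-9a-fA-F]{64}$') { throw 'FileSha256 must be 64 hex characters' } }
    'IpAddress'  {
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($IndicatorValue, [ref] $parsed)) {
            throw 'IpAddress is not a valid IP address'
        }
    }
}

# The list has a fixed capacity; read it first so the push does not fail half-way.
$existing = Invoke-RestMethod -Method Get -Uri $indicatorsUrl -Headers $headers
$count = @($existing.value).Count
if ($count -ge $ListLimit) {
    throw "Indicator list already holds $count entries (limit $ListLimit); expire or delete stale indicators first."
}
Write-Host "Indicator list holds $count of $ListLimit entries; submitting '$IndicatorValue' ($IndicatorType, $Action)."

# Property names follow the Indicators API request body.
$body = @{
    indicatorType      = $IndicatorType
    indicatorValue     = $IndicatorValue
    action             = $Action
    severity           = $Severity
    title              = $Title
    description        = $Description
    recommendedActions = $RecommendedActions
    expirationTime     = (Get-Date).ToUniversalTime().AddDays($ExpirationDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
} | ConvertTo-Json

$result = Invoke-RestMethod -Method Post -Uri $indicatorsUrl -Headers $headers -ContentType 'application/json' -Body $body
Write-Host "Created indicator id $($result.id)."
$result
```

The GET before the POST is the part worth keeping even if you trim the rest: a batch that does not fit in the remaining room fails, so counting first turns a silent partial push into a clear error. Setting an expiration also keeps the list from filling up with indicators nobody remembers adding.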

Conclusion:

In this blog, we demonstrated how you can easily submit your own IOC to Microsoft Defender ATP and set a remediation action for it.

In the next blog, we are going to demonstrate how to automate exporting IOCs from MISP and submitting them to MDATP.


Thanks,

@Haim Goldshtein, security software engineer, Windows Defender ATP  

@Dan Michelson, program manager, Windows Defender ATP  

@Ben Alfasi, software engineer, Windows Defender ATP

  • Haim Goldshtein Great news here - just wondering though how this might/might not tie in to Sentinel?

    At some point are these going to be "joined up" or stay separate?

    • Haim Goldshtein (Microsoft)

      Hi Vinay Varma 


      This API gives you a programmatic way to control the lists you maintain under the indicator section.

      Many organizations are trying to create automation for repetitive tasks to apply the changes faster and to free their employees for other tasks.


      Thanks,

      Haim


    • Dan Michelson (Microsoft)

      DannyC_Gamma 


      Please check first how many items you are pushing.


      Currently, there is a limit of 5K items in the list. If the batch you are trying to push is larger than the remaining room in the list, it may fail.


      • DannyC_Gamma (Brass Contributor)

        Dan Michelson 


        I was more referring to the message that I'd crudely highlighted in the screen grab


        Blocking IP addresses, domains, or URLs is not yet available for this tenant.


        I'm sure I've had the ability to do these previously - at present, I can only block hashes. Is the URL/Domain blocking functionality going to be (re)made available soon?


        Thanks

        Danny


  • NC_0101 (Copper Contributor)

    Hello,


    Great post. I would like to know if there is a way to check bulk IOCs and see if those IOCs are present in my group of machines. But I don't want to save them or import them; I just want to check whether they reside on a machine in my group.

    Haim Goldshtein 

    Thanks in advance!

Resources