Pushing custom Indicator of Compromise (IoCs) to Microsoft Defender ATP
I've followed these instructions from Palo Alto: https://live.paloaltonetworks.com/t5/MineMeld-Articles/How-to-Configure-MineMeld-to-Send-Indicators-to-Microsoft/ta-p/244121
I can see the IOCs pushed into ATP, but I see the below within SecurityCenter.
I'm sure this functionality has previously worked from when I've manually added IOCs.
Any ideas?
Thanks
Thanks!
- Dan Michelson, Jun 03, 2019, Microsoft
Please check first how many items you are pushing.
Currently, there is a limit of 5K items in the list. If the batch you are trying to push is larger than the remaining room in the list, it may fail.
- DannyC_Gamma, Jun 03, 2019, Brass Contributor
I was more referring to the message that I'd crudely highlighted in the screen grab:
Blocking IP addresses, domains, or URLs is not yet available for this tenant.
I'm sure I've had the ability to do these previously - at present, I can only block hashes. Is the URL/Domain blocking functionality going to be (re)made available soon?
Thanks
Danny
- Haim Goldshtein, Jun 04, 2019, Microsoft
Hi Danny,
Blocking IPs, URLs & Domains are features you need to turn on for your tenant.
If the feature is turned off, when going to Indicators page -> IP tab you will see the following warning message:
To turn on the feature, you should go to Advance Feature tab, and turn Network Protection on:
Thank you for bringing that up, I'll add that procedure to the blog.
Please check it and let me know if it works for you.
Thanks,
Haim