Can I check whether an IoC/hash is already monitored by MDE?

jjsantanna · ‎Oct 21 2021

The list of IoC is limited to 15k. I imagine some IoCs entries from our "custom list" are already monitored by Microsoft/MDE. So, is there a way to check whether there is a detection rule for a specific IoC (hash)? This would save us some thousand entries and improve our monitoring coverage.

*Better to join forces than reinvent the wheel.

Daniel Simpson · ‎Oct 21 2021

Good question. Let me follow up on this for you. Will reply soon.

Thomas_Doucette · ‎Oct 27 2021

@jjsantanna you can use this API to check the determination on a file hash: File resource type | Microsoft Docs.

Hopefully this helps! :)

Thomas_Doucette · ‎Sep 27 2022

Problem is, how would you implement it to check "thousands" of entries?

Can I check whether an IoC/hash is already monitored by MDE?

Can I check whether an IoC/hash is already monitored by MDE?

Re: Can I check whether an IoC/hash is already monitored by MDE?

Re: Can I check whether an IoC/hash is already monitored by MDE?

Re: Can I check whether an IoC/hash is already monitored by MDE?

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Can I check whether an IoC/hash is already monitored by MDE?

Can I check whether an IoC/hash is already monitored by MDE?

Re: Can I check whether an IoC/hash is already monitored by MDE?

Re: Can I check whether an IoC/hash is already monitored by MDE?

Re: Can I check whether an IoC/hash is already monitored by MDE?