Can I check whether an IoC/hash is already monitored by MDE?

The list of IoCs is limited to 15k. I imagine some IoC entries from our "custom list" are already monitored by Microsoft/MDE. So, is there a way to check whether there is a detection rule for a specific IoC (hash)? This would save us some thousand entries and improve our monitoring coverage.

*Better to join forces than reinvent the wheel.

2 Replies
Good question. Let me follow up on this for you. Will reply soon.

@jjsantanna you can use this API to check the determination on a file hash: File resource type | Microsoft Docs.

Hopefully this helps! :)
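
One way to apply the File API suggested in the reply to a whole custom list, as an added example that is not part of the original thread or Microsoft's code: it looks up each hash and keeps only those without a malicious determination. Assumptions: the `api.securitycenter.microsoft.com` host, treating `Malware` and `Pua` as "already detected", and the hypothetical `MDE_TOKEN` variable holding a valid access token.

```python
import json
import re
import urllib.error
import urllib.request

API = "https://api.securitycenter.microsoft.com/api/files/"
# Assumption: these determinationType values mean Microsoft already detects the file.
COVERED_TYPES = {"Malware", "Pua"}
# The File API is keyed by SHA-1 (40 hex) or SHA-256 (64 hex); MD5 cannot be looked up.
LOOKUP_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")


def fetch_file_entity(file_hash, token):
    """GET the File entity for a hash; None when MDE has no record (HTTP 404)."""
    req = urllib.request.Request(API + file_hash,
                                 headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def split_indicators(hashes, lookup):
    """Partition hashes into (already_covered, keep_as_custom_indicator)."""
    covered, keep = {}, []
    for raw in hashes:
        h = raw.strip().lower()
        if not h:
            continue
        entity = lookup(h) if LOOKUP_RE.match(h) else None
        if entity and entity.get("determinationType") in COVERED_TYPES:
            covered[h] = entity.get("determinationValue", "")
        else:
            keep.append(h)  # unknown, clean, MD5 or no record: keep the custom IoC
    return covered, keep


if __name__ == "__main__":
    import os
    import sys
    token = os.environ["MDE_TOKEN"]  # hypothetical variable with an access token
    done, todo = split_indicators(sys.stdin, lambda h: fetch_file_entity(h, token))
    print(f"{len(done)} already detected, {len(todo)} to keep", file=sys.stderr)
    print("\n".join(todo))
```

A hash dropped this way relies on Microsoft's own verdict, so keep the custom indicator wherever you need a specific action or alert on that file.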