Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Create indicators for files in Defender

Copper Contributor

Hello,

 

I'm looking for some guidelines here when creating a block list for "file hashes".

My understanding when defender definitions are updated daily, they already include known & bad file hashes, so should we be doing it manually by following the below? or is it even recommended?

 

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-file?view=o365-...

 

posted on the community hub -

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/indicators-enhancements-allow...

 

 

 

 

1 Reply
Hi,

Guessing you're looking at adding these hashes in from a threat intelligence feed you may have received? The key feature I see from creating this block list would be receiving alerts if it is triggered. You're more than likely right on the fact that EDR would block them but then again, better safe than sorry.

If you receive an alert for one of these hashes being triggered it can give you an insight on looking into the user even if it would of originally been blocked by EDR, maybe it was received via a phishing email meaning tweaks need to be made to your threat policies?

Hope this answers your question?