cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Create indicators for files in Defender

Solu662125
Copper Contributor

‎Feb 09 2023 01:51 PM

‎Feb 09 2023 01:51 PM

Create indicators for files in Defender

Hello,

 

I'm looking for some guidelines here when creating a block list for "file hashes".

My understanding when defender definitions are updated daily, they already include known & bad file hashes, so should we be doing it manually by following the below? or is it even recommended?

 

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-file?view=o365-...

 

posted on the community hub -

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/indicators-enhancements-allow...

 

 

 

 

1,192 Views
0 Likes
1 Reply
Reply
1 Reply
keenanbrooks

‎Feb 10 2023 04:21 AM

‎Feb 10 2023 04:21 AM

Re: Create indicators for files in Defender

Hi,

Guessing you're looking at adding these hashes in from a threat intelligence feed you may have received? The key feature I see from creating this block list would be receiving alerts if it is triggered. You're more than likely right on the fact that EDR would block them but then again, better safe than sorry.

If you receive an alert for one of these hashes being triggered it can give you an insight on looking into the user even if it would of originally been blocked by EDR, maybe it was received via a phishing email meaning tweaks need to be made to your threat policies?

Hope this answers your question?
0 Likes
Reply