
KQL Queries with RemoteIP, whitelist Agency Public IP Addresses

Is it possible to add a list somewhere to Defender EndPoint to 'whitelist' the Agency public IP addresses? Or say you're searching for LOLBINS reaching out to public IP addresses and you want to ignore the Agency IP addresses? Is there a way to do that? Thank you!
1 Reply
best response confirmed by mathurin68 (Brass Contributor)

Hi @mathurin68,


Here is documentation that could help you: Create indicators for IPs and URLs/domains | Microsoft Docs, and Create indicators | Microsoft Docs. From there you can set the necessary action for the IP of interest, such as shown below:
Please let me know if this helps answer your question.
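
For the hunting-query half of the question, the following is an added example, not part of the reply above: an advanced hunting query that keeps LOLBIN connections to public IPs and drops those going to the Agency's own ranges. The CIDR ranges are placeholders from documentation address space, and the LOLBIN list is an illustrative subset; both are assumptions to replace with your own values.

```kusto
// Placeholder CIDR ranges (RFC 5737 documentation space).
// Replace with the Agency's real public egress ranges.
let AgencyPublicRanges = dynamic(["203.0.113.0/24", "198.51.100.0/24"]);
// Illustrative LOLBIN subset; extend to match your own hunting list.
let Lolbins = dynamic(["certutil.exe", "mshta.exe", "regsvr32.exe",
                       "rundll32.exe", "bitsadmin.exe", "msiexec.exe"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| where InitiatingProcessFileName in~ (Lolbins)
// ipv4_is_in_any_range() returns null when RemoteIP is not a valid IPv4
// string (for example an IPv6 address). coalesce() treats that as
// "not an Agency address" so those rows stay in the results.
| where not(coalesce(ipv4_is_in_any_range(RemoteIP, AgencyPublicRanges), false))
| summarize Connections = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Devices = dcount(DeviceId)
    by InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl
| order by Connections desc
```

Because the ranges live in a single `let` statement, the same exclusion line can be reused in other queries that filter on `RemoteIP`.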