KQL Queries with RemoteIP, whitelist Agency Public IP Addresses

Occasional Contributor
Is it possible to add a list somewhere to Defender EndPoint to 'whitelist' the Agency public IP addresses? Or say you're searching for LOLBINS reaching out to public IP addresses and you want to ignore the Agency IP addresses? Is there a way to do that? Thank you!
1 Reply

Hi @mathurin68,

Here is documentation that could help you: Create indicators for IPs and URLs/domains | Microsoft Docs, and Create indicators | Microsoft Docs. From there you can set the necessary action for the IP of interest, as shown below:
[Image: Jayronn_0-1630603028202.jpeg]
Please let me know if this helps answer your question.