Jul 25 2022 01:03 PM
Hello!
My organization is new to Microsoft Defender for Endpoints. I'd like to be able to threat hunt for IOC in the form of IPs, URL and naturally file hashes. Can someone direct me to the proper syntax for file hashes? For instance if I have a list of 30 MD5 hashes. Thank you.
I've googled and see some mentions but nothing that gets me all the way there.
Jul 26 2022 12:29 PM
SolutionJul 28 2022 11:50 PM - edited Jul 28 2022 11:50 PM
Hi @JerrySmith_UAB,
In addition to actively hunting for a file hash, an IP address, or domain name yourself via Advanced Hunting (or via Sentinel), you also have the option of using the Indicators via Settings --> Endpoints --> Indicators.
Here you can enter indicators such as a File hash, IP addresses, URLs/Domains, and certificates as IOCs. Indicators then use the Microsoft Defender for Endpoint sensors to actively search for these IOCs.
For more information about managing indicators, see: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-manage?view=o365...
Jul 29 2022 07:50 AM
Jul 26 2022 12:29 PM
Solution