Process: Adding an IoC to 365 Defender

Adding an IoC to 365 Defender

If an IoC (Indicator of Compromise) has been found and needs to be either monitored or blocked in our estate you can block it in 365 Defender. IoCs that can be added are the following:

File Hashes (SHA1, SHA265)
IP Addresses (IPv4 + IPv6)
URLs / Domains
Certificates

IoCs are usually gathered from Incidents, Phishing attempts, Malware Analysis or Threat Intelligence.

Process:

Go to 365 Defender (security.microsoft.com)
Settings (In the Left Panel)
Endpoints
Rules -> Indicators
Choose the Appropriate IoC type at the top.
1. File Hashes (SHA1, SHA265) - Example: fd9c3bc4d6d47dcf4fa26a38f00b95f88f901cdde0ddec5c0447da82eee5815a
2. IP Addresses - Example: 123.123.123.123
3. URLs/Domains - Example: maliciousdomain.com
4. Certificates - Example: certificate.cer / certificate.pem
If you need to batch Import, go to Batch Importing, located at the bottom of this solution article.
Click on Add Item
Input the Appropriate Fields
1. URL/Domain/Hash/IP/Certificate
2. Title: (Incident Number) (Malware/Phishing/Malicious Domain etc.)
3. Description: Short Description of IoC
4. Expires on: “Never”
Click Next
Select Action
1. Never use Allow as its not needed.
2. Audit - to track via reporting if users are connecting to IoC and alert is triggered.
3. Warn – the IoC prompts a warning that the user can bypass. Able to create custom warning.
4. (Most Commonly Used) Block - the IoC won't be allowed to run.
5. (Used for File Hashes or Certificate IoCs) Block and Remediate - the IoC won't be allowed to run and a remediation action will be applied to the IoC.
Click Next
If Blocking IOC uncheck the Generate Alert. If Audit or Warn you can customize the properties of the alert:
1. Severity – Select Appropriate
2. Category – Select Appropriate
3. Recommended actions – Recommended actions to perform on this alert.
Click Next
Select Appropriate Device Scope
1. (Most Commonly Used) All Devices in my Organization.
2. Specific machine groups – Used mostly for Auditing IoCs in specific departments.
Click Next
Review Summary and Click Submit.
Confirm in List that the IoCs have been added successfully with the appropriate configuration.

Batch Importing:

If Batch importing download Appropriate attached template located in this Solution Article. In the template there are existing values for you to use as a Guide. Ensure you delete the existing values.
Fill in the Appropriate Indicators and Values
1. IndicatorType – DomainName/URL/IpAddress
2. IndicatorValue – Actual IoC (ex. 123.123.123.123 / maliciousdomain.com)
3. Expiration – Leave Blank for no Expiration.
4. Action – Allow/Audit/Warn/Block/BlockandRemediate
5. Severity – High/Medium/Low/Informational (Leave Blank if no Alerting)
6. Title – (Incident Number) (Malware/Phishing/Malicious Domain etc.)
7. Description - Short Description of IoC
8. RecommendedActions - Recommended actions to perform on this alert (Leave Blank if no Alerting)
9. RbacGroup – Leave blank for whole organization.
10. Category – Category of Alerting. (Leave Blank if no Alerting)
11. MitreTech – Not used.
12. Generate Alert
  1. TRUE if you want alerting.
  2. FALSE if you want no alerting.
Ensure you save the file as a CSV.
Go back to 365 Defender IoC Page and click on Import.
Choose File and then Click Import
Confirm in List that the IoCs have been added successfully with the appropriate configuration.

Additional References:

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-indicators?view=o365-worldwide