From fc74cd545aa887c34d22a505eb951df1a30be01c Mon Sep 17 00:00:00 2001 From: vboyev-MSFT Date: Fri, 25 Oct 2024 13:01:57 -0500 Subject: [PATCH 1/2] Update indicator-manage.md Added note under parameter table to detail that network indicators cannot have the action parameter set to BlockAndRemediate. --- defender-endpoint/indicator-manage.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/defender-endpoint/indicator-manage.md b/defender-endpoint/indicator-manage.md index c90288d458..ae8f32bae4 100644 --- a/defender-endpoint/indicator-manage.md +++ b/defender-endpoint/indicator-manage.md @@ -79,6 +79,9 @@ The following table shows the supported parameters. > Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported. For more information, see [Microsoft Defender for Endpoint alert categories are now aligned with MITRE ATT&CK!](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-atp-alert-categories-are-now-aligned-with/ba-p/732748). +> [!NOTE] +> Network Indicators 'action' type does not support the use of *BlockAndRemediate*. The Network indicator will not import if it is set to *BlockAndRemediate*. + Watch this video to learn how Microsoft Defender for Endpoint provides multiple ways to add and manage Indicators of compromise (IoCs). > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLVw] From 85834461de17c376ba6c8214f3cccedb55569d0c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 28 Oct 2024 10:40:18 -0700 Subject: [PATCH 2/2] Update indicator-manage.md --- defender-endpoint/indicator-manage.md | 38 ++++++++++++--------------- 1 file changed, 17 insertions(+), 21 deletions(-) diff --git a/defender-endpoint/indicator-manage.md b/defender-endpoint/indicator-manage.md index ae8f32bae4..6e99e23645 100644 --- a/defender-endpoint/indicator-manage.md +++ b/defender-endpoint/indicator-manage.md @@ -15,20 +15,18 @@ ms.collection: ms.topic: conceptual ms.subservice: asr search.appverid: met150 -ms.date: 12/18/2020 +ms.date: 10/28/2024 --- # Manage indicators [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md) - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) - [Microsoft Defender XDR](/defender-xdr) - > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) 1. In the navigation pane, select **Settings** \> **Endpoints** \> **Indicators** (under **Rules**). @@ -55,32 +53,29 @@ Download the sample CSV to know the supported column attributes. > [!NOTE] > Only 500 indicators can be uploaded for each batch. -> > Attempting to import indicators with specific categories requires the string to be written in Pascal case convention and only accepts the category list available at the portal. The following table shows the supported parameters. | Parameter|Type|Description | | ---| ---| --- | -| indicatorType|Enum|Type of the indicator. Possible values are: *FileSha1*, *FileSha256*, *IpAddress*, *DomainName*, and *Url*. **Required** | -| indicatorValue|String|Identity of the [Indicator](api/ti-indicator.md) entity. **Required** | -| action|Enum|The action that is taken if the indicator is discovered in the organization. Possible values are: *Allowed*, *Audit*, *BlockAndRemediate*, *Warn*, and *Block*. **Required** | -| title|String|Indicator alert title. **Required** | -| description|String| Description of the indicator. **Required** | -| expirationTime|DateTimeOffset|The expiration time of the indicator in the following format YYYY-MM-DDTHH:MM:SS.0Z. The indicator gets deleted if the expiration time passes and whatever happens at the expiration time occurs at the seconds (SS) value. **Optional** | -| severity|Enum|The severity of the indicator. Possible values are: *Informational*, *Low*, *Medium*, and *High*. **Optional** | -| recommendedActions|String|TI indicator alert recommended actions. **Optional** | -| rbacGroups|String|Comma-separated list of RBAC groups the indicator would be applied to. **Optional** | -| category|String|Category of the alert. Examples include: Execution and credential access. **Optional** | -| mitretechniques|String|MITRE techniques code/id (comma separated). For more information, see [Enterprise tactics](https://attack.mitre.org/tactics/enterprise/). **Optional** It's recommended to add a value in category when a MITRE technique. | -| GenerateAlert|String|Whether the alert should be generated. Possible Values are: True or False. **Optional** | +| indicatorType|Enum|Type of the indicator. Possible values are: `FileSha1`, `FileSha256`, `IpAddress`, `DomainName`, and `Url`.
**Required** | +| indicatorValue|String|Identity of the [Indicator](api/ti-indicator.md) entity.
**Required** | +| action|Enum|The action that is taken if the indicator is discovered in the organization. Possible values are: `Allowed`, `Audit`, `BlockAndRemediate`, `Warn`, and `Block`.
**Required** | +| title|String|Indicator alert title.
**Required** | +| description|String| Description of the indicator.
**Required** | +| expirationTime|DateTimeOffset|The expiration time of the indicator in the following format `YYYY-MM-DDTHH:MM:SS.0Z`. The indicator gets deleted if the expiration time passes and whatever happens at the expiration time occurs at the seconds (SS) value.
**Optional** | +| severity|Enum|The severity of the indicator. Possible values are: `Informational`, `Low`, `Medium`, and `High`.
**Optional** | +| recommendedActions|String|TI indicator alert recommended actions.
**Optional** | +| rbacGroups|String|Comma-separated list of RBAC groups the indicator would be applied to.
**Optional** | +| category|String|Category of the alert. Examples include: Execution and credential access.
**Optional** | +| mitretechniques|String|MITRE techniques code/id (comma separated). For more information, see [Enterprise tactics](https://attack.mitre.org/tactics/enterprise/).
**Optional**
It's recommended to add a value in category when a MITRE technique. | +| GenerateAlert|String|Whether the alert should be generated. Possible Values are: `True` or `False`.
**Optional** | > [!NOTE] -> Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported. -For more information, see [Microsoft Defender for Endpoint alert categories are now aligned with MITRE ATT&CK!](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-atp-alert-categories-are-now-aligned-with/ba-p/732748). - -> [!NOTE] -> Network Indicators 'action' type does not support the use of *BlockAndRemediate*. The Network indicator will not import if it is set to *BlockAndRemediate*. +> Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported. For more information, see [Microsoft Defender for Endpoint alert categories are now aligned with MITRE ATT&CK!](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-atp-alert-categories-are-now-aligned-with/ba-p/732748). +> +> Network indicators do not support the action type, `BlockAndRemediate`. If a network indicator is set to `BlockAndRemediate`, it won't import. Watch this video to learn how Microsoft Defender for Endpoint provides multiple ways to add and manage Indicators of compromise (IoCs). > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLVw] @@ -92,4 +87,5 @@ Watch this video to learn how Microsoft Defender for Endpoint provides multiple - [Create indicators for IPs and URLs/domains](indicator-ip-domain.md) - [Create indicators based on certificates](indicator-certificates.md) - [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md) + [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]