Custom indicators of compromise (IoC) are an essential feature for every endpoint solution. Custom IoCs give SecOps greater capacity to fine-tune detections based on their organization's particular and contextualized threat intelligence. Microsoft Defender for Endpoint supports a robust and comprehensive custom IoC platform. In this blog, we will discuss recommendations for using custom IoCs to get the most out of them. In addition, we will provide recommendations for customers who ingest large threat intelligence (TI) feeds (beyond our limit of 15,000 indicators per tenant) or have more complex rules.

Allow IoCs are used for exclusion management. If an entity is blocked by Microsoft Defender Antivirus or SmartScreen and you do not want it blocked on your devices, you can add a policy that allows that entity. Additionally, you can keep your attack surface reduction (ASR) or web content filtering rules but exclude certain entities that would otherwise be blocked by those rules. According to the conflict handling guidance, a custom IoC wins over ASR and web content filtering rules and over Microsoft Defender Antivirus and SmartScreen ratings.

We recommend that you limit the number of allow IoC policies that bypass Microsoft Defender Antivirus, SmartScreen, ASR, or web content filtering blocks. Each IoC that is allowed opens a new attack vector as well as increasing the IoC count. Note also that the more indicators you add, the more management they need.

Set an expiration date when importing new indicators

Third party threat intelligence (TI) can give insight into recently released malware or malicious websites. Ingesting these feeds can enrich your security telemetry and give your devices an extra layer of protection. Custom IoCs provide the ability to import these feeds and block or monitor the entities in them. We recommend setting an expiration date when ingesting indicators that are recent or relevant to your organization, to minimize the common overlap between third party TI and the Microsoft TI that already feeds solutions like Microsoft Defender for Endpoint. Setting an expiration date also removes aged indicators, which are more likely to have already been blocked by Defender Antivirus, and makes room for newer intelligence. To import third party TI, either use the indicator API or upload a CSV file through the portal. Set the expiration date a few days in advance and, once it passes, import a fresh set of indicators from the previous few days.

Many of our customers use custom IoCs to ingest third party TI feeds. For example, many of them integrate MISP with Microsoft Defender for Endpoint. MISP is a free, open-source platform for sharing indicators, and it consolidates many TI feeds. These customers import the previous few days' worth of indicators, set the action to block them, generate alerts, and set an expiration date of 3 days. Then, after the expiration date has passed, they push a new set of indicators from the previous few days. Other enterprise customers have opted to import indicators directly from third party intelligence feed APIs such as PhishTank and Phishunt.

Duplicate indicators count towards the 15,000 indicator limit per tenant, but the duplicate indicator's policy is not enforced. Let's go over a few examples of duplicate indicators and ways to identify and remove them.

Indicators with the same device group, enforcement target, and action

Defender for Endpoint already detects this type of duplicate indicator and does not import it. If you import through the portal, Defender automatically updates the existing policy with the new expiration date and alert severity/details if they differ from those of the previous policy.

Policies with the same device group and enforcement target but conflicting actions follow a policy conflict handling order. Refer to the IoC support documentation on conflict handling for file/cert and domain/URL/IP indicators. Note that the conflict handling orders differ for file/cert vs. domain/URL/IP. To detect existing conflicting IoCs, execute this PowerShell script, which detects and reports them.

Indicators already blocked by Defender Antivirus or SmartScreen
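The rolling import described above (take the last few days of a feed, block with alerts, expire after a few days, repeat) can be scripted against the Indicators API. The following is an added example written for this page, not code from the original post or from Microsoft. Assumptions, labelled in the comments: the feed records are constructed sample data; the request body fields (indicatorValue, indicatorType, action, generateAlert, severity, title, description, expirationTime, rbacGroupNames) follow the Submit or Update Indicator API; and the 500-indicator batch size is the documented limit of the import API. The HTTP call itself is left to the caller so the script runs offline.

```python
"""Build rolling, self-expiring indicator batches from a third-party TI feed.

Added example for this page; not the post's own script.  ASSUMPTIONS:
 - SAMPLE_FEED is constructed test data, not a real feed.
 - Body fields mirror the Defender for Endpoint "Submit or Update Indicator"
   API; batch size 500 is the import API limit as documented.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample feed: (indicator type, value, first_seen in UTC ISO-8601).
SAMPLE_FEED = [
    ("Url", "http://example-phish.test/login", "2024-05-10T08:00:00Z"),
    ("DomainName", "bad-domain.test", "2024-05-09T14:30:00Z"),
    ("FileSha256", "a" * 64, "2024-05-01T00:00:00Z"),   # aged: outside the window
    ("IpAddress", "198.51.100.7", "2024-05-10T20:15:00Z"),
]

IMPORT_BATCH_LIMIT = 500  # ASSUMPTION: per-call limit of POST /api/indicators/import


def parse_utc(stamp):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def select_recent(feed, now, window_days):
    """Keep only feed entries first seen within the last `window_days` days.

    Older entries are the ones most likely to already be covered by Defender
    Antivirus / SmartScreen, so they are not worth a custom IoC slot."""
    cutoff = now - timedelta(days=window_days)
    return [(kind, value) for kind, value, seen in feed if parse_utc(seen) >= cutoff]


def build_indicators(entries, now, ttl_days, device_groups, feed_name):
    """Turn (type, value) pairs into API bodies that block, alert and expire."""
    expires = (now + timedelta(days=ttl_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return [
        {
            "indicatorValue": value,
            "indicatorType": kind,
            "action": "Block",
            "generateAlert": True,
            "severity": "Medium",
            "title": f"{feed_name}: {kind} {value}",
            "description": f"Imported from {feed_name}; expires {expires}.",
            "expirationTime": expires,
            "rbacGroupNames": list(device_groups),  # scope to device groups, not the whole tenant
        }
        for kind, value in entries
    ]


def batches(indicators, size=IMPORT_BATCH_LIMIT):
    """Split into request bodies for the bulk import endpoint."""
    return [{"Indicators": indicators[i:i + size]} for i in range(0, len(indicators), size)]


def run_cycle(feed, now_iso, window_days, ttl_days, device_groups, feed_name):
    """One import cycle: window the feed, stamp an expiry, chunk for upload.

    Re-run this after `ttl_days` have elapsed to replace the expired set."""
    now = parse_utc(now_iso)
    recent = select_recent(feed, now, window_days)
    return batches(build_indicators(recent, now, ttl_days, device_groups, feed_name))


if __name__ == "__main__":
    for body in run_cycle(SAMPLE_FEED, "2024-05-11T12:00:00Z", 3, 3, ["Pilot"], "SampleFeed"):
        print(len(body["Indicators"]), "indicators, first expires", body["Indicators"][0]["expirationTime"])
```

Each cycle only submits what was first seen inside the window, so the tenant's 15,000-indicator quota is spent on intelligence that Microsoft's own feeds are least likely to cover yet, and the expiry does the cleanup.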
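The duplicate and conflict cases in the post (same device group, enforcement target and action, versus same scope but conflicting actions) can be checked offline against a dump of the tenant's indicators. The post refers to a PowerShell script for this; the following Python is an added example written for this page, not that script and not Microsoft's code. Assumptions, labelled in the comments: the records are constructed to resemble the objects returned by the Indicators API (id, indicatorType, indicatorValue, action, rbacGroupNames); a "duplicate" is taken to mean the same type, value and device groups; and the precedence lists are illustrative placeholders that should be replaced with the order given in the conflict handling documentation the post links to.

```python
"""Report duplicate and conflicting custom indicators from an API dump.

Added example for this page; not the post's PowerShell script.  ASSUMPTIONS:
 - SAMPLE_INDICATORS is constructed data shaped like GET /api/indicators output.
 - Scope = (type, value, device groups); the API's per-application scoping is ignored.
 - PRECEDENCE is an illustrative order; copy the documented conflict handling
   order for file/cert and for domain/URL/IP before relying on the "winner" field.
"""
from collections import defaultdict

FILE_CERT_TYPES = {"FileSha1", "FileSha256", "FileMd5", "CertificateThumbprint"}
NETWORK_TYPES = {"IpAddress", "DomainName", "Url"}

# First entry wins.  ASSUMPTION: placeholder orders, see docstring.
PRECEDENCE = {
    "file_cert": ["Allowed", "BlockAndRemediate", "Block", "Warn", "Audit"],
    "network": ["Allowed", "Warn", "Block", "Audit"],
}

# Constructed sample dump.
SAMPLE_INDICATORS = [
    {"id": "1", "indicatorType": "Url", "indicatorValue": "http://example-phish.test/login",
     "action": "Block", "rbacGroupNames": ["Pilot"]},
    {"id": "2", "indicatorType": "Url", "indicatorValue": " http://example-phish.test/login ",
     "action": "Block", "rbacGroupNames": ["Pilot"]},          # exact duplicate of 1
    {"id": "3", "indicatorType": "FileSha256", "indicatorValue": "a" * 64,
     "action": "Block", "rbacGroupNames": []},
    {"id": "4", "indicatorType": "FileSha256", "indicatorValue": "A" * 64,
     "action": "Allowed", "rbacGroupNames": []},                # conflicts with 3
    {"id": "5", "indicatorType": "FileSha256", "indicatorValue": "a" * 64,
     "action": "Block", "rbacGroupNames": ["Pilot"]},          # other device group: distinct policy
    {"id": "6", "indicatorType": "IpAddress", "indicatorValue": "198.51.100.7",
     "action": "Warn", "rbacGroupNames": []},
]


def family(indicator_type):
    """Map an indicator type to the conflict handling family it follows."""
    if indicator_type in FILE_CERT_TYPES:
        return "file_cert"
    if indicator_type in NETWORK_TYPES:
        return "network"
    raise ValueError(f"unknown indicator type {indicator_type!r}")


def scope_key(ind):
    """Identity of a policy's scope.  Hashes, domains and IPs are case-insensitive;
    an empty rbacGroupNames list means the whole tenant."""
    value = ind["indicatorValue"].strip()
    if ind["indicatorType"] != "Url":
        value = value.lower()
    return (ind["indicatorType"], value, tuple(sorted(ind.get("rbacGroupNames") or [])))


def analyze(indicators):
    """Return (duplicates, conflicts).

    duplicates: same scope and same action; only one copy is enforced, the rest
                just consume quota and can be deleted.
    conflicts:  same scope, different actions; the winner is picked from
                PRECEDENCE and the losers are silently not enforced."""
    groups = defaultdict(list)
    for ind in indicators:
        groups[scope_key(ind)].append(ind)

    duplicates, conflicts = [], []
    for key, members in groups.items():
        if len(members) < 2:
            continue
        if len({m["action"] for m in members}) == 1:
            keep, *redundant = sorted(members, key=lambda m: m["id"])
            duplicates.append({"scope": key, "keep": keep["id"],
                               "redundant": [m["id"] for m in redundant]})
        else:
            order = PRECEDENCE[family(key[0])]
            rank = lambda m: order.index(m["action"]) if m["action"] in order else len(order)
            winner = min(members, key=rank)
            conflicts.append({"scope": key, "winner": winner["id"], "winning_action": winner["action"],
                              "losers": [m["id"] for m in members if m is not winner]})
    return duplicates, conflicts


if __name__ == "__main__":
    dups, confs = analyze(SAMPLE_INDICATORS)
    for d in dups:
        print("duplicate:", d["scope"][:2], "keep", d["keep"], "delete", d["redundant"])
    for c in confs:
        print("conflict:", c["scope"][:2], "enforced", c["winning_action"], "by", c["winner"], "ignored", c["losers"])
```

Run it over the JSON from the indicators list endpoint and delete the ids in `redundant` and, after confirming the intended action, the losing side of each conflict; both free quota without changing what is actually enforced.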