Custom IOCs in Defender ATP

Working with custom IOC can be done via the UI or script (Powershell or Python).

This post will describe the UI way for creating a custom IOC

Go to settings and in the Rules section click on Allowed/Blocked List

You can create an IOC based on File hash, IP address and URLs/Domains

When creating a new IOC you have the options to Import (more on that later) and a wizard.

We click on the Add indicator text and start by filling in the template.

To get the filehash you can just use powershell “get-filehash” or if you have that information from another system or a list from somewhere.

You can set the Custom date for IOC expiration if you want.

You can at this point look at the impact for this IOC by clicking on the Show statistics which will get the data for that specific ile hash from the last 30 days

From this view you could take action and stop the file if needed depending on the situation.

Click next and add details for response action, alert details etc


Scope the machines to different machine groups

Click save in the summary.

Import IOC

The CSV template is comma separated

IndicatorType,IndicatorValue,ExpirationTime,Action,Severity,Title,Category,Description,RecommendedActions

New alert

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.