Defender for Endpoint File Hash IOC Block

This guide will show an administrator how to ban potentially malicious files detected on a MDE enrolled device.

Role Requirements

Procedure Scope: Administrators

Required Group Membership: Admin.Security

Handbook Reference

Package: Device Security

Domain: Endpoint Indicator Management

Modifies: Unsanctioned File Hashes

Defender for Endpoint File Hash IOC Block

1.  Navigate to the File Hash – Microsoft Defender portal, locate and select the Add Item action.
   
2. A pop-up will be generated supply the desired File Hash in the provided input box. You will also need to provide basic information associated with the entry such a Title and Description, with the intent of giving future context if the rule is to be reviewed later. From this page you will either keep the default block time frame of Never or specify a Custom time frame. Select Next to continue.
   
3. For the response action, select either Block Execution or Block and Remediate; the difference being remediate will work to take automated response against the file if found, such as removing the file depending on how the Microsoft automated response goes. Select Next to continue.
   
4. If an alert should be generated when executed, check Generate Alert and fill in the desired Severity, Category, and the Recommended actions for handling alerts tied to this indicator. Select Next to continue.
   
5. The default for the organizational scope is set to all MDE joined devices, select Next to continue.
   
6. The summary page will allow you to see all configured settings for the indicator, if you detect a discrepancy at this stage make note of the section and select Back to go to the previous sections to make the necessary alterations before finalization. If everything checks out, select Submit to publish the indicator.