Create indicators in Microsoft Defender for Endpoint from the observables associated with a security incident.

Before you begin

Role required: sn_si.admin, sn_si.analyst

About this task

The Microsoft Defender for Endpoint integration supports observable enrichment for every observable type that is mapped in the Observable-Indicator mapping module. Only mapped types can be turned into Defender indicators.

Creating indicators lets you push a list of indicators to Microsoft Defender for Endpoint for detection, blocking, and response. You can create these indicators directly from the observables associated with a security incident, instead of re-entering each value in the Defender portal.

Procedure

  1. Navigate to Security Incidents > Show All Incidents.
  2. Select the security incident that contains the observables for which you want to create indicators in Microsoft Defender for Endpoint.
  3. Open the Associated Observables related list.
  4. Add any existing observables or create new observables.
  5. Select the observables for which you want indicators.
  6. From Actions on selected rows, click Create Indicator in Microsoft Defender.
    Alternatively, in the Associated Observables view, select Create Indicators in Microsoft Defender for Endpoint from the Actions list.
  7. On the form, fill in the fields.
    Selected Observables: The observables for which indicators are created. One action can create indicators for multiple observables at once. To exclude an observable, deselect it in this list.
    Note: Indicators are created only for observables whose type is mapped in the Observable-Indicator mapping module. Unmapped observables are silently skipped, so check the Microsoft Defender Indicator tab afterwards to confirm that every expected indicator exists.
    Title: Title for the indicator.
    Description: Description for the indicator.
    Expiration Time: Date and time after which Microsoft Defender for Endpoint stops enforcing the indicator.
    Recommended Actions: Recommended actions that analysts must take when the indicator is discovered.
    Source: Integration configuration used to create the indicator.
    Action: Action that Microsoft Defender for Endpoint performs when the indicator is observed in the organization. The possible values are as follows:
    • Warn
    • Block
    • Audit
    • BlockAndRemediate
    • Allowed
    Note: Allowed exempts the observable from other Defender detections, so use it only for confirmed false positives.
    Application: The Microsoft Defender for Endpoint application associated with the indicator. This field applies only when creating a new indicator; it cannot be changed on an existing indicator.
    Severity: Severity of the indicator. The possible values are as follows:
    • Low
    • Medium
    • High
    RBAC Group Names: Comma-separated list of RBAC (device) group names to which the indicator applies. Leave the field empty to apply the indicator to all device groups.
  8. Click Create Indicator.
  9. Check the activity record and the UI messages to confirm that the indicators were created and note any observables that were skipped.
  10. Click the Microsoft Defender Indicator tab to view the created indicators.
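The form above maps one-to-one onto the request body that Microsoft Defender for Endpoint's Indicators API (POST https://api.securitycenter.microsoft.com/api/indicators) accepts. The following Python script is an added example, not code from ServiceNow or from the integration itself: it builds one Defender indicator payload per selected observable, skips observable types that have no mapping (the behaviour the Note in step 7 describes), validates the Action and Severity values listed on this page, and splits the comma-separated RBAC group names into the array the API expects. The observable type names, the mapping table, and the sample observables are assumptions constructed for the example; adjust them to match your Observable-Indicator mapping module.

```python
"""Build Microsoft Defender for Endpoint indicator payloads from security-incident observables.

Added example; assumes the observable type names below match the
Observable-Indicator mapping module of your instance.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumed mapping: ServiceNow observable type -> Defender indicatorType.
# Any observable whose type is not listed here is skipped, not submitted.
OBSERVABLE_TO_INDICATOR_TYPE = {
    "IP address (V4)": "IpAddress",
    "Domain name": "DomainName",
    "URL": "Url",
    "MD5 hash": "FileMd5",
    "SHA1 hash": "FileSha1",
    "SHA256 hash": "FileSha256",
}

# Values offered on the Create Indicator form described on this page.
VALID_ACTIONS = {"Warn", "Block", "Audit", "BlockAndRemediate", "Allowed"}
VALID_SEVERITIES = {"Low", "Medium", "High"}

DEFENDER_INDICATORS_URL = "https://api.securitycenter.microsoft.com/api/indicators"

# Constructed sample observables, as they might appear on a security incident.
SAMPLE_OBSERVABLES = [
    {"type": "IP address (V4)", "value": "198.51.100.7"},
    {"type": "SHA256 hash", "value": "a" * 64},
    {"type": "Email address", "value": "attacker@example.invalid"},  # unmapped: skipped
]


def build_indicator_payloads(observables, title, description, action, severity,
                             expires_in_days=30, recommended_actions="",
                             rbac_group_names="", application=None):
    """Return (payloads, skipped): one Defender API body per mapped observable.

    rbac_group_names is the comma-separated string from the form; the API
    wants an array, so it is split here. An empty string means all groups.
    """
    if action not in VALID_ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    if severity not in VALID_SEVERITIES:
        raise ValueError(f"unsupported severity {severity!r}")

    # Defender expects ISO 8601 UTC; indicators stop being enforced after this time.
    expiration = (datetime.now(timezone.utc) + timedelta(days=expires_in_days))
    expiration_str = expiration.strftime("%Y-%m-%dT%H:%M:%SZ")
    groups = [g.strip() for g in rbac_group_names.split(",") if g.strip()]

    payloads, skipped = [], []
    for obs in observables:
        indicator_type = OBSERVABLE_TO_INDICATOR_TYPE.get(obs["type"])
        if indicator_type is None:
            skipped.append(obs)
            continue
        payload = {
            "indicatorValue": obs["value"],
            "indicatorType": indicator_type,
            "action": action,
            "severity": severity,
            "title": title,
            "description": description,
            "expirationTime": expiration_str,
            "recommendedActions": recommended_actions,
        }
        if groups:
            payload["rbacGroupNames"] = groups
        if application:  # only valid when creating, never when updating
            payload["application"] = application
        payloads.append(payload)
    return payloads, skipped


def submit_indicator(payload, bearer_token):
    """POST one payload to the Defender Indicators API (needs Ti.ReadWrite).

    Not called by the example run below so that the script works offline.
    """
    req = urllib.request.Request(
        DEFENDER_INDICATORS_URL,
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    created, dropped = build_indicator_payloads(
        SAMPLE_OBSERVABLES, title="SIR0010042 C2 infrastructure",
        description="Observables from incident SIR0010042", action="Block",
        severity="High", rbac_group_names="Servers, Workstations")
    print(json.dumps(created, indent=2))
    for obs in dropped:
        print(f"skipped unmapped observable type {obs['type']!r}")
```

Run the script as-is to see the two payloads that would be submitted and the skipped e-mail observable; wire `submit_indicator` to a token from your app registration only once the payloads look right, since an `Allowed` indicator pushed by mistake suppresses detections.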