Can I check whether an IoC/hash is already monitored by MDE?


The list of IoCs is limited to 15k. I imagine some IoC entries from our "custom list" are already monitored by Microsoft/MDE. So, is there a way to check whether there is a detection rule for a specific IoC (hash)? This would save us some thousand entries and improve our monitoring coverage.

 

*Better to join forces than reinvent the wheel.

2 Replies
Good question. Let me follow up on this for you. Will reply soon.

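@jjsantanna you can use this API to check the determination on a file hash: File resource type | Microsoft Docs (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/files?view=o365-worldwide).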

 

Hopefully this helps! :) 
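The check described in the reply above, as an added Python example that is not part of the thread or Microsoft's own code: it looks up each hash of a custom list through the File API and separates the hashes that already carry a `Malware` determination from those worth keeping as custom indicators. It assumes the `https://api.securitycenter.microsoft.com/api/files/{id}` endpoint with the `determinationType` and `determinationValue` fields of the File resource and a bearer token obtained separately; `fetch_file` and `triage` are hypothetical names, and the sample hashes and records are constructed.

```python
import json
import urllib.error
import urllib.request

API = "https://api.securitycenter.microsoft.com/api/files/"  # assumed API base URL
HEX = set("0123456789abcdef")

def fetch_file(file_hash, token):
    """GET the File resource for a hash; return None when MDE has no record (404)."""
    req = urllib.request.Request(API + file_hash,
                                 headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise  # auth or throttling errors must not be read as "not covered"

def triage(hashes, lookup):
    """Return (covered, keep): hashes with a Malware determination, and the rest."""
    covered, keep = {}, []
    for raw in hashes:
        h = raw.strip().lower()
        # The File API id is documented as a SHA-1 or SHA-256; keep anything else.
        if len(h) not in (40, 64) or not set(h) <= HEX:
            keep.append(h)
            continue
        record = lookup(h)
        if record and record.get("determinationType") == "Malware":
            covered[h] = record.get("determinationValue")
        else:
            keep.append(h)  # unknown, clean, or no record: still needs a custom IoC
    return covered, keep

# Constructed sample data standing in for API responses, so the example runs offline.
SAMPLE_RECORDS = {
    "a" * 40: {"determinationType": "Malware", "determinationValue": "Constructed:Sample/Name"},
    "b" * 64: {"determinationType": "Unknown", "determinationValue": None},
}
SAMPLE_HASHES = ["A" * 40, "b" * 64, "c" * 40, "d" * 32]  # last one is MD5 length

if __name__ == "__main__":
    # Live use: triage(hashes, lambda h: fetch_file(h, token))
    covered, keep = triage(SAMPLE_HASHES, SAMPLE_RECORDS.get)
    print("already determined as malware:", covered)
    print("keep as custom indicators:", keep)
```

A `Malware` determination is the signal assumed here for "already monitored"; whether that is sufficient to drop an entry from the custom list is a decision for the list's owner.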
