Commit 7e56614

Merge pull request #5434 from KesemSharabi/update-indicators-overview
Update indicators overview
2 parents 7684857 + d54bf54 commit 7e56614

1 file changed

+7
-7
lines changed

defender-endpoint/indicators-overview.md

Lines changed: 7 additions & 7 deletions
@@ -50,11 +50,11 @@ A false positive (FP) refers to a false positive in Microsoft's threat intellige
5050

5151
You can use IP and URL/Domain indicators to manage site access.
5252

53-
To block connections to an IP address, type the IPv4 address in dotted-quad form (e.g. `8.8.8.8`). For IPv6 addresses, specify all 8 segments (e.g. `2001:4860:4860:0:0:0:0:8888`). Note that wildcards and ranges are not supported.
53+
To block connections to an IP address, type the IPv4 address in dotted-quad form (for example, `8.8.8.8`). For IPv6 addresses, specify all eight segments (for example, `2001:4860:4860:0:0:0:0:8888`). Note that wildcards and ranges aren't supported.
5454

55-
To block connections to a domain and any of its subdomains, specify the domain (e.g. `example.com`). This indicator will match `example.com` as well as `sub.example.com` and `anything.sub.example.com`.
55+
To block connections to a domain and any of its subdomains, specify the domain (for example, `example.com`). This indicator matches `example.com` as well as `sub.example.com` and `anything.sub.example.com`.
5656

57-
To block a specific URL path, specify the URL path (e.g. `https://example.com/block`). This indicator will match resources under the `/block` path on `example.com`. Note that HTTPS URL paths will only be matched in Microsoft Edge; HTTP URL paths can be matched in any browser.
57+
To block a specific URL path, specify the URL path (for example, `https://example.com/block`). This indicator matches resources under the `/block` path on `example.com`. Note that HTTPS URL paths will only be matched in Microsoft Edge; HTTP URL paths can be matched in any browser.
5858

5959
You can also create IP and URL indicators to unblock users from a SmartScreen block or selectively bypass web content filtering blocks of sites that you'd like to allow to load. For example, consider a case where you have web content filtering set to block all social media websites. However, the marketing team has a requirement to use a specific social media site to monitor their ad placements. In this case, you can unblock the specific social media site by creating a domain Allow indicator and assigning it to the marketing team's device group.
6060

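Review bot: New line 57 still reads "HTTPS URL paths will only be matched in Microsoft Edge" although the sentence before it on the same line was moved to present tense ("This indicator matches"), so the tense cleanup is incomplete there; suggest "HTTPS URL paths are matched only in Microsoft Edge". This is also the sentence that tells an admin a URL-path block on an HTTPS URL does not apply in other browsers, so consider moving it out of a trailing "Note that" clause into its own callout, the same way the limits further down the file sit in a `[!NOTE]` block.
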
@@ -143,17 +143,17 @@ The functionality of preexisting IoCs doesn't change. However, the indicators ar
143143
The IoC API schema and the threat IDs in Advanced Hunting are updated to align with the renaming of the IoC response actions. The API scheme changes apply to all IoC Types.
144144

145145
> [!NOTE]
146-
> There is a limit of 15,000 indicators per tenant. Increases to this limit are not supported.
146+
> There's a limit of 15,000 indicators per tenant. Increases to this limit aren't supported.
147147
>
148-
> File and certificate indicators do not block [exclusions defined for Microsoft Defender Antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). Indicators are not supported in Microsoft Defender Antivirus when it is in passive mode.
148+
> File and certificate indicators don't block [exclusions defined for Microsoft Defender Antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). Indicators aren't supported in Microsoft Defender Antivirus when it is in passive mode.
149149
>
150150
> The format for importing new indicators (IoCs) has changed according to the new updated actions and alerts settings. We recommend downloading the new CSV format that can be found at the bottom of the import panel.
151151
>
152-
> If indicators are synced to the Microsoft Defender portal from Microsoft Defender for Cloud Apps for sanctioned or unsanctioned applications, the `Generate Alert` option is enabled by default in the Microsoft Defender portal. If you try to clear the `Generate Alert` option for Defender for Endpoint, it is re-enabled after some time because the Defender for Cloud Apps policy overrides it.
152+
If indicators are synced to the Defender portal from Microsoft Defender for Cloud Apps for sanctioned or unsanctioned applications, the settings are overwritten when synced to Microsoft Defender portal. The `Generate Alert` option is enabled by default in the Microsoft Defender portal for unsanctioned applications. If you try to clear the `Generate Alert` option for Defender for Endpoint, it's re-enabled after some time because the Defender for Cloud Apps policy overrides it. Sanctioned or allowed applications the value is set to not `Generate Alert` .
153153

154154
## Known issues and limitations
155155

156-
Microsoft Store apps cannot be blocked by Microsoft Defender because they're signed by Microsoft.
156+
Microsoft Store apps can't be blocked by Microsoft Defender because they're signed by Microsoft.
157157

158158
Customers might experience issues with alerts for IoCs. The following scenarios are situations where alerts aren't created or are created with inaccurate information.
159159

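Review bot: New line 152 drops the leading `> ` that old line 152 and the surrounding lines 145 to 151 carry, so this paragraph falls out of the `[!NOTE]` block and renders as ordinary body text; restore the prefix. The closing sentence, "Sanctioned or allowed applications the value is set to not `Generate Alert` .", is not grammatical and has a stray space before the period; something like "For sanctioned or allowed applications, `Generate Alert` is not set" would read correctly if that is the intended meaning. The same line uses both "the Defender portal" and "Microsoft Defender portal" (the second without "the"), and "the settings are overwritten when synced" does not say which settings are overwritten; naming them would help, since readers use this note to understand why their alert setting reverts.
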