Create indicators from the associated observables of a security incident using the Microsoft Defender for Endpoint integration.

Before you begin

Role required: sn_si.admin, sn_si.analyst

About this task

The Microsoft Defender for Endpoint integration allows observable enrichment for all the observable types that are mapped in the Observable-Indicator mapping module.

Creating indicators lets you define a list of indicators for detection, and for blocking, prevention, and response. You can create the indicators from the associated observables of the security incident.

Procedure

  1. Navigate to Security Incidents > Show All Incidents.
  2. Select the security incident that contains the observables for which you want to create indicators in Microsoft Defender for Endpoint.
  3. Click the Associated Observables related list.
  4. Add any existing observables or create new observables.
  5. Select the observables.
  6. From the Actions on selected rows list, select Create Indicator in Microsoft Defender.
    Associated Deliverables view: select Create Indicators in Microsoft Defender for Endpoint from the Actions list.
  7. On the form, fill in the fields.
  8. Click Create Indicator.
  9. Verify the activity and UI messages.
  10. Click the Microsoft Defender Indicator tab to view the results.
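The procedure above relies on the Observable-Indicator mapping module to turn each selected observable into an indicator and on the form fields (action, severity, expiration) to describe what Defender should do with it. The following added example, which is not ServiceNow's or Microsoft's code, shows what that mapping and validation look like when done programmatically: it maps observable types to the indicatorType values accepted by the Defender for Endpoint Indicators API, rejects malformed values before they could be submitted, and builds one request body per observable. The observable type names on the left side of OBSERVABLE_TO_INDICATOR, the incident number and the sample observables are constructed for the example; the indicatorType, action and severity values are the ones the Indicators API accepts.

```python
"""Build Microsoft Defender for Endpoint indicator payloads from security-incident observables.

Added illustration, not part of the ServiceNow integration. The observable type names
in OBSERVABLE_TO_INDICATOR are assumed stand-ins for the Observable-Indicator mapping
module; the indicatorType, action and severity values are those of the Indicators API.
"""
import ipaddress
import json
import re
from datetime import datetime, timedelta, timezone

# Assumed observable type names -> Defender for Endpoint indicatorType values.
OBSERVABLE_TO_INDICATOR = {
    "ip_address": "IpAddress",
    "domain": "DomainName",
    "url": "Url",
    "md5": "FileMd5",
    "sha1": "FileSha1",
    "sha256": "FileSha256",
}

# Response actions and severities the Indicators API accepts.
VALID_ACTIONS = {"Warn", "Block", "Audit", "Alert", "AlertAndBlock", "BlockAndRemediate", "Allowed"}
VALID_SEVERITIES = {"Informational", "Low", "Medium", "High"}

HASH_LENGTHS = {"FileMd5": 32, "FileSha1": 40, "FileSha256": 64}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def validate_value(indicator_type, value):
    """Reject malformed values before they reach Defender; returns the normalised value."""
    value = value.strip()
    if indicator_type in HASH_LENGTHS:
        value = value.lower()
        if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LENGTHS[indicator_type], value):
            raise ValueError(f"{indicator_type} must be {HASH_LENGTHS[indicator_type]} hex characters")
    elif indicator_type == "IpAddress":
        ipaddress.ip_address(value)  # raises ValueError for anything that is not an IP
    elif indicator_type == "DomainName":
        value = value.lower().rstrip(".")
        if not DOMAIN_RE.match(value):
            raise ValueError("not a valid domain name")
    elif indicator_type == "Url":
        if not value.startswith(("http://", "https://")):
            raise ValueError("URL indicators must include the scheme")
    return value


def build_indicator(observable_type, value, action="Alert", severity="Medium",
                    title="Security incident observable", description="",
                    incident_number=None, expires_in_days=30, now=None):
    """Map one observable to an Indicators API request body (the form fields of step 7)."""
    try:
        indicator_type = OBSERVABLE_TO_INDICATOR[observable_type]
    except KeyError:
        raise ValueError(f"observable type {observable_type!r} is not mapped to an indicator type")
    if action not in VALID_ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    if severity not in VALID_SEVERITIES:
        raise ValueError(f"unsupported severity {severity!r}")
    now = now or datetime.now(timezone.utc)
    expiration = (now + timedelta(days=expires_in_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "indicatorValue": validate_value(indicator_type, value),
        "indicatorType": indicator_type,
        "action": action,
        "title": title,
        "description": description or f"Created from security incident {incident_number or 'N/A'}",
        "severity": severity,
        "expirationTime": expiration,
    }


def build_indicators(observables, **kwargs):
    """Build payloads for the selected observables; collect per-row errors instead of aborting."""
    payloads, errors = [], []
    for obs in observables:
        try:
            payloads.append(build_indicator(obs["type"], obs["value"], **kwargs))
        except ValueError as exc:
            errors.append((obs["value"], str(exc)))
    return payloads, errors


if __name__ == "__main__":
    # Constructed sample observables attached to a (constructed) security incident.
    sample = [
        {"type": "sha256", "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
        {"type": "ip_address", "value": "203.0.113.10"},
        {"type": "domain", "value": "Bad.Example.COM."},
        {"type": "sha256", "value": "not-a-hash"},      # rejected: malformed hash
        {"type": "email", "value": "user@example.com"},  # rejected: no indicator mapping
    ]
    ok, bad = build_indicators(sample, action="Alert", incident_number="SIR0010001")
    print(json.dumps(ok, indent=2))
    for value, reason in bad:
        print(f"skipped {value}: {reason}")
```

Each payload in the returned list is the body of one `POST` to the Indicators API endpoint; the example stops before sending so that it runs offline. Keeping the validation separate from the mapping means a typo in an observable value surfaces as a skipped row with a reason, rather than as an indicator in Defender that never matches anything or, worse, blocks the wrong thing.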