From cf573b9d90378dbd6fbd3dd19c6c30c9b165f5e6 Mon Sep 17 00:00:00 2001 From: manojechandran <109319282+manojechandran@users.noreply.github.com> Date: Thu, 5 Dec 2024 16:36:39 -0800 Subject: [PATCH 1/3] Update indicator-ip-domain.md AV Requirement Active require only for Third Party browser. --- defender-endpoint/indicator-ip-domain.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/indicator-ip-domain.md b/defender-endpoint/indicator-ip-domain.md index ce0f736dad..94a77cf6b8 100644 --- a/defender-endpoint/indicator-ip-domain.md +++ b/defender-endpoint/indicator-ip-domain.md @@ -65,7 +65,7 @@ It's important to understand the following prerequisites prior to creating indic ### Microsoft Defender Antivirus version requirements -This feature is available if your organization uses [Microsoft Defender Antivirus](/defender-endpoint/microsoft-defender-antivirus-windows) (in active mode) +This feature is available if your organization uses [Microsoft Defender Antivirus](/defender-endpoint/microsoft-defender-antivirus-windows) (in in active mode for third-party browsers, while first-party browsers like Edge work regardless of active or passive mode.) [Behavior Monitoring](/defender-endpoint/behavior-monitor) is enabled From ad2ab926a3a6b67e33ffd27072165e68c42e187a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 10 Dec 2024 09:28:02 -0800 Subject: [PATCH 2/3] Update indicator-ip-domain.md --- defender-endpoint/indicator-ip-domain.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defender-endpoint/indicator-ip-domain.md b/defender-endpoint/indicator-ip-domain.md index 94a77cf6b8..8392258ef8 100644 --- a/defender-endpoint/indicator-ip-domain.md +++ b/defender-endpoint/indicator-ip-domain.md @@ -15,7 +15,7 @@ ms.collection: ms.topic: conceptual ms.subservice: search.appverid: met150 -ms.date: 10/23/2024 +ms.date: 12/10/2024 --- # Create indicators for IPs and URLs/domains 
@@ -37,7 +37,7 @@ By creating indicators for IPs and URLs or domains, you can now allow or block I To block malicious IPs/URLs (as determined by Microsoft), Defender for Endpoint can use: - Windows Defender SmartScreen for Microsoft browsers -- Network Protection for non-Microsoft browsers, or calls made outside of a browser +- Network protection for non-Microsoft browsers, or calls made outside of a browser The threat-intelligence data set to block malicious IPs/URLs is managed by Microsoft. @@ -65,7 +65,7 @@ It's important to understand the following prerequisites prior to creating indic ### Microsoft Defender Antivirus version requirements -This feature is available if your organization uses [Microsoft Defender Antivirus](/defender-endpoint/microsoft-defender-antivirus-windows) (in in active mode for third-party browsers, while first-party browsers like Edge work regardless of active or passive mode.) +This feature is available if your organization uses [Microsoft Defender Antivirus](/defender-endpoint/microsoft-defender-antivirus-windows). Microsoft Defender Antivirus must be in active mode for non-Microsoft browsers. With Microsoft browsers, like Edge, this feature works whether Microsoft Defender Antivirus is in active or passive mode). [Behavior Monitoring](/defender-endpoint/behavior-monitor) is enabled From f03f5a33fe805ad7b4aa72576f23faf916352a71 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 10 Dec 2024 09:30:12 -0800 Subject: [PATCH 3/3] Update indicator-ip-domain.md --- defender-endpoint/indicator-ip-domain.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/defender-endpoint/indicator-ip-domain.md b/defender-endpoint/indicator-ip-domain.md index 8392258ef8..06481bcd9f 100644 --- a/defender-endpoint/indicator-ip-domain.md +++ b/defender-endpoint/indicator-ip-domain.md 
@@ -65,15 +65,15 @@ It's important to understand the following prerequisites prior to creating indic ### Microsoft Defender Antivirus version requirements -This feature is available if your organization uses [Microsoft Defender Antivirus](/defender-endpoint/microsoft-defender-antivirus-windows). Microsoft Defender Antivirus must be in active mode for non-Microsoft browsers. With Microsoft browsers, like Edge, this feature works whether Microsoft Defender Antivirus is in active or passive mode). +- Your organization uses [Microsoft Defender Antivirus](/defender-endpoint/microsoft-defender-antivirus-windows). Microsoft Defender Antivirus must be in active mode for non-Microsoft browsers. With Microsoft browsers, like Edge, Microsoft Defender Antivirus can be in active or passive mode. -[Behavior Monitoring](/defender-endpoint/behavior-monitor) is enabled +- [Behavior Monitoring](/defender-endpoint/behavior-monitor) is enabled. -[Cloud-based protection](/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus) is turned on. +- [Cloud-based protection](/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus) is turned on. -[Cloud Protection network connectivity](/defender-endpoint/configure-network-connections-microsoft-defender-antivirus) is functional +- [Cloud Protection network connectivity](/defender-endpoint/configure-network-connections-microsoft-defender-antivirus) is turned on. -The antimalware client version must be `4.18.1906.x` or later. See [Monthly platform and engine versions](/defender-endpoint/microsoft-defender-antivirus-updates). +- The antimalware client version must be `4.18.1906.x` or later. See [Monthly platform and engine versions](/defender-endpoint/microsoft-defender-antivirus-updates). ### Network Protection requirements 
@@ -142,7 +142,9 @@ Policy conflict handling for domains/URLs/IP addresses differ from policy confli In the case where multiple different action types are set on the same indicator (for example, **block**, **warn**, and **allow**, action types set for Microsoft.com), the order those action types would take effect is: 1. Allow + 2. Warn + 3. Block "Allow" overrides "warn," which overrides "block", as follows: `Allow` > `Warn` > `Block`. Therefore, in the previous example, `Microsoft.com` would be allowed. @@ -175,6 +177,7 @@ The result is that categories 1-4 are all blocked. This is illustrated in the fo 3. Select **Add item**. 4. Specify the following details: + - Indicator - Specify the entity details and define the expiration of the indicator. - Action - Specify the action to be taken and provide a description. - Scope - Define the scope of the machine group.
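Review bot: The replacement line in the patch 1 hunk (indicator-ip-domain.md, @@ -65,7) contains a doubled word, "(in in active mode for third-party browsers ...", and closes the parenthesis after the sentence's period, so the rendered text ends in "passive mode.)". Suggest dropping the parenthetical and stating the condition as plain sentences, e.g. "Microsoft Defender Antivirus must be in active mode for non-Microsoft browsers. With Microsoft browsers, such as Edge, it can be in active or passive mode." Patches 2 and 3 rewrite this same line, so the series would be cleaner squashed into one commit.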
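Review bot: Lowercasing "Network protection" in the bullet list (patch 2, @@ -37,7) leaves it inconsistent with the unchanged heading "### Network Protection requirements" that appears as context in patch 3; pick one casing for the product feature and apply it to both places in the same change.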
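Review bot: The new sentence in the patch 2 @@ -65,7 hunk ends with an unbalanced closing parenthesis: "... whether Microsoft Defender Antivirus is in active or passive mode)." Remove the trailing ")" (patch 3 already replaces this line with a version that has no parenthesis, which is another reason to squash the series).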
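Review bot: Rewording "Cloud Protection network connectivity ... is functional" to "... is turned on" (patch 3, @@ -65,15) changes the meaning of the prerequisite: connectivity to the cloud protection service is a condition to verify, not a setting to switch on, so the original "is functional" (or "is working") is the more accurate bullet text. The conversion to a bulleted list is otherwise an improvement, but the list now sits under "### Microsoft Defender Antivirus version requirements" while only the last bullet is a version requirement; consider renaming the heading to "Microsoft Defender Antivirus requirements".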
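Review bot: The blank lines added between "1. Allow", "2. Warn" and "3. Block" (patch 3, @@ -142,7) are fine for rendering, but the context line this hunk touches has a subject-verb mismatch that could be fixed in the same commit: "Policy conflict handling for domains/URLs/IP addresses differ from" should read "differs from".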