Get access to IOCs in threat analytics in Microsoft Defender (preview)

Applies to:

  • Microsoft Defender XDR

Important

Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.

Each threat analytics report includes an indicators section that lists all indicators of compromise (IOCs) associated with the threat. Microsoft researchers update these IOCs in real time as they find new evidence related to the threat. This information helps your security operations center (SOC) and threat intelligence analysts with remediation and proactive hunting. The list also retains expired IOCs, so you can investigate past threats and understand their impact in your environment.

Because IOCs are valuable information in the context of prevalent threats and threat campaigns, only verified Microsoft Defender customers can access them. This article explains how you can check if you have access to the indicators section and how you unlock it if you don't.

View IOCs in threat analytics

To access the indicators section, go to the Threat analytics page, open the report about the tracked threat, and select the Indicators tab.

If you're a verified customer, you can immediately see the list of IOCs displayed in this section.

Screenshot of the Indicators tab in a threat analytics report.

Otherwise, the page informs you that access to indicators is restricted.

Screenshot of a restricted Indicators tab in a threat analytics report.

Unlock access to indicators

To unlock the indicators section, follow these steps:

  1. On the Indicators page, select Complete Verification.
  2. On the verification page that opens, provide the required information and supporting documents, if applicable.
  3. Select Submit verification request.

The verification process might take at least an hour. After the process completes, refresh the Indicators tab. If your tenant is validated successfully, you see the list of IOCs displayed in this section.

Note

In some cases, we might require additional information during the verification process. We communicate these requirements through email.

If you still don't have access to the Indicators section after going through the verification process, contact the email address displayed on the page.

Screenshot of a restricted Indicators tab in a threat analytics report showing the email address to contact.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.