This guide shows an administrator how to block a specific application by the certificate it is associated with (the certificate used to sign it).
Role Requirements
Procedure Scope: Administrators
Required Group Membership: Admin.Security
Handbook Reference
Package: Device Security
Domain: Endpoint Indicator Management
Modifies: Unsanctioned Certificates
Defender for Endpoint Certificate IOC Block
- Navigate to the Certificates – Microsoft Defender portal, select Add Item.
- Click Choose File and upload the malicious certificate, then select Next.
- For the response action, select Block and Remediate. This blocks the certificate and also takes automated response action against the file if it is found, such as removing it, depending on the outcome of Microsoft's automated response. Enter a Title and Description for the block so that there is context if the rule is reviewed at a later date. Click Next.
- Review the IOC on the next page and click Save. Actions should take effect in less than 4 hours.
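As an added example (not part of this guide or Sittadel's own tooling), the same Block and Remediate certificate indicator built for the Defender for Endpoint Indicators API rather than the portal: it parses a PEM or DER certificate file, derives the thumbprint Defender expects (SHA-1 of the DER encoding), and assembles the request body. The sample PEM below is constructed and is not a real certificate, and obtaining the Azure AD access token is assumed to happen elsewhere.

```python
"""Build a Defender for Endpoint certificate indicator (Block and Remediate)
from a PEM/DER certificate file, as an API alternative to the portal steps."""
import base64
import hashlib
import json
import re
import urllib.request

INDICATORS_URL = "https://api.securitycenter.microsoft.com/api/indicators"
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_thumbprint(cert_bytes: bytes) -> str:
    """Return the certificate thumbprint as uppercase hex.

    Accepts PEM (base64 between BEGIN/END CERTIFICATE markers) or raw DER.
    The thumbprint Windows and Defender use is the SHA-1 of the DER encoding.
    """
    match = PEM_RE.search(cert_bytes)
    der = base64.b64decode(b"".join(match.group(1).split())) if match else cert_bytes
    return hashlib.sha1(der).hexdigest().upper()


def build_block_indicator(cert_bytes: bytes, title: str, description: str, expiration: str = "") -> dict:
    """Build the JSON body for POST /api/indicators, mirroring the portal choices above."""
    if not title or not description:
        raise ValueError("title and description are required so the rule has context on later review")
    body = {
        "indicatorValue": cert_thumbprint(cert_bytes),
        "indicatorType": "CertificateThumbprint",
        "action": "BlockAndRemediate",
        "title": title,
        "description": description,
        "severity": "High",
        "generateAlert": True,
    }
    if expiration:
        body["expirationTime"] = expiration  # ISO 8601; omit for a block with no expiry
    return body


def submit_indicator(body: dict, access_token: str) -> dict:
    """POST the indicator with an app token that holds the Ti.ReadWrite API permission."""
    req = urllib.request.Request(INDICATORS_URL, data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {access_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample: NOT a real certificate, just bytes wrapped in PEM armor for the demo.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(json.dumps(build_block_indicator(SAMPLE_PEM, "Block unsanctioned signer", "Cert used to sign unsanctioned app"), indent=2))
```

Run it against a real exported certificate to see the thumbprint Defender will display, then pass the body and a token to submit_indicator.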
Need Assistance?
Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.