Use this operation to add or remove Indicators of Compromise (IOCs) for Defender for Endpoint.
Role Requirements
Procedure Scope: Administrators
Required Group Membership: Admin.Security
Handbook Reference
Package: Device Security
Domain: Endpoint Indicator Management
Modifies: Allowed File Hashes, Allowed URLs/Domains, Allowed IP Addresses, Allowed Certificates, Blocked File Hashes, Blocked URLs/Domains, Blocked IP Addresses, Blocked Certificates
When to Perform this Operation
As Needed: Proactive or in Response to User/Security
Technical Description and Importance
Managing IOCs in Defender for Endpoint ensures that security teams can proactively allow or block specific threats based on intelligence. By adding allowed IOCs, organizations can ensure that trusted entities are not falsely flagged as threats, while blocking IOCs prevents known malicious entities from executing or communicating within the environment. Regularly updating IOCs based on threat intelligence supports proactive threat management and minimizes false positives. This operation is essential for aligning security enforcement with evolving organizational needs and emerging threats.
Management Options
- Allow a Certificate
- Allow a File Hash
- Allow an IP
- Allow a URL/Domain
- Block a Certificate
- Block a File Hash
- Block an IP
- Block a URL/Domain
Allow a Certificate:
Purpose
Adds a certificate to the allow list to prevent false positives.
Use Case
A legitimate software vendor's certificate is mistakenly flagged as malicious.
Allow a File Hash:
Purpose
Adds a file hash to the allow list, ensuring it is not blocked.
Use Case
A business-critical application file is misclassified as a threat.
Allow an IP:
Purpose
Adds an IP address to the allow list to permit network communication.
Use Case
A company's remote office IP is mistakenly blocked.
Allow a URL/Domain:
Purpose
Adds a URL or domain to the allow list to enable access.
Use Case
A partner organization's website is erroneously blocked.
Block a Certificate:
Purpose
Blocks a certificate to prevent execution of signed malware.
Use Case
A compromised certificate is being used for code signing attacks.
Block a File Hash:
Purpose
Blocks a file hash to prevent execution of malicious files.
Use Case
A known ransomware file hash must be proactively blocked.
Block an IP:
Purpose
Blocks an IP address to prevent network communication.
Use Case
A known command-and-control server must be blocked.
Block a URL/Domain:
Purpose
Blocks a URL or domain to prevent malicious web activity.
Use Case
A phishing website impersonating a trusted service needs to be blocked.
| Operation | Action | Target |
| --- | --- | --- |
| Allow a Certificate | Addition | Allowed Certificates |
| Allow a File Hash | Addition | Allowed File Hashes |
| Allow an IP | Addition | Allowed IP Addresses |
| Allow a URL/Domain | Addition | Allowed URLs/Domains |
| Block a Certificate | Addition | Blocked Certificates |
| Block a File Hash | Addition | Blocked File Hashes |
| Block an IP | Addition | Blocked IP Addresses |
| Block a URL/Domain | Addition | Blocked URLs/Domains |
Allow a Certificate
This operation adds a certificate to the allowed list, preventing it from being flagged as a threat.
1. Defender for Endpoint Certificate IOC Allowance
Allow a File Hash
This operation adds a file hash to the allow list, ensuring it is not blocked.
1. Defender for Endpoint File Hash IOC Allowance
Allow an IP
This operation adds an IP address to the allow list to enable network access.
1. Defender for Endpoint IP IOC Allowance
Allow a URL/Domain
This operation adds a URL or domain to the allow list, allowing traffic.
1. Defender for Endpoint URL/Domain IOC Allowance
Block a Certificate
This operation adds a certificate to the block list to prevent execution.
1. Defender for Endpoint Certificate IOC Block
Block a File Hash
This operation blocks a specific file hash from execution.
1. Defender for Endpoint File Hash IOC Block
Block an IP
This operation blocks an IP address from communicating within the network.
1. Defender for Endpoint IP IOC Block
Block a URL/Domain
This operation blocks a URL or domain from being accessed.
1. Defender for Endpoint URL/Domain IOC Block
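The eight operations above map onto a single Defender for Endpoint capability: a custom indicator with a type (certificate thumbprint, file hash, IP address, domain) and an action (Allowed or Block). The following script is an added example for this page, not Sittadel's or Microsoft's code. It translates each handbook operation into a request body for Microsoft's public Indicators API (POST and DELETE against https://api.securitycenter.microsoft.com/api/indicators), validates the indicator value before anything reaches the tenant, and optionally sets an expiration so an allow entry does not outlive the false positive it was created for. The bearer token, the `OPERATIONS` table, the validation helpers and all sample values are assumptions of this example; the API field names and enum values are those documented by Microsoft, so check the current API reference for your tenant before use.

```python
"""Build, validate and submit Defender for Endpoint custom indicators (IOCs).

Added example for the handbook page; not Sittadel or Microsoft code.
Field names (indicatorValue, indicatorType, action, title, description,
expirationTime) and enum values follow Microsoft's public Indicators API.
"""
import ipaddress
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional

API_BASE = "https://api.securitycenter.microsoft.com/api/indicators"

# Handbook operation -> (API indicatorType, API action). Assumed mapping:
# "URL/Domain" is sent as DomainName here; the API also accepts a Url type.
OPERATIONS = {
    "Allow a Certificate": ("CertificateThumbprint", "Allowed"),
    "Allow a File Hash":   ("FileSha256", "Allowed"),
    "Allow an IP":         ("IpAddress", "Allowed"),
    "Allow a URL/Domain":  ("DomainName", "Allowed"),
    "Block a Certificate": ("CertificateThumbprint", "Block"),
    "Block a File Hash":   ("FileSha256", "Block"),
    "Block an IP":         ("IpAddress", "Block"),
    "Block a URL/Domain":  ("DomainName", "Block"),
}

_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")
_THUMBPRINT = re.compile(r"^[0-9a-fA-F]{40}$")  # SHA-1 certificate thumbprint
_DOMAIN = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def validate_value(indicator_type: str, value: str) -> str:
    """Reject malformed indicator values and return a normalised form.

    A typo in a hash silently creates an indicator that never matches; a
    malformed IP or domain is rejected by the API anyway, so fail early.
    """
    if indicator_type == "FileSha256":
        if not _SHA256.match(value):
            raise ValueError("FileSha256 must be 64 hex characters")
        return value.lower()
    if indicator_type == "CertificateThumbprint":
        cleaned = value.replace(" ", "").replace(":", "")
        if not _THUMBPRINT.match(cleaned):
            raise ValueError("thumbprint must be 40 hex characters")
        return cleaned.lower()
    if indicator_type == "IpAddress":
        return str(ipaddress.ip_address(value))  # ValueError if not an IP
    if indicator_type == "DomainName":
        if not _DOMAIN.match(value):
            raise ValueError("not a valid domain name")
        return value.lower()
    raise ValueError(f"unsupported indicatorType {indicator_type}")


def build_indicator(operation: str, value: str, title: str, description: str,
                    expire_days: Optional[int] = None) -> dict:
    """Translate a handbook operation into an Indicators API request body."""
    indicator_type, action = OPERATIONS[operation]
    body = {
        "indicatorValue": validate_value(indicator_type, value),
        "indicatorType": indicator_type,
        "action": action,
        "title": title,
        "description": description,
    }
    if expire_days is not None:
        expires = datetime.now(timezone.utc) + timedelta(days=expire_days)
        body["expirationTime"] = expires.strftime("%Y-%m-%dT%H:%M:%SZ")
    return body


def _headers(token: str) -> dict:
    return {"Authorization": f"Bearer {token}",
            "Content-Type": "application/json"}


def submit_indicator(body: dict, token: str) -> dict:
    """POST a new indicator. The app token needs the Ti.ReadWrite permission."""
    req = urllib.request.Request(API_BASE, data=json.dumps(body).encode(),
                                 headers=_headers(token), method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def remove_indicator(indicator_id: str, token: str) -> None:
    """DELETE an indicator by id to take it off the allow or block list."""
    req = urllib.request.Request(f"{API_BASE}/{indicator_id}",
                                 headers=_headers(token), method="DELETE")
    with urllib.request.urlopen(req):
        pass


if __name__ == "__main__":
    # Constructed sample values; nothing is sent without a real token.
    sample = build_indicator("Allow a File Hash", "ab" * 32,
                             "Vendor updater false positive",
                             "Ticket placeholder; review before expiry",
                             expire_days=30)
    print(json.dumps(sample, indent=2))
```

The allow path deliberately takes an `expire_days` value: an allow indicator that never expires is an exception that nobody revisits, which is the opposite of the regular review the page calls for. Removal of an existing entry is the DELETE call, so the same script covers both the "add" and "remove" halves of this operation.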
Need Assistance?
Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.