Manage Defender for Endpoint IOCs

Use this operation to add Indicator of Compromise (IOC) blocks for files, certificates, IPs, and URLs/domains.

Role Requirements

Procedure Scope: Administrators

Required Group Membership: Admin.Security

Handbook Reference

Package: Device Security

Domain: TBD

Modifies: TBD


When to Perform this Operation

As Needed: Proactive or in Response to User/Security

Technical Description and Importance

Managing IOCs in Microsoft Defender for Endpoint enables precise control over potential threats by blocking specific files, certificates, IP addresses, and URLs/domains identified as malicious. This helps mitigate risks associated with known threats while maintaining system integrity and compliance with organizational security policies. By routinely updating and monitoring these blocks, businesses can reduce exposure to malicious activities and ensure that unauthorized access or data exfiltration attempts are minimized. Proactive IOC management empowers security teams to respond swiftly to emerging threats and maintain a robust defense posture.

Management Options


Block a Certificate:

Purpose: Add a certificate to the unsanctioned list to prevent its use.
Use Case: A certificate is identified as being used in phishing campaigns and must be blocked across endpoints.

Block a File:

Purpose: Add a file hash to the unsanctioned list to prevent execution.
Use Case: A malicious executable detected in the environment must be blocked to avoid further spread.

Block an IP:

Purpose: Add an IP address to the unsanctioned list to prevent communication.
Use Case: A command-and-control (C2) server IP is discovered and must be blocked to stop active threat activity.

Block a URL/Domain:

Purpose: Add a URL or domain to the unsanctioned list to prevent access.
Use Case: A malicious domain is identified in phishing attempts and must be blocked to avoid data exfiltration.


Operation            | Action   | Target
---------------------|----------|---------------------------
Block a Certificate  | Addition | Unsanctioned Certificates
Block a File Hash    | Addition | Unsanctioned File Hashes
Block an IP          | Addition | Unsanctioned IP Addresses
Block a URL/Domain   | Addition | Unsanctioned URLs/Domains

Block a Certificate

This operation adds a certificate to the unsanctioned list in Defender for Endpoint.

Defender for Endpoint Certificate IOC Block

Block a File

This operation adds a file hash to the unsanctioned list in Defender for Endpoint.

Defender for Endpoint File Hash IOC Block

Block an IP

This operation adds an IP address to the unsanctioned list in Defender for Endpoint.

Defender for Endpoint IP IOC Block

Block a URL/Domain

This operation adds a URL or domain to the unsanctioned list in Defender for Endpoint.

Defender for Endpoint URL/Domain IOC Block
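The following Python script is an added example covering the four Management Options and the Block a Certificate, Block a File, Block an IP and Block a URL/Domain operations above; it is not the handbook's or Sittadel's own tooling. It assumes the documented Defender for Endpoint Indicators API endpoint (POST https://api.securitycenter.microsoft.com/api/indicators) and its field names, a bearer token from an app registration holding the Ti.ReadWrite.All permission (token acquisition is not shown), and constructed sample IOC values. Its main value is the pre-flight validation: each block type accepts a specific value shape (a SHA-256 for files, a 40-character SHA-1 thumbprint for certificates, a single address for IPs, a bare hostname for domains), and a value in the wrong shape produces a block that never matches anything.

```python
"""Build, validate and optionally submit Defender for Endpoint indicator (IOC) blocks.

Added example for the handbook page, not Sittadel tooling. Uses the documented
Indicators API; the bearer token is assumed to carry Ti.ReadWrite.All. Every IOC
value in demo_blocks() is a constructed placeholder.
"""
import ipaddress
import json
import re
import urllib.request

API_URL = "https://api.securitycenter.microsoft.com/api/indicators"

# Handbook operation -> indicatorType value accepted by the API.
OPERATION_TYPES = {
    "certificate": "CertificateThumbprint",  # SHA-1 thumbprint of the signing certificate
    "file": "FileSha256",                    # FileSha1 / FileMd5 also exist; SHA-256 preferred
    "ip": "IpAddress",                       # one address per indicator, not a CIDR range
    "domain": "DomainName",
    "url": "Url",
}

_SHA256 = re.compile(r"^[0-9a-f]{64}$", re.I)
_THUMBPRINT = re.compile(r"^[0-9a-f]{40}$", re.I)
_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def validate_ioc(kind, value):
    """Return the normalised indicator value, or raise ValueError.

    Catches the mistakes that quietly turn a block into a no-op: a SHA-1 pasted
    where SHA-256 is expected, a thumbprint copied with spaces or colons, a CIDR
    range, or a full URL entered as a 'domain' block.
    """
    v = value.strip()
    if kind == "file":
        if not _SHA256.match(v):
            raise ValueError("file IOC must be a 64-hex-character SHA-256")
        return v.lower()
    if kind == "certificate":
        v = v.replace(" ", "").replace(":", "")
        if not _THUMBPRINT.match(v):
            raise ValueError("certificate IOC must be a 40-hex-character SHA-1 thumbprint")
        return v.upper()
    if kind == "ip":
        try:
            return str(ipaddress.ip_address(v))   # rejects CIDR, hostnames, garbage
        except ValueError:
            raise ValueError("ip IOC must be a single IPv4/IPv6 address") from None
    if kind == "domain":
        v = v.lower().rstrip(".")
        if "://" in v or "/" in v:
            raise ValueError("domain IOC must be a bare hostname; use kind='url' for a URL")
        if not _DOMAIN.match(v):
            raise ValueError("domain IOC is not a valid hostname")
        return v
    if kind == "url":
        if not re.match(r"^https?://\S+$", v):
            raise ValueError("url IOC must start with http:// or https://")
        return v
    raise ValueError(f"unknown IOC kind {kind!r}")


def is_valid_ioc(kind, value):
    """Boolean wrapper around validate_ioc for pre-flight checks."""
    try:
        validate_ioc(kind, value)
        return True
    except ValueError:
        return False


def build_indicator(kind, value, title, description, severity="High",
                    action="Block", expiration_time=None):
    """Assemble the JSON body for the Indicators API using its documented field names."""
    body = {
        "indicatorValue": validate_ioc(kind, value),
        "indicatorType": OPERATION_TYPES[kind],
        "action": action,          # Block, AlertAndBlock, Alert, Warn, Audit, Allowed
        "title": title,
        "description": description,
        "severity": severity,      # Informational, Low, Medium, High
    }
    if expiration_time:            # ISO 8601 UTC; omit for a permanent block
        body["expirationTime"] = expiration_time
    return body


def submit_indicator(body, token):
    """POST one indicator; returns the indicator object the API creates."""
    req = urllib.request.Request(
        API_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def demo_blocks():
    """One request body per handbook operation, built from constructed sample values."""
    return [
        build_indicator("certificate", "01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67",
                        "Phishing signer", "Certificate used to sign phishing lures (constructed sample)"),
        build_indicator("file", "AB" * 32, "Dropper", "Malicious executable seen on endpoints (constructed hash)"),
        build_indicator("ip", "203.0.113.45", "C2 server", "Command-and-control address (TEST-NET-3 sample)"),
        build_indicator("domain", "Malicious-Login.example.net.", "Phishing domain", "Credential-harvesting domain (example TLD)"),
    ]


if __name__ == "__main__":
    for b in demo_blocks():          # print the bodies; pass each to submit_indicator(b, token) to apply
        print(json.dumps(b, indent=2))
```

Run as-is, the script only prints the four request bodies so they can be reviewed before anything is applied; to perform the block, pass each body and a valid token to submit_indicator. Note that the certificate operation keys on the SHA-1 thumbprint of the certificate, not on a file hash, and that the IP operation takes one address per indicator, so a range must be expanded or handled by a different control.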

Need Assistance?

Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.