Process - Global Block Lists
When Cybersecurity needs to block an IOC (Indicator of Compromise), we must keep an audit trail of the block so that the ticket, justification and date behind it can be found later (for example when a user asks why mail from a sender is no longer arriving, or when a block needs to be reviewed or removed).
Types of IOCs we can block:
a. Email address (e.g. example@domain.com)
b. Email domain (e.g. domain.com)
c. Email server IP (e.g. 203.0.113.10; each octet of an IPv4 address must be 0-255)
d. URL (e.g. https://www.website.com/ - include the scheme so it is not mistaken for a domain block)
e. IP address (e.g. 203.0.113.10)
f. File hash (SHA1 or SHA256)
To keep a centralized record of all our blocks, open the following file on SharePoint:
Block Lists (Defender & Exchange).xlsx
and add the following information (depending on the type of IOC):
a. IOC (exactly as entered in Defender or Exchange)
b. Related ticket number (e.g. INC031234)
c. Justification (e.g. Spam/Phishing Campaign)
d. Date blocked
e. Reason (e.g. Credential Harvest, Malicious Attachment)