Within a Security Operations Center (SOC), the outcome of a successful investigation often results in a blocking action. Once the analyst has spotted a malicious file (via its SHA256 Hash) or identified a "Command & Control" server (via its IP address or domain name), he must ensure that this threat can never again interact with the company's network.
In the Microsoft 365 ecosystem, this operation consists of injecting an Indicator of Compromise (IOC) of type "Block" into Defender for Endpoint.
Yet a common mistake among junior administrators is to configure these blocks permanently ("Never expire"). This practice invariably leads to major network outages a few months later. Find out why industry “Best Practice” requires a strict validity of 90 days and how the Akuity SOC orchestrator applies this rule by default.
The IOC blocking mechanism in Microsoft Defender
Microsoft Defender for Endpoint has a powerful feature: custom threat indicator management. Accessible via the native API (/api/indicators), this feature allows administrators to set priority rules that override the decisions of the base antivirus.
When an action is set to "Block", the behavior is radical:
- File hash (SHA256): If Windows Defender detects a file matching this hash on a user's hard drive, execution is blocked and the file is automatically quarantined or deleted.
- IP addresses / domains: Thanks to Defender's Network Protection, any incoming or outgoing communication with this infrastructure is blocked directly at the network layer of the machine, regardless of the application used (Chrome, Edge, or a hidden script).
Why is permanent blocking (Never Expire) dangerous?
An analyst's first instinct is to think: “If this server hosts malware today, I want to block it forever”. This logic overlooks a fundamental technical reality of the Internet: infrastructure recycling.
- The ephemerality of cloud IPs: The vast majority of attacks today come from virtual servers rented from AWS, Google Cloud, DigitalOcean or OVH. A cybercriminal rents a server, gets the IP 192.168.x.x (for the example), launches the attack, then destroys the server. A few days later, this same public IP address is reassigned by the cloud provider to a perfectly legitimate startup. If you have blocked this IP permanently, your employees will no longer be able to access this startup's site.
- Domain name cleaning (sinkholing): When a malicious domain name is spotted by the authorities (Europol, FBI), it is often seized (sinkholed). It ceases to be a threat and sometimes serves as a secure redirect server to identify victims.
- Pollution of firewalls: Accumulating thousands of obsolete blocking rules slows down filtering engines and creates a maintenance nightmare (technical debt) for network teams, who will one day have to find out why a particular partner service is inaccessible.
The 90 Day Golden Rule: Perfect Balance
The cybersecurity industry (notably Threat Intelligence teams like those at AlienVault OTX) considers that the “useful” lifespan of an Indicator of Compromise linked to network infrastructure is very short. An attacker IP address often changes in less than 48 hours.
The duration of 90 days (3 months) offers the perfect balance:
- It largely covers the duration of an active or persistent (APT) attack campaign.
- It gives the company time to correct the original vulnerability (Patch Management).
- It ensures that the Microsoft Defender block list (Indicators list) cleans itself, preventing future false positives on recycled IP addresses.
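The three dangers above (never-expiring entries, sinkholed or recycled infrastructure, and list pollution) and the 90-day rule can be checked mechanically against an export of a tenant's indicator list. The following audit script is an added example, not Akuity SOC or Microsoft code. The record fields it reads (indicatorValue, indicatorType, action, creationTimeDateTimeUtc, expirationTime) follow the shape of Defender for Endpoint's indicator API as I know it and should be verified against the current documentation; the sample records are constructed for the demo.

```python
"""Audit an exported Defender for Endpoint indicator list for expiry hygiene.

Added example (not Akuity SOC or Microsoft code). Field names are an
assumption based on Defender's indicator API; the records below are
constructed sample data, not a real tenant export.
"""
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=90)   # the article's 90-day rule

# Constructed sample export covering the four situations we want to surface.
SAMPLE_INDICATORS = [
    {"id": "1", "indicatorValue": "198.51.100.23", "indicatorType": "IpAddress",
     "action": "Block", "creationTimeDateTimeUtc": "2023-01-10T09:00:00Z",
     "expirationTime": None},                          # "Never expire" anti-pattern
    {"id": "2", "indicatorValue": "bad-c2.example", "indicatorType": "DomainName",
     "action": "Block", "creationTimeDateTimeUtc": "2024-05-01T12:00:00Z",
     "expirationTime": "2024-07-30T12:00:00Z"},        # 90-day window, now elapsed
    {"id": "3", "indicatorValue": "a" * 64, "indicatorType": "FileSha256",
     "action": "Block", "creationTimeDateTimeUtc": "2024-06-01T00:00:00Z",
     "expirationTime": "2024-08-30T00:00:00Z"},        # 90-day window, still active
    {"id": "4", "indicatorValue": "203.0.113.7", "indicatorType": "IpAddress",
     "action": "Block", "creationTimeDateTimeUtc": "2024-06-01T00:00:00Z",
     "expirationTime": "2030-01-01T00:00:00Z"},        # expiry set far beyond 90 days
]


def _parse(ts):
    """Parse the API's ISO-8601 UTC timestamps ('Z' suffix) into aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_indicators(indicators, now=None):
    """Classify each indicator by expiry hygiene.

    Returns a dict of indicator ids keyed by finding:
      never_expire  - no expirationTime at all (permanent block)
      over_90_days  - expiry more than 90 days after creation
      expired       - expiry already in the past (stale entry awaiting cleanup)
      ok            - expiry within 90 days of creation and still active
    `now` may be an aware datetime, an ISO-8601 string, or None (current time).
    """
    if isinstance(now, str):
        now = _parse(now)
    now = now or datetime.now(timezone.utc)
    findings = {"never_expire": [], "over_90_days": [], "expired": [], "ok": []}
    for ind in indicators:
        created = _parse(ind["creationTimeDateTimeUtc"])
        expiry = ind.get("expirationTime")
        if not expiry:
            findings["never_expire"].append(ind["id"])
            continue
        expiry_dt = _parse(expiry)
        if expiry_dt - created > MAX_LIFETIME:
            findings["over_90_days"].append(ind["id"])
        elif expiry_dt <= now:
            findings["expired"].append(ind["id"])
        else:
            findings["ok"].append(ind["id"])
    return findings


if __name__ == "__main__":
    for finding, ids in audit_indicators(SAMPLE_INDICATORS, "2024-08-01T00:00:00Z").items():
        print(f"{finding:13s} {ids}")
```

The "never_expire" and "over_90_days" buckets are the ones to act on: re-submit those indicators with a proper expiry or delete them. The "expired" bucket shows what Defender will drop on its own, which is exactly the self-cleaning behaviour the 90-day rule relies on.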
Intelligent automation with Akuity SOC
In traditional admin portals, setting the exact expiration date requires calculating the days manually on a calendar. For the SOC analyst in the midst of emergency remediation, this is unnecessary friction.
The Akuity SOC orchestrator applies “Security by Design”. In the platform's Ticket Panel, when the analyst clicks on the remediation action “Block IOC” (blockIocOnTenant), the middleware takes care of the technical logic.
After validation of the analyst's double authentication (AAL2 level, essential to modify global rules affecting the entire tenant), the system forges the payload of the request for the Defender API. It automatically injects the action parameter "Block" into it and generates an expiration date of exactly Now + 90 Days.
The analyst does not have to worry about maintaining his list of IOCs. The system instantly protects itself against the current attack, while avoiding creating technical debt for months to come.
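What the middleware does at that step can be written down in a few lines. The script below is an added example, not the Akuity SOC blockIocOnTenant implementation nor Microsoft code. The path /api/indicators comes from the article; the host api.securitycenter.microsoft.com and the JSON field names (indicatorValue, indicatorType, action, title, description, severity, expirationTime) follow Microsoft's documented "Submit or Update Indicator" API as I know it, so verify them against the current documentation before use. The IOC values and ticket reference are constructed.

```python
"""Forge a Defender for Endpoint 'Block' indicator request with expiry = Now + 90 days.

Added example, not Akuity SOC or Microsoft code. Endpoint path from the article;
host and field names are assumptions based on Microsoft's indicator API docs.
"""
import ipaddress
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone

DEFENDER_INDICATORS_URL = "https://api.securitycenter.microsoft.com/api/indicators"
DEFAULT_TTL = timedelta(days=90)          # the article's 90-day rule
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
# Internal ranges a Block indicator should never target: blocking them breaks the LAN.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def classify_ioc(value):
    """Map a raw IOC string to (indicatorType, normalised value) or raise ValueError."""
    v = value.strip()
    if SHA256_RE.match(v):
        return "FileSha256", v.lower()
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ip in net for net in NON_ROUTABLE):
            raise ValueError(f"refusing to block internal address {v}")
        return "IpAddress", str(ip)
    if DOMAIN_RE.match(v.lower()):
        return "DomainName", v.lower()
    raise ValueError(f"unrecognised IOC format: {value!r}")


def build_block_indicator(value, title, description, ttl=DEFAULT_TTL, now=None):
    """Build the JSON body for a Block indicator. Expiry is always now + ttl.

    A None or non-positive ttl is rejected, so a 'Never expire' indicator
    cannot be produced by this code path. `now` may be an aware datetime,
    an ISO-8601 string, or None (current UTC time).
    """
    if ttl is None or ttl <= timedelta(0):
        raise ValueError("indicator TTL must be positive; permanent blocks are not allowed")
    if isinstance(now, str):
        now = datetime.fromisoformat(now.replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    ind_type, normalised = classify_ioc(value)
    expires = (now + ttl).astimezone(timezone.utc).replace(microsecond=0)
    return {
        "indicatorValue": normalised,
        "indicatorType": ind_type,
        "action": "Block",
        "title": title,
        "description": description,
        "severity": "High",
        "expirationTime": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def submit_indicator(payload, bearer_token):
    """POST the body to the Defender API. Needs a real OAuth token; not run in the demo."""
    req = urllib.request.Request(
        DEFENDER_INDICATORS_URL,
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed ticket reference and IOC; only prints the body, sends nothing.
    body = build_block_indicator("c2.example.net", "INC-0001 C2 domain (constructed)",
                                 "Blocked by SOC playbook after ticket validation")
    print(json.dumps(body, indent=2))
```

The two design points worth copying are that the expiry is computed from the server's clock in UTC rather than typed by the analyst, and that the builder refuses to emit a body without an expiry at all, which is the only way to make the 90-day rule a default that cannot be skipped under pressure.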
Industrialize your Threat Intelligence without creating technical debt. Learn how to intelligently manage your block lists via our module Evaluating and blocking IOCs with AlienVault.