Closed
Description
Users can add IoCs to blocklists from the Indicators page. When setting up the blocklist, they can choose to apply it globally or per policy.
The option to add an IoC to blocklists appears in the more actions menu and the Take action menu in the Indicator details flyout. The option is only available to IoCs of type file and containing a sha256, sha1, or md5 filehash. Other IoC types don't offer this option.
Related:
- [TIP] Add to blocklist functionality kibana#148516
- [TIP] fix add to blocklist flyout title kibana#150895 - Changes title of flyout to Add blocklist
- [TIP] disable add to blocklist feature if user doesn't have write privilege kibana#149710 - Checks for
Notes
- Check if users create new blocklists from the Indicators page or if they can only add entries to existing blocklists.
- Steps for creating and managing blocklists are available here. Can link to these as needed in indicator docs.
Doc updates
- Add a new section to the Indicators of compromise topic.