Then you can use this list in any rule in any chain of any table of the firewall. It's especially helpful because without the address list, if you have nat rules and filter rules and masquerade rules all having to do with the same set of addresses, if you add or remove any addresses from the set, then you'd have to go update all of your chains. If all of the chains refer to the same address list, changing the address list immediately affects all of the rules which refer to it.
You match an address list in your rules by using the criteria: src-address-list=blacklist or dst-address-list=blacklist. In Winbox / Webfig, the address list matchers are in the 'advanced' tab.
So for instance, to accomplish what the original poster asked, you would add the offending IP address to the blacklist and have a rule in the input chain:
/ip firewall filter add chain=input src-address-list=blacklist action=drop
I rarely use the output chain in Mikrotiks, but this is one place I will do it:
/ip firewall filter add chain=output dst-address-list=blacklist action=drop
However, this firewall 'mode' is not the best for a secure filter. It allows everything except specific exceptions (blocked hosts), which you must manually detect and react to. (You can make firewall rules that automatically detect port scans and brute force attempts on telnet / ssh and add the sources to blacklists, but that's beyond the scope of this post.)
It's better to make your Mikrotik drop all input traffic on the WAN interface that it didn't request (e.g. ping replies, dns replies, http replies, etc). Suppose ether1 is the WAN interface:
/ip firewall filter add chain=input in-interface=ether1 connection-state=!established,related action=drop
One rule blocks the Internet from being able to initiate any interaction with your mikrotik at all. No blacklist is required.
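The pieces described in the post, put together as one RouterOS configuration. This is an added example, not part of the original post: the list entries use documentation address ranges and are constructed, the forward-chain rule and the comment= labels are assumptions, and ether1 is the WAN interface as the post supposes.

```routeros
# Added example. Addresses below are constructed (documentation ranges).

# One address list, maintained in a single place.
/ip firewall address-list
add list=blacklist address=203.0.113.45 comment="constructed example host"
add list=blacklist address=198.51.100.0/24 comment="constructed example subnet"

/ip firewall filter
# Rules are evaluated top to bottom and the first match wins, so the
# blacklist rules sit above any accept rule that might match first.

# Traffic from blacklisted sources addressed to the router itself.
add chain=input src-address-list=blacklist action=drop comment="blacklist to router"

# Assumption: the same list reused in the forward chain, so blacklisted
# sources cannot reach hosts behind the router either.
add chain=forward src-address-list=blacklist action=drop comment="blacklist to LAN"

# Traffic the router itself would send to blacklisted destinations.
add chain=output dst-address-list=blacklist action=drop comment="router to blacklist"

# The stateful rule from the post: on the WAN interface, drop every input
# packet that is not part of a connection the router already knows about.
add chain=input in-interface=ether1 connection-state=!established,related action=drop comment="drop unsolicited WAN input"

# Checks after applying:
#   /ip firewall address-list print where list=blacklist
#   /ip firewall filter print stats
# The packet counters in the stats output show which rule is matching.
```

Adding or removing an entry under /ip firewall address-list changes the behaviour of all three blacklist rules at once, with no edits to the filter rules themselves.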