Custom Indicators

No - I have added a request to the MSFT Docs team to make the documentation more clear since it does not explicitly state this, but when you try to enter *.site.com it won't let you proceed to the next page so it appears subdomain wildcards are not supported. The full path blocking like http://site.com/folder/* does appear to be accepted by the wizard but the documentation does not make it clear if it interprets the wildcard. I recommend testing this yourself (note: it takes up to 2 hours before the setting takes effect). https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain