Microsoft Defender ATP supports custom IOCs for URLs, IP addresses, and domains

Published Sep 13 2019 11:16 AM 15.2K Views

Microsoft Defender Advanced Threat Protection (ATP) provides a variety of tools to protect you from phishing or malicious sites. There’s Microsoft Defender SmartScreen for Microsoft Edge, and Microsoft Defender ATP network protection for other browsers and HTTP or HTTPS calls outside of the browser. Even with this high-quality protection, Microsoft recognizes that security operations teams need to tailor web and internet protection based on the needs of the organization. You can now do so straight from the Microsoft Defender Security Center console.


This new feature, now in public preview, leverages network protection in block mode and the latest version of the antimalware platform. We recommend that organizations enable network protection in audit mode first, and then move to block mode. Your organization may be using different methods to update the antimalware platform, which may cause some of your client machines to be on different versions of the platform. We recommend that you update all your machines to use this functionality.


Now that we have the prerequisites out of the way, let’s talk about why an organization may need to do this. First, malicious actors use highly tuned social engineering techniques, where a phishing URL or IP address may only be served to a very small set of enterprise users. As a result, hunters in a security operations groups may find malicious URLs before Microsoft and thus need fast tools for shutting them down in their organization. Second, organizations would often buy threat intelligence feeds with malicious URLs and want to use them to augment Microsoft’s threat intelligence. Last, there are times when Microsoft’s intelligence and machine learning may make a malicious verdict for an internet indicator that can impact the productivity of a small set within the organization, such as a security research team. Security operations groups will then want to allow these indicators, so their users can access them.


Getting Started 

Let’s get started. To review the URLs, IP addresses, and domains in the allow or block list, follow these steps:


1. Sign into Microsoft Defender Security Center and go to Settings > Rules > Indicators




2. Select the IP addresses tab to view a list of IPs




3. Select URLs/Domains to view the list of URLs and domains




To add a URL, IP address, or domain to the block or allow list, follow these steps:


1. From the Indicators setting, navigate to either the IP Addresses or URLs/Domains tab

2. Select Add Indicator from the action bar



3. Enter the URL or IP address, and select Next


4. Choose from the following actions, enter a title and description for the indicator, and select Next:

  1. Allow –Allow the URL or IP in the organization, regardless of Microsoft determination
  2. Alert only – Allow users to access the indicator, but raise an alert
  3. Alert and block – Block users or processes from accessing the URL or IP address, and raise an alert; show block notification to user with message to contact IT department
  4. Warn – Notify users when they’re accessing an untrusted URL or UP address, but allow users to dismiss the warning


5. Select either All machines in scope or Select from list, which allows you to target a specific machine group, and select Next




6. Select Save


To remove a URL or IP from the block or allow list

1. From either the IP Addresses or URLs/Domains tab, select the indicator you want to delete

2. Select Delete




Microsoft views this capability as a good way to tune your current web protection capabilities. It’s also worth emphasizing that these settings are communicated between the client and Microsoft’s cloud, so it will be in place wherever the device travels – in distributed offices, at airports, or at the local coffee shop. We will continue to iterate here to bring Security Operations more customization of indicators to protect their organizations. We welcome and appreciate your feedback.


Occasional Contributor

Hi Zach. I've been trying to use the MCAS integration with Network Indicators but I'm not seeing any Unsanctioned Apps flowing in to the URLs/Domains on the Indicators page. Is there some lag I can expect for URLs to flow through or something else I should be checking? I have all of the pre-reqs from the MCAS integration feature sorted. 


Hey Tristan, there is some lag. But this depends on whether the machine is already enabled for network protection. 


Some questions: 

* Are you able to add an indicator just through MDATP (using above flow) for this device?


If not - have you met these prerequisites?

  • URL/IP allow and block relies on the Microsoft Defender ATP component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see Protect your network.
  • The Antimalware client version must be 4.18.1906.x or later.
  • Supported on machines on Windows 10, version 1709 or later.
  • Ensure that Custom network indicators is enabled in Microsoft Defender Security Center > Settings > Advanced features. For more information, see Advanced features.
Occasional Contributor

Hi Zach, 


Thanks. I was going to try to add an indicator through MD-ATP, but the initial problem I have is that the unsanctioned apps don't seem to appear in the URLs/Domains tab of the Indicators page in the Defender Security Center. I had assumed I would see them there before I could expect it to work on the endpoint. I have met the pre-reqs. 





Occasional Contributor

Hi Zach, 


I have manually added a URL indicator in Defender Security Center, and I can now see that URL is blocked on the endpoint approximately 30-50 minutes later. However, the MCAS unsanctioned apps are still a) not present in the Defender Security Center, and b) not blocked on the endpoint. Is this capability released yet? I haven't see any announcements, but have just tried it out based on the documentation. I had previously understood this was forthcoming, and thought I missed an announcement since it is now documented. 





Is the action "Warn" user still available? We do not see this in console more.

Occasional Contributor


If I have 2 indicators for the same URL - 1 with a block and 1 with an allow which will apply? We have an unsanctioned app from MCAS that is blocked but have specific users that require access to this app. Instead of sanctioning the app for all users is it possible to override for a specific computer group in MDATP to allow access?



Occasional Visitor

Hi Zach, 


Is there anyway to introduce a URL and differentiate capital letters? I have a path like if I create the rule system changes the URL to, the problem is that ATP distinguish the capital letter in the url and continue blocking the site. 


thank you

New Contributor

How network filtering/protection feature works with other browsers? As we cannot find the extensions: Microsoft Defender Browser Protection & Application Guard Extension in chrome web store

Senior Member

Hi I was wondering where can you establish application whitelisting

Version history
Last update:
‎Sep 13 2019 11:16 AM
Updated by: