In my last blog, I wrote about web content filtering in MDATP and how it now allows you to block website categories on the client across all apps. Category blockers are great because, with one easy checkbox, you ban hundreds of thousands of dangerous or inappropriate websites. Nothing is perfect, though, and anyone who’s ever worked a helpdesk or SOC will attest that false positives and false negatives are common.
The engine behind MDATP web content filtering is Cyren, and you can check whether a website is caught by its category rules using Cyren’s online category check tool. This takes a bit of time, as each check is subject to a Google reCAPTCHA test. If you’re migrating anything of scale to MDATP, you don’t have the time to do this, and you also don’t want to risk important websites later being swept up by category rules even if they are fine for now. When you allowed or blocked websites on your existing solution, it’s assumed you’ve done the due diligence, and you want to take the remediation you’ve applied against those (potential) false positives and false negatives with you.
As previously explained, MDATP manages fine-grained allow and block lists through the concept of Indicators of Compromise (or just indicators). Indicators can be used for domains, specific URLs, and IP addresses. They also support files and certificates. Within the indicator rules management page, we can use a CSV import to quickly get the lists we export from the existing solution into MDATP.
Before we get into the guide, some upfront considerations.
- Indicators always win against other rule types.
- If indicators conflict, the most restrictive (block) wins.
- You cannot include internal IP addresses or IPv6 addresses in indicators.
- You cannot import “metadata” about indicators. For example, you may wish to retain who created or last updated an indicator on your previous protection system, and when. Instead, the time and user of the import job are used.
- Only SmartScreen browsers (Edge Chromium and Edge Legacy) support rules for specific HTTPS pages. An HTTP page rule works across browsers. This is because when you browse with HTTPS, anything past the domain name is encrypted and cannot be seen (the filter does not decrypt it). This is important as more and more websites, rightly, encrypt their web traffic.
- As an aside, check out Why No HTTPS? for a great name-and-shame of the web’s most visited sites that don’t run on HTTPS.
Importing the CSV
You import a UTF-8-BOM encoded comma-delimited CSV with your domains, URLs, and IP addresses. All three types of an indicator can be included in the same file, even though on the web interface domains/URLs and IPs are managed in separate pages.
The import is done in Microsoft Defender Security Centre > Settings > Rules > Indicators > Import (in any of the import tabs).

A Microsoft example of the MDATP CSV is available here. You can download this for use as a template.
The tables below show how your data must be formatted in the import, with an example. There are some important points to note, so it is worth a read before you end up banging your head off the table figuring out what you’ve done wrong.
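As an added example (not from the original post and not Microsoft’s code), here is a small Python script that sorts a legacy proxy’s exported allow list into the three indicator types, rejects the internal and IPv6 addresses the importer will not accept, flags HTTPS page rules that only SmartScreen browsers enforce, and writes the UTF-8-BOM CSV. The column header and the Action/Severity/GenerateAlert values are assumed from Microsoft’s template as I recall it, so check them against the template you download; the legacy allow list is constructed sample data.

```python
import csv
import io
import ipaddress
from urllib.parse import urlsplit
# Assumed header: Microsoft's sample template as I recall it; verify against the downloaded file.
HEADER = ["IndicatorType", "IndicatorValue", "ExpirationTime", "Action", "Severity", "Title",
          "Description", "RecommendedActions", "RbacGroups", "Category", "MitreTechniques", "GenerateAlert"]
# "Internal" per the import rules: RFC 1918 ranges plus loopback and link-local.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
def classify(value):
    """Map one exported entry to (IndicatorType, note); type None means MDATP cannot accept it."""
    v = value.strip()
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        ip = None  # not an IP literal, so it is a domain or a URL
    if ip is not None:
        if ip.version == 6:
            return None, "IPv6 addresses are not supported"
        if any(ip in net for net in INTERNAL):
            return None, "internal IP addresses are not supported"
        return "IpAddress", ""
    if "://" in v:
        parts = urlsplit(v)
        if parts.scheme == "https" and (parts.path not in ("", "/") or parts.query):
            return "Url", "HTTPS page rule: only enforced by SmartScreen browsers"
        return "Url", ""
    return "DomainName", ""  # bare hostname: enforced across all apps

def build_rows(entries, action):
    rows, rejected = [], []  # rejected holds (value, reason) for anything MDATP cannot take
    for value in entries:
        kind, note = classify(value)
        if kind is None:
            rejected.append((value.strip(), note))
        else:  # Severity/Title/GenerateAlert are assumed defaults for a migrated rule
            rows.append([kind, value.strip(), "", action, "Informational",
                         "Migrated " + action.lower() + " rule", note, "", "", "", "", "FALSE"])
    return rows, rejected

def to_csv_bytes(rows):  # UTF-8 with BOM, comma-delimited, as the importer expects
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\r\n")
    writer.writerow(HEADER)
    writer.writerows(rows)
    return buf.getvalue().encode("utf-8-sig")
# Constructed sample export from a legacy proxy allow list (not real data).
LEGACY_ALLOW = ["intranet.example.com", "https://portal.example.com/login", "http://legacy.example.com/tools",
                "203.0.113.10", "192.168.1.20", "2001:db8::1"]
```

Write `to_csv_bytes(build_rows(LEGACY_ALLOW, "Allowed")[0])` to a file with `"wb"` and review the reject list before importing, since those entries need a different control than an indicator.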
