In my last blog, I wrote about web content filtering in MDATP and how it now allows you to block website categories on the client across all apps. Category blockers are great because, with one easy checkbox, you ban hundreds of thousands of dangerous on inappropriate websites. Nothing is perfect, though, and anyone who’s ever worked a helpdesk or SOC will attest that false positives and false negatives are common.
The engine for MDATP web content filtering is Cyren, and you can check if a website is caught by its category rules using their online category check tool. This takes a bit of time, as each check is subject to a Google reCAPTCHA test. If you’re migrating anything of scale to MDATP, you don’t have the time to do this, and also do not want to risk important websites later being swept up by category rules even if they are fine for now. When you allowed or blocked websites on your existing solution, it’s assumed you’ve done the due diligence, and you want to take the remediation you’ve applied against those (potential) false positives and false negatives with you.
As previously explained, MDATP manages fine-grained allow and block lists through the concept of Indicators of Compromise (or just indicators). Indicators can be used for domains, specific URLs, and IP addresses. They also support files and certificates. Within the indicator rules management page, we can use a CSV import to quickly get the lists we export from the existing solution into MDATP.
Before we get into the guide, some upfront considerations.
- Indicators always win against other rules types.
- If indicators conflict, the most restrictive (block) wins.
- You cannot include internal IP addresses or IPv6 addresses in indicators.
- You cannot import “metadata” about indicators. For example, you may wish to retain who and when an indicator was created or last updated on your previous protection system. Instead, the time and user of the import job is used.
- Only SmartScreen browsers such as Edge Chromium and Legacy support specific HTTPS page rules. An HTTP page rule will work across browsers. This is because when you browse with HTTPS, anything past the domain name cannot be seen (decrypted). This is important as more and more websites, rightly, encrypt their web traffic.
- As an aside, check out Why No HTTPS? for a great name-and-shame of the web’s most visited sites that don’t run on HTTPS.
Importing the CSV
You import a UTF-8-BOM encoded comma-delimited CSV with your domains, URLs, and IP addresses. All three types of an indicator can be included in the same file, even though on the web interface domains/URLs and IPs are managed in separate pages.
The import is done in Microsoft Defender Security Centre > Settings > Rules > Indicators > Import (in any of the import tabs)
A Microsoft example of the MDATP CSV is available here. You can download this for use a template.
The below tables below show how your data must be formatted in the import with an example. There are some important points to note so worth a read before you end up banging your head off the table figuring out what you’ve done wrong.
Value | Details |
IndicatorType | In the context of web filtering, this should be DomainName, Url, or IpAddress. A DomainName is a high level indicator, such as google.com or yahoo.com, while a Url is a specific page on a website, such as google.com/news. |
IndicatorValue | For a DomainName, this can be prefixed with www. or not. For example, facebook.com and www.facebook.com will both block Facebook. For a Url, you must include the protocol prefix. For example, https://www.google.com/news. IpAddress must be a publicly routable IPv4 address. |
ExpirationTime | When the indicator should cease applying in ISO 8601 format (no time, only date). Rarely see this in production, but it's an option. You must choose a time in the future, for obvious reasons, but frustratingly the import job won't tell you if you've not done this. Instead, it reports the line has failed to import with no details. So double check this before running your job. |
Action | Valid options are Alert, AlertAndBlock, or Allow, which all do pretty much what they say on the tin. |
Severity | Valid options are Informational, Low, Medium, or High. You will see the severity in MDATP alerts, reports, threat hunting, etc. |
Title | The name of your rule. |
Description | The description of your rule. Best practice is that it generally includes a reason/justification. |
RecommendedActions | These are presented against alerts for the security administrator to review. They are plain text; this doesn't do anything for MDATP remediation. |
RbacGroups | The device group(s) the indicator is applicable to. If left blank, it is applied to all devices the imported has authority to. If a group is in the file but doesn't exist in MDATP, you won't be able to import the file (a warning is presented and you're told specifically what group and line of the import). |
IndicatorType | IndicatorValue | ExpirationTime | Action | Severity | Title | Description | RecommendedActions | RbacGroups |
DomainName | reddit.com | 2020-08-13T00:00:00.0000000 | Alert | Informational | Monitor Reddit | We are monitoring the use of Reddit. | DeviceGroup1,DeviceGroup2 | |
DomainName | www.youtube.com | Allowed | Low | Allow YouTube | YouTube is now permitted in the company. | UnassignedGroup | ||
Url | https://www.youtube.com/microsoft | AlertAndBlock | Medium | Block Microsoft's YouTube | We are banning Microsoft's channel. | Review user's activity. | ||
IpAddress | 192.0.78.9 | Alert | High | Alert about WordPress IP | We are monitoring activity to this IP. |
