Whitelist apps with Content Filtering in Microsoft Defender ATP (using Custom IOCs)

I recently published a video discussing how Microsoft Defender ATP can perform dynamic web content filtering for Windows 10 clients.

One question that came up was: how can I block an entire category of content (e.g. video streaming services) but whitelist a specific video streaming website such as YouTube?

The answer: Custom Domain/URL indicators in Microsoft Defender ATP. This blog will describe how.

Business Problem

I have web content filtering set up within Microsoft Defender ATP, with a global policy applied to all device groups, to block web traffic to streaming media & downloads websites:

Screenshot showing streaming media sites are blocked

But I have a business requirement to allow YouTube (an example scenario: the marketing department needs to publish advertising videos). How can I allow access to YouTube but still block other streaming sites?

Currently when browsing to YouTube with web content filtering enabled, I receive the following notification:

Website blocked w/ web content filtering in Microsoft Defender ATP

The Solution

Easy. With a custom indicator! Within Microsoft Defender ATP navigate to Settings -> Indicators -> URLs/Domains.

Indicators page in Microsoft Defender ATP

Click on +Add Indicator and in the URL/Domain field type http://www.youtube.com, then click Next.

Add URL/Domain Indicator

Click Allow as the Response Action, in the Title field type Allow YouTube, in the Description field type Allow YouTube (or some other description), and click Next.

Action page for URL/Domain indicator

For Scope, keep the default All devices in my scope, click Next, then click Save.

IMPORTANT: If I wanted to whitelist YouTube only for certain devices in the marketing department, I would need to create a device group called “Marketing Devices”, add all of the marketing department's devices to that group, and then scope this indicator policy to that group rather than to all devices.

The indicator will be added to the list. Allow time for the change to propagate before testing.

YouTube allow indicator added
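The same Allow indicator can be created programmatically through the Defender ATP (Defender for Endpoint) Indicators REST API, which is useful when the whitelist has to be reproduced across tenants or kept under change control. The script below is an added example, not code from the original post or from Microsoft. It assumes the Indicators API at https://api.securitycenter.microsoft.com/api/indicators with the documented fields (indicatorValue, indicatorType, action, title, description, severity, rbacGroupNames, expirationTime) and an OAuth2 bearer token with the Ti.ReadWrite permission supplied by the caller; the MDATP_TOKEN environment variable and the device group name "Marketing Devices" are illustrative placeholders taken from the scenario above.

```python
"""
Create a Defender ATP custom URL/domain Allow indicator via the Indicators API.

Constructed example (not from the original post). Assumptions:
  - the Indicators API endpoint and field names below are as documented;
  - the caller already holds a bearer token (Ti.ReadWrite permission),
    obtained out of band and passed in via the MDATP_TOKEN env var (placeholder).
"""
import json
import os
import re
import urllib.request
from datetime import datetime, timedelta, timezone

INDICATORS_URL = "https://api.securitycenter.microsoft.com/api/indicators"

# RFC-1035-style hostname: labels of 1-63 chars, no leading/trailing hyphen.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I
)


def classify_indicator(value):
    """Return 'Url' when the value carries a scheme or path, 'DomainName' for a
    bare hostname; anything else is rejected so a typo does not become policy."""
    v = value.strip()
    if re.match(r"^https?://", v, re.I) or "/" in v:
        return "Url"
    if _DOMAIN_RE.match(v):
        return "DomainName"
    raise ValueError(f"not a URL or domain name: {value!r}")


def build_allow_indicator(value, title, description, device_groups=None, expires_in_days=None):
    """Build the request body, mirroring the portal wizard: value -> URL/Domain
    field, title/description -> Action page, device_groups -> Scope page
    (None means the default 'All devices in my scope')."""
    body = {
        "indicatorValue": value.strip(),
        "indicatorType": classify_indicator(value),
        "action": "Allowed",
        "title": title,
        "description": description,
        "severity": "Informational",
    }
    if device_groups:
        # Scope the allow to named device groups only (e.g. Marketing Devices).
        body["rbacGroupNames"] = list(device_groups)
    if expires_in_days is not None:
        # Time-boxing a whitelist entry keeps exceptions from living forever.
        exp = datetime.now(timezone.utc) + timedelta(days=expires_in_days)
        body["expirationTime"] = exp.strftime("%Y-%m-%dT%H:%M:%SZ")
    return body


def submit_indicator(token, body, opener=urllib.request.urlopen):
    """POST the indicator; `opener` is injectable so the call can be exercised offline."""
    req = urllib.request.Request(
        INDICATORS_URL,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with opener(req) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    body = build_allow_indicator(
        "http://www.youtube.com", "Allow YouTube", "Allow YouTube",
        device_groups=["Marketing Devices"], expires_in_days=90,
    )
    print(json.dumps(body, indent=2))
    token = os.environ.get("MDATP_TOKEN")  # placeholder; token obtained out of band
    if token:
        print(submit_indicator(token, body))
```

Running the script without MDATP_TOKEN only prints the body it would send, which is a convenient way to review an exception before it is applied; as in the portal, allow time for the indicator to propagate to clients before testing.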

Conclusion

It’s that easy! I recommend careful consideration, however, as you don’t want to be in the business of whitelisting applications one by one. For situations that genuinely call for it, though, this is an easy solution to the problem.

If you want to learn more about custom indicators of compromise in Microsoft Defender ATP see the following video:
