Whitelist apps with Content Filtering in Microsoft Defender ATP (using Custom IOCs)
I recently published a video discussing how Microsoft Defender ATP can perform dynamic web content filtering for Windows 10 clients.
One question that came up was: how can I block an entire category of content (e.g. video streaming services) but whitelist a specific video streaming website such as YouTube?
The answer: custom Domain/URL indicators in Microsoft Defender ATP. This blog describes how.
Business Problem
I have web content filtering set up within Microsoft Defender ATP, with a global policy applied to all device groups that blocks web traffic to streaming media & downloads websites:

But I have a business requirement to allow YouTube (example scenario: the marketing department needs to publish advertising videos). How can I allow access to YouTube but still block other streaming sites?
Currently, when browsing to YouTube with web content filtering enabled, I receive the following notification:

The Solution
Easy: with a custom indicator! Within Microsoft Defender ATP navigate to Settings -> Indicators -> URLs/Domains

Click on +Add Indicator, in the URL/Domain field type http://www.youtube.com, then click Next

Click Allow as the Response Action, in the Title field type Allow YouTube, in the Description field type Allow YouTube (or some other description), and click Next

For Scope, accept the default All devices in my scope, click Next, then click Save.
IMPORTANT: If I wanted to whitelist YouTube only for certain devices in the marketing department, I would first need to create a device group called “Marketing Devices”, add all of the marketing department's devices to that group, and then scope this indicator policy to that group.
The indicator will be added to the list. Allow time for the change to propagate before testing.
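The same Allow indicator can be created programmatically through the Microsoft Defender ATP Indicators API (POST to https://api.securitycenter.microsoft.com/api/indicators), which is useful when the whitelist must be kept in sync with a change process rather than clicked through by hand. The script below is an added example, not code from the original post: it builds the payload for the indicator configured above, optionally scoped to a device group via rbacGroupNames (the “Marketing Devices” group name, the expiry period and the bearer token are assumptions for illustration; the token would come from an Azure AD app registration granted the threat-indicator write permission). The network call is only made when you supply a token.

```python
"""Added example: build (and optionally submit) a Defender ATP Allow indicator
equivalent to the portal steps above. Group name, expiry and token are assumptions."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

API_URL = "https://api.securitycenter.microsoft.com/api/indicators"

# Response actions accepted by the Indicators API; "Allowed" is the whitelist case.
VALID_ACTIONS = {"Alert", "AlertAndBlock", "Allowed", "Audit", "Block", "Warn"}


def indicator_type_for(value: str) -> str:
    """Full URLs (scheme + host) are 'Url' indicators; bare hostnames are 'DomainName'."""
    parsed = urlparse(value)
    if parsed.scheme and parsed.netloc:
        return "Url"
    if "/" in value or ":" in value or not value.strip():
        raise ValueError(f"not a bare domain or a full URL: {value!r}")
    return "DomainName"


def build_indicator(value, action, title, description,
                    device_groups=None, expires_in_days=None):
    """Return the JSON body for one custom indicator.

    device_groups: names of Defender ATP device groups (rbacGroupNames).
                   Omitted means the indicator applies to all devices in scope,
                   matching the portal's default.
    expires_in_days: set an expirationTime so a temporary whitelist entry
                   does not live forever (constructed value, not from the post).
    """
    if action not in VALID_ACTIONS:
        raise ValueError(f"unsupported action {action!r}; choose one of {sorted(VALID_ACTIONS)}")
    payload = {
        "indicatorValue": value,
        "indicatorType": indicator_type_for(value),
        "action": action,
        "title": title,
        "description": description,
    }
    if device_groups:
        payload["rbacGroupNames"] = list(device_groups)
    if expires_in_days is not None:
        expiry = datetime.now(timezone.utc) + timedelta(days=expires_in_days)
        payload["expirationTime"] = expiry.strftime("%Y-%m-%dT%H:%M:%SZ")
    return payload


def submit_indicator(payload, bearer_token):
    """POST the indicator. Requires a valid Azure AD app token (assumed supplied by caller)."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(
        API_URL, data=body, method="POST",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Exactly what the portal steps above create: allow YouTube for all devices.
    global_allow = build_indicator("http://www.youtube.com", "Allowed",
                                   "Allow YouTube", "Allow YouTube")
    # The scoped variant from the IMPORTANT note: marketing devices only, 90-day expiry.
    scoped_allow = build_indicator("www.youtube.com", "Allowed",
                                   "Allow YouTube (marketing)", "Marketing advertising uploads",
                                   device_groups=["Marketing Devices"], expires_in_days=90)
    print(json.dumps(global_allow, indent=2))
    print(json.dumps(scoped_allow, indent=2))
    # submit_indicator(scoped_allow, "<bearer token here>")  # uncomment with a real token
```

The payload builder validates the action and derives the indicator type from the value, so a typo such as an unsupported action or a value with a path but no scheme fails locally instead of producing a confusing API error. Setting expirationTime is optional but worth the habit for whitelist entries, which tend to outlive the business need that justified them.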

Conclusion
It’s that easy! However, I recommend careful consideration, as you don’t want to be in the business of whitelisting applications. For situations that require it, though, this is an easy solution to the problem.
If you want to learn more about custom indicators of compromise in Microsoft Defender ATP, see the following videos:
Dynamic Web Content Filtering in Microsoft Defender Advanced Threat Protection
Indicators of Compromise (IoCs) in Microsoft Defender ATP