O365 MS Defender URL indicator - URL is invalid

80463912 0 Reputation points
2023-05-15T12:55:00.8833333+00:00

Hi,

I'm trying to add URL Indicators in MS Defender but it doesn't seem to work. I've created a CSV file (based on the sample file provided by Microsoft). I did not fill in the columns for ExpirationTime, RecommendedActions, RbacGroups, Category, Mitretechniques as these are optional.

When I try to import the file in Defender it says the URL is invalid. However, when I manually add a single URL via the 'Add Item' option and not the import function it accepts the URL without issue.

Does anyone know what's causing this? Defender itself does not provide any information / cause other than saying the URL is invalid.

Windows 10 Security
Microsoft Defender for Cloud Apps

2 answers

  1. Limitless Technology 44,091 Reputation points
    2023-05-18T15:25:16.3466667+00:00

    Hello there,

    It's important to understand the following prerequisites prior to creating indicators for IPs, URLs, or domains.

    URL/IP allow and block requires that the Microsoft Defender for Endpoint component Network Protection is enabled in block mode.

    Create an indicator for IPs, URLs, or domains from the settings page

    In the navigation pane, select Settings > Endpoints > Indicators (under Rules).

    Select the IP addresses or URLs/Domains tab.

    Select Add item.

    Specify the following details:

    Indicator - Specify the entity details and define the expiration of the indicator.

    Action - Specify the action to be taken and provide a description.

    Scope - Define the scope of the machine group.

    Review the details in the Summary tab, then select Save.

    Note

    There may be up to 2 hours of latency between the time a policy is created and the URL or IP being blocked on the device.

    Please check the link below.

    https://video2.skills-academy.com/en-us/microsoft-365/security/defender-endpoint/indicator-ip-domain?view=o365-worldwide

    And see if it helps,

    Thank you

    --If the reply is helpful, please Upvote and Accept as answer--


  2. 80463912 0 Reputation points
    2023-05-22T08:19:03.81+00:00

    Hi,

    I understand how to add individual URLs/Domains. As mentioned in my post my issue lies with the import function.

    "When I try to import the file in Defender it says the URL is invalid. However, when I manually add a single URL via the 'Add Item' option and not the import function it accepts the URL without issue."

    If I add an individual URL, Defender accepts it. If I add the same URL via the import function it says the URL is invalid.
