Blocking a TLD in defender for endpoint

George Zerphey 136 Reputation points
2023-05-04T19:00:20.2566667+00:00

We have received a request to block an entire TLD in all workstation with Defender for Endpoint. I know you can add domains and block them to do that, but I dont know if this extends to full TLDs.

BTW I tagged defender for cloud because i didnt see an option to tag defender for endpoint.

Does anyone know this is doable with some wildcard nonsense?

Thanks,

Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,239 questions
{count} votes

Accepted answer
  1. Marilee Turscak-MSFT 35,806 Reputation points Microsoft Employee
    2023-05-06T00:00:28.32+00:00

    Hi @George Zerphey ,

    I have not personally tested by adding .biz, but the MDE team has stated that blocking top level domains (.xyz) is not supported though the MDE URL indicators. https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-ip-domain?view=o365-worldwide. You can block individual IPs / URLs.

    The documentation does not explicitly state that top-level domains cannot be blocked, so I have reached out and made a pull request to the guide and looped in the authors. I've also reached out to the Security team to propose this as a feature request and see if they can advise additional workarounds for this scenario.

    The MDE team advises that in order to block an entire top-level domain, you would need to use a firewall or DNS filtering service. Network device options would depend on your setup.

    I've shared your feedback with the Security team and recommend leaving feedback in the feedback forum as well. https://feedback.azure.com/

    Let me know if you have further questions or details about your scenario that you would like to share.

    *-

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar information.*

    3 people found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Andrew Blumhardt 9,676 Reputation points Microsoft Employee
    2023-05-04T20:16:45.04+00:00

    TLD? I am not familiar with the term.

    Maybe Defender for Cloud Apps is more what you need? It can block applications that might be represented by a broad IP/domain range.

    1 person found this answer helpful.