O365 MS Defender URL indicator - URL is invalid

80463912 0 Reputation points
2023-05-15T12:55:00.8833333+00:00

Hi,

I'm trying to add URL Indicators in MS Defender but it doesn't seem to work. I've created a CSV file (based on the sample file provided by Microsoft). I did not fill in the columns for ExpirationTime, RecommendedActions, RbacGroups, Category, Mitretechniques as these are optional.

When I try to import the file in Defender it says the URL is invalid. However, when I manually add a single URL via the 'Add Item' option and not the import function it accepts the URL without issue.

Does anyone know what's causing this? Defender itself does not provide any information / cause other than saying the URL is invalid.

2 answers

  1. Limitless Technology 44,766 Reputation points
    2023-05-18T15:25:16.3466667+00:00

    Hello there,

    It's important to understand the following prerequisites prior to creating indicators for IPs, URLs, or domains:

    URL/IP allow and block requires that the Microsoft Defender for Endpoint component Network Protection is enabled in block mode.

    Create an indicator for IPs, URLs, or domains from the settings page

    1. In the navigation pane, select Settings > Endpoints > Indicators (under Rules).
    2. Select the IP addresses or URLs/Domains tab.
    3. Select Add item.
    4. Specify the following details:
       - Indicator - Specify the entity details and define the expiration of the indicator.
       - Action - Specify the action to be taken and provide a description.
       - Scope - Define the scope of the machine group.
    5. Review the details in the Summary tab, then select Save.

    Note

    There may be up to 2 hours of latency between the time a policy is created and the URL or IP being blocked on the device.

    Please check the link below.

    https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-ip-domain?view=o365-worldwide

    And see if it helps,

    Thank you

    --If the reply is helpful, please Upvote and Accept as answer--

  2. 80463912 0 Reputation points
    2023-05-22T08:19:03.81+00:00

    Hi,

    I understand how to add individual URLs/Domains. As mentioned in my post, my issue lies with the import function.

    "When I try to import the file in Defender it says the URL is invalid. However, when I manually add a single URL via the 'Add Item' option and not the import function it accepts the URL without issue."

    If I add an individual URL, Defender accepts it. If I add the same URL via the import function it says the URL is invalid.
