Create indicators for IPs and URLs/domains

Applies to:


Want to experience Defender for Endpoint? Sign up for a free trial.

Defender for Endpoint can block what Microsoft deems as malicious IPs/URLs, through Windows Defender SmartScreen for Microsoft browsers, and through Network Protection for non-Microsoft browsers or calls made outside of a browser.

The threat intelligence data set for this has been managed by Microsoft.

By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your own threat intelligence. You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others.


Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported.

Before you begin

It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains:

  • URL/IP allow and block relies on the Defender for Endpoint component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see Enable network protection.
  • The Antimalware client version must be 4.18.1906.x or later.
  • Supported on machines on Windows 10, version 1709 or later.
  • Ensure that Custom network indicators is enabled in Microsoft Defender Security Center > Settings > Advanced features. For more information, see Advanced features.
  • For support of indicators on iOS, see Configure custom indicators.


Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages Network Protection to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). If there are conflicting URL indicator policies, the longer path is applied. For example, the URL indicator policy https:\\ takes precedence over the URL indicator policy https:\\


For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement:

  • IP is supported for all three protocols
  • Only single IP addresses are supported (no CIDR blocks or IP ranges)
  • Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
  • Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)
  • Full URL path blocks can be applied on the domain level and all unencrypted URLs


There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Create an indicator for IPs, URLs, or domains from the settings page

  1. In the navigation pane, select Settings > Indicators.

  2. Select the IP addresses or URLs/Domains tab.

  3. Select Add item.

  4. Specify the following details:

    • Indicator - Specify the entity details and define the expiration of the indicator.
    • Action - Specify the action to be taken and provide a description.
    • Scope - Define the scope of the machine group.
  5. Review the details in the Summary tab, then click Save.