Create indicators for IPs and URLs/domains


Defender for Endpoint can block IPs and URLs that Microsoft deems malicious, through Windows Defender SmartScreen for Microsoft browsers and through network protection for non-Microsoft browsers or for calls made outside of a browser.

The threat intelligence data set for this is managed by Microsoft.

By creating indicators for IPs and URLs or domains, you can also allow or block IPs, URLs, or domains based on your own threat intelligence. You can do this through the settings page, or by machine group if you deem certain groups to be more or less at risk than others.

Note

Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported.

Before you begin

It's important to understand the following prerequisites prior to creating indicators for IPs, URLs, or domains:

  • URL/IP allow and block relies on the Defender for Endpoint component network protection being enabled in block mode. For more information on network protection and configuration instructions, see Enable network protection.
  • The antimalware client version must be 4.18.1906.x or later.
  • Supported on machines running Windows 10, version 1709 or later.
  • Ensure that Custom network indicators is enabled in Microsoft Defender Security Center > Settings > Advanced features. For more information, see Advanced features.
  • For support of indicators on iOS, see Configure custom indicators.

Important

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses network protection to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). If there are conflicting URL indicator policies, the indicator with the longer (more specific) path is applied. For example, the URL indicator policy https://support.microsoft.com/en-us/office takes precedence over the URL indicator policy https://support.microsoft.com.

Note

For all other processes, web protection scenarios use network protection for inspection and enforcement:

  • IP indicators are supported for all three protocols (TCP, HTTP, and HTTPS)
  • Only single IP addresses are supported (no CIDR blocks or IP ranges)
  • Encrypted URLs (full path) can only be blocked in first-party browsers (Internet Explorer, Edge)
  • Encrypted URLs (FQDN only) can be blocked outside of first-party browsers (Internet Explorer, Edge)
  • Full URL path blocks can be applied at the domain level and to all unencrypted URLs
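As an added example, not code from this page or from Microsoft, the following Python encodes the prerequisites and the rules stated above so that an indicator list can be sanity-checked before it is entered in the portal: the minimum antimalware client version, the single-external-IP rule for IP indicators, and the longest-path precedence for conflicting URL indicators, including the difference between encrypted and unencrypted URLs outside Edge/Internet Explorer. The function names, the sample policy table, the decision to ignore the URL scheme when matching, and the use of the ipaddress module's is_global flag as the test for "internal" addresses are all assumptions made for this illustration.

```python
"""Pre-flight checks for Defender for Endpoint IP/URL indicators.

Added example; not Microsoft's code. Function names, the sample policy
table, and the treatment of every non-global address as "internal" are
assumptions made for this illustration.
"""
import ipaddress
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

MIN_CLIENT_VERSION = (4, 18, 1906)  # page: antimalware client 4.18.1906.x or later


def client_version_ok(version: str) -> bool:
    """True when an antimalware client version string meets the page's minimum.

    Only the first three components are compared, because the minimum is
    given as 4.18.1906.x (any fourth component is acceptable).
    """
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts >= MIN_CLIENT_VERSION


def validate_ip_indicator(value: str) -> str:
    """Return a normalised single external IP address, or raise ValueError.

    Page rules: no CIDR blocks or IP ranges (single addresses only) and no
    internal IPs.
    """
    value = value.strip()
    if "/" in value:
        raise ValueError(f"{value}: CIDR notation is not supported; list each address")
    if "-" in value:
        raise ValueError(f"{value}: IP ranges are not supported; list each address")
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        raise ValueError(f"{value}: not a valid IPv4/IPv6 address") from None
    # is_global is False for RFC 1918, loopback, link-local, CGNAT, ULA and
    # other non-routable ranges; all of those are treated as "internal" here.
    if not addr.is_global:
        raise ValueError(f"{value}: only external IPs can be added as indicators")
    return str(addr)


def _split(indicator: str) -> Tuple[str, str]:
    """(host, path) of a URL or bare-domain indicator; path is '' for FQDN-only."""
    parts = urlsplit(indicator if "://" in indicator else "//" + indicator)
    return (parts.hostname or "").lower(), parts.path.rstrip("/")


def resolve_url_indicator(request_url: str,
                          policies: Dict[str, str],
                          first_party_browser: bool = True) -> Optional[str]:
    """Return the action of the indicator that governs request_url, or None.

    policies maps an indicator (domain or URL) to an action string. Rules
    from the page modelled here:
      * conflicting URL indicators: the longer (more specific) path wins;
      * for HTTPS, a full-path indicator is only enforceable in a first-party
        browser (Edge/IE); elsewhere only FQDN-level indicators apply;
      * full-path indicators apply to all unencrypted (HTTP) URLs.
    """
    req_host, req_path = _split(request_url)
    encrypted = request_url.lower().startswith("https://")
    best: Optional[Tuple[str, str]] = None
    for indicator, action in policies.items():
        host, path = _split(indicator)
        if host != req_host:
            continue
        if path and encrypted and not first_party_browser:
            continue  # the path is not visible to network protection here
        # Prefix match on a path-segment boundary, so /office does not match /officeX.
        if path and not (req_path == path or req_path.startswith(path + "/")):
            continue
        if best is None or len(path) > len(best[0]):
            best = (path, action)
    return best[1] if best else None


# Constructed sample policy table mirroring the page's precedence example.
SAMPLE_POLICIES = {
    "https://support.microsoft.com": "Allow",
    "https://support.microsoft.com/en-us/office": "Block",
}

if __name__ == "__main__":
    for ip in ("8.8.8.8", "10.1.2.3", "198.51.100.0/24"):
        try:
            print("OK    ", validate_ip_indicator(ip))
        except ValueError as err:
            print("REJECT", err)
    for url in ("https://support.microsoft.com/en-us/office/word",
                "https://support.microsoft.com/en-us/windows"):
        print(url, "-> Edge:", resolve_url_indicator(url, SAMPLE_POLICIES),
              "other:", resolve_url_indicator(url, SAMPLE_POLICIES, False))
```

Running the script with the sample table shows the more specific /en-us/office indicator winning inside Edge, while outside a first-party browser the same HTTPS request falls back to the domain-level indicator because the path cannot be inspected.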

Note

There may be up to 2 hours of latency (usually less) between the time the action is taken and the URL or IP actually being blocked.

Create an indicator for IPs, URLs, or domains from the settings page

  1. In the navigation pane, select Settings > Indicators.

  2. Select the IP addresses or URLs/Domains tab.

  3. Select Add item.

  4. Specify the following details:

    • Indicator - Specify the entity details and define the expiration of the indicator.
    • Action - Specify the action to be taken and provide a description.
    • Scope - Define the scope of the machine group.
  5. Review the details in the Summary tab, then click Save.