# Custom Indicators in Microsoft Defender: Your Practical Guide to Proactive Threat Management
In the ever-evolving landscape of cybersecurity, organizations need precise control over what's allowed, monitored, or blocked across their environment. Microsoft Defender's custom indicators feature provides exactly that: a mechanism to enforce your organization's specific security policies at the endpoint level.
## Understanding Custom Indicators
Custom Indicators of Compromise (IoCs) are essentially your organization's security rules for specific digital artifacts. Think of them as a precision instrument in your security toolkit, allowing you to explicitly allow, audit, warn, block, or even block-and-remediate specific files, IP addresses, URLs, domains, and code-signing certificates across your Defender for Endpoint deployment.
What makes custom indicators particularly valuable is their flexibility. You can scope them to specific device groups, set expiration dates for time-limited exceptions, and integrate them seamlessly into your broader threat detection and prevention strategy across both Defender for Endpoint and Defender XDR.
## What Can You Control?
The breadth of indicator types gives you comprehensive coverage across the attack surface:
**File Hash Indicators** support all major actions (Allow, Audit, Warn, Block, and Block & Remediate) and work across Windows, macOS, and Linux environments. Whether you're dealing with malicious executables or need to monitor suspicious tool usage, file indicators provide the granular control you need.
**IP Address Indicators** support Allow, Audit, Warn, and Block actions, but only for single external IPs: CIDR ranges and internal addresses are not supported. They're perfect for blocking known command and control infrastructure or creating temporary exceptions for vendor services.
**URL and Domain Indicators** offer the same action set as IP addresses and automatically match subdomains when blocking entire domains. They're particularly useful for managing access to risky websites while providing warn-with-bypass options for acceptable use policy enforcement.
**Certificate Indicators** are more specialized, supporting only Allow and Block & Remediate actions. They're ideal for allowlisting trusted vendor certificates to prevent false positives from Attack Surface Reduction rules or other security controls.
## Real-World Applications
Let's explore some practical scenarios where custom indicators shine:
### Blocking Malicious Infrastructure
When your incident response team identifies a command-and-control server at 203.0.113.25, you can immediately create a blocking indicator scoped to all workstations with an appropriate expiration date. This stops ongoing beaconing attempts while your team investigates and remediates affected systems.
### Managing Acceptable Use
Social media sites might pose productivity or data exfiltration risks. Rather than outright blocking, you can configure a warn action that redirects users to your acceptable use policy page while allowing a 15-minute bypass. This balances security with business flexibility and user education.
### Preventing Ransomware Execution
When threat intelligence reveals a new ransomware variant, you can implement a Block & Remediate indicator using the file's SHA-256 hash. This not only prevents execution but actively removes the file if discovered, with alert generation ensuring your security team maintains visibility.
### Supporting Development Workflows
Engineering teams often use specialized tools that might trigger security controls. By allowlisting your trusted vendor's code-signing certificate, you can ensure build pipelines run smoothly without compromising your broader security posture.
## Deployment Considerations
Understanding the technical nuances ensures successful implementation:
**Network indicators** rely on Network Protection and SmartScreen being enabled. Block actions typically take effect after the TCP/TLS handshake, so you might see transient connection-success events in logs before the block occurs. For non-Microsoft browsers, HTTPS domain blocking requires QUIC/HTTP3 and Encrypted Client Hello to be disabled.
**File hash indicators** require Defender Antivirus in active mode with cloud protection enabled. Hash precedence follows cryptographic strength: SHA-256 takes priority over SHA-1, which takes priority over MD5. Windows supports PE files, while macOS handles Mach-O executables, POSIX shell scripts, and AppleScript files.
**Timing matters:** File blocking indicators typically propagate within 15-30 minutes, though they can take up to two hours. URL and IP blocks usually apply within two hours but may take up to 48 hours to reach all devices. Certificate indicators can take up to three hours to propagate.
## Scaling with Bulk Import
For organizations managing hundreds of indicators, the CSV import functionality supports up to 500 indicators per batch. This enables rapid deployment of threat intelligence feeds, incident response actions, or policy updates across your environment.
The CSV format includes fields for indicator type and value, action, title, description, expiration time, severity, RBAC groups, MITRE ATT&CK techniques, and alert generation preferences. This structured approach ensures consistency and enables automation in your security operations.
## Integration Strategy
Custom indicators don't exist in isolation. They complement your broader Microsoft 365 security stack:
The Tenant Allow/Block List in Defender for Office 365 controls email and Teams filtering during mail flow and time-of-click scenarios. Endpoint indicators govern device-level web browsing and file execution through Defender for Endpoint. For comprehensive protection such as blocking a phishing campaign, deploy both: block the malicious URL in email and block its domain at the endpoint.
When indicator conflicts occur, the system follows clear precedence rules. For network indicators targeting the same resource, Allow takes precedence over Warn, which takes precedence over Block. For file and certificate indicators, the system considers other controls like Windows Defender Application Control, AppLocker, antivirus exclusions, and SmartScreen, while favoring more secure hash types.
## Best Practices
Successful indicator management requires thoughtful governance:
- **Use appropriate scopes** to limit blast radius. A business exception for the marketing team shouldn't apply to your entire estate.
- **Set realistic expiration dates.** Temporary exceptions for vendor testing shouldn't become permanent security gaps through neglect.
- **Generate alerts judiciously.** Block & Remediate actions on known malware warrant alerts; allowlisting a trusted certificate probably doesn't.
- **Document thoroughly.** Six months from now, your team needs to understand why an indicator exists and whether it's still relevant.
- **Monitor and tune.** Regularly review your indicators for expired items, conflicting rules, or opportunities to consolidate.
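The "monitor and tune" step is easy to state and easy to skip. The following PowerShell is an added example, not code from the original post or from Microsoft: it takes an indicator inventory in the field shape the Defender for Endpoint Indicators API returns (`indicatorValue`, `indicatorType`, `action`, `title`, `expirationTime`) and reports expired entries, entries expiring soon, values that carry more than one action, and Allow/Warn entries with no expiration. The inventory below is constructed sample data; `$headers` (a bearer token for `api.securitycenter.microsoft.com`) is assumed if you fetch the real list.

```powershell
# Added example, not from the original post. To use real data, replace $sample with
#   (Invoke-RestMethod -Uri "https://api.securitycenter.microsoft.com/api/indicators" -Headers $headers).value
# where $headers holds a bearer token for the Defender for Endpoint API (assumed, not shown here).

function Get-IndicatorReviewReport {
    param(
        [Parameter(Mandatory)] [object[]] $Indicators,
        [DateTimeOffset] $Now = [DateTimeOffset]::UtcNow,
        [int] $ExpiringWithinDays = 30
    )

    $expired  = @()
    $expiring = @()
    foreach ($i in $Indicators) {
        if (-not $i.expirationTime) { continue }   # no-expiry entries are handled below
        $exp = [DateTimeOffset]::Parse($i.expirationTime)
        if ($exp -lt $Now) { $expired += $i }
        elseif ($exp -lt $Now.AddDays($ExpiringWithinDays)) { $expiring += $i }
    }

    # Same value, more than one distinct action. For network indicators Allow beats
    # Warn, which beats Block, so a forgotten Allow silently defeats a later Block.
    $conflicts = $Indicators |
        Group-Object -Property indicatorValue |
        Where-Object { @($_.Group.action | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Value   = $_.Name
                Actions = (@($_.Group.action | Sort-Object -Unique) -join ', ')
                Titles  = ($_.Group.title -join ' | ')
            }
        }

    # Allow/Warn entries that never expire are the ones most likely to become permanent gaps
    $permanent = $Indicators | Where-Object { (-not $_.expirationTime) -and ($_.action -in @('Allowed', 'Warn')) }

    [pscustomobject]@{
        Expired             = @($expired)
        ExpiringSoon        = @($expiring)
        Conflicts           = @($conflicts)
        PermanentExceptions = @($permanent)
    }
}

# Constructed sample inventory using the API's field names
$sample = @(
    [pscustomobject]@{ indicatorValue = '198.51.100.42'; indicatorType = 'IpAddress'; action = 'Block'; title = 'Block C2 server'; expirationTime = '2026-08-13T00:00:00Z' }
    [pscustomobject]@{ indicatorValue = 'analytics.vendorplatform.com'; indicatorType = 'DomainName'; action = 'Allowed'; title = 'Q4 vendor exception'; expirationTime = '2025-11-01T00:00:00Z' }
    [pscustomobject]@{ indicatorValue = 'facebook.com'; indicatorType = 'DomainName'; action = 'Warn'; title = 'AUP warning'; expirationTime = $null }
    [pscustomobject]@{ indicatorValue = 'facebook.com'; indicatorType = 'DomainName'; action = 'Allowed'; title = 'Marketing allow'; expirationTime = $null }
)

# Review as of a fixed date so the sample is reproducible
$report = Get-IndicatorReviewReport -Indicators $sample -Now ([DateTimeOffset]'2026-01-15T00:00:00Z')
"Expired: {0}  Expiring soon: {1}  Conflicts: {2}  Permanent exceptions: {3}" -f `
    $report.Expired.Count, $report.ExpiringSoon.Count, $report.Conflicts.Count, $report.PermanentExceptions.Count
$report.Conflicts | Format-Table -AutoSize
```

Run it monthly (or from a scheduled pipeline) and route the `Conflicts` and `PermanentExceptions` sets to whoever owns the indicator inventory; the conflict check is the one that catches an Allow left behind by a business exception overriding a Block added during an incident.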
# Custom Indicators in Microsoft Defender: Implementation Examples & Step-by-Step Guide
Building on the fundamentals of custom indicators, let's dive into practical implementation examples that you can adapt for your own environment. I'll walk you through the specific steps and provide ready-to-use configurations.
## Implementation Method Overview
You can create custom indicators through three primary methods:
1. **Microsoft Defender Portal (GUI)** - Best for single indicators or learning
2. **PowerShell/API** - Ideal for automation and integration
3. **CSV Bulk Import** - Perfect for deploying multiple indicators simultaneously
Let's explore practical examples using each approach.
## Example 1: Block a Malicious IP Address (Command & Control Server)
### Scenario
Your SOC team has identified ongoing beaconing to a known C2 server at IP address 198.51.100.42. You need to immediately block all outbound connections to this host across your workstation fleet.
### Via Microsoft Defender Portal
**Step 1:** Navigate to the Defender Portal
- Navigate to **Settings** > **Endpoints** > **Indicators**
**Step 2:** Create the Indicator
- Click **+ Add indicator**
- Select **IP addresses**
**Step 3:** Configure the Indicator
```
Indicator type: IP address
IP address: 198.51.100.42
Action: Block
Scope: Select device groups > "All Workstations"
Title: Block Cobalt Strike C2 Infrastructure
Description: Active C2 server identified in incident INC-2025-0847. Block all outbound connections.
Severity: High
Recommended actions: Review firewall logs for affected devices; investigate beaconing hosts
Category: CommandAndControl
MITRE techniques: T1071.001 (Application Layer Protocol: Web Protocols)
Generate alert: Yes
Expires on: 2026-08-13 (1 year from now)
```
**Step 4:** Submit and Verify
- Click **Save**
- Verify propagation status in the Indicators list
- Expected propagation time: within 2 hours (up to 48 hours for all devices)
### Via PowerShell (Defender for Endpoint Indicators API)
```powershell
# Endpoint indicators are managed through the Defender for Endpoint Indicators API
# (POST https://api.securitycenter.microsoft.com/api/indicators). This needs an Entra
# app registration granted the Ti.ReadWrite.All application permission for
# "WindowsDefenderATP"; fill in your own tenant and app values below.
$tenantId  = "<tenant-id>"
$appId     = "<app-id>"
$appSecret = "<app-secret>"

# Acquire an access token for the Defender for Endpoint API (client credentials flow)
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $appId
        client_secret = $appSecret
        scope         = "https://api.securitycenter.microsoft.com/.default"
        grant_type    = "client_credentials"
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# Define the indicator (field names follow the Indicators API request body;
# the Category field from the portal form is not sent here)
$indicator = @{
    indicatorValue     = "198.51.100.42"
    indicatorType      = "IpAddress"
    action             = "Block"
    title              = "Block Cobalt Strike C2 Infrastructure"
    description        = "Active C2 server identified in incident INC-2025-0847. Block all outbound connections."
    expirationTime     = "2026-08-13T00:00:00Z"
    severity           = "High"
    rbacGroupNames     = @("All Workstations")
    mitreTechniques    = @("T1071.001")
    recommendedActions = "Review firewall logs for affected devices; investigate beaconing hosts"
    generateAlert      = $true
}

# Create the indicator; the response echoes the stored indicator including its id
Invoke-RestMethod -Method Post `
    -Uri "https://api.securitycenter.microsoft.com/api/indicators" `
    -Headers $headers -ContentType "application/json" `
    -Body ($indicator | ConvertTo-Json)
```
---
## Example 2: Block a Phishing Domain with Subdomain Coverage
### Scenario
You've discovered a phishing campaign using the domain "secure-microsoft-verify.com" with multiple subdomains (login.secure-microsoft-verify.com, portal.secure-microsoft-verify.com, etc.). You need comprehensive blocking.
### Via Microsoft Defender Portal
```
Indicator type: Domain
Domain: secure-microsoft-verify.com
Action: Block
Scope: All devices
Title: Block Microsoft impersonation phishing domain
Description: Active credential harvesting campaign. Domain automatically blocks all subdomains.
Severity: High
Category: Phishing
MITRE techniques: T1566.002 (Phishing: Spearphishing Link)
Generate alert: Yes
Expires on: 2027-01-01
```
**Key Point:** When you block a domain, Defender automatically blocks all subdomains. So blocking "secure-microsoft-verify.com" will also block "login.secure-microsoft-verify.com", "portal.secure-microsoft-verify.com", etc.
### Via CSV Bulk Import
Create a file named `phishing_domains.csv`:
```csv
indicatorType,indicatorValue,action,title,description,expirationTime,severity,recommendedActions,rbacGroups,category,mitretechniques,GenerateAlert
DomainName,secure-microsoft-verify.com,Block,Block Microsoft impersonation phishing domain,Active credential harvesting campaign,2027-01-01T00:00:00.0Z,High,Add to email security gateway blocklist,All Devices,Phishing,T1566.002,True
DomainName,office365-secure-login.net,Block,Block Office 365 impersonation domain,Related phishing infrastructure,2027-01-01T00:00:00.0Z,High,Add to email security gateway blocklist,All Devices,Phishing,T1566.002,True
DomainName,microsoft-account-verification.org,Block,Block account verification scam,Credential theft attempt,2027-01-01T00:00:00.0Z,High,Add to email security gateway blocklist,All Devices,Phishing,T1566.002,True
```
**Import Steps:**
1. In Defender Portal, go to **Settings** > **Endpoints** > **Indicators**
2. Click **Import** > Choose your CSV file
3. Review the preview
4. Click **Import** (supports up to 500 indicators per batch)
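Hand-editing a CSV works for three rows; for a threat-intelligence feed you want the rows generated, validated before upload, and split at the 500-row batch limit. The following PowerShell is an added example, not code from the original post or from Microsoft. It uses the column header from `phishing_domains.csv` above, rejects rows that would fail on import (unknown type or action, a CIDR range in an IP indicator, a scheme in a domain, a malformed hash or expiration), and writes numbered batch files. The sample rows are constructed; the output path under `$env:TEMP` assumes Windows.

```powershell
# Added example, not from the original post. Column order matches phishing_domains.csv above.
$ImportColumns = 'indicatorType','indicatorValue','action','title','description',
                 'expirationTime','severity','recommendedActions','rbacGroups',
                 'category','mitretechniques','GenerateAlert'

function Test-IndicatorRow {
    param([Parameter(Mandatory)] $Row)
    $problems      = @()
    $validTypes    = 'FileSha1','FileSha256','FileMd5','CertificateThumbprint','IpAddress','DomainName','Url'
    $validActions  = 'Allowed','Audit','Warn','Block','BlockAndRemediate'
    $validSeverity = 'Informational','Low','Medium','High'

    if ($Row.indicatorType -notin $validTypes)  { $problems += "unknown indicatorType '$($Row.indicatorType)'" }
    if ($Row.action -notin $validActions)       { $problems += "unknown action '$($Row.action)'" }
    if ($Row.severity -notin $validSeverity)    { $problems += "unknown severity '$($Row.severity)'" }
    if ([string]::IsNullOrWhiteSpace($Row.title)) { $problems += 'title is required' }

    # Per-type value checks mirroring the limits described earlier in the post
    switch ($Row.indicatorType) {
        'FileSha256' { if ($Row.indicatorValue -notmatch '^[0-9a-fA-F]{64}$') { $problems += 'SHA-256 must be 64 hex characters' } }
        'FileSha1'   { if ($Row.indicatorValue -notmatch '^[0-9a-fA-F]{40}$') { $problems += 'SHA-1 must be 40 hex characters' } }
        'IpAddress'  { if ($Row.indicatorValue -match '/')        { $problems += 'CIDR ranges are not supported; use a single IP' } }
        'DomainName' { if ($Row.indicatorValue -match '^[a-z]+://') { $problems += 'domain must not include a scheme' } }
    }
    if ($Row.expirationTime -and $Row.expirationTime -notmatch '^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$') {
        $problems += 'expirationTime must be ISO 8601 UTC, e.g. 2027-01-01T00:00:00.0Z'
    }
    return $problems
}

function Export-IndicatorBatches {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [Parameter(Mandatory)] [string] $Prefix,
        [int] $BatchSize = 500    # the portal's per-import limit
    )
    # Validate everything first: one bad row should not leave half the batches written
    $invalid = foreach ($r in $Rows) {
        $e = Test-IndicatorRow -Row $r
        if ($e) { "{0}: {1}" -f $r.indicatorValue, ($e -join '; ') }
    }
    if ($invalid) { throw "Invalid rows:`n$($invalid -join "`n")" }

    $files = @()
    for ($i = 0; $i -lt $Rows.Count; $i += $BatchSize) {
        $end  = [math]::Min($i + $BatchSize, $Rows.Count) - 1
        $path = "{0}_{1:d3}.csv" -f $Prefix, ($files.Count + 1)
        $Rows[$i..$end] | Select-Object $ImportColumns |
            Export-Csv -Path $path -NoTypeInformation -Encoding UTF8
        $files += $path
    }
    return $files
}

# Constructed sample: the three domains from phishing_domains.csv
function New-DomainRow($domain, $title) {
    [pscustomobject]@{
        indicatorType = 'DomainName'; indicatorValue = $domain; action = 'Block'; title = $title
        description = 'Active credential harvesting campaign'; expirationTime = '2027-01-01T00:00:00.0Z'
        severity = 'High'; recommendedActions = 'Add to email security gateway blocklist'
        rbacGroups = 'All Devices'; category = 'Phishing'; mitretechniques = 'T1566.002'; GenerateAlert = 'True'
    }
}
$rows = @(
    New-DomainRow 'secure-microsoft-verify.com' 'Block Microsoft impersonation phishing domain'
    New-DomainRow 'office365-secure-login.net' 'Block Office 365 impersonation domain'
    New-DomainRow 'microsoft-account-verification.org' 'Block account verification scam'
)
Export-IndicatorBatches -Rows $rows -Prefix (Join-Path $env:TEMP 'phishing_domains')

# A domain written with a scheme is caught before anything is written
$bad = New-DomainRow 'https://secure-microsoft-verify.com' 'Bad row'
Test-IndicatorRow -Row $bad
```

Validate-then-write matters for the same reason the import is batched: a partially applied batch is hard to reconcile, and a rejected upload with 499 good rows is still a rejected upload. Each generated file is then imported with the four portal steps above.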
---
## Example 3: Warn Users About Social Media with Bypass Option
### Scenario
You want to discourage social media use during work hours but allow bypasses for legitimate business needs (social media marketing team, communications, etc.). When users attempt to access social media, they see a warning and can bypass for 15 minutes.
### Via Microsoft Defender Portal
```
Indicator type: URL
URL: https://facebook.com/
Action: Warn
Allow bypass: Yes (15 minutes)
Custom notification page: Yes
Notification page URL: https://intranet.contoso.com/policies/acceptable-use
Notification title: Social Media Access Warning
Notification text: Access to social media sites should be limited to business purposes. Please review our acceptable use policy. If you have a legitimate business need, you may bypass this warning for 15 minutes.
Scope: All Devices (exclude "Marketing Team" device group)
Title: Warn on Facebook access
Description: AUP enforcement with bypass for business use
Severity: Informational
Category: CustomPolicy
Generate alert: No
Expires on: No expiration
```
**Additional Social Media Sites:**
Repeat for:
- https://twitter.com/
- https://instagram.com/
- https://linkedin.com/ (maybe Allow for corporate use)
- https://tiktok.com/
- https://reddit.com/
---
## Example 4: Block and Remediate Ransomware by File Hash
### Scenario
Threat intelligence indicates a new LockBit variant is actively spreading. You have the SHA-256 hash and need to block execution and automatically remove it if found.
### Via Microsoft Defender Portal
```
Indicator type: File hash
Hash type: SHA256
Hash value: a4b2c8d9e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8
Action: Block and remediate
Generate alert: Yes
Alert title: LockBit Ransomware Detected
Scope: All devices
Title: Block LockBit 3.0 ransomware variant
Description: Active ransomware campaign. Hash confirmed malicious by MSTIC. Auto-remediation enabled.
Severity: High
Recommended actions: Isolate affected devices; review execution timeline; check for lateral movement
Category: Execution
MITRE techniques: T1204.002 (User Execution: Malicious File), T1486 (Data Encrypted for Impact)
Expires on: 2028-01-01
```
### Multiple Ransomware Hashes via CSV
Create `ransomware_hashes.csv`:
```csv
indicatorType,indicatorValue,action,title,description,expirationTime,severity,recommendedActions,rbacGroups,category,mitretechniques,GenerateAlert
FileSha256,a4b2c8d9e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8,BlockAndRemediate,Block LockBit 3.0 variant,Active ransomware campaign,2028-01-01T00:00:00.0Z,High,Isolate device; investigate patient zero,All Devices,Execution,T1204.002,True
FileSha256,b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6,BlockAndRemediate,Block LockBit dropper variant 2,Secondary payload observed,2028-01-01T00:00:00.0Z,High,Isolate device; investigate patient zero,All Devices,Execution,T1204.002,True
FileSha256,c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7,BlockAndRemediate,Block LockBit encryption module,Encryption component,2028-01-01T00:00:00.0Z,High,Isolate device; investigate patient zero,All Devices,Execution,T1486,True
```
**Prerequisites Check:**
- Defender Antivirus must be in **Active mode**
- Cloud-delivered protection must be **Enabled**
- File hash computation must be **Enabled**
---
## Example 5: Allow Trusted Vendor Certificate (Prevent False Positives)
### Scenario
Your organization uses Atlassian tools (Jira, Confluence), and Attack Surface Reduction rules are flagging their auto-updater as suspicious. You need to allowlist their code-signing certificate to prevent disruption.
### Via Microsoft Defender Portal
**Step 1:** Obtain the Certificate
- Right-click the blocked executable
- Properties > Digital Signatures > Details > View Certificate
- Details tab > Copy to File > Export as .CER or .PEM
- Note the thumbprint
**Step 2:** Create the Indicator
```
Indicator type: Certificate
Certificate file: Upload AtlassianCodeSigning.cer
OR
Certificate thumbprint: 3A6B9F2C8D1E4F7A5B8C9E0D2F1A3B6C8D9E4F5A7B8C0D1E3F4A6B7C9D8E1F2A
Action: Allow
Scope: Engineering Workstations, IT Operations
Title: Allow Atlassian code-signing certificate
Description: Prevent ASR false positives on Jira/Confluence auto-updater
Severity: Informational
Category: CustomPolicy
Generate alert: No
Expires on: 2027-12-31 (check certificate validity period)
```
**Important Notes:**
- Only **leaf certificates** are supported (not root or intermediate)
- You **cannot block** Microsoft-signed certificates
- Propagation can take up to 3 hours
---
## Example 6: Audit Suspicious Tool Usage (Detection Without Blocking)
### Scenario
You want to monitor the use of PsExec and other Sysinternals tools in your finance department without blocking them (they may have legitimate use cases), but you want to generate alerts for investigation.
### Via Microsoft Defender Portal
```
Indicator type: File hash
Hash type: SHA256
Hash value: [PsExec SHA-256 hash]
Action: Audit only
Generate alert: Yes
Alert title: PsExec Execution Detected in Finance
Scope: Finance Laptops, Finance Desktops
Title: Monitor PsExec usage in Finance department
Description: Track execution for potential lateral movement detection. Do not block.
Severity: Medium
Recommended actions: Review user context; validate business justification; check for suspicious parent processes
Category: LateralMovement
MITRE techniques: T1570 (Lateral Tool Transfer)
Expires on: No expiration
```
**Why Audit Mode?**
- Allows legitimate administrative use
- Generates visibility for security monitoring
- Enables investigation of suspicious patterns
- Can be escalated to Block if abuse is detected
---
## Example 7: Temporary Business Exception for Vendor Access
### Scenario
Your marketing team is conducting a 3-month campaign with a vendor whose analytics platform is being flagged. You need a time-limited exception.
### Via Microsoft Defender Portal
```
Indicator type: URL
URL: https://analytics.vendorplatform.com/tracking/
Action: Allow
Scope: Marketing Laptops, Marketing Workstations
Title: Temporary exception for Q4 marketing campaign analytics
Description: Vendor: MarketingCorp. Campaign duration: Aug-Oct 2025. Auto-expires after campaign.
Severity: Low
Category: CustomPolicy
Generate alert: No
Expires on: 2025-11-01 (automatically removes after campaign)
```
**Best Practice:** Set clear expiration dates for temporary exceptions to prevent security drift.
---
## Example 8: Multi-Layer Protection (Email + Endpoint)
### Scenario
You've identified a phishing campaign. Implement comprehensive blocking across both email and endpoint layers.
### Layer 1: Tenant Allow/Block List (Defender for Office 365)
**Email/Teams URL Blocking:**
1. Navigate to https://security.microsoft.com
2. **Email & collaboration** > **Policies & rules** > **Threat policies**
3. **Tenant Allow/Block Lists** > **URLs** tab
4. Add URL: `phishing-campaign.badactor.com`
5. Block type: URL
6. Remove on: 2026-08-13
### Layer 2: Custom Indicator (Defender for Endpoint)
**Endpoint Web Browsing Block:**
```
Indicator type: Domain
Domain: phishing-campaign.badactor.com
Action: Block
Scope: All devices
Title: Block phishing campaign domain (endpoint layer)
Description: Coordinated with email blocking. Multi-layer defense.
Severity: High
Category: Phishing
MITRE techniques: T1566.002
Generate alert: Yes
Expires on: 2026-08-13
```
**Result:** Users are protected from:
- Phishing emails containing the URL (email flow blocking)
- Clicking links in emails/Teams (time-of-click protection)
- Direct browser navigation to the domain (endpoint web protection)
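The two layers above are configured in two different portals, which is exactly how they drift apart (different expiry dates, one layer forgotten). The following PowerShell is an added example, not code from the original post or from Microsoft, that applies both from one function: the Tenant Allow/Block List entry through the ExchangeOnlineManagement module's `New-TenantAllowBlockListItems`, and the endpoint domain indicator through the Defender for Endpoint Indicators API. It assumes an existing `Connect-ExchangeOnline` session and a `$headers` hashtable holding a bearer token for `api.securitycenter.microsoft.com` (obtained with an app registration granted `Ti.ReadWrite.All`); both are assumptions, not shown here.

```powershell
# Added example, not from the original post. Assumes Connect-ExchangeOnline has run and
# $headers = @{ Authorization = "Bearer <token for https://api.securitycenter.microsoft.com>" }.

function Block-PhishingDomainEverywhere {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [datetime] $RemoveOn,
        [Parameter(Mandatory)] [hashtable] $Headers,
        [string] $Note = 'Coordinated email + endpoint block'
    )

    # Layer 1: Tenant Allow/Block List (mail flow and time-of-click in email/Teams)
    $tabl = New-TenantAllowBlockListItems -ListType Url -Block -Entries $Domain `
        -ExpirationDate $RemoveOn -Notes $Note

    # Layer 2: endpoint domain indicator (browser navigation on devices; covers subdomains)
    $body = @{
        indicatorType   = 'DomainName'
        indicatorValue  = $Domain
        action          = 'Block'
        title           = "Block phishing campaign domain (endpoint layer): $Domain"
        description     = $Note
        severity        = 'High'
        expirationTime  = $RemoveOn.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
        mitreTechniques = @('T1566.002')
        generateAlert   = $true
    } | ConvertTo-Json
    $ioc = Invoke-RestMethod -Method Post `
        -Uri 'https://api.securitycenter.microsoft.com/api/indicators' `
        -Headers $Headers -ContentType 'application/json' -Body $body

    # Return both records so the two expiry dates can be verified side by side
    [pscustomobject]@{ Domain = $Domain; TenantBlockListEntry = $tabl; EndpointIndicatorId = $ioc.id }
}

Block-PhishingDomainEverywhere -Domain 'phishing-campaign.badactor.com' `
    -RemoveOn ([datetime]'2026-08-13') -Headers $headers
```

Passing one `$RemoveOn` into both calls is the point: the email block and the endpoint block expire together, so the campaign does not quietly become reachable on one path while still blocked on the other.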
## Common Issues and Solutions
**Issue: IP blocks not working**
Solution:
- Verify Network Protection is enabled: `Get-MpPreference | Select-Object EnableNetworkProtection`
- Enable it if needed: `Set-MpPreference -EnableNetworkProtection Enabled`
**Issue: HTTPS URL blocks only work in Edge**
Solution:
- For Chrome/Firefox, disable QUIC and ECH at the network level
- Consider using domain-level blocks instead of specific HTTPS paths
**Issue: Certificate indicator not applying**
Solution:
- Confirm you're using the leaf certificate, not root/intermediate
- Verify Defender AV is in active mode: `Get-MpComputerStatus | Select-Object AMRunningMode`
- Check cloud protection: `Get-MpPreference | Select-Object MAPSReporting`
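The troubleshooting items above, plus the prerequisites listed under Example 4, are all answered by a handful of `Get-MpComputerStatus` and `Get-MpPreference` properties, so it is worth checking them together on a pilot device before an indicator is blamed. The following PowerShell is an added example, not code from the original post or from Microsoft; it runs on a Windows device with Defender Antivirus, and the property names and value meanings are those of the Defender cmdlets. The mapping of each check to the indicator types that need it is my own summary of the post.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the device.

function Test-IndicatorPrerequisites {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # MAPSReporting: 0 = disabled, 1 = basic, 2 = advanced (cloud-delivered protection)
    # EnableNetworkProtection: 0 = disabled, 1 = enabled (block), 2 = audit only
    # AMRunningMode: 'Normal' is active mode; 'Passive Mode' / 'EDR Block Mode' are not
    @(
        [pscustomobject]@{ Check = 'Defender AV in active mode';       Needed = 'File and certificate indicators'; Ok = ($status.AMRunningMode -eq 'Normal');     Value = $status.AMRunningMode }
        [pscustomobject]@{ Check = 'Real-time protection on';          Needed = 'File indicators';                 Ok = [bool]$status.RealTimeProtectionEnabled; Value = $status.RealTimeProtectionEnabled }
        [pscustomobject]@{ Check = 'Cloud-delivered protection on';    Needed = 'File indicators';                 Ok = ($pref.MAPSReporting -ge 1);             Value = $pref.MAPSReporting }
        [pscustomobject]@{ Check = 'File hash computation on';         Needed = 'File hash indicators';            Ok = [bool]$pref.EnableFileHashComputation;   Value = $pref.EnableFileHashComputation }
        [pscustomobject]@{ Check = 'Network protection in block mode'; Needed = 'IP, URL and domain indicators';   Ok = ($pref.EnableNetworkProtection -eq 1);   Value = $pref.EnableNetworkProtection }
    )
}

$result = Test-IndicatorPrerequisites
$result | Format-Table Check, Needed, Ok, Value -AutoSize

# Remediate the network protection case from the troubleshooting list above
$np = $result | Where-Object Check -like 'Network protection*'
if (-not $np.Ok) {
    Set-MpPreference -EnableNetworkProtection Enabled
}

# Anything still failing is a device-side problem, not an indicator problem
$result | Where-Object { -not $_.Ok } | ForEach-Object { "FAIL: $($_.Check) (current value: $($_.Value))" }
```

Audit mode for network protection (value 2) is a common surprise: events appear in Advanced Hunting, which looks like the indicator is working, while nothing is actually blocked.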
## Best Practices Summary
- **Start with Audit** - For new indicators, use Audit mode first to validate impact
- **Use Device Groups** - Scope indicators appropriately; avoid blanket "All Devices" unless necessary
- **Set Expiration Dates** - Prevent indicator sprawl with appropriate expiration
- **Document Thoroughly** - Use descriptive titles and detailed descriptions
- **Monitor Effectiveness** - Use Advanced Hunting to validate indicators are working
- **Regular Cleanup** - Review expired and obsolete indicators monthly
- **Layer Defenses** - Combine endpoint indicators with email filtering for comprehensive protection
- **Test in Pilot** - Validate blocking behavior with a test group before broad deployment
## Conclusion
Custom indicators represent a mature, flexible approach to threat management that bridges the gap between broad security policies and specific organizational needs. Whether you're responding to active incidents, enforcing acceptable use policies, or creating surgical exceptions for business processes, indicators provide the precision control modern security operations demand.
The key to success lies in understanding the capabilities and limitations of each indicator type, planning your scope and timing carefully, and integrating indicators into your broader security strategy rather than treating them as standalone controls.
As threats evolve and business requirements change, custom indicators give you the agility to adapt your defenses in minutes rather than days, which is a critical capability in today's threat landscape.