topic Re: Updateable Objects: how to list members; which one(s) for Microsoft Defender for Endpoints? in General Topics

Updateable Objects: how to list members; which one(s) for Microsoft Defender for Endpoints?

autopoiesis — Tue, 16 Nov 2021 17:14:21 GMT

Hi all,

Struggling with opening least-privilege outbound permit rules for on-premise systems running (or to-be running) MS Defender for Endpoints (MDE). Most ports are 80 or 443, so client systems generally don't have any issue; internal servers are a different matter.

MS provides the endpoints to which MDE-enabled systems need to connect here: Configure device proxy and Internet connection settings | Microsoft Docs (URL current as of writing, filename mde-urls.xlsx). However, there are many wildcarded entries, eg

*.wd.microsoft.com

*.oms.opinsights.azure.com

...in logs, I see test MDE boxes connecting to sub-sub-domains, eg europe.cp.wd.microsoft.com, and I'm not sure Domain objects, (non-FQDN) would work efficiently (or at all?) with sub-sub-domains, nor that reverse look-ups will always work.

I'd (obviously) prefer to use built-in Updateable Objects, but the only apparently appropriate EU one is "Azure Advanced Threat Protection Public Services" - which the description states is derived from https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20211115.json - (>80k line JSON...)

After a while of successful testing, I note drops from test boxes, despite the Allow to "Azure Advanced Threat Protection Public Services" - I suspect that there are IPs in the MDE requirements that are not in the Azure list; it may be considered a completely different service (Defender docs are a mess, generally, and the interaction with Azure is obscure).

Questions

- Is there a command I can use to dump the current contents (ie the specific IPs/ranges) in an Updateable Object?

- Is there (or will there be) an UO specific for Defender for Endpoints which will maintain/support the requirements in the first URL above?

Thanks if you got this far.

Cheers,

auto

Re: Updateable Objects: how to list members; which one(s) for Microsoft Defender for Endpoints?

Kaspars_Zibarts — Wed, 17 Nov 2021 07:09:04 GMT

Answer to the first question, you will need to use two commands:

dynamic_objects -uo_show

object name : CP_MS_Office365_Worldwide
range 0 : 13.107.6.152 13.107.6.153
range 1 : 13.107.6.171 13.107.6.171
range 2 : 13.107.18.10 13.107.18.11

...

domains_tool -uo "Office365 Worldwide Services"

Domain tool looking for domains for 'Office365 Worldwide Services' and its children objects:

Domains name list for 'Skype for Business Online and Microsoft Teams Worldwide Services':

[1] teams.microsoft.com
[2] meetings.sfbassets.com
[3] webdirca1.online.lync.com
[4] cid-193d7751c51219f2.users.storage.live.com
[5] *.skype.com

...

Re: Updateable Objects: how to list members; which one(s) for Microsoft Defender for Endpoints?

Ruan_Kotze — Wed, 17 Nov 2021 07:28:16 GMT

Nothing to add to the discussion but thanks for sharing the commands - have often caught myself wishing I could see "inside" the UO's.

Re: Updateable Objects: how to list members; which one(s) for Microsoft Defender for Endpoints?

Kaspars_Zibarts — Wed, 17 Nov 2021 08:16:53 GMT

Np, dynamic objects one is a bit of a "hidden" one as it's not shown in command "help". Domains tools actually has it in the help.

Remember that you can use -d flag to see actual IP addresses for specific domains and there you can see if it was resolved from wildcard entry (subdomain flag will be set to yes)

Re: Updateable Objects: how to list members; which one(s) for Microsoft Defender for Endpoints?

autopoiesis — Thu, 18 Nov 2021 09:15:00 GMT

Many thanks!