This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
autopoiesis
Explorer
‎2021-11-16 09:14 AM

Updateable Objects: how to list members; which one(s) for Microsoft Defender for Endpoints?

Hi all,

Struggling with opening least-privilege outbound permit rules for on-premise systems running (or to-be running) MS Defender for Endpoints (MDE).  Most ports are 80 or 443, so client systems generally don't have any issue; internal servers are a different matter.

MS provides the endpoints to which MDE-enabled systems need to connect here: Configure device proxy and Internet connection settings | Microsoft Docs (URL current as of writing, filename mde-urls.xlsx).  However, there are many wildcarded entries, eg

*.wd.microsoft.com

*.oms.opinsights.azure.com

...in logs, I see test MDE boxes connecting to sub-sub-domains, eg europe.cp.wd.microsoft.com, and I'm not sure Domain objects, (non-FQDN) would work efficiently (or at all?) with sub-sub-domains, nor that reverse look-ups will always work.

I'd (obviously) prefer to use built-in Updateable Objects, but the only apparently appropriate EU one is "Azure Advanced Threat Protection Public Services" - which the description states is derived from https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Publi... -  (>80k line JSON...)

After a while of successful testing, I note drops from test boxes, despite the Allow to "Azure Advanced Threat Protection Public Services" - I suspect that there are IPs in the MDE requirements that are not in the Azure list; it may be considered a completely different service (Defender docs are a mess, generally, and the interaction with Azure is obscure).

Questions

- Is there a command I can use to dump the current contents (ie the specific IPs/ranges) in an Updateable Object?

- Is there (or will there be) an UO specific for Defender for Endpoints which will maintain/support the requirements in the first URL above?

Thanks if you got this far.

Cheers,

auto

 

0 Kudos
4 Replies
Kaspars_Zibarts
Employee Employee
Employee
‎2021-11-16 11:09 PM

Answer to the first question, you will need to use two commands:

dynamic_objects -uo_show

object name : CP_MS_Office365_Worldwide
range 0 : 13.107.6.152 13.107.6.153
range 1 : 13.107.6.171 13.107.6.171
range 2 : 13.107.18.10 13.107.18.11

...

 

domains_tool -uo "Office365 Worldwide Services"

Domain tool looking for domains for 'Office365 Worldwide Services' and its children objects:

Domains name list for 'Skype for Business Online and Microsoft Teams Worldwide Services':

[1] teams.microsoft.com
[2] meetings.sfbassets.com
[3] webdirca1.online.lync.com
[4] cid-193d7751c51219f2.users.storage.live.com
[5] *.skype.com

...

Ruan_Kotze
Advisor
‎2021-11-16 11:28 PM
In response to Kaspars_Zibarts

Nothing to add to the discussion but thanks for sharing the commands - have often caught myself wishing I could see "inside" the UO's.

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2021-11-17 12:16 AM
In response to Ruan_Kotze

Np, dynamic objects one is a bit of a "hidden" one as it's not shown in command "help". Domains tools actually has it in the help.

Remember that you can use -d flag to see actual IP addresses for specific domains and there you can see if it was resolved from wildcard entry (subdomain flag will be set to yes)

0 Kudos
autopoiesis
Explorer
‎2021-11-18 01:15 AM
In response to Kaspars_Zibarts

Many thanks!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events