
Updateable Objects: how to list members; which one(s) for Microsoft Defender for Endpoints?

Hi all,

Struggling with opening least-privilege outbound permit rules for on-premise systems running (or to-be running) MS Defender for Endpoints (MDE).  Most ports are 80 or 443, so client systems generally don't have any issue; internal servers are a different matter.

MS provides the endpoints to which MDE-enabled systems need to connect here: Configure device proxy and Internet connection settings | Microsoft Docs (URL current as of writing, filename mde-urls.xlsx).  However, there are many wildcarded entries, eg


* logs, I see test MDE boxes connecting to sub-sub-domains, eg, and I'm not sure Domain objects, (non-FQDN) would work efficiently (or at all?) with sub-sub-domains, nor that reverse look-ups will always work.

I'd (obviously) prefer to use built-in Updateable Objects, but the only apparently appropriate EU one is "Azure Advanced Threat Protection Public Services" - which the description states is derived from -  (>80k line JSON...)

After a while of successful testing, I note drops from test boxes, despite the Allow to "Azure Advanced Threat Protection Public Services" - I suspect that there are IPs in the MDE requirements that are not in the Azure list; it may be considered a completely different service (Defender docs are a mess, generally, and the interaction with Azure is obscure).


- Is there a command I can use to dump the current contents (ie the specific IPs/ranges) in an Updateable Object?

- Is there (or will there be) a UO specific for Defender for Endpoints which will maintain/support the requirements in the first URL above?

Thanks if you got this far.




0 Kudos
4 Replies

In answer to the first question, you will need to use two commands:

dynamic_objects -uo_show

object name : CP_MS_Office365_Worldwide
range 0 :
range 1 :
range 2 :



domains_tool -uo "Office365 Worldwide Services"

Domain tool looking for domains for 'Office365 Worldwide Services' and its children objects:

Domains name list for 'Skype for Business Online and Microsoft Teams Worldwide Services':

[5] *
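
Added example, not part of the original thread: one way to test the suspicion raised in the question, by parsing a saved `dynamic_objects -uo_show` dump and listing the dropped destination IPs that no range in the Updatable Object covers. The "range N : first-IP last-IP" line layout, the object name `CP_EXAMPLE_UO` and every address are assumptions, since the output quoted above has its addresses stripped.

```python
import ipaddress
import re

# Constructed sample in the assumed "range N : <first IP> <last IP>" layout.
# The object name and all addresses (RFC 5737 documentation ranges) are
# made up for illustration; they are not real Updatable Object contents.
SAMPLE_UO_DUMP = """\
object name : CP_EXAMPLE_UO
range 0 : 192.0.2.0 192.0.2.127
range 1 : 198.51.100.10 198.51.100.10
range 2 : 203.0.113.64 203.0.113.95
"""

RANGE_RE = re.compile(r"^\s*range\s+\d+\s*:\s*(\S+)\s+(\S+)\s*$")


def parse_uo_ranges(dump):
    """Return {object name: [(first, last), ...]} from a saved dump."""
    objects, current = {}, None
    for line in dump.splitlines():
        if line.strip().lower().startswith("object name"):
            current = line.split(":", 1)[1].strip()
            objects[current] = []
            continue
        m = RANGE_RE.match(line)
        if m and current is not None:
            try:
                first, last = (ipaddress.ip_address(x) for x in m.groups())
            except ValueError:
                continue  # skip lines that do not hold two addresses
            if first.version == last.version and first <= last:
                objects[current].append((first, last))
    return objects


def uncovered(dest_ips, ranges):
    """Return destination IPs that fall outside every (first, last) range."""
    missing = []
    for raw in dest_ips:
        ip = ipaddress.ip_address(raw)
        if not any(a.version == ip.version and a <= ip <= b for a, b in ranges):
            missing.append(raw)
    return missing


if __name__ == "__main__":
    ranges = parse_uo_ranges(SAMPLE_UO_DUMP)["CP_EXAMPLE_UO"]
    dropped = ["192.0.2.55", "198.51.100.11", "203.0.113.64"]  # constructed
    print(uncovered(dropped, ranges))
```

To use it on real data, save the command output to a file on the gateway and pass the file's text to `parse_uo_ranges`, with the destination IPs taken from the drop logs.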



Nothing to add to the discussion but thanks for sharing the commands - have often caught myself wishing I could see "inside" the UO's.

0 Kudos

Np, the dynamic objects one is a bit of a "hidden" one, as it's not shown in the command "help". The domains tool actually has it in the help.

Remember that you can use the -d flag to see the actual IP addresses for specific domains, and there you can see if it was resolved from a wildcard entry (the subdomain flag will be set to yes).

0 Kudos

Many thanks!

0 Kudos