Forum Discussion

Tali Ash's avatar
Tali Ash
Former Employee
Nov 12, 2018

Default exclusions in Suspicious communication over DNS SA

You asked, we listened!   Since releasing the Suspicious communication over DNS alert in preview mode, we’ve heard from many of you and worked to improve accuracy and reliability. From today’s ...
Niv Dolgin's avatar
Niv Dolgin
Copper Contributor
Dec 19, 2021

Tali Ash Is there complete documentation containing a list of all default domain names in Microsoft's exclusions?

We're still generating the alert multi-times daily for excessive ('suspicious) sophosxl(.)net and e5(.)sk despite having modified the policy with our own exclusion. Our exclusions appear to be just be ignored by the policy. 

EliOfek's avatar
EliOfek
Icon for Microsoft rankMicrosoft
Dec 19, 2021
The list of exclusions is what you see in the exclusion list.
There are no overwrites in the code.
Not sure what you mean by "your own" exclusions, do you mean that the above 3 were removed from the list?
How exactly did you induce suspicious communication over dns ?
Just sending a simple DNS query will not suffice to trigger, doesn't matter how many times.
  • Niv Dolgin's avatar
    Niv Dolgin
    Copper Contributor
    Dec 30, 2021

    Hi EliOfek 

    Here's the screenshot of our alert (taken this morning, but generated every ~hour) showing that both domains trigger/induce the alert for both sophosxl.net and e5.sk:

    And selecting "Adjust Policy" allows an admin to create domain exclusions. Originally, this policy listed no domains (was blank) until I added the domains in the screenshot (below). I've also experimented with wildcard characters but saw no change in behavior (i.e., *.e5.sk or %.e5.sk). Despite our efforts, this policy seems to ignore domain name exclusions:

     

    Any suggestions?

    • EliOfek's avatar
      EliOfek
      Icon for Microsoft rankMicrosoft
      Dec 30, 2021

      Niv Dolgin 

      In the native portal it should look like this by default:

      If the list is empty it means it was cleared since the workspace was created.

      We exclude them by default as they are considered  harmless and very common.

      In the new security portal it should look like that:

       

      It seems that your screenshot is coming from Cloud App Security policy rules which are a different thing.
      I suggest you try to modify it using the native MDI portal <workspace>.atp.azure.com or using security.microsoft.com.
      Make it look like the pictures I added and you should be OK.



      • Niv Dolgin's avatar
        Niv Dolgin
        Copper Contributor
        Dec 30, 2021

        Thank you EliOfek! I thought the customized domain exclusions in the MCAS policy were kept in sync with the MDI exclusion lists - my mistake.

         

        Looks like the default sophosxls and spotify domains are missing from the MDI exclusions, although e5.sk is present. I'll proceed to add them back and monitor the MCAS alerts, thank you for the prompt reply.