Forum Discussion
Exclusions for Network Name Resolution
Hi all,
I have deployed Defender for Identity in an infrastructure and now it has been discovered that the sensors are performing name resolution even on unknown IPs, e.g. a Linux-based honeypot that has no connection to the AD.
Furthermore, according to the firewall, the sensors "scan" in larger packets, which in turn causes the firewall to alert.
Does anyone know if it is possible to exclude certain IPs or ranges from the scan and is there any documentation on how the process works in detail?
Thanks in advance
- EliOfek (Microsoft)
Hi,
Currently there is no option to exclude IPs/ranges from NNR.
Your observation is not accurate.
NNR does not contact an endpoint unless it contacted the DC.
The fact that it's a Linux machine does not mean it can't connect to AD,
so this is by design that we will try to NNR a machine that connected.
Not sure what "scan" in larger packets means. Can you elaborate?
The NNR payloads we send to endpoints are extremely small.
- KappieKA (Copper Contributor)
Hi EliOfek,
thank you very much for your fast feedback. Unfortunately, I don't have the information first-hand, but from the network administrators, who are bothered by the fact that at certain times there are always a lot of requests going to various addresses.
I spontaneously searched for requests from the honeypot machine's IP address using Advanced Hunting
IdentityLogonEvents | where IPAddress contains "XXX.XXX.XXX.XXX"
and found no log entry.
Do you know any good KQL query that I can use to analyse all possible requests to show that the honeypot first contacted the DC?
Kind Regards
Marco
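An Advanced Hunting query for the question above, added here as an example and not part of the original thread. It unions the three Defender for Identity tables (IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents) so that any sensor-observed activity from the honeypot's IP is listed, not only authentications. The IP value is a placeholder to be replaced, and the 30-day lookback is an assumption; exact equality is used instead of `contains`, because `contains` on an IP string would also match longer addresses that merely start with the same digits (for example 10.0.0.1 matching 10.0.0.10).

```kql
// Constructed example: replace the placeholder with the honeypot's IP address.
let HoneypotIP = "XXX.XXX.XXX.XXX";
// Assumed lookback window; adjust to your retention.
let Lookback = 30d;
union
    (IdentityLogonEvents
     | where Timestamp > ago(Lookback)
     | where IPAddress == HoneypotIP
     | project Timestamp, Table = "IdentityLogonEvents", ActionType, Protocol,
               SourceIP = IPAddress, Target = DestinationDeviceName),
    (IdentityQueryEvents
     | where Timestamp > ago(Lookback)
     | where IPAddress == HoneypotIP
     | project Timestamp, Table = "IdentityQueryEvents", ActionType, Protocol,
               SourceIP = IPAddress, Target = DestinationDeviceName),
    (IdentityDirectoryEvents
     | where Timestamp > ago(Lookback)
     | where IPAddress == HoneypotIP
     | project Timestamp, Table = "IdentityDirectoryEvents", ActionType, Protocol,
               SourceIP = IPAddress, Target = DestinationDeviceName)
// Earliest row shows the first time the honeypot was seen talking to a DC.
| order by Timestamp asc
```

If the query returns nothing while the firewall still logs NNR traffic toward that IP, the trigger may have been traffic the sensor saw but did not record as a logon, query or directory event; an endpoint-side table such as DeviceNetworkEvents (only available if Defender for Endpoint is deployed on the DCs, which the thread does not state) can then be checked with `RemoteIP == HoneypotIP`.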
- EliOfek (Microsoft)
Sadly I am not a KQL/AH expert, but take into account that any communication from this machine to the DC machine might invoke this NNR request, not just authentications.
And yes, one of the downsides of NNR is that in certain environments it can be quite noisy.
You might be able to reduce this noise by disabling some of the NNR methods that you know will not work well in your environment, as long as you are left with at least one high-certainty method that works.
This might reduce the noise by up to 66% in theory, depending on your exact scenario.
- Martin_Schvartzman (Microsoft)