KappieKA
Sep 21, 2023, Copper Contributor
Exclusions for Network Name Resolution
Hi all, I have deployed Defender for Identity in an infrastructure and now it has been discovered that the sensors are performing name resolution even on unknown IPs, e.g. a Linux-based honeypot ...
EliOfek
Sep 21, 2023, Microsoft
Hi,
Currently there is no option to exclude IPs/ranges from NNR.
Your observation is not accurate.
NNR does not contact an endpoint unless it contacted the DC.
The fact that it's a Linux machine does not mean it can't connect to AD,
so this is by design that we will try to NNR a machine that connected.
Not sure what it means to "scan" in larger packets. Can you elaborate?
The NNR payloads we send to endpoints are extremely small.
KappieKA
Sep 21, 2023, Copper Contributor
Hi EliOfek,
thank you very much for your fast feedback. Unfortunately, I don't have the information first-hand, but from the network administrators, who are bothered by the fact that at certain times there are always a lot of requests going to various addresses.
I spontaneously searched for requests from the honeypot machine's IP address using Advanced Hunting
IdentityLogonEvents
| where IPAddress contains "XXX.XXX.XXX.XXX"
and found no log entry.
Do you know any good KQL query that I can use to analyse all possible requests to show that the honeypot first contacted the DC?
Kind Regards
Marco
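The following Advanced Hunting query is an added example for the question above; it is not part of the original thread and not a Microsoft-provided query. It assumes a placeholder honeypot address of 10.0.0.50 and a 7-day window (both hypothetical, adjust to your environment). The first part unions the three Defender for Identity tables so that any DC-facing activity from the honeypot (logons, LDAP/SAMR queries, directory changes) shows up, not just IdentityLogonEvents. The second part, which only returns data if the domain controller is also onboarded to Defender for Endpoint, looks at the reverse direction: connections from the DC to the honeypot on the ports used by the NNR methods (TCP 135 for NTLM over RPC, UDP 137 for NetBIOS, TCP 3389 for the RDP TLS hello), bucketed by hour so the "certain times" the network administrators noticed can be compared with the DC-side events.

```kusto
// Added example, not from the original post. HoneypotIP and Lookback are placeholders.
let HoneypotIP = "10.0.0.50";   // hypothetical honeypot address, replace with yours
let Lookback = 7d;
// Part 1: did the honeypot talk to a DC? Any of these would be enough to trigger NNR.
// Use == rather than contains: "10.0.0.5" would otherwise also match "10.0.0.50".
union isfuzzy=true
    (IdentityLogonEvents
     | where Timestamp > ago(Lookback) and IPAddress == HoneypotIP
     | project Timestamp, Source = "IdentityLogonEvents", ActionType, Protocol,
               AccountName, DestinationDeviceName, IPAddress),
    (IdentityQueryEvents
     | where Timestamp > ago(Lookback) and IPAddress == HoneypotIP
     | project Timestamp, Source = "IdentityQueryEvents", ActionType, Protocol,
               AccountName, DestinationDeviceName, IPAddress),
    (IdentityDirectoryEvents
     | where Timestamp > ago(Lookback) and IPAddress == HoneypotIP
     | project Timestamp, Source = "IdentityDirectoryEvents", ActionType, Protocol,
               AccountName, DestinationDeviceName, IPAddress)
| order by Timestamp asc
```

Run the following as a second query to see the NNR probes themselves (DC to honeypot), assuming the DC is onboarded to Defender for Endpoint so that DeviceNetworkEvents is populated for it:

```kusto
// Added example, not from the original post. Same placeholder IP and window as above.
let HoneypotIP = "10.0.0.50";
let Lookback = 7d;
// Part 2: connections from the sensor host(s) to the honeypot on the NNR ports.
// A steady hourly pattern here with no matching rows in Part 1 is worth raising with support.
DeviceNetworkEvents
| where Timestamp > ago(Lookback)
| where RemoteIP == HoneypotIP
| where RemotePort in (135, 137, 3389)
| summarize Probes = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Sensors = make_set(DeviceName)
          by Hour = bin(Timestamp, 1h), RemotePort, Protocol
| order by Hour asc
```

If Part 1 returns nothing at all while Part 2 shows regular probes, either the triggering traffic is of a type the Identity tables do not record (EliOfek notes below that any communication with the DC, not just authentication, can trigger NNR), or it happened outside the retention window; widen Lookback before concluding the sensor is resolving an IP that never touched the DC.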
EliOfek
Sep 21, 2023, Microsoft
Sadly I am not a KQL/AH expert, but take into account that any communication from this machine to the DC machine might invoke this NNR request, not just authentications.
And yes, one of the downsides of NNR is that in certain environments it can be quite noisy.
You might be able to reduce this noise by disabling some of the NNR methods that you know will not work well in your environment, as long as you are left with at least one high-certainty method that works.
This might reduce the noise by up to 66% in theory, depending on your exact scenario.