Forum Discussion
KappieKA
Sep 21, 2023 - Copper Contributor
Exclusions for Network Name Resolution
Hi all, I have deployed Defender for Identity in an infrastructure and now it has been discovered that the sensors are performing name resolution even on unknown IPs, e.g. a Linux-based honeypot ...
KappieKA
Sep 21, 2023 - Copper Contributor
Hi EliOfek,
thank you very much for your fast feedback. Unfortunately, I don't have the information first-hand, but from the network administrators, who are bothered by the fact that at certain times there are always a lot of requests going to various addresses.
I spontaneously searched for requests from the honeypot machine's IP address using Advanced Hunting
IdentityLogonEvents
| where IPAddress contains "XXX.XXX.XXX.XXX"
and found no log entry.
Do you know any good KQL query that I can use to analyse all possible requests to show that the honeypot first contacted the DC?
Kind Regards
Marco
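An added example of the kind of Advanced Hunting query asked for above (this is not from the thread or from Microsoft): it unions the three Defender for Identity event tables, keeps every row in which the honeypot address appears as source or destination, and then summarises first/last seen per table and action type. The honeypot address is a placeholder, the 7-day window is arbitrary, and the column names (IPAddress, DestinationIPAddress, ActionType, AccountName, DeviceName) are assumed from the Advanced Hunting schema. Note that an exact match (`==`) is used rather than `contains`, because `contains` on an IP string also matches longer addresses that share the prefix (e.g. 10.0.0.1 matches 10.0.0.10).

```kql
// Added example, not from the original thread.
// Replace the placeholder with the honeypot's real address.
let HoneypotIP = "XXX.XXX.XXX.XXX";   // placeholder
let Window = 7d;                      // assumed lookback window
let Hits = union
    (IdentityLogonEvents
        | where Timestamp > ago(Window)
        | extend Source = "IdentityLogonEvents"),
    (IdentityQueryEvents
        | where Timestamp > ago(Window)
        | extend Source = "IdentityQueryEvents"),
    (IdentityDirectoryEvents
        | where Timestamp > ago(Window)
        | extend Source = "IdentityDirectoryEvents")
    // exact match: avoids the prefix over-match that `contains` produces on IP strings
    | where IPAddress == HoneypotIP or DestinationIPAddress == HoneypotIP;
// Which table and action recorded the address, and when it was first/last seen
Hits
| summarize EventCount = count(),
            FirstSeen  = min(Timestamp),
            LastSeen   = max(Timestamp),
            Accounts   = make_set(AccountName, 20),
            Devices    = make_set(DeviceName, 20)
          by Source, ActionType
| sort by FirstSeen asc
```

If this returns nothing, that does not prove the honeypot never reached the DC: as the reply below notes, NNR can be triggered by any traffic the sensor observes on the DC, not only by authentications or queries that land in these tables, so the network team's capture of the NNR traffic itself remains the more direct evidence.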
EliOfek
Microsoft
Sep 21, 2023
Sadly I am not a KQL/AH expert, but take into account that any communication from this machine to the DC machine might invoke this NNR request, not just authentications.
And yes, one of the downsides of NNR is that in certain environments it can be quite noisy.
You might be able to reduce this noise by disabling some of the NNR methods that you know will not work well in your environment, as long as you are left with at least one high-certainty method that works.
This might reduce the noise by up to 66% in theory, depending on your exact scenario....