Forum Discussion
KappieKA
MCT
Sep 21, 2023
Exclusions for Network Name Resolution
Hi all, I have deployed Defender for Identity in an infrastructure and now it has been discovered that the sensors are performing name resolution even on unknown IPs, e.g. a Linux-based honeypot ...
EliOfek
Microsoft
Sep 21, 2023
Hi,
Currently there is no option to exclude IP/ranges from NNR.
Your observation is not accurate.
NNR does not contact an endpoint unless it contacted the DC.
The fact that it's a Linux machine does not mean it can't connect to AD,
so this is by design that we will try to NNR a machine that connected.
Not sure what "scan" in larger packets means. Can you elaborate?
The NNR payloads we send to endpoints are extremely small.
Martin_Schvartzman
Microsoft
Sep 21, 2023
Actually, we do have an option to exclude IP / CIDR ranges from NNR.
But you'll need to open a support ticket for that, as it's something that needs to be configured in the backend.