Forum Discussion

PJR_CDF's avatar
PJR_CDF
Iron Contributor
Sep 11, 2023

Live Response URL's

Hoping to clarify URL requirements for Live Response in Defender for Endpoint. The URLs listed in the Defender URLs spreadsheet online that reference being required for Live Response are:

 

*.wns.windows.com
login.microsoftonline.com
login.live.com

 

When you run the client analyzer tool, the MDEClientAnalyzer.txt file contains a results section called 

 

############# Connectivity Check for Live Response URL################

 

That section lists the following 2 URLs as being tested:

 

Host: global.notify.windows.com on Port: 443
Host: client.wns.windows.com on Port: 443

 

I can see no reference to global.notify.windows.com (or *.windows.com) in the URL spreadsheet?

 

In my testing I have been able to successfully connect via Live Response to servers that show failed connections to global.notify.windows in their MDEClientAnalyzer.txt files.

 

Can anyone confirm if global.notify.windows.com is a required URL for Live Response?

 

Thanks

  • PJR_CDF's avatar
    PJR_CDF
    Sep 13, 2023

    I've found an older version of the Defender URLs spreadsheet that has an entry for

    *.notify.windows.com

    The latest version of the spreadsheet doesnt contain this URL anymore and only lists the following requirements for Live Response:

    *.wns.windows.com
    login.live.com
    login.microsoftonline.com

     

    Interestingly in the ChangeLog tab on the latest version of the spreadsheet, it notes that *.notify.windows.com was removed on the 25/01/22. I have a version I downloaded in May this year with that URL present. 

     

    Regardless of the above it looks like perhaps they havent updated the connectivity analyzer to remove the test to global.notify.windows.com.

  • jbmartin6's avatar
    jbmartin6
    Iron Contributor
    Well, (client.wns.windows.com) is covered by *.wns.windows.com, maybe there is a wildcard elsewhere in the reference that covers (global.notify.windows.com)
    • jbmartin6's avatar
      jbmartin6
      Iron Contributor
      Ah sorry, I see you already considered that, my mistake I should have re-read before replying.
      • PJR_CDF's avatar
        PJR_CDF
        Iron Contributor

        I've found an older version of the Defender URLs spreadsheet that has an entry for

        *.notify.windows.com

        The latest version of the spreadsheet doesnt contain this URL anymore and only lists the following requirements for Live Response:

        *.wns.windows.com
        login.live.com
        login.microsoftonline.com

         

        Interestingly in the ChangeLog tab on the latest version of the spreadsheet, it notes that *.notify.windows.com was removed on the 25/01/22. I have a version I downloaded in May this year with that URL present. 

         

        Regardless of the above it looks like perhaps they havent updated the connectivity analyzer to remove the test to global.notify.windows.com.

Resources