Sep 11 2023 01:00 AM
Hoping to clarify URL requirements for Live Response in Defender for Endpoint. The URLs listed in the Defender URLs spreadsheet online that reference being required for Live Response are:
*.wns.windows.com
login.microsoftonline.com
login.live.com
When you run the client analyzer tool, the MDEClientAnalyzer.txt file contains a results section called
############# Connectivity Check for Live Response URL################
That section lists the following 2 URLs as being tested:
Host: global.notify.windows.com on Port: 443
Host: client.wns.windows.com on Port: 443
I can see no reference to global.notify.windows.com (or *.windows.com) in the URL spreadsheet?
In my testing I have been able to successfully connect via Live Response to servers that show failed connections to global.notify.windows in their MDEClientAnalyzer.txt files.
Can anyone confirm if global.notify.windows.com is a required URL for Live Response?
Thanks
Sep 11 2023 05:32 AM
Sep 11 2023 05:33 AM
Sep 13 2023 02:55 AM - edited Sep 13 2023 03:30 AM
Solution
I've found an older version of the Defender URLs spreadsheet that has an entry for
*.notify.windows.com
The latest version of the spreadsheet doesn't contain this URL anymore and only lists the following requirements for Live Response:
*.wns.windows.com
login.live.com
login.microsoftonline.com
Interestingly, in the ChangeLog tab on the latest version of the spreadsheet, it notes that *.notify.windows.com was removed on the 25/01/22. I have a version I downloaded in May this year with that URL present.
Regardless of the above, it looks like perhaps they haven't updated the connectivity analyzer to remove the test to global.notify.windows.com.
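The comparison made across this thread, as an added example that is not part of the original posts or of any Microsoft tooling: it reads the Live Response section of an MDEClientAnalyzer.txt file and labels each tested host against the URL lists quoted above. It assumes the section header and `Host: ... on Port: ...` lines look exactly as quoted in the question and that the next `#`-delimited header ends the section; the function names and the sample text are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Live Response entries in the current spreadsheet, as listed in the thread.
CURRENT = ["*.wns.windows.com", "login.microsoftonline.com", "login.live.com"]
# Entry the thread reports as removed according to the ChangeLog tab.
REMOVED = ["*.notify.windows.com"]

SECTION = re.compile(r"^#+\s*Connectivity Check for Live Response URL\s*#+$")
ANY_HEADER = re.compile(r"^#{5,}.*#{5,}$")  # assumed shape of other section headers
HOST = re.compile(r"Host:\s*(\S+)\s+on Port:\s*(\d+)")

def live_response_hosts(text):
    """Return (host, port) pairs found inside the Live Response section only."""
    hosts, inside = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION.match(line):
            inside = True
        elif inside and ANY_HEADER.match(line):
            break  # a different section has started
        elif inside:
            m = HOST.search(line)
            if m:
                hosts.append((m.group(1).lower(), int(m.group(2))))
    return hosts

def classify(host):
    """Label a host by which spreadsheet list (if any) covers it."""
    if any(fnmatchcase(host, p) for p in CURRENT):
        return "documented"
    if any(fnmatchcase(host, p) for p in REMOVED):
        return "removed-from-spreadsheet"
    return "undocumented"

def report(text):
    return {host: classify(host) for host, _ in live_response_hosts(text)}

# Constructed sample built from the lines quoted in the question; the second
# section and its host are invented to show that parsing stops at the boundary.
SAMPLE = """\
############# Connectivity Check for Live Response URL################
Host: global.notify.windows.com on Port: 443
Host: client.wns.windows.com on Port: 443
############# Constructed Other Section ################
Host: example.invalid on Port: 443
"""

if __name__ == "__main__":
    for host, label in report(SAMPLE).items():
        print(f"{host:32} {label}")
```

A host labelled `removed-from-spreadsheet` or `undocumented` is one the analyzer tests but the current spreadsheet does not list, which is the mismatch described in the posts above.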