SOLVED

Live Response URLs

Hoping to clarify URL requirements for Live Response in Defender for Endpoint. The URLs listed in the Defender URLs spreadsheet online that reference being required for Live Response are:

*.wns.windows.com
login.microsoftonline.com
login.live.com

When you run the client analyzer tool, the MDEClientAnalyzer.txt file contains a results section called

############# Connectivity Check for Live Response URL################

That section lists the following 2 URLs as being tested:

Host: global.notify.windows.com on Port: 443
Host: client.wns.windows.com on Port: 443

I can see no reference to global.notify.windows.com (or *.windows.com) in the URL spreadsheet?

In my testing I have been able to successfully connect via Live Response to servers that show failed connections to global.notify.windows in their MDEClientAnalyzer.txt files.

Can anyone confirm if global.notify.windows.com is a required URL for Live Response?

Thanks

3 Replies
Well, (client.wns.windows.com) is covered by *.wns.windows.com; maybe there is a wildcard elsewhere in the reference that covers (global.notify.windows.com).
Ah sorry, I see you already considered that. My mistake, I should have re-read before replying.
best response confirmed by PJR_CDF (Iron Contributor)
Solution

I've found an older version of the Defender URLs spreadsheet that has an entry for

*.notify.windows.com

The latest version of the spreadsheet doesn't contain this URL anymore and only lists the following requirements for Live Response:

*.wns.windows.com
login.live.com
login.microsoftonline.com

Interestingly, in the ChangeLog tab on the latest version of the spreadsheet, it notes that *.notify.windows.com was removed on the 25/01/22. I have a version I downloaded in May this year with that URL present.

Regardless of the above, it looks like perhaps they haven't updated the connectivity analyzer to remove the test to global.notify.windows.com.
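
The comparison made in this thread, as an added example (not from the original posts and not Microsoft code): it reads the Live Response section of an MDEClientAnalyzer.txt and reports which tested hosts are covered by the documented allow-list entries. The sample text is constructed from the lines quoted above; the function names, the assumption that every section starts with a `#` banner line, and the wildcard semantics are assumptions of this example.

```powershell
# Constructed sample: only the lines quoted in this thread, not a real analyzer file.
$analyzerText = @'
############# Connectivity Check for Live Response URL################
Host: global.notify.windows.com on Port: 443
Host: client.wns.windows.com on Port: 443
'@

# Live Response entries from the current URL spreadsheet, as listed in the thread.
$documented = '*.wns.windows.com', 'login.microsoftonline.com', 'login.live.com'

# Hypothetical helper: returns the allow-list entry that covers a host, or nothing.
function Test-HostCovered {
    param([string]$HostName, [string[]]$Patterns)
    foreach ($p in $Patterns) {
        if ($p.StartsWith('*.')) {
            # Assumption: "*.example.com" covers any subdomain, not the bare domain.
            $suffix = $p.Substring(1)   # ".example.com"
            if ($HostName.Length -gt $suffix.Length -and
                $HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                return $p
            }
        } elseif ($HostName -ieq $p) {
            return $p
        }
    }
    return $null
}

# Hypothetical helper: walks the text and emits one object per host tested in the
# Live Response section. Assumes any line starting with "###" opens a new section.
function Get-LiveResponseCoverage {
    param([string]$Text, [string[]]$Patterns)
    $inSection = $false
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^#{3,}') {
            $inSection = $line -match 'Connectivity Check for Live Response URL'
            continue
        }
        if ($inSection -and $line -match '^\s*Host:\s*(\S+)\s+on\s+Port:\s*(\d+)') {
            $h = $Matches[1]; $port = [int]$Matches[2]
            $rule = Test-HostCovered -HostName $h -Patterns $Patterns
            [pscustomobject]@{ Host = $h; Port = $port; Documented = [bool]$rule; MatchedEntry = $rule }
        }
    }
}

Get-LiveResponseCoverage -Text $analyzerText -Patterns $documented | Format-Table -AutoSize
```

To run it against a real file, pass `(Get-Content -Raw <path to MDEClientAnalyzer.txt>)` as `-Text`; a host reported with `Documented = False` is one the analyzer tests but the supplied list does not cover.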
