MDE URLs query - unitedkingdom.x.cp.wd.microsoft.com Vs. unitedkingdom.cp.wd.microsoft.com


Can someone from the product group/network team confirm the following query relating to Defender for Endpoint network traffic?

During testing I have seen traffic with a destination of unitedkingdom.cp.wd.microsoft.com being blocked by the proxy.

We have whitelisted all the URLs in the spreadsheet published by Microsoft and the current list of URLs includes the following entry which is similar to the one we are seeing blocked:

unitedkingdom.x.cp.wd.microsoft.com

Whilst this is similar to the URL, it’s not the same. Traffic from our devices is being sent to unitedkingdom.cp.wd.microsoft.com and not unitedkingdom.x.cp.wd.microsoft.com.

So currently I believe we are correctly seeing traffic blocked based on the information in the spreadsheet.

I can also see lots of references in the Excel spreadsheet to other x.cp.wd.microsoft.com URLs and wondered if perhaps the use of the “x” character in those URLs is supposed to be considered as a wildcard (which is confusing as that is traditionally signified by the use of an asterisk)?

As there are wildcard URLs in the spreadsheet signified by an actual asterisk (for example *.dm.microsoft.com), I would assume the presence of "x" in a URL is to be taken as a literal character. Additionally, if I ping unitedkingdom.x.cp.wd.microsoft.com, it resolves to an IP address which confirms a DNS entry for that exact hostname exists.

Anyone else seen this issue?

2 Replies
Hi, do you have any new insight? I'm facing the same situation with europe.cp.wd.microsoft.com.

@Fabian-7704 I'm afraid not - I heard nothing further on this
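
The literal-versus-wildcard question from the original post, as an added example that is not part of the thread and not Microsoft's code: it matches hostnames against the two allowlist entries quoted in the post and flags hosts that differ from a literal entry by a single label. It assumes only `*` is a wildcard, that `x` is a literal label, and that `*.` covers one or more leading labels (proxies differ on this); `sample.dm.microsoft.com` is a constructed hostname.

```python
# Added example, not from the thread. Assumption: "*" is the only wildcard;
# every other label, including "x", is compared literally.
ALLOWLIST = [
    "unitedkingdom.x.cp.wd.microsoft.com",  # entry quoted in the post
    "*.dm.microsoft.com",                   # wildcard entry quoted in the post
]
# Destinations to check; the last one is constructed to exercise the wildcard.
OBSERVED = [
    "unitedkingdom.cp.wd.microsoft.com",    # blocked host from the post
    "unitedkingdom.x.cp.wd.microsoft.com",
    "europe.cp.wd.microsoft.com",           # host from the first reply
    "sample.dm.microsoft.com",
]

def labels(host):
    # Case-insensitive DNS labels, ignoring a trailing root dot.
    return host.lower().rstrip(".").split(".")

def matches(host, entry):
    # Exact label-by-label match, or "*.suffix" covering one or more leading labels.
    h, e = labels(host), labels(entry)
    if e[0] == "*":
        return len(h) > len(e) - 1 and h[-(len(e) - 1):] == e[1:]
    return h == e

def near_miss(host, entry):
    # A literal entry that equals the host once a single label is added or removed.
    h, e = labels(host), labels(entry)
    if "*" in e or abs(len(h) - len(e)) != 1:
        return False
    longer, shorter = (h, e) if len(h) > len(e) else (e, h)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def classify(host, allowlist=ALLOWLIST):
    # Real matches win; near-misses are only reported for hosts that match nothing.
    for entry in allowlist:
        if matches(host, entry):
            return ("allowed", entry)
    for entry in allowlist:
        if near_miss(host, entry):
            return ("near-miss", entry)
    return ("no-match", None)

if __name__ == "__main__":
    for host in OBSERVED:
        verdict, entry = classify(host)
        print(f"{host:38} {verdict:10} {entry or ''}")
```

A `near-miss` verdict on a blocked destination points at the allowlist entry to compare against the published list before adding anything to the proxy.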