Nov 12 2018 06:17 AM
You asked, we listened!
Since releasing the Suspicious communication over DNS alert in preview mode, we’ve heard from many of you and worked to improve accuracy and reliability.
From today’s version (v2.54), 3 common domains customers were excluding are now excluded by default.
To change this configuration, go to the Exclusions page and add or remove as needed.
As always, we welcome your feedback, suggestions, and ideas about how to improve your Azure ATP experience.
Thanks,
Tali
Nov 15 2018 05:06 PM
What is the basis for adding those particular domains? They aren't "common" for us at all, so I removed them.
Do you intend to add other domains in future? If so will we be notified somehow, e.g. via O365 Message Center?
Nov 18 2018 02:19 AM - edited Nov 18 2018 02:22 AM
Hi Paul,
These 3 domains are the most popular in organizations with Azure ATP, most of Suspicious communication over DNS alerts were opened on them. In addition we observed that these 3 are also the most popular domains customers excluded from this alert. All 3 domains are known domains which owned by known companies that send to the domains data regarding their applications.
e5.sk - Eset
sophosxl.net - Sophos
spotify.com - Spotify
Therefore we decided to exclude these 3 domains by default, which will help for a lot of customers from doing it by their own, and give an option to remove it for others.
If we will see such similar need in the future to exclude more domains by default we will do it, and currently the communication channel is through the communities and it will also be updated in Azure ATP release notes.
Thanks,
Tali
Nov 19 2018 04:35 PM
I don't really agree with the decision but thank you for the clarification.
Dec 19 2021 09:19 AM
@Tali Ash Is there complete documentation containing a list of all default domain names in Microsoft's exclusions?
We're still generating the alert multi-times daily for excessive ('suspicious) sophosxl(.)net and e5(.)sk despite having modified the policy with our own exclusion. Our exclusions appear to be just be ignored by the policy.
Dec 19 2021 12:31 PM
Dec 30 2021 05:15 AM
Hi @Eli Ofek
Here's the screenshot of our alert (taken this morning, but generated every ~hour) showing that both domains trigger/induce the alert for both sophosxl.net and e5.sk:
And selecting "Adjust Policy" allows an admin to create domain exclusions. Originally, this policy listed no domains (was blank) until I added the domains in the screenshot (below). I've also experimented with wildcard characters but saw no change in behavior (i.e., *.e5.sk or %.e5.sk). Despite our efforts, this policy seems to ignore domain name exclusions:
Any suggestions?
Dec 30 2021 05:47 AM
In the native portal it should look like this by default:
If the list is empty it means it was cleared since the workspace was created.
We exclude them by default as they are considered harmless and very common.
In the new security portal it should look like that:
It seems that your screenshot is coming from Cloud App Security policy rules which are a different thing.
I suggest you try to modify it using the native MDI portal <workspace>.atp.azure.com or using security.microsoft.com.
Make it look like the pictures I added and you should be OK.
Dec 30 2021 08:39 AM
Thank you @Eli Ofek! I thought the customized domain exclusions in the MCAS policy were kept in sync with the MDI exclusion lists - my mistake.
Looks like the default sophosxls and spotify domains are missing from the MDI exclusions, although e5.sk is present. I'll proceed to add them back and monitor the MCAS alerts, thank you for the prompt reply.