Defender for Identity and RDP connections to external IPs

Adalfarus · ‎Apr 12 2024

I am worried that Defender for Identity may be communicating with external IP addresses. Is there any way to disable this feature? It seems suspicious to me when I notice traffic from DC RDP to external IP addresses. Additionally, we suspect that such activity could possibly lead to blacklisting.

P.S. Any best practice how to configure Defender for Identity?

DylanInfosec · ‎Apr 12 2024

Hi @Adalfarus ,

Understanding your concern and as you point out with the MS Docs this is expected behavior as DFI will work to resolve IP addresses found within the raw activity events. I suggest you investigate a bit more as to the source of these events because it definitely seems something worth looking into. If you can trace an IP you're seeing DFI reach out back to it's activity event source on the "offending" DC you might find something that needs patching.(maybe)

Nevertheless, for the immediate question at hand can you block this traffic at the firewall?

Source = zone/subnet of the DC's; source port = 3389; destination = untrust/wan; destination port = any

Best,

Dylan

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Defender for Identity and RDP connections to external IPs

Defender for Identity and RDP connections to external IPs

Re: Defender for Identity and RDP connections to external IPs