Sep 21 2023 06:27 AM - edited Sep 21 2023 06:28 AM
Hi all,
I have deployed Defender for Identity in an infrastructure and now it has been discovered that the sensors are performing name resolution even on unknown IPs, e.g. a Linux-based honeypot that has no connection to the AD.
Furthermore, according to the firewall, the sensors "scan" in larger packets, which in turn causes the firewall to alert.
Does anyone know if it is possible to exclude certain IPs or ranges from the scan, and is there any documentation on how the process works in detail?
Thanks in advance
Sep 21 2023 06:30 AM
Sep 21 2023 06:39 AM
Hi @EliOfek,
thank you very much for your fast feedback. Unfortunately, I don't have the information first-hand, but from the network administrators, who are bothered by the fact that at certain times there are always a lot of requests going to various addresses.
I spontaneously searched for requests from the honeypot machine's IP address using Advanced Hunting
IdentityLogonEvents
| where IPAddress contains "XXX.XXX.XXX.XXX"
and found no log entry.
Do you know any good KQL query that I can use to analyse all possible requests to show that the honeypot first contacted the DC?
Kind Regards
Marco
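The thread does not supply the query Marco asks for, so the following is an added example (not from any poster in this thread and not from the Defender for Identity documentation) of how to check whether the honeypot address ever appears in the activity the sensor parsed. It unions the three identity tables that carry source and destination IP columns (IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents), matches the address exactly instead of with `contains` (which would also match longer addresses that merely embed the string), and reports the earliest sighting per table and action type. The address 192.0.2.50 is a constructed placeholder for the honeypot IP.

```kql
// Added example, not from the original thread.
// Assumption: 192.0.2.50 is a placeholder; replace it with the honeypot's address.
let HoneypotIp = "192.0.2.50";
// Everything the MDI sensor parsed in which the honeypot is either side of the conversation.
let HoneypotTraffic =
    union withsource=SourceTable IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents
    | where IPAddress == HoneypotIp or DestinationIPAddress == HoneypotIp;
// Earliest observation per table / action / protocol / destination:
// answers "did the honeypot contact the DC, when, and how?"
HoneypotTraffic
| summarize FirstSeen = min(Timestamp), Events = count()
    by SourceTable, ActionType, Protocol, DestinationDeviceName
| order by FirstSeen asc
```

Replace the `summarize` with `| project Timestamp, SourceTable, ActionType, Protocol, IPAddress, Port, DestinationIPAddress, DestinationDeviceName, AccountName | order by Timestamp asc` to see the individual rows. One caveat: these tables record activity the sensor observed on the domain controller, not the sensor's own outbound NNR lookups, so an empty result only shows that the honeypot did not appear in parsed DC activity during the Advanced Hunting retention window; it does not by itself explain why the sensor chose to resolve that address.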
Sep 21 2023 07:05 AM
Sep 21 2023 09:41 AM
Solution
Actually, we do have an option to exclude an IP / CIDR range from NNR.
But you'll need to open a support ticket for that, as it's something that needs to be configured in the backend.