SOLVED

Exclusions for Network Name Resolution

Copper Contributor

Hi all,

 

I have deployed Defender for Identity in an infrastructure and now it has been discovered that the sensors are performing name resolution even on unknown IPs, e.g. a Linux-based honeypot that has no connection to the AD.

Furthermore, according to the firewall, the sensors "scan" in larger packets, which in turn causes the firewall to alert.

Does anyone know if it is possible to exclude certain IPs or ranges from the scan and is there any documentation on how the process works in detail?

 

Thanks in advance

4 Replies
Hi,
Currently there is not option to exclude ip/ranges from NNR.
Your observation is not accurate.
NNR does not contact an endpoint unless it contacted the DC.
The fact that it's a linux machien does not mean it can't connect to AD,
So this is by design that we will try to NNR a machine that connected.

Not sure what it means "scan" in larger packets. can you elaborate ?
The NNR payloads we send to endpoints are extremally small.

Hi @Eli Ofek,

thank you very much for your fast feedback. Unfortunately, I don't have the information first-hand, but from the network administrators, who are bothered by the fact that at certain times there are always a lot of requests going to various addresses.

I spontaneously searched for requests from the honeypot machine's IP address using Advanced Hunting

IdentityLogonEvents
| where IPAddress contains "XXX.XXX.XXX.XXX"

and found no log entry.

Do you know any good KQL query that I can use to analyse all possible requests to show that the honeypot first contacted the DC?

 

Kind Regards

Marco

Sadly I am not a KQL/AH expert, but take into account that any communication from this machien to the DC machine might invoke this NNR request, not just authentications.

And yes, one of the downsides of NNR that in certain environments it can be quite noisy.
you might be able to reduce this noise by disabling some of the NNR methods that you know will not work well in your environment as long as you are left with at least one high certainty method that works.
This might reduce the noise by up to 66% in theory, depends on your exact scenario....
best response confirmed by KappieKA (Copper Contributor)
Solution

@Eli Ofek @KappieKA 

Actually, we do have an option to exclude an IP / CIDR  ranges from NNR.

But you'll need to open a support ticket for that, as it's something that needs to be configured in the backend.

 

 

1 best response

Accepted Solutions
best response confirmed by KappieKA (Copper Contributor)
Solution

@Eli Ofek @KappieKA 

Actually, we do have an option to exclude an IP / CIDR  ranges from NNR.

But you'll need to open a support ticket for that, as it's something that needs to be configured in the backend.

 

 

View solution in original post