Service/URL category

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Service/URL category

L3 Networker

Microsoft Defender has a lot of endpoints it seems. I started a custom URL list with all the URLs needed for defender, created a policy in a global device template and said "Allow any source, any destination, using SSL, Web-Browsing, and windows defender atp app, using application default. I put the URL list I created in URL category area and didn't select a URL filter profile. 

 

It seems I have users hit things outside the URL list I created. I contacted TAC and they said its because the way the policy flow is for traffic. Basically left to right in the tabs on the policy. So what is the point or URL category exactly if it wont restrict your traffic to just the URL list I created?

3 REPLIES 3

Cyber Elite
Cyber Elite

are users successfully accessing things or are you seeing logs for things you didn't expect?

 

the way a rule like this works, is to allow the TCP handshake for everything that matches your first tuples: source, destination, port (you need to create a session first, before you get to the URL bit).

When the HTTP GET comes around (or the SNI can be intercepted), there is another rulebase lookup for this session

if the URL matches your criteria, it will hit, if it doesn't it will go further down the list to find a new match.

If a match is found, that new rule will take over (and your log will reflect that after the session is finished)

 

now in some cases there could be 'anomalies' that could result in weird logs:

if for example the http get goes out (for a url you did not intend to hit this rule) but the server stops responding, the session will eventually die and no new rule will be used to continue the session, so the log is written on the rule that allowed the initial handshake.

 

There could be logical explanation why you're seeing these logs

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

I see lots of tcp-rst-from-client, but sometimes I see a tcp-fin from a non-microsoft IP, but maybe they are redirects. 

 

L3 Networker

Also the traffic I am allowing from an app perspective I see going to MS IPs using Windows-Defender-atp-endpoint but see session end as tcp-rst-from-server. 

  • 1955 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!