- 11 Jul 2024
- 1 Minute to read
Configure Automate Actions in Red Canary for Defender for Endpoint
Microsoft Defender for Endpoint can automatically ban domains and IP addresses using its Network Protection capability in block mode.
You can take advantage of this functionality by adding the Ban Domain and Ban IP actions as Automate Actions to a Playbook in Red Canary.
Prerequisites to using the Ban Domain / Ban IP actions
Please see Microsoft’s Documentation for more details.
URL/IP allow and block relies on the Defender for Endpoint component Network Protection being enabled in block mode. If Network Protection is not enabled, the banned domains / IPs will only be blocked in Microsoft web browsers. Network Protection must be configured with PowerShell, GPO, MDM, or Intune and cannot be configured from within Defender for Endpoint itself. For more information on Network Protection and configuration instructions, see Enable network protection.
- The Antimalware client version must be 4.18.1906.x or later.
- Supported on machines running Windows 10, version 1709 or later.
- Ensure that Custom network indicators is enabled in Microsoft Defender Security Center > Settings > Advanced features. For more information, see Advanced features.
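The following script is an added example, not Red Canary or Microsoft code, that checks the local prerequisites above on an endpoint (Network Protection mode, Antimalware client version, and Windows build). It assumes build 16299 corresponds to Windows 10 version 1709 and uses only the built-in Defender cmdlets; the Custom network indicators setting lives in the portal and is not checked here.

```powershell
# Added example (not from the original page): verify local prerequisites for the
# Ban Domain / Ban IP actions. Run in an elevated PowerShell session on the endpoint.
$minAmVersion = [version]'4.18.1906.0'   # page prerequisite: 4.18.1906.x or later
$minOsBuild   = 16299                    # assumption: Windows 10 version 1709 = build 16299

# 1. Network Protection must be in block mode. EnableNetworkProtection values:
#    0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
$np = (Get-MpPreference).EnableNetworkProtection
switch ($np) {
    1 { Write-Host "Network Protection: block mode (OK)" }
    2 { Write-Warning "Network Protection is in audit mode; bans are not enforced network-wide" }
    default { Write-Warning "Network Protection is disabled; bans apply only in Microsoft browsers" }
}

# 2. Antimalware client (platform) version, reported as AMProductVersion.
$status    = Get-MpComputerStatus
$amVersion = [version]$status.AMProductVersion
if ($amVersion -ge $minAmVersion) {
    Write-Host "Antimalware client $amVersion (OK)"
} else {
    Write-Warning "Antimalware client $amVersion is older than $minAmVersion; update the platform"
}

# 3. OS build. Win32_OperatingSystem reports the true build regardless of process manifest.
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
if ($build -ge $minOsBuild) {
    Write-Host "Windows build $build (OK)"
} else {
    Write-Warning "Windows build $build is older than 1709 ($minOsBuild); bans will not apply here"
}

# Remediation for check 1 on a locally managed machine (uncomment to apply). The page notes
# Network Protection can also be set via GPO, MDM, or Intune; use those for managed fleets.
# Set-MpPreference -EnableNetworkProtection Enabled
```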
Banned Domains or IPs
Only external IPs can be banned. Bans cannot be created for internal IPs.
When running a Ban IP or Ban Domain action against a threat, all Network IOCs (indicators of compromise) associated with that threat that have a domain or IP will be banned. If the action runs for a single Network IOC, only that IOC's domain or IP will be banned.
Affected machines and length of ban
When a ban is successfully applied, it applies to all machines that are running Microsoft Defender for Endpoint and have Network Protection configured as described above. The ban is set indefinitely and remains in place until it is removed manually. You can manage your banned IPs / domains in the Microsoft Security Center under Settings > Indicators.