Adversaries may attempt to disrupt or evade detection by causing connectivity failures to Defender for Endpoint URLs, which could mask their lateral movement or data exfiltration activities. Proactively hunting for such anomalies in Azure Sentinel can help identify potential sabotage or evasion tactics early, improving incident response and reducing dwell time.
KQL Query

```kusto
// Defender for Endpoint service URLs the sensor must reach
let TargetURLs = dynamic(['winatp-gw-cus.microsoft.com', 'winatp-gw-eus.microsoft.com', 'winatp-gw-weu.microsoft.com',
'winatp-gw-neu.microsoft.com', 'winatp-gw-uks.microsoft.com', 'winatp-gw-ukw.microsoft.com', 'winatp-gw-usgv.microsoft.com',
'winatp-gw-usgt.microsoft.com', 'eu.vortex-win.data.microsoft.com', 'us.vortex-win.data.microsoft.com',
'uk.vortex-win.data.microsoft.com', 'events.data.microsoft.com', 'settings-win.data.microsoft.com', 'eu-v20.events.data.microsoft.com',
'uk-v20.events.data.microsoft.com', 'us-v20.events.data.microsoft.com', 'us4-v20.events.data.microsoft.com',
'us5-v20.events.data.microsoft.com', 'ctldl.windowsupdate.com']);
DeviceNetworkEvents
| where isnotempty(RemoteUrl) and ActionType == 'ConnectionFailed'
// RemoteUrl may be a full URL or a bare hostname; normalise both to the host
| extend Domain = case(RemoteUrl contains "//", parse_url(RemoteUrl).Host, RemoteUrl)
| where Domain in(TargetURLs)
// per domain: most recent failure (and the device it came from), total failures, distinct devices
| summarize (LastConnectionFailure, DeviceName) = arg_max(Timestamp, DeviceName), ConnectionFailures = count(), DistinctMachines = dcount(DeviceId) by Domain
| order by DistinctMachines desc
```
```yaml
id: a4f7b0f0-93ad-47c9-bcce-dc08d8d04818
name: Connectivity Failures by Domain
description: |
  This query is designed to help troubleshoot connectivity issues to Microsoft Defender for Endpoint URLs.
  It provides a summary of the number of failures which occurred, the number of distinct machines that failed
  to connect to the URL, and sorts them by the sum of the overall number of failures recorded.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - Malware, component
query: |
  let TargetURLs = dynamic(['winatp-gw-cus.microsoft.com', 'winatp-gw-eus.microsoft.com', 'winatp-gw-weu.microsoft.com',
  'winatp-gw-neu.microsoft.com', 'winatp-gw-uks.microsoft.com', 'winatp-gw-ukw.microsoft.com', 'winatp-gw-usgv.microsoft.com',
  'winatp-gw-usgt.microsoft.com', 'eu.vortex-win.data.microsoft.com', 'us.vortex-win.data.microsoft.com',
  'uk.vortex-win.data.microsoft.com', 'events.data.microsoft.com', 'settings-win.data.microsoft.com', 'eu-v20.events.data.microsoft.com',
  'uk-v20.events.data.microsoft.com', 'us-v20.events.data.microsoft.com', 'us4-v20.events.data.microsoft.com',
  'us5-v20.events.data.microsoft.com', 'ctldl.windowsupdate.com']);
  DeviceNetworkEvents
  | where isnotempty(RemoteUrl) and ActionType == 'ConnectionFailed'
  | extend Domain = case(RemoteUrl contains "//", parse_url(RemoteUrl).Host, RemoteUrl)
  | where Domain in(TargetURLs)
  | summarize (LastConnectionFailure, DeviceName) = arg_max(Timestamp, DeviceName), ConnectionFailures = count(), DistinctMachines = dcount(DeviceId) by Domain
  | order by DistinctMachines desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
- Scenario: Scheduled Microsoft Defender for Endpoint Updates
  - Description: The system may fail to connect to Microsoft Defender for Endpoint URLs during scheduled update checks or patching processes.
  - Filter/Exclusion: Exclude connections to update.microsoft.com or defenderforendpoint.com during known update windows (e.g., 2:00 AM - 3:00 AM).
- Scenario: Admin Task: Microsoft Intune Policy Sync
  - Description: Admins may trigger connectivity failures to Microsoft Intune URLs when syncing device policies or configurations.
  - Filter/Exclusion: Exclude traffic to intune.microsoft.com or graph.microsoft.com during scheduled Intune sync times (e.g., 10:00 AM - 11:00 AM).
- Scenario: System Maintenance: Windows Server Backup Job
  - Description: A backup job running on a Windows Server may attempt to connect to Microsoft Azure or other cloud services, causing false positives.
  - Filter/Exclusion: Exclude traffic initiated by the wbadmin service or tasks scheduled via Task Scheduler with the name Windows Server Backup.
- Scenario: User-Initiated Microsoft 365 Login
  - Description: Users logging into Microsoft 365 may cause temporary connectivity spikes to Microsoft Graph URLs, which could be flagged as failures.
  - Filter/Exclusion: Exclude traffic from user sessions using microsoft.com or graph.microsoft.com during login hours (e.g., 8:00 AM - 6:00 PM).
- Scenario: Network Monitoring Tool: Microsoft Network Monitor (NMM)
  - Description: A network monitoring tool like Microsoft Network Monitor may periodically connect to Microsoft services for diagnostics, causing false positives.
  - Filter/Exclusion: Exclude traffic originating from the Microsoft Network Monitor service or processes with the name `
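As an added example that is not part of the original page or of the query's author, the Python script below replicates the pipeline of the KQL query above (keep failed connections, derive the host from RemoteUrl, keep only the Defender for Endpoint URLs, aggregate per domain with the equivalent of arg_max, count and dcount, order by distinct machines) over a handful of constructed DeviceNetworkEvents rows, and adds the time-of-day exclusion window from the false-positive scenarios as an optional parameter. NetworkEvent, summarize_failures, in_window, UPDATE_WINDOW and the sample events are assumptions made for this example; only the hostnames come from the page's TargetURLs list.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from urllib.parse import urlsplit

# The Defender for Endpoint service hostnames from the page's TargetURLs list.
TARGET_URLS = {
    "winatp-gw-cus.microsoft.com", "winatp-gw-eus.microsoft.com", "winatp-gw-weu.microsoft.com",
    "winatp-gw-neu.microsoft.com", "winatp-gw-uks.microsoft.com", "winatp-gw-ukw.microsoft.com",
    "winatp-gw-usgv.microsoft.com", "winatp-gw-usgt.microsoft.com", "eu.vortex-win.data.microsoft.com",
    "us.vortex-win.data.microsoft.com", "uk.vortex-win.data.microsoft.com", "events.data.microsoft.com",
    "settings-win.data.microsoft.com", "eu-v20.events.data.microsoft.com", "uk-v20.events.data.microsoft.com",
    "us-v20.events.data.microsoft.com", "us4-v20.events.data.microsoft.com", "us5-v20.events.data.microsoft.com",
    "ctldl.windowsupdate.com",
}

# Example maintenance window from the false-positive scenarios (2:00 AM - 3:00 AM); assumed local time.
UPDATE_WINDOW = (time(2, 0), time(3, 0))


@dataclass
class NetworkEvent:
    """The DeviceNetworkEvents columns the query touches (assumed shape for this example)."""
    timestamp: datetime
    device_id: str
    device_name: str
    action_type: str
    remote_url: str


def extract_domain(remote_url: str) -> str:
    """Mirror of: case(RemoteUrl contains "//", parse_url(RemoteUrl).Host, RemoteUrl)."""
    if "//" in remote_url:
        return urlsplit(remote_url).hostname or ""
    return remote_url


def in_window(t: time, window: tuple) -> bool:
    """True if time-of-day t falls in [start, end); an end earlier than start wraps past midnight."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def summarize_failures(events, exclude_window=None):
    """Replicates the query's where / extend / summarize / order pipeline.

    exclude_window is an optional (start, end) pair of datetime.time values; failures inside
    it are dropped, which is the maintenance-window exclusion the false-positive scenarios
    suggest (assumption: event timestamps are in the same time zone as the window).
    """
    groups = defaultdict(lambda: {"count": 0, "devices": set(), "last": None, "last_device": None})
    for ev in events:
        # where isnotempty(RemoteUrl) and ActionType == 'ConnectionFailed'
        if not ev.remote_url or ev.action_type != "ConnectionFailed":
            continue
        # extend Domain = ... | where Domain in(TargetURLs)
        # (KQL in() is case-sensitive; the host is lower-cased here so a mixed-case
        #  RemoteUrl still matches, which in KQL would need the in~() form)
        domain = extract_domain(ev.remote_url).lower()
        if domain not in TARGET_URLS:
            continue
        if exclude_window and in_window(ev.timestamp.time(), exclude_window):
            continue
        g = groups[domain]
        g["count"] += 1                    # ConnectionFailures = count()
        g["devices"].add(ev.device_id)     # DistinctMachines = dcount(DeviceId)
        if g["last"] is None or ev.timestamp > g["last"]:   # arg_max(Timestamp, DeviceName)
            g["last"], g["last_device"] = ev.timestamp, ev.device_name
    rows = [
        {
            "Domain": d,
            "LastConnectionFailure": g["last"],
            "DeviceName": g["last_device"],
            "ConnectionFailures": g["count"],
            "DistinctMachines": len(g["devices"]),
        }
        for d, g in groups.items()
    ]
    rows.sort(key=lambda r: r["DistinctMachines"], reverse=True)   # order by DistinctMachines desc
    return rows


# Constructed sample rows (not real telemetry): device ids, names and URL paths are made up.
SAMPLE_EVENTS = [
    NetworkEvent(datetime(2024, 5, 6, 9, 0), "dev-1", "ws01", "ConnectionFailed", "https://winatp-gw-eus.microsoft.com:443/edr/commands"),
    NetworkEvent(datetime(2024, 5, 6, 9, 30), "dev-2", "ws02", "ConnectionFailed", "winatp-gw-eus.microsoft.com"),
    NetworkEvent(datetime(2024, 5, 6, 11, 0), "dev-1", "ws01", "ConnectionFailed", "https://winatp-gw-eus.microsoft.com/"),
    NetworkEvent(datetime(2024, 5, 6, 2, 30), "dev-1", "ws01", "ConnectionFailed", "https://events.data.microsoft.com/OneCollector/1.0"),
    NetworkEvent(datetime(2024, 5, 6, 9, 5), "dev-3", "ws03", "ConnectionSuccess", "https://winatp-gw-eus.microsoft.com/"),
    NetworkEvent(datetime(2024, 5, 6, 9, 6), "dev-3", "ws03", "ConnectionFailed", "https://intranet.example/portal"),
]

if __name__ == "__main__":
    for row in summarize_failures(SAMPLE_EVENTS):
        print(row)
    print("excluding 02:00-03:00:", summarize_failures(SAMPLE_EVENTS, exclude_window=UPDATE_WINDOW))
```

With the sample rows, winatp-gw-eus.microsoft.com comes out first (3 failures across 2 devices, most recent from ws01 at 11:00) and events.data.microsoft.com second; the successful connection and the non-target host are dropped before aggregation. Because the exclusion window is applied before the summarize, it changes the counts rather than just hiding rows: the 02:30 failure to events.data.microsoft.com disappears from the table entirely, so a window that is wider than the real maintenance slot can hide the very cluster of failures this hunt is looking for.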