Adversaries may exfiltrate data or establish command-and-control channels by abusing Defender for Endpoint telemetry URLs to communicate covertly. Because these destinations are legitimate Microsoft endpoints that every onboarded device contacts, the signal is not the destination itself but a change in connection volume, connection status, or initiating process; SOC teams should proactively hunt for unusual or unexpected telemetry connections in Azure Sentinel to identify potential exfiltration or C2 activity.
KQL Query
```kql
let TargetURLs = dynamic(['winatp-gw-cus.microsoft.com', 'winatp-gw-eus.microsoft.com', 'winatp-gw-weu.microsoft.com',
    'winatp-gw-neu.microsoft.com', 'winatp-gw-uks.microsoft.com', 'winatp-gw-ukw.microsoft.com', 'winatp-gw-usgv.microsoft.com',
    'winatp-gw-usgt.microsoft.com', 'eu.vortex-win.data.microsoft.com', 'us.vortex-win.data.microsoft.com',
    'uk.vortex-win.data.microsoft.com', 'events.data.microsoft.com', 'settings-win.data.microsoft.com', 'eu-v20.events.data.microsoft.com',
    'uk-v20.events.data.microsoft.com', 'us-v20.events.data.microsoft.com', 'us4-v20.events.data.microsoft.com',
    'us5-v20.events.data.microsoft.com', 'ctldl.windowsupdate.com']);
DeviceNetworkEvents
// scope here by MachineGroup, etc.
| where isnotempty(RemoteUrl)
// RemoteUrl may be a bare host name or a full URL; normalise both to the host
| extend Domain = case(RemoteUrl contains "//", parse_url(RemoteUrl).Host, RemoteUrl)
| where Domain in(TargetURLs)
// distinct devices per action type per day, so gaps and spikes show on the chart
| summarize Connections = dcount(DeviceId) by ActionType, bin(Timestamp, 1d)
| render linechart
```
```yaml
id: 676912f9-0e47-4599-889a-7b90a3542382
name: Defender for Endpoint Telemetry
description: |
  View Defender for Endpoint telemetry URLs and their connection status, and view the trend line over 30 days.
  Use to investigate possible telemetry and/or connectivity issues.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
query: |
  let TargetURLs = dynamic(['winatp-gw-cus.microsoft.com', 'winatp-gw-eus.microsoft.com', 'winatp-gw-weu.microsoft.com',
      'winatp-gw-neu.microsoft.com', 'winatp-gw-uks.microsoft.com', 'winatp-gw-ukw.microsoft.com', 'winatp-gw-usgv.microsoft.com',
      'winatp-gw-usgt.microsoft.com', 'eu.vortex-win.data.microsoft.com', 'us.vortex-win.data.microsoft.com',
      'uk.vortex-win.data.microsoft.com', 'events.data.microsoft.com', 'settings-win.data.microsoft.com', 'eu-v20.events.data.microsoft.com',
      'uk-v20.events.data.microsoft.com', 'us-v20.events.data.microsoft.com', 'us4-v20.events.data.microsoft.com',
      'us5-v20.events.data.microsoft.com', 'ctldl.windowsupdate.com']);
  DeviceNetworkEvents
  // scope here by MachineGroup, etc.
  | where isnotempty(RemoteUrl)
  | extend Domain = case(RemoteUrl contains "//", parse_url(RemoteUrl).Host, RemoteUrl)
  | where Domain in(TargetURLs)
  | summarize Connections = dcount(DeviceId) by ActionType, bin(Timestamp, 1d)
  | render linechart
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
- Scenario: Scheduled System Maintenance Tasks
  - Description: A legitimate scheduled task (e.g., a Task Scheduler job) is configured to connect to Microsoft Defender for Endpoint telemetry endpoints as part of system health checks or updates.
  - Filter/Exclusion: Exclude connections initiated by tasks with names containing "Microsoft" or "Defender" and originating from the Task Scheduler service.
- Scenario: Microsoft Endpoint Configuration Manager (MECM) Client Communication
  - Description: The MECM client regularly communicates with Microsoft services, including Defender for Endpoint telemetry endpoints, to sync policies and configuration.
  - Filter/Exclusion: Exclude connections from the SMS Executive or MECM Client processes, or filter by IP ranges associated with Microsoft's public cloud infrastructure.
- Scenario: Windows Update or Patching Jobs
  - Description: Windows Update or patching jobs may connect to Microsoft telemetry endpoints to report system status or download updates.
  - Filter/Exclusion: Exclude connections from the wuauserv service or processes related to Windows Update or Windows Server Update Services (WSUS).
- Scenario: Microsoft Intune Device Health Attestation
  - Description: Intune may communicate with Defender for Endpoint telemetry endpoints to report device health status and compliance.
  - Filter/Exclusion: Exclude connections from the Microsoft Intune service or processes with names containing "Intune" or "Microsoft Device Health".
- Scenario: Microsoft Defender for Endpoint Agent Self-Health Checks
  - Description: The Defender for Endpoint agent performs periodic self-health checks and may connect to telemetry endpoints to report status or request updates.
  - Filter/Exclusion: Exclude connections from the Microsoft Defender for Endpoint service or processes with names containing "Defender" or "Microsoft Defender".
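Added example (not the page's own hunting query and not Microsoft content): a KQL hunt that reuses the TargetURLs list from the query above and turns the scenarios just listed into explicit process-based triage, then adds the per-device volume baseline that the opening paragraph's "unusual connections" calls for. Column names are those of the DeviceNetworkEvents table; the expected process names, the 30-day lookback, the 7-day minimum history and the 3x spike factor are assumptions to be tuned against your own environment.

```kql
// Added example, not part of the original page or of any Microsoft content.
// Two findings are produced from one filtered dataset:
//   1. UnexpectedProcess - connections to the telemetry endpoints initiated by
//      something other than the expected agents (the scenarios above);
//   2. VolumeSpike - devices whose daily connection count jumps far above
//      their own median, which is what "unusual" means when the destination
//      itself is legitimate.
// Assumptions (verify locally): expected process names, 30-day lookback,
// 7-day minimum history per device, 3x spike factor.
let TargetURLs = dynamic(['winatp-gw-cus.microsoft.com', 'winatp-gw-eus.microsoft.com', 'winatp-gw-weu.microsoft.com',
    'winatp-gw-neu.microsoft.com', 'winatp-gw-uks.microsoft.com', 'winatp-gw-ukw.microsoft.com', 'winatp-gw-usgv.microsoft.com',
    'winatp-gw-usgt.microsoft.com', 'eu.vortex-win.data.microsoft.com', 'us.vortex-win.data.microsoft.com',
    'uk.vortex-win.data.microsoft.com', 'events.data.microsoft.com', 'settings-win.data.microsoft.com', 'eu-v20.events.data.microsoft.com',
    'uk-v20.events.data.microsoft.com', 'us-v20.events.data.microsoft.com', 'us4-v20.events.data.microsoft.com',
    'us5-v20.events.data.microsoft.com', 'ctldl.windowsupdate.com']);
// Processes expected to talk to these endpoints (assumed list; tune to your estate):
//   MsSense.exe - Defender for Endpoint sensor, MsMpEng.exe - Defender Antivirus engine,
//   CcmExec.exe - MECM client. svchost.exe is deliberately NOT excluded: it hosts
//   wuauserv, the Task Scheduler and DiagTrack, so its command line must be inspected.
let ExpectedProcesses = dynamic(['MsSense.exe', 'MsMpEng.exe', 'CcmExec.exe']);
let Lookback = 30d;
// Same normalisation as the page's query: RemoteUrl may be a bare host or a full URL.
let Telemetry =
    DeviceNetworkEvents
    | where Timestamp > ago(Lookback)
    | where isnotempty(RemoteUrl)
    | extend Domain = case(RemoteUrl contains "//", tostring(parse_url(RemoteUrl).Host), RemoteUrl)
    | where Domain in (TargetURLs);
// Finding 1: connections initiated by something other than the expected agents.
let UnexpectedProcess =
    Telemetry
    | where InitiatingProcessFileName !in~ (ExpectedProcesses)
    | summarize Connections = count(), Devices = dcount(DeviceId), Domains = make_set(Domain, 20),
                FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
        by Detail = strcat(InitiatingProcessFolderPath, " | ", InitiatingProcessCommandLine)
    | extend Finding = "UnexpectedProcess";
// Finding 2: per-device daily volume far above that device's own median.
let VolumeSpike =
    Telemetry
    | summarize Daily = count() by DeviceId, DeviceName, Day = bin(Timestamp, 1d)
    | summarize Baseline = percentile(Daily, 50), Peak = max(Daily), DaysSeen = dcount(Day),
                FirstSeen = min(Day), LastSeen = max(Day)
        by DeviceId, DeviceName
    | where DaysSeen >= 7 and Peak > 3 * Baseline
    | project Finding = "VolumeSpike",
              Detail = strcat(DeviceName, " peak=", tostring(Peak), " median=", tostring(Baseline)),
              Connections = Peak, Devices = tolong(1), Domains = dynamic([]), FirstSeen, LastSeen;
// Rarely seen processes and the largest spikes sort to the top for triage.
union UnexpectedProcess, VolumeSpike
| project Finding, Detail, Connections, Devices, Domains, FirstSeen, LastSeen
| order by Finding asc, Connections desc
```

The query keeps the residual visible rather than silently excluding it: an UnexpectedProcess row with a low Devices count and a recent FirstSeen is the row to look at first, and only once a process has been confirmed against the scenarios above should it be added to ExpectedProcesses. The VolumeSpike finding also catches the opposite failure, a device whose volume drops to zero after onboarding, which shows up as a low Baseline with DaysSeen well below the lookback window.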