Microsoft Defender for Endpoint enables the automated banning of Domains and IP Addresses using its Network Protection capabilities in block mode.
You can take advantage of this functionality by adding them as Automate Actions to a Playbook in Red Canary.
Are there prerequisites to using the Ban Domain / Ban IP actions?
Yes. (please see Microsoft's Documentation for more details)
- URL/IP allow and block relies on the Defender for Endpoint component Network Protection to be enabled in block mode. If Network Protection is not enabled, the banned domains / IPs will only be blocked in Microsoft Web Browsers. Network protection must be configured with PowerShell, GPO, MDM, or Intune and cannot be configured in Defender for Endpoint. For more information on Network Protection and configuration instructions, see Enable network protection.
- The Antimalware client version must be 4.18.1906.x or later.
- Supported on machines on Windows 10, version 1709 or later.
- Ensure that Custom network indicators is enabled in Microsoft Defender Security Center > Settings > Advanced features. For more information, see Advanced features.
Which Domain or IP will be banned?
Only external IPs can be banned. Bans cannot be created for internal IPs.
When running a Ban IP or Ban Domain action against a detection, all Network IOCs (indicator of compromise) associated with that Detection that have a domain/IP will be banned. If that action runs for a single Network IOC, then just that IOC will have its domain/IP banned.
Which machines will be affected? How long will the ban last?
When a ban is successfully applied, it will apply to all machines that are running Microsoft Defender for Endpoint and have Network Protection configured as described above. The ban is set indefinitely, and will remain until it is removed manually. You can manage your Banned IPs / Domains in the Microsoft Security Center under Settings > Indicators.