From 35a6bfe75d2fed8453ffb5a492cbb913e77d97a7 Mon Sep 17 00:00:00 2001
From: delorean
Date: Tue, 9 Jul 2024 02:26:23 -0500
Subject: [PATCH] updated edr provider endpoints

---
 common/ref.go | 115 ++++++++++++++++++++++++++++++++------------------
 1 file changed, 73 insertions(+), 42 deletions(-)

diff --git a/common/ref.go b/common/ref.go
index 215fd69..38212f5 100644
--- a/common/ref.go
+++ b/common/ref.go
@@ -7,31 +7,41 @@ type DomInfo struct {
 var Domains = map[string]DomInfo{
 // Microsoft Defender for Endpoint
- //https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-worldwide#services-and-urls
- "ussus2westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
+ // https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-worldwide#services-and-urls
 "download.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600}, // dynamic
 "go.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 1600}, // dynamic
+ "security.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600},
+ "settings-win.data.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600}, // dynamic
+ "windowsupdate.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 300},
+ "ctldl.windowsupdate.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 1800},
+ "wdcp.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600},
+ "wd.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 300},
+ "wdcpalt.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600},
+ "checkappexec.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600},
+ "smartscreen-prod.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600},
+ "vortex-win.data.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 120},
+ "update.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600},
+ "download.windowsupdate.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 300},
+ "definitionupdates.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 300},
+ 
"delivery.mp.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 300},
+ "fe3cr.delivery.mp.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600},
+ "ussus2westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
 "ussus1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
 "wsus2westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
- "security.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600},
 "wseu1northprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
 "wsus2eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
 "ussus3westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
 "wsus1eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
 "wsuk1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
 "ussus2eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
- "settings-win.data.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600}, // dynamic
 "usseu1northprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
 "wsus1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
 "usseu1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
 "ussus1eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
 "ussuk1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
- "ctldl.windowsupdate.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 980},
 "ussus4eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
- 
"vortex-win.data.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 120},
 "wseu1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
 "ussuk1southprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
- "windowsupdate.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 300},
 "ussus3eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
 "ussus4westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
 "wsuk1southprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
@@ -132,6 +142,7 @@ var Domains = map[string]DomInfo{
 "data-epgw-asia-northeast-1.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300},
 "probe-dist.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300},
 "probe-dist-eu-west-1.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300},
+ "probe-dist-dns.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 3600},
 "data-epgw.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300},
 "cybereason.com": DomInfo{Vendor: "Cybereason", TTL: 300},
@@ -146,6 +157,7 @@ var Domains = map[string]DomInfo{
 "cdn-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
 "auth.ui.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
 "uam.api.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
+ "api.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
 "cds-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
 "trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
 "sw-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
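Review bot: Several hosts this hunk adds or regroups under the `Microsoft Defender for Endpoint` vendor — `windowsupdate.com`, `download.windowsupdate.com`, `ctldl.windowsupdate.com`, `update.microsoft.com`, `settings-win.data.microsoft.com`, `vortex-win.data.microsoft.com` — are, as far as I can tell, general Windows Update and diagnostic-data endpoints that any Windows host resolves, so a match on them says little about whether the MDE sensor is present. The page linked in the new comment is the Defender Antivirus connectivity list (built-in AV), not the separately documented MDE sensor connectivity list, which is where the discriminating hosts would come from if this table is meant to identify the EDR product specifically. A marker on that group, e.g. `// generic Windows Update / telemetry hosts: present on any Windows machine, weak evidence of MDE`, would stop a consumer over-weighting them. Separately, `ctldl.windowsupdate.com` moves from TTL 980 to 1800 with no note on where the new value was taken from; the file's `// dynamic` convention could be extended to a `// TTL observed <date>` note so the next re-measurement has a baseline. The `var Domains` literal opened in this hunk continues past it.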
@@ -162,7 +174,6 @@ var Domains = map[string]DomInfo{
 "cds-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
 "cdn-au001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
 "sw-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
- "api.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
 "sw-sgp001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
 "dxlweb-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
 "cdn-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
@@ -170,43 +181,60 @@ var Domains = map[string]DomInfo{
 "dxl-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
 "dxl-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
 "cdn-eu001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
+ "iam.cloud.trellix.com": DomInfo{Vendor: "Trellix", TTL: 10},
+ "iam-rs.cloud.trellix.com": DomInfo{Vendor: "Trellix", TTL: 10},
+ "gsd.cloud.trellix.com": DomInfo{Vendor: "Trellix", TTL: 10},
 // Cortex XDR / Palo Alto Networks
 // https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Resources-Required-to-Enable-Access
- "panw-xdr-evr-prod-au.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
- "lrc-eu.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
- "global-content-profiles-policy.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
- "panw-xdr-evr-prod-uk.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
- "lrc-ch.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
- "lrc-jp.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
- "panw-xdr-evr-prod-qt.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
- "panw-xdr-evr-prod-pl.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
- "pendo-static-5664029141630976.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
- "panw-xdr-evr-prod-sg.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
- "lrc-uk.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
- "lrc-us.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
- "lrc-tw.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 1800},
- "panw-xdr-evr-prod-eu.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
- "lrc-ca.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
- "paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 30},
- "lrc-fa.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 30},
- "panw-xdr-evr-prod-in.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
- "panw-xdr-evr-prod-fa.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
- "panw-xdr-evr-prod-ca.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
- "lrc-pl.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
- "lrc-qt.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
- "panw-xdr-evr-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
- "lrc-de.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
- "panw-xdr-installers-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
- "panw-xdr-evr-prod-ch.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
- "lrc-in.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
- "panw-xdr-evr-prod-de.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
- "lrc-au.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
- "panw-xdr-evr-prod-tw.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
- "login.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
- "lrc-sg.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
- "panw-xdr-evr-prod-jp.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
- "panw-xdr-payloads-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "panw-xdr-evr-prod-au.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "lrc-eu.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
+ "global-content-profiles-policy.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "panw-xdr-evr-prod-uk.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "lrc-ch.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
+ "lrc-jp.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
+ "panw-xdr-evr-prod-qt.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "panw-xdr-evr-prod-pl.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "pendo-static-5664029141630976.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "panw-xdr-evr-prod-sg.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "lrc-uk.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
+ "lrc-us.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
+ "lrc-tw.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 1800},
+ "panw-xdr-evr-prod-eu.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "lrc-ca.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
+ "paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 30},
+ "lrc-fa.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 30},
+ "panw-xdr-evr-prod-in.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "panw-xdr-evr-prod-fa.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "panw-xdr-evr-prod-ca.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "lrc-pl.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
+ "lrc-qt.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "panw-xdr-evr-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "lrc-de.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "panw-xdr-installers-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "panw-xdr-evr-prod-ch.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "lrc-in.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
+ "panw-xdr-evr-prod-de.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "lrc-au.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
+ "panw-xdr-evr-prod-tw.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "login.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
+ "lrc-sg.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
+ "panw-xdr-evr-prod-jp.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "panw-xdr-payloads-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "distributions.traps.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "distributions-prod-fed.traps.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "cortex-gateway.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 30},
+ "gw-app-proxy.us.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "xdr-ova-installers-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "identity.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "identity.gslb.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 5},
+ "identity.gcp.gslb.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 5},
+ "lrc-fed.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
+ "panw-xdr-installers-prod-fr.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "panw-xdr-payloads-prod-fr.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "global-content-profiles-policy-prod-fr.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "panw-xdr-evr-prod-fr.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
+ "app-proxy.federal.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
 // Singularity / SentinelOne
 "eu1-oauth.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
@@ -249,6 +277,9 @@ var Domains = map[string]DomInfo{
 "api-gateway.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
 "swupdate.brightmail.com": DomInfo{Vendor: "Symantec", TTL: 3600},
 "symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
+ "licensing.dmas.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
+ "api.us.dmas.symantec.com": DomInfo{Vendor: "Symantec", TTL: 1800}, // could be wrong
+ "api.eu.dmas.symantec.com": DomInfo{Vendor: "Symantec", TTL: 1800},
 // Tanium
 "docs-es.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},
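Review bot: The 34 `panw-xdr-*` / `lrc-*` lines removed and re-added in the `@@ -170,43 +181,60 @@` hunk are identical in visible content, so the reviewable change is the 14 new Palo Alto hosts and the three Trellix `cloud.trellix.com` entries; the rest looks like a re-alignment of the literal (presumably gofmt re-tabbing after longer keys such as `global-content-profiles-policy-prod-fr.storage.googleapis.com` were added — the collapsed whitespace here makes that an inference). Landing the formatting churn as its own commit would leave this one with only the additions to check. Among the additions, `identity.gslb.paloaltonetworks.com` and `identity.gcp.gslb.paloaltonetworks.com` carry TTL 5 and `cortex-gateway.paloaltonetworks.com` TTL 30, values a load-balanced name is likely to return differently across resolvers and over time; the `// dynamic` marker the file already uses for Microsoft hosts would tell a reader not to treat those as stable, e.g. `// dynamic (GSLB)`. The `var Domains` literal starts and ends outside this hunk.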
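Review bot: The `// could be wrong` comment on the new `api.us.dmas.symantec.com` line in the `@@ -249,6 +277,9 @@` hunk does not say what is in doubt — the TTL of 1800, the hostname, or the vendor mapping — and the sibling `api.eu.dmas.symantec.com` line with the same TTL carries no caveat, so a reader cannot tell whether both values are suspect or only one. Making the uncertainty explicit and applying it consistently to the pair would help, e.g. `// TTL unverified — confirm against the authoritative zone`. The `var Domains` literal starts and ends outside this hunk.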