updated edr provider endpoints

delorean 2024-07-09 02:26:23 -05:00
parent bfd20e8d28
commit 35a6bfe75d


@ -8,30 +8,40 @@ type DomInfo struct {
var Domains = map[string]DomInfo{
// Microsoft Defender for Endpoint
// https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-worldwide#services-and-urls
"ussus2westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"download.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600}, // dynamic
"go.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 1600}, // dynamic
"security.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600},
"settings-win.data.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600}, // dynamic
"windowsupdate.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 300},
"ctldl.windowsupdate.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 1800},
"wdcp.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600},
"wd.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 300},
"wdcpalt.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600},
"checkappexec.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600},
"smartscreen-prod.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600},
"vortex-win.data.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 120},
"update.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600},
"download.windowsupdate.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 300},
"definitionupdates.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 300},
"delivery.mp.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 300},
"fe3cr.delivery.mp.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600},
"ussus2westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"ussus1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"wsus2westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"security.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600},
"wseu1northprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"wsus2eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"ussus3westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"wsus1eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"wsuk1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"ussus2eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"settings-win.data.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 3600}, // dynamic
"usseu1northprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"wsus1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"usseu1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"ussus1eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"ussuk1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"ctldl.windowsupdate.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 980},
"ussus4eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"vortex-win.data.microsoft.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 120},
"wseu1westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"ussuk1southprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"windowsupdate.com": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 300},
"ussus3eastprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"ussus4westprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
"wsuk1southprod.blob.core.windows.net": DomInfo{Vendor: "Microsoft Defender for Endpoint", TTL: 60},
@ -132,6 +142,7 @@ var Domains = map[string]DomInfo{
"data-epgw-asia-northeast-1.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300},
"probe-dist.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300},
"probe-dist-eu-west-1.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300},
"probe-dist-dns.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 3600},
"data-epgw.cybereason.net": DomInfo{Vendor: "Cybereason", TTL: 300},
"cybereason.com": DomInfo{Vendor: "Cybereason", TTL: 300},
@ -146,6 +157,7 @@ var Domains = map[string]DomInfo{
"cdn-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"auth.ui.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"uam.api.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"api.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cds-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"sw-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
@ -162,7 +174,6 @@ var Domains = map[string]DomInfo{
"cds-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cdn-au001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"sw-usw002.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"api.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"sw-sgp001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"dxlweb-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cdn-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
@ -170,6 +181,9 @@ var Domains = map[string]DomInfo{
"dxl-usw004.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"dxl-usw003.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"cdn-eu001.manage.trellix.com": DomInfo{Vendor: "Trellix", TTL: 60},
"iam.cloud.trellix.com": DomInfo{Vendor: "Trellix", TTL: 10},
"iam-rs.cloud.trellix.com": DomInfo{Vendor: "Trellix", TTL: 10},
"gsd.cloud.trellix.com": DomInfo{Vendor: "Trellix", TTL: 10},
// Cortex XDR / Palo Alto Networks
// https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Resources-Required-to-Enable-Access
@ -207,6 +221,20 @@ var Domains = map[string]DomInfo{
"lrc-sg.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
"panw-xdr-evr-prod-jp.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"panw-xdr-payloads-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"distributions.traps.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"distributions-prod-fed.traps.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"cortex-gateway.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 30},
"gw-app-proxy.us.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"xdr-ova-installers-prod-us.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"identity.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"identity.gslb.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 5},
"identity.gcp.gslb.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 5},
"lrc-fed.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 14400},
"panw-xdr-installers-prod-fr.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"panw-xdr-payloads-prod-fr.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"global-content-profiles-policy-prod-fr.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"panw-xdr-evr-prod-fr.storage.googleapis.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
"app-proxy.federal.paloaltonetworks.com": DomInfo{Vendor: "Palo Alto Networks", TTL: 300},
// Singularity / SentinelOne
"eu1-oauth.mobile.sentinelone.net": DomInfo{Vendor: "SentinelOne", TTL: 300},
@ -249,6 +277,9 @@ var Domains = map[string]DomInfo{
"api-gateway.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
"swupdate.brightmail.com": DomInfo{Vendor: "Symantec", TTL: 3600},
"symantec.com": DomInfo{Vendor: "Symantec", TTL: 600},
"licensing.dmas.symantec.com": DomInfo{Vendor: "Symantec", TTL: 3600},
"api.us.dmas.symantec.com": DomInfo{Vendor: "Symantec", TTL: 1800}, // could be wrong
"api.eu.dmas.symantec.com": DomInfo{Vendor: "Symantec", TTL: 1800},
// Tanium
"docs-es.tanium.com": DomInfo{Vendor: "Tanium", TTL: 300},