Auto-update: nav, content, or metadata

kerodri · kerodri · commit d0244f7a40bc · 2025-07-07T13:27:48.000-06:00
diff --git a/all_links.md b/all_links.md
@@ -0,0 +1,33 @@
+# 🔗 Navigation URLs
+
+- [Home](https://tep.cyberpax.cloud/index/)
+- [Defender for Endpoint > Endpoint Detection and Response > Alert Tunning > Alert Tuning Quick‐Start Guide (Beginner Edition)](https://tep.cyberpax.cloud/Defender%20for%20Endpoint/Endpoint%20Detection%20and%20Response/Alert%20Tunning/Alert-Tuning-Quick%E2%80%90Start-Guide-%28Beginner-Edition%29/)
+- [Defender for Endpoint > Endpoint Detection and Response > Alert Tunning > Alert Tuning – Comprehensive Guide (Advanced Edition)](https://tep.cyberpax.cloud/Defender%20for%20Endpoint/Endpoint%20Detection%20and%20Response/Alert%20Tunning/Alert-Tuning-%E2%80%93-Comprehensive-Guide-%28Advanced-Edition%29/)
+- [Defender for Endpoint > Endpoint Detection and Response > Device Control > How To Configure Device Control On Macos, Use Case 1. Deny Write Access To All Usb Storage Except For Specific Vendorid And Productid Combinations (Jamf)](https://tep.cyberpax.cloud/Defender%20for%20Endpoint/Endpoint%20Detection%20and%20Response/Device%20Control/How-to-Configure-Device-Control-on-macOS%2C-Use-case-1.-Deny-write-access-to-all-USB-storage-except-for-specific-VendorID-and-ProductID-combinations-%28Jamf%29/)
+- [Defender for Endpoint > Endpoint Detection and Response > Device Control > Using The Device Control Policy Sample Builder](https://tep.cyberpax.cloud/Defender%20for%20Endpoint/Endpoint%20Detection%20and%20Response/Device%20Control/Using-the-device-control-policy-sample-builder/)
+- [Defender for Endpoint > Endpoint Detection and Response > Microsoft Defender Core Service > Ecs Connectivity Diagnostic](https://tep.cyberpax.cloud/Defender%20for%20Endpoint/Endpoint%20Detection%20and%20Response/Microsoft%20Defender%20Core%20Service/ecs_connectivity_diagnostic/)
+- [Defender for Endpoint > Endpoint Detection and Response > Tags > Data Driven Tags – Disabled And Isolated In Microsoft Defender For Endpoint](https://tep.cyberpax.cloud/Defender%20for%20Endpoint/Endpoint%20Detection%20and%20Response/Tags/Data-Driven%20Tags%20%E2%80%93%20Disabled%20and%20Isolated%20in%20Microsoft%20Defender%20for%20Endpoint/)
+- [Defender for Endpoint > Endpoint Detection and Response > Threat Vulnerability Management > Troubleshooting Guide (Tsg) Cve‐2023‐49210 – Openssl Vulnerability In Node‐Openssl Npm Package](https://tep.cyberpax.cloud/Defender%20for%20Endpoint/Endpoint%20Detection%20and%20Response/Threat%20Vulnerability%20Management/Troubleshooting-Guide-%28TSG%29-CVE%E2%80%902023%E2%80%9049210-%E2%80%93-OpenSSL-Vulnerability-in-node%E2%80%90openssl-NPM-Package/)
+- [Support Tips and Tools > Effective Case Notation Good Practices And Template](https://tep.cyberpax.cloud/Support%20Tips%20and%20Tools/Effective-Case-Notation-Good-practices-and-template/)
+- [Support Tips and Tools > How To Craft An Effective Root Cause Analysis (Rca)](https://tep.cyberpax.cloud/Support%20Tips%20and%20Tools/How-to-Craft-an-Effective-Root-Cause-Analysis-%28RCA%29/)
+- [Derecho informático > Delitos Informáticos En Costa Rica Mapeo Jurídico‐Técnico Y Controles Att&Ck](https://tep.cyberpax.cloud/Derecho%20inform%C3%A1tico/Delitos-Inform%C3%A1ticos-en-Costa-Rica-Mapeo-Jur%C3%ADdico%E2%80%90T%C3%A9cnico-y-Controles-ATT%26CK/)
+- [Derecho informático > Reflexión, Bienes Jurídicos Tutelados En Una Eventual Legislación De Ia En Costa Rica](https://tep.cyberpax.cloud/Derecho%20inform%C3%A1tico/Reflexi%C3%B3n%2C-Bienes-jur%C3%ADdicos-tutelados-en-una-eventual-legislaci%C3%B3n-de-IA-en-Costa-Rica/)
+- [Day-to-Day Stuff > Birthday Reminders](https://tep.cyberpax.cloud/Day-to-Day%20Stuff/birthday-reminders/)
+
+---
+
+# 📄 All Docs URLs
+
+- [/Day-to-Day Stuff/birthday-reminders/](https://tep.cyberpax.cloud/Day-to-Day%20Stuff/birthday-reminders/)
+- [/Defender for Endpoint/Endpoint Detection and Response/Alert Tunning/Alert-Tuning-Quick‐Start-Guide-(Beginner-Edition)/](https://tep.cyberpax.cloud/Defender%20for%20Endpoint/Endpoint%20Detection%20and%20Response/Alert%20Tunning/Alert-Tuning-Quick%E2%80%90Start-Guide-%28Beginner-Edition%29/)
+- [/Defender for Endpoint/Endpoint Detection and Response/Alert Tunning/Alert-Tuning-–-Comprehensive-Guide-(Advanced-Edition)/](https://tep.cyberpax.cloud/Defender%20for%20Endpoint/Endpoint%20Detection%20and%20Response/Alert%20Tunning/Alert-Tuning-%E2%80%93-Comprehensive-Guide-%28Advanced-Edition%29/)
+- [/Defender for Endpoint/Endpoint Detection and Response/Device Control/How-to-Configure-Device-Control-on-macOS,-Use-case-1.-Deny-write-access-to-all-USB-storage-except-for-specific-VendorID-and-ProductID-combinations-(Jamf)/](https://tep.cyberpax.cloud/Defender%20for%20Endpoint/Endpoint%20Detection%20and%20Response/Device%20Control/How-to-Configure-Device-Control-on-macOS%2C-Use-case-1.-Deny-write-access-to-all-USB-storage-except-for-specific-VendorID-and-ProductID-combinations-%28Jamf%29/)
+- [/Defender for Endpoint/Endpoint Detection and Response/Device Control/Using-the-device-control-policy-sample-builder/](https://tep.cyberpax.cloud/Defender%20for%20Endpoint/Endpoint%20Detection%20and%20Response/Device%20Control/Using-the-device-control-policy-sample-builder/)
+- [/Defender for Endpoint/Endpoint Detection and Response/Microsoft Defender Core Service/ecs_connectivity_diagnostic/](https://tep.cyberpax.cloud/Defender%20for%20Endpoint/Endpoint%20Detection%20and%20Response/Microsoft%20Defender%20Core%20Service/ecs_connectivity_diagnostic/)
+- [/Defender for Endpoint/Endpoint Detection and Response/Tags/Data-Driven Tags – Disabled and Isolated in Microsoft Defender for Endpoint/](https://tep.cyberpax.cloud/Defender%20for%20Endpoint/Endpoint%20Detection%20and%20Response/Tags/Data-Driven%20Tags%20%E2%80%93%20Disabled%20and%20Isolated%20in%20Microsoft%20Defender%20for%20Endpoint/)
+- [/Defender for Endpoint/Endpoint Detection and Response/Threat Vulnerability Management/Troubleshooting-Guide-(TSG)-CVE‐2023‐49210-–-OpenSSL-Vulnerability-in-node‐openssl-NPM-Package/](https://tep.cyberpax.cloud/Defender%20for%20Endpoint/Endpoint%20Detection%20and%20Response/Threat%20Vulnerability%20Management/Troubleshooting-Guide-%28TSG%29-CVE%E2%80%902023%E2%80%9049210-%E2%80%93-OpenSSL-Vulnerability-in-node%E2%80%90openssl-NPM-Package/)
+- [/Derecho informático/Delitos-Informáticos-en-Costa-Rica-Mapeo-Jurídico‐Técnico-y-Controles-ATT&CK/](https://tep.cyberpax.cloud/Derecho%20inform%C3%A1tico/Delitos-Inform%C3%A1ticos-en-Costa-Rica-Mapeo-Jur%C3%ADdico%E2%80%90T%C3%A9cnico-y-Controles-ATT%26CK/)
+- [/Derecho informático/Reflexión,-Bienes-jurídicos-tutelados-en-una-eventual-legislación-de-IA-en-Costa-Rica/](https://tep.cyberpax.cloud/Derecho%20inform%C3%A1tico/Reflexi%C3%B3n%2C-Bienes-jur%C3%ADdicos-tutelados-en-una-eventual-legislaci%C3%B3n-de-IA-en-Costa-Rica/)
+- [/Support Tips and Tools/Effective-Case-Notation-Good-practices-and-template/](https://tep.cyberpax.cloud/Support%20Tips%20and%20Tools/Effective-Case-Notation-Good-practices-and-template/)
+- [/Support Tips and Tools/How-to-Craft-an-Effective-Root-Cause-Analysis-(RCA)/](https://tep.cyberpax.cloud/Support%20Tips%20and%20Tools/How-to-Craft-an-Effective-Root-Cause-Analysis-%28RCA%29/)
+- [/index/](https://tep.cyberpax.cloud/index/)
diff --git a/docs/Defender for Endpoint/Endpoint Detection and Response/mde_connectivity_channels.md b/docs/Defender for Endpoint/Endpoint Detection and Response/mde_connectivity_channels.md
@@ -0,0 +1,132 @@
+# Understanding Microsoft Defender for Endpoint Connectivity Channels: What They Do and Why They Matter
+
+When deploying Microsoft Defender for Endpoint (MDE), organizations are often told which endpoints and services must be accessible. However, what’s frequently missing is **why** these channels exist and **what functionality breaks** if they're blocked. This article explains each core connectivity channel, provides real-world examples, and clarifies the difference between standard and streamlined connectivity.
+
+For official documentation on configuring your environment, including connectivity requirements, visit:
+**[Microsoft Learn - Configure Microsoft Defender for Endpoint in your environment](https://learn.microsoft.com/en-us/defender-endpoint/configure-environment)**
+
+---
+
+## 🧐 CNC Channel (Command and Control)
+
+**Purpose:** Provides centralized control from the Microsoft Defender cloud to the endpoint client (Sense).
+
+**Payloads and Traffic:**
+- Heartbeat signals (WinATP traffic)
+- Sensor and OS version info
+- Remote command dispatching:
+  - Isolate device
+  - Restrict app execution
+  - Run antivirus scan
+  - Collect investigation package
+  - Start Live Response session
+  - Trigger automated investigation
+  - Configure troubleshooting mode
+  - Offboarding commands
+
+**Why It Matters:**
+Blocking CNC traffic prevents remote security actions. For instance, you wouldn’t be able to isolate a compromised device during an incident. Live Response sessions and forensic data collection would fail.
+
+**Example from ECS Configuration:** The ECS (Experimentation and Configuration Service) sends configuration payloads via CNC to enforce settings such as enabling a feature or toggling troubleshooting mode. URLs like `*.ecs.office.com` must be reachable to ensure consistent policy enforcement. ECS ensures product health and supports controlled rollouts without impacting all users at once.
+
+---
+
+## 📡 Cyber Channel (Telemetry and Reporting)
+
+**Purpose:** Sends telemetry data and security event logs from the device to Microsoft Defender’s cloud backend.
+
+**Payloads and Events:**
+- Device and component versions (Defender AV, MOCAMP, engine, definitions)
+- Response action results (e.g., AV scan outcome, package collection success)
+- Raw telemetry: `DeviceInfoEvents`, `RegistryEvents`, `NetworkEvents`, `FileEvents`, etc.
+- Alert and incident data
+- Timeline event population
+- Security recommendations
+- Software inventories and vulnerability insights
+- Tags pushed through registry keys
+
+**Why It Matters:**
+Without telemetry, the device becomes invisible to SecOps teams. No alerts, incident timelines, or vulnerability reports will show up in the portal. Hunting and correlation tools lose value.
+
+**Example:** A blocked Cyber Channel would prevent reporting of discovered vulnerabilities and KB patch statuses, impacting compliance visibility.
+
+---
+
+## 🗺️ Maps Channel (Cloud-Based Protection)
+
+**Purpose:** Supports Microsoft Defender Antivirus and Endpoint Detection and Response (EDR) cloud functionalities.
+
+**Key Services:**
+- Real-time cloud lookups for suspicious files
+- Custom indicators (hashes, IPs, URLs)
+- Network protection enforcement
+- Web content filtering
+- EDR block mode
+- Tamper Protection toggled via MDE portal
+
+**Why It Matters:**
+Cloud-delivered protection is essential for detecting emerging threats and enforcing org-specific threat indicators. Without it, devices fall back to outdated, local-only detection.
+
+**Example:** If `*.wdcp.microsoft.com` or `*.wd.microsoft.com` is blocked, the endpoint cannot perform real-time cloud lookups, severely degrading AV performance.
+
+---
+
+## 🔍 Standard vs Streamlined Connectivity
+
+Microsoft supports two connectivity models:
+
+### Standard Connectivity:
+- Requires access to a broader range of domains and URLs.
+- Granular separation between features, updates, and telemetry paths.
+- Full-featured but complex to configure in restricted environments.
+
+### Streamlined Connectivity:
+- Introduced for simpler firewall/proxy configurations.
+- Consolidates MDE services under fewer FQDNs like:
+  - `*.endpoint.security.microsoft.com`
+  - `*.events.data.microsoft.com`
+  - `*.ecs.office.com`
+- Offers nearly the same capabilities with reduced overhead.
+
+**From Attached Files:** The spreadsheet `mde-streamlined-urls-commercial.xlsx` shows that many URLs for sensor telemetry, Live Response, and feature configuration are unified under the streamlined model, reducing friction for security teams.
+
+---
+
+## 📂 URL-to-Feature Mapping Table
+
+| Feature / Capability            | Channel       | Example Domains (FQDNs)                           | Streamlined Available |
+|-------------------------------|----------------|--------------------------------------------------|------------------------|
+| Device Isolation / Response    | CNC            | `*.endpoint.security.microsoft.com`              | ✅                     |
+| ECS Config & Troubleshooting   | CNC            | `*.ecs.office.com`                               | ✅                     |
+| Sensor and OS Version Reports | CNC/Cyber      | `*.events.data.microsoft.com`                    | ✅                     |
+| Telemetry Events & Alerts      | Cyber          | `*.events.data.microsoft.com`                    | ✅                     |
+| Defender AV Cloud Protection   | Maps           | `*.wdcp.microsoft.com`, `*.wd.microsoft.com`     | ✅                     |
+| Web Content Filtering          | Maps           | `*.microsoft.com`, `*.cloudfilter.net` (region-dependent) | ✅               |
+| Vulnerability Management       | Cyber          | `*.endpoint.security.microsoft.com`              | ✅                     |
+| Live Response / Package Upload | CNC/Cyber      | `*.endpoint.security.microsoft.com`, `*.events.data.microsoft.com` | ✅      |
+
+---
+
+## 🌐 Regional Considerations
+
+MDE connectivity varies slightly based on data residency requirements. From the uploaded spreadsheets:
+
+| Region            | Example FQDNs                                                       |
+|------------------|---------------------------------------------------------------------|
+| Commercial        | `*.endpoint.security.microsoft.com`, `*.ecs.office.com`            |
+| GCC High & DoD    | `*.endpoint.security.microsoft.us`, `*.config.ecs.dod.teams.microsoft.us` |
+| GCC Moderate      | `*.gccmod.ecs.office.com`                                           |
+
+Ensure endpoints in regulated environments like the US Government use the region-specific FQDNs listed in the [official documentation](https://learn.microsoft.com/en-us/defender-endpoint/configure-environment).
+
+---
+
+## 🚧 Final Thoughts
+
+Proper configuration of MDE connectivity is not just a best practice — it’s a **requirement** for effective detection, response, and protection. Every blocked call reduces visibility or disables key functionality. ECS and streamlined connectivity models help simplify management while ensuring full-feature coverage.
+
+Ensure the right domains are always reachable, monitor connectivity health, and use logs (like heartbeat or command telemetry) to validate end-to-end operation.
+
+For the most current list of required endpoints and their functions, always refer to:
+**[Microsoft Learn - Configure Microsoft Defender for Endpoint in your environment](https://learn.microsoft.com/en-us/defender-endpoint/configure-environment)**
+
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -23,6 +23,7 @@ nav:
         : Defender for Endpoint/Endpoint Detection and Response/Device Control/How-to-Configure-Device-Control-on-macOS,-Use-case-1.-Deny-write-access-to-all-USB-storage-except-for-specific-VendorID-and-ProductID-combinations-(Jamf).md
       - Using The Device Control Policy Sample Builder: Defender for Endpoint/Endpoint
           Detection and Response/Device Control/Using-the-device-control-policy-sample-builder.md
+    - Mde Connectivity Channels: Defender for Endpoint/Endpoint Detection and Response/mde_connectivity_channels.md
     - Microsoft Defender Core Service:
       - Ecs Connectivity Diagnostic: Defender for Endpoint/Endpoint Detection and
           Response/Microsoft Defender Core Service/ecs_connectivity_diagnostic.md
