Environment
- EDR Server: 7.4.0 and Higher
- EDR Sensor: 7.1.1 - 7.2.0
Question
Why is an endpoint in isolation by the EDR Sensor communicating with an unknown IP address?
Answer
- Isolation does not prevent DNS queries; all UDP and TCP traffic on port 53 is allowed.
- EDR also permits all UDP port 67 (DHCP) traffic.
Additional Notes
A later sensor version will further limit the allowed traffic, so that the sensor will only permit TCP/UDP to the assigned DNS server.
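To triage traffic seen from an isolated endpoint against the exceptions listed above, the following added example (not vendor code) labels each outbound flow as DNS, DHCP, or unexpected, and separates port 53 traffic that goes to a server other than the assigned DNS server. The flow records, the `EDR_SERVERS` and `ASSIGNED_DNS` addresses, and the label names are constructed assumptions, as is treating the sensor's own traffic to the EDR server as expected.

```python
import ipaddress
from collections import namedtuple

# Constructed record shape: one outbound flow seen from the isolated endpoint.
Flow = namedtuple("Flow", "proto dst_ip dst_port")

# Assumptions (not from the article): placeholder addresses for the EDR server
# and for the DNS server assigned to the endpoint (documentation ranges).
EDR_SERVERS = {"192.0.2.10"}
ASSIGNED_DNS = {"192.0.2.53"}

def classify(flow, edr_servers=EDR_SERVERS, assigned_dns=ASSIGNED_DNS):
    """Return a triage label for one outbound flow from an isolated endpoint."""
    proto = flow.proto.lower()
    dst = str(ipaddress.ip_address(flow.dst_ip))  # validate and normalise
    if dst in edr_servers:
        return "edr-server"  # assumed to be expected sensor traffic
    if proto in ("tcp", "udp") and flow.dst_port == 53:
        # Isolation allows port 53 to any destination; only the assigned
        # DNS server is expected, so anything else is set aside for review.
        return "dns-assigned" if dst in assigned_dns else "dns-unassigned-review"
    if proto == "udp" and flow.dst_port == 67:
        return "dhcp"  # all UDP port 67 traffic is permitted
    return "unexpected-investigate"  # not covered by the listed exceptions

def triage(flows):
    """Group flows by label so the review items stand out."""
    report = {}
    for flow in flows:
        report.setdefault(classify(flow), []).append(flow)
    return report

SAMPLE_FLOWS = [  # constructed sample data
    Flow("udp", "192.0.2.53", 53),
    Flow("tcp", "198.51.100.7", 53),
    Flow("udp", "255.255.255.255", 67),
    Flow("tcp", "192.0.2.10", 443),
    Flow("tcp", "203.0.113.9", 443),
]

if __name__ == "__main__":
    for label, items in triage(SAMPLE_FLOWS).items():
        print(label, [f"{f.proto}/{f.dst_ip}:{f.dst_port}" for f in items])
```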