Tooling Allowlist to include URLs
Nicholas Gusto
When partners work with third-party vendors for IR, Forensics, etc., sometimes those teams need to use additional tooling that is difficult to do when a host is isolated.
The partner in this example has a team needing to use CrowdStrike, and the allowlist the app says it needs is by URL only and there are about 30 of them. They would like the option to add the URLs or select specific tools instead of having to look up each IP tied to the URL, add IP, rinse, repeat, etc.
Jim Ducroiset
This is a need to have for DFIR. We work with NinjaOne as well and they only use dynamic IPs for remote access. Having clients dispersed all over, we do not always have the luxury of boots on the ground for incident response. Although Huntress does a good job at cleaning up where it can, in an instance where it cannot, having an alternate means of endpoint access while the host is isolated utilizing an already installed management tool becomes a need to have.
We have tried alternate methods of doing this, but most would require an additional agent. Even when trying to automate a collection sending to a secure S3 bucket, it would still require the use of a URL to send the collection out.
Sebastian S.
I think ScreenConnect cloud instances are also using dynamic IPs.
Brian Cook
100% would love this, NinjaOne is another tool that really doesn’t publish IPs and wants you to list by URL as they change all the time.
Corey DeGrandchamp
Brian Cook Ninja does publish IPs but they seem hit or miss, not sure if they're updated as much as the URL list.
I agree though regardless, it would be great if we could allow-list URLs in the same manner.