Now you can Contain IP addresses of undiscovered devices


Microsoft Defender for Endpoint (MDE) now supports containing IP addresses associated with undiscovered or non-onboarded devices in preview. This feature helps prevent attackers from spreading laterally to other uncompromised devices.

👉 Key Benefit: Unlike the existing “Contain a device” feature (which works only on discovered devices), this new capability blocks malicious activity at the network level, even if the device isn’t managed by Defender.

🔗 Reference: Microsoft Defender for Endpoint IP Containment

You Should Know:

1. How IP Containment Works

  • Defender for Endpoint isolates the suspicious IP at the network layer, blocking inbound and outbound traffic between onboarded devices and that address.
  • Ideal for unmanaged devices (IoT, legacy systems) that can’t run an EDR agent.

2. Verify IP Containment via PowerShell

```powershell
# Check whether an IP is contained
# Note: Get-MdeMachineNetworkInfo is not a standard cmdlet; treat the name as a placeholder
# and verify it against the current Defender for Endpoint API/module reference before relying on it.
Get-MdeMachineNetworkInfo -IPAddress "192.168.1.100" | Select-Object IsContained
```

3. Linux Command to Test Blocked IPs

```bash
# Test connectivity to a contained IP from a managed host
ping -c 3 192.168.1.100
curl -v --connect-timeout 5 http://192.168.1.100
# Expected: timeout or "Connection refused"
```

4. Windows Firewall Rule for Manual Containment

```powershell
# Block the IP via Windows Firewall in both directions, mirroring MDE containment
New-NetFirewallRule -DisplayName "Block Contained IP (Out)" -Direction Outbound -RemoteAddress 192.168.1.100 -Action Block
New-NetFirewallRule -DisplayName "Block Contained IP (In)"  -Direction Inbound  -RemoteAddress 192.168.1.100 -Action Block
```

5. Network Debugging with `tcpdump` (Linux)

```bash
# Capture traffic to/from a contained IP (adjust the interface name as needed)
sudo tcpdump -i eth0 host 192.168.1.100
```

6. Defender ATP API for Automation

```bash
# Use the API to contain an IP (replace API_KEY with a valid bearer token)
# Note: the endpoint path and request body below are as given in this post; confirm them
# against the current Defender for Endpoint API reference before automating on them.
curl -X POST "https://api.securitycenter.microsoft.com/api/machines/contain" \
  -H "Authorization: Bearer API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"IPAddress": "192.168.1.100"}'
```

What Undercode Says

Microsoft’s IP containment is a game-changer for hybrid environments where legacy devices lack EDR coverage. Combine this with:
– SIEM rules (e.g., Splunk/Sentinel alerts for contained IP traffic).
– NAC solutions (Cisco ISE, Aruba ClearPass) to enforce network segmentation.
– Linux hardening: Use iptables/nftables to mirror Defender’s containment:

```bash
# Drop traffic from and to the contained IP (both directions, as MDE containment does)
iptables -A INPUT  -s 192.168.1.100 -j DROP
iptables -A OUTPUT -d 192.168.1.100 -j DROP
```

For Windows, audit containment via:

```powershell
# Note: Get-MpThreatDetection (Defender Antivirus) does not document a "Contained" property;
# verify the property name in your environment before using this filter in an audit.
Get-MpThreatDetection | Where-Object { $_.Contained -eq $true }
```

Expected Output:

  • Contained IPs show `IsContained: True` in Defender’s portal.
  • Blocked traffic appears in the Windows Firewall log (the log file path per profile is shown by `Get-NetFirewallProfile | Select-Object Name, LogFileName`; `Get-NetFirewallLog` is not a built-in cmdlet).
  • SIEM alerts fire for unauthorized access attempts involving the contained IP.
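To confirm that containment actually holds, the Windows Firewall log can be audited for any ALLOW entry touching a contained IP. The following is an added example (not code from this post or from Microsoft); the log lines are constructed in the standard pfirewall.log W3C layout, and the file path and contained-IP list are assumptions.

```python
from collections import Counter

# Constructed sample in Windows Firewall pfirewall.log (W3C) format; not real log data.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 10:00:01 DROP TCP 192.168.1.100 192.168.1.10 51000 445 52 S 1234 0 8192 - - - RECEIVE
2024-05-01 10:00:02 DROP TCP 192.168.1.10 192.168.1.100 49152 3389 52 S 2345 0 8192 - - - SEND
2024-05-01 10:00:03 ALLOW TCP 192.168.1.10 10.0.0.5 49153 443 0 - 0 0 0 - - - SEND
2024-05-01 10:00:04 ALLOW TCP 192.168.1.100 192.168.1.10 51001 22 0 - 0 0 0 - - - RECEIVE
"""


def parse_pfirewall(text):
    """Yield one dict per data row, naming columns from the #Fields header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) < len(fields):
            continue  # truncated row; skip rather than misalign columns
        yield dict(zip(fields, parts))


def audit_containment(text, contained_ips):
    """Return (drops, leaks): DROP counts per contained IP, and ALLOW rows that breach containment."""
    contained = set(contained_ips)
    drops = Counter()
    leaks = []
    for row in parse_pfirewall(text):
        peers = {row["src-ip"], row["dst-ip"]} & contained
        if not peers:
            continue
        if row["action"] == "DROP":
            for ip in peers:
                drops[ip] += 1
        elif row["action"] == "ALLOW":
            leaks.append(row)  # containment gap: traffic with a contained IP was allowed
    return drops, leaks


if __name__ == "__main__":
    # Assumed default log path: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
    drops, leaks = audit_containment(SAMPLE_LOG, ["192.168.1.100"])
    print("drops per contained IP:", dict(drops))
    for row in leaks:
        print("LEAK:", row["date"], row["time"], row["src-ip"], "->", row["dst-ip"], row["dst-port"], row["path"])
```

Feed the real file into `audit_containment` instead of `SAMPLE_LOG`; any entry in `leaks` is worth a SIEM alert, since it means the contained address reached a managed host.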

🔗 Learn More: Microsoft Security Docs

References:

Reported By: Markolauren Xdr – Hackers Feeds
