Appendix C: AVD Firewall Reference
This appendix provides the Azure Firewall rule reference for Azure Virtual Desktop deployments in GCC High. Rules are organized by function tier, from infrastructure baseline to customer-specific application access. For architecture context and the network topology, see Scenario: Azure Virtual Desktop.
Rule Structure and Priority Model
Rules are organized into application rule collections (FQDN-based) and network rule collections (IP and port-based). Within a collection, rules are evaluated in order and the first match terminates processing; collections are evaluated lowest priority number first; and every network rule collection is processed before any application rule collection. The Deny-All-Log catch-all at priority 4096 is an application rule collection: it denies and logs any HTTP/HTTPS request that no explicit allow matched. Non-HTTP traffic that matches no network rule is dropped by the firewall's default deny and logged without a rule collection name.
In the Azure Firewall UI, application rule collections and network rule collections are configured in separate tabs with independent priority numbering. A network rule collection at priority 200 and an application rule collection at priority 200 do not conflict; they are evaluated independently, and network rules are evaluated first for matching traffic whatever their number. If you manage rules through Firewall Policy, keep the same separation by placing network collections in the network rule collection group and application collections in the application rule collection group, which is how the portal's default groups are laid out. The tables below use priority 200 for both the customer application rules and the Essential-Ports network collection; this is intentional.
Application rule collections (FQDN-based, for TCP/HTTP/HTTPS traffic):
| Priority | Collection | Scope |
|---|---|---|
| 100 | AVD-Control-Plane | AVD gateway, broker, agent endpoints (sovereign) |
| 110 | Identity-And-Auth | Entra ID, ADFS, MSA, certificate services |
| 120 | M365-GCC-High | Exchange, Teams, SharePoint, Office clients |
| 130 | Windows-Management | Windows Update, telemetry, activation, NTP |
| 140 | Defender-For-Endpoint | MDE cloud submission, threat intel, portal |
| 200–299 | Customer-* | Customer-specific application rules (see template) |
| 4096 | Deny-All-Log | Catch-all deny with logging |
Network rule collections (IP/port-based, evaluated before application rules for matching traffic):
| Priority | Collection | Scope |
|---|---|---|
| 200 | Essential-Ports | DNS, IMDS, Azure health probe, KMS, FSLogix SMB (pooled host pools only — omit for personal/assigned) |
| 210 | Teams-Media | Teams audio/video UDP ports |
| 220 | Azure-Services | Service tag-based rules for Azure platform traffic |
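As an added example, not from the original page, the following Python assembles an abbreviated version of the tables above into Firewall Policy rule collection groups in the ARM schema and checks the three things this priority model depends on: collection priorities unique within a group, the catch-all implemented as an application rule collection (a network deny-all would be evaluated first and shadow every FQDN rule), and no network allow on TCP 443 to the Storage or ServiceBus tags, which would be matched ahead of AVD-Storage and AVD-Service-Bus and widen them to every account in the region. The subnet, the group priorities and the abbreviated FQDN lists are assumptions.

```python
"""Assemble the two-tier AVD rule set as Azure Firewall Policy rule collection
groups and check the invariants the priority model relies on.

Added example, not from the original page. The dict shapes follow the
Microsoft.Network/firewallPolicies/ruleCollectionGroups ARM schema
(FirewallPolicyFilterRuleCollection holding ApplicationRule or NetworkRule
entries) and the portal's default group names. The subnet and the
abbreviated FQDN lists are assumptions."""
import json

SESSION_HOST_SUBNET = "10.10.1.0/24"  # assumption: AVD session host subnet
DENY_ALL_PRIORITY = 4096
GOV_REGIONS = ["AzureCloud.USGovVirginia", "AzureCloud.USGovArizona"]


def app_rule(name, fqdns=(), fqdn_tags=(), ports=(443,)):
    """Application rule: FQDN- or FQDN-tag-based; HTTP/HTTPS only."""
    rule = {"ruleType": "ApplicationRule", "name": name,
            "sourceAddresses": [SESSION_HOST_SUBNET],
            "protocols": [{"protocolType": "Https" if p == 443 else "Http", "port": p}
                          for p in ports]}
    if fqdns:
        rule["targetFqdns"] = list(fqdns)
    if fqdn_tags:
        rule["fqdnTags"] = list(fqdn_tags)
    return rule


def net_rule(name, protocols, destinations, ports):
    """Network rule: IP, CIDR or service-tag destinations, any L4 protocol."""
    return {"ruleType": "NetworkRule", "name": name, "ipProtocols": list(protocols),
            "sourceAddresses": [SESSION_HOST_SUBNET],
            "destinationAddresses": list(destinations),
            "destinationPorts": [str(p) for p in ports]}


def collection(name, priority, action, rules):
    return {"ruleCollectionType": "FirewallPolicyFilterRuleCollection", "name": name,
            "priority": priority, "action": {"type": action}, "rules": rules}


def build_policy(pooled=True):
    """Abbreviated version of the tables above. Network and application collections
    live in the portal's two default groups, so their priority spaces are independent
    by construction; pooled=False omits FSLogix-SMB (personal/assigned pools)."""
    essential = [
        net_rule("DNS", ["TCP", "UDP"], ["*"], [53]),
        net_rule("IMDS", ["TCP"], ["169.254.169.254"], [80]),
        net_rule("Azure-HealthProbe", ["TCP"], ["168.63.129.16"], [80]),
        net_rule("KMS", ["TCP"], GOV_REGIONS, [1688]),
    ]
    if pooled:
        essential.append(net_rule("FSLogix-SMB", ["TCP"],
                                  ["Storage.USGovVirginia", "Storage.USGovArizona"], [445]))
    network_group = [
        collection("Essential-Ports", 200, "Allow", essential),
        collection("Teams-Media", 210, "Allow", [
            net_rule("Teams-STUN-TURN", ["UDP"], GOV_REGIONS, ["3478-3481"])]),
    ]
    application_group = [
        collection("AVD-Control-Plane", 100, "Allow", [
            app_rule("AVD-FqdnTag", fqdn_tags=["WindowsVirtualDesktop"]),
            app_rule("AVD-Storage", fqdns=["*.blob.core.usgovcloudapi.net"])]),
        collection("Identity-And-Auth", 110, "Allow", [
            app_rule("Entra-Auth", fqdns=["login.microsoftonline.us"])]),
        # The catch-all is an APPLICATION collection. A network deny-all would be
        # evaluated first and swallow the HTTPS traffic the FQDN rules are meant to allow.
        collection("Deny-All-Log", DENY_ALL_PRIORITY, "Deny", [
            app_rule("Deny-Everything", fqdns=["*"], ports=(80, 443))]),
    ]
    return {"DefaultNetworkRuleCollectionGroup": {"priority": 200, "ruleCollections": network_group},
            "DefaultApplicationRuleCollectionGroup": {"priority": 300, "ruleCollections": application_group}}


def check_invariants(policy):
    """Return a list of problems; an empty list means the policy matches the model."""
    problems, app_deny_priorities = [], set()
    for group_name, group in policy.items():
        seen = {}
        for c in group["ruleCollections"]:
            if c["priority"] in seen:  # collection priorities are unique within a group
                problems.append(f"{group_name}/{c['name']}: priority {c['priority']} "
                                f"already used by {seen[c['priority']]}")
            seen[c["priority"]] = c["name"]
            for r in c["rules"]:
                if r["ruleType"] == "ApplicationRule":
                    if c["action"]["type"] == "Deny":
                        app_deny_priorities.add(c["priority"])
                    continue
                wildcard = "*" in r["destinationAddresses"] and "*" in r["destinationPorts"]
                if c["action"]["type"] == "Deny" and wildcard:
                    # Network rules run before every application rule: this shadows the FQDN tier.
                    problems.append(f"{c['name']}/{r['name']}: network deny-all shadows application rules")
                if c["action"]["type"] == "Allow" and "443" in r["destinationPorts"]:
                    for dest in r["destinationAddresses"]:
                        if dest.split(".")[0] in ("Storage", "ServiceBus"):
                            # Matched before AVD-Storage / AVD-Service-Bus: widens them to the region.
                            problems.append(f"{c['name']}/{r['name']}: {dest}:443 bypasses the FQDN rules")
    if DENY_ALL_PRIORITY not in app_deny_priorities:
        problems.append(f"no application Deny-All-Log collection at priority {DENY_ALL_PRIORITY}")
    return problems


if __name__ == "__main__":
    policy = build_policy(pooled=True)
    print(json.dumps(policy, indent=2))
    print("problems:", check_invariants(policy) or "none")
```

Run check_invariants against the policy you actually export (for example the ruleCollectionGroups resources from an ARM template export) before deploying a change; the Storage/ServiceBus check in particular catches the mistake discussed under Priority 220.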
Application Rule Collections
Priority 100: AVD-Control-Plane
These FQDNs are required for session host registration, agent updates, and user session brokering. None of these can be removed without breaking AVD functionality.
AVD agent packages are delivered through blob storage (AVD-Storage) and the CDN (AVD-Infra-CDN) — no separate wildcard *.microsoft.com rule is needed here. Windows OS updates and MDE endpoints are handled by their own collections at Priority 130 and 140, where they can be audited and managed independently.
GCC High
| Rule Name | Protocol | Target FQDNs | Purpose |
|---|---|---|---|
| AVD-Gateway | HTTPS:443 | *.wvd.azure.us | Session brokering and gateway (Azure Government AVD namespace; *.wvd.microsoft.com is commercial only) |
| AVD-Service-Bus | HTTPS:443 | *.servicebus.usgovcloudapi.net | Agent-to-control-plane messaging |
| AVD-Storage | HTTPS:443 | *.blob.core.usgovcloudapi.net | Agent package and session host image downloads |
| AVD-KV | HTTPS:443 | *.vault.usgovcloudapi.net | Key Vault access for disk encryption |
| AVD-ARM | HTTPS:443 | management.usgovcloudapi.net | Azure Resource Manager |
| AVD-Graph | HTTPS:443 | graph.microsoft.us | Microsoft Graph (Intune policy sync) |
| AVD-Infra-CDN | HTTPS:443 | agenthubprod.azureedge.us | Agent hub CDN |
| AVD-RD-Broker | HTTPS:443 | rdbroker.wvd.azure.us | RD broker (direct); already matched by the AVD-Gateway wildcard, kept as a named rule so broker traffic is identifiable in the logs |
Commercial
| Rule Name | Protocol | Target FQDNs | Purpose |
|---|---|---|---|
| AVD-Gateway | HTTPS:443 | *.wvd.microsoft.com | Session brokering and gateway |
| AVD-Service-Bus | HTTPS:443 | *.servicebus.windows.net | Agent-to-control-plane messaging |
| AVD-Storage | HTTPS:443 | *.blob.core.windows.net | Agent package and session host image downloads |
| AVD-KV | HTTPS:443 | *.vault.azure.net | Key Vault access |
| AVD-ARM | HTTPS:443 | management.azure.com | Azure Resource Manager |
| AVD-Graph | HTTPS:443 | graph.microsoft.com | Microsoft Graph |
| AVD-Infra-CDN | HTTPS:443 | agenthubprod.azureedge.net | Agent hub CDN |
| AVD-RD-Broker | HTTPS:443 | rdbroker.wvd.microsoft.com, rdbroker2.wvd.microsoft.com | RD broker (direct) |
Azure Firewall provides the WindowsVirtualDesktop FQDN tag, a Microsoft-maintained list of the AVD service FQDNs that is updated as the service changes. Prefer the tag to hand-maintained Priority 100 FQDNs, and keep explicit rules only for endpoints the tag does not include (blob storage, Key Vault, ARM, Graph). In GCC High, verify after deployment with Query 3 that the tag is matching the .us and azure.us endpoints and not only the commercial ones. The tag covers HTTP/HTTPS only; IMDS, the health probe address and KMS still need the Priority 200 network rules.
Earlier revisions of this rule set carried a *.microsoft.com wildcard in Priority 100 that may have been covering undocumented agent endpoints. If you observe agent registration failures after deploying the specific rules above, run Query 1 (All Denied Traffic) to identify the FQDNs being blocked, add them to the appropriate tier (AVD-Control-Plane for agent endpoints, Windows-Management for OS functions) and document the rationale. One known gap: Microsoft's published Azure Government list also includes the agent monitoring ingestion endpoints (*.prod.warm.ingest.monitor.core.usgovcloudapi.net and gcs.monitoring.core.usgovcloudapi.net), which the table above does not carry.
Priority 110: Identity-And-Auth
Required for Entra ID authentication, token issuance, MFA, and certificate validation.
GCC High
| Rule Name | Protocol | Target FQDNs | Purpose |
|---|---|---|---|
| Entra-Auth | HTTPS:443 | login.microsoftonline.us | OAuth2/OIDC token endpoint |
| Entra-Auth-Alt | HTTPS:443 | login.microsoftonline.com | Fallback (some SDKs use .com first) |
| MSFTAuth | HTTPS:443 | *.msftauth.net, *.msauth.net | Auth redirect endpoints |
| Auth-CDN | HTTPS:443 | *.aadcdn.msftauth.net | Azure AD login page UI assets — if blocked, sign-in page renders broken with no visible error |
| Entra-ADFS | HTTPS:443 | *.microsoftonline-p.com | ADFS federation |
| Cert-Services | HTTP:80, HTTPS:443 | *.entrust.net, *.digicert.com, *.globalsign.com | CRL/OCSP for certificate validation |
| Windows-Auth | HTTPS:443 | device.login.microsoftonline.us | Device registration |
| PRT-Refresh | HTTPS:443 | enterpriseregistration.windows.net | PRT (Primary Refresh Token) |
Commercial
| Rule Name | Protocol | Target FQDNs | Purpose |
|---|---|---|---|
| Entra-Auth | HTTPS:443 | login.microsoftonline.com | OAuth2/OIDC token endpoint |
| MSFTAuth | HTTPS:443 | *.msftauth.net, *.msauth.net | Auth redirect endpoints |
| Auth-CDN | HTTPS:443 | *.aadcdn.msftauth.net | Azure AD login page UI assets |
| Entra-ADFS | HTTPS:443 | *.microsoftonline-p.com | ADFS federation |
| Cert-Services | HTTP:80, HTTPS:443 | *.entrust.net, *.digicert.com, *.globalsign.com | CRL/OCSP |
| Windows-Auth | HTTPS:443 | device.login.microsoftonline.com | Device registration |
| PRT-Refresh | HTTPS:443 | enterpriseregistration.windows.net | PRT refresh |
Priority 120: M365-GCC-High
Required for Microsoft 365 services. In GCC High, most M365 traffic uses .us endpoints; the .com rules in the GCC High table cover the subset of services (Teams presence, Outlook mobile sync, Teams static assets) that still route through commercial endpoints in GCC High tenants.
GCC High
| Rule Name | Protocol | Target FQDNs | Purpose |
|---|---|---|---|
| EXO | HTTPS:443 | *.mail.protection.office365.us, *.outlook.office365.us | Exchange Online |
| Teams-Signaling | HTTPS:443 | *.teams.microsoft.us, teams.microsoft.us | Teams signaling (sovereign) |
| Teams-CDN | HTTPS:443 | *.skype.com, *.sfbassets.com | Teams static assets (via commercial CDN) |
| Teams-CDN-Static | HTTPS:443 | statics.teams.cdn.office.net, *.teams.cdn.office.net | Teams static content CDN |
| Teams-Legacy | HTTPS:443 | *.lync.com | Legacy Lync/Teams endpoints — presence, federation, Live Events |
| Teams-LiveEvents | HTTPS:443 | *.broadcast.skype.com | Teams Live Events streaming |
| SharePoint | HTTPS:443 | *.sharepoint.us | SharePoint Online |
| Office-Apps | HTTPS:443 | *.office365.us, *.office.com | Office web apps |
| M365-Common | HTTPS:443 | *.microsoftonline.com | M365 auth subdomains not covered by Priority 110 |
| Intune-Portal | HTTPS:443 | *.manage.microsoft.us | Intune GCC High |
| Intune-Discovery | HTTPS:443 | enrollment.manage.microsoft.us | MDM enrollment discovery |
| Office-CDN | HTTPS:443 | *.officeapps.live.com, *.cdn.office.net | Office click-to-run CDN |
Commercial
| Rule Name | Protocol | Target FQDNs | Purpose |
|---|---|---|---|
| EXO | HTTPS:443 | *.mail.protection.outlook.com, *.outlook.office365.com | Exchange Online |
| Teams-Signaling | HTTPS:443 | *.teams.microsoft.com, teams.microsoft.com | Teams signaling |
| Teams-CDN | HTTPS:443 | *.skype.com, *.sfbassets.com | Teams static assets |
| Teams-CDN-Static | HTTPS:443 | statics.teams.cdn.office.net, *.teams.cdn.office.net | Teams static content CDN |
| Teams-Legacy | HTTPS:443 | *.lync.com | Legacy Lync/Teams endpoints |
| Teams-LiveEvents | HTTPS:443 | *.broadcast.skype.com | Teams Live Events streaming |
| SharePoint | HTTPS:443 | *.sharepoint.com | SharePoint Online |
| Office-Apps | HTTPS:443 | *.office365.com, *.office.com | Office web apps |
| M365-Common | HTTPS:443 | *.microsoftonline.com | M365 auth subdomains not covered by Priority 110 |
| Intune-Portal | HTTPS:443 | *.manage.microsoft.com | Intune portal |
| Intune-Discovery | HTTPS:443 | enrollment.manage.microsoft.com | MDM enrollment |
| Office-CDN | HTTPS:443 | *.officeapps.live.com, *.cdn.office.net | Office CDN |
Teams real-time audio and video use UDP 3478–3481 to the Microsoft transport relays and the ephemeral range 49152–53247 for media streams. Azure Firewall application rules process only HTTP, HTTPS and MSSQL, so UDP can never be matched by FQDN; it has to be allowed by network rules with IP, CIDR or service tag destinations. See Network Rules: Teams-Media below.
Priority 130: Windows-Management
Required for Windows Update, telemetry, license activation, and NTP. These FQDNs are common to all Windows session hosts regardless of AVD.
| Rule Name | Protocol | Target FQDNs | Purpose |
|---|---|---|---|
| Windows-Update | HTTPS:443 | *.update.microsoft.com, update.microsoft.com | Windows Update |
| WU-Delivery | HTTPS:443 | *.delivery.mp.microsoft.com | Delivery Optimization CDN |
| WU-Catalog | HTTPS:443 | catalog.update.microsoft.com | WSUS catalog |
| NCSI | HTTP:80 | www.msftconnecttest.com | Network connectivity indicator |
| Telemetry | HTTPS:443 | *.events.data.microsoft.com, settings-win.data.microsoft.com | Diagnostic telemetry |
| Activation | HTTPS:443 | *.activation.sls.microsoft.com, licensing.mp.microsoft.com | Windows/Office license activation |
| SmartScreen | HTTPS:443 | *.smartscreen.microsoft.com, *.urs.microsoft.com | SmartScreen reputation |
| Watson | HTTPS:443 | *.watson.microsoft.com | Error reporting |
| OCSP-Microsoft | HTTP:80 | ocsp.msocsp.com, mscrl.microsoft.com | Microsoft certificate revocation |
Priority 140: Defender-For-Endpoint
Required for MDE sensor communication, cloud-delivered protection, and threat intelligence updates.
GCC High
| Rule Name | Protocol | Target FQDNs | Purpose |
|---|---|---|---|
| MDE-Portal | HTTPS:443 | *.security.microsoft.us | Defender portal (GCC High) |
| MDE-ATP-West | HTTPS:443 | *.winatp-gw-usw.microsoft.com | MDE cloud west |
| MDE-ATP-East | HTTPS:443 | *.winatp-gw-use.microsoft.com | MDE cloud east |
| MDE-CNC | HTTPS:443 | *.oms.opinsights.azure.us | MDE → Log Analytics (GCC High) |
| MDE-Cloud-Prot | HTTPS:443 | *.wdcp.microsoft.com, *.wdcpalt.microsoft.com | Cloud-delivered protection |
| MDE-SmartScreen | HTTPS:443 | *.smartscreen-prod.microsoft.com | SmartScreen cloud |
| MDE-NIS | HTTPS:443 | *.updates.microsoft.com | NIS signature updates |
| MDE-Cert | HTTP:80 | crl.microsoft.com, ctldl.windowsupdate.com | Certificate revocation |
Commercial
| Rule Name | Protocol | Target FQDNs | Purpose |
|---|---|---|---|
| MDE-Portal | HTTPS:443 | *.security.microsoft.com | Defender portal |
| MDE-ATP-West | HTTPS:443 | *.winatp-gw-cus.microsoft.com | MDE cloud gateway (Central US; rule name kept for parity with the GCC High table) |
| MDE-ATP-East | HTTPS:443 | *.winatp-gw-eus.microsoft.com | MDE cloud gateway (East US) |
| MDE-CNC | HTTPS:443 | *.oms.opinsights.azure.com | MDE → Log Analytics |
| MDE-Cloud-Prot | HTTPS:443 | *.wdcp.microsoft.com, *.wdcpalt.microsoft.com | Cloud-delivered protection |
| MDE-SmartScreen | HTTPS:443 | *.smartscreen-prod.microsoft.com | SmartScreen cloud |
| MDE-NIS | HTTPS:443 | *.updates.microsoft.com | NIS signature updates |
| MDE-Cert | HTTP:80 | crl.microsoft.com, ctldl.windowsupdate.com | CRL |
The rules above cover the most commonly needed MDE endpoints. Microsoft's full list of required MDE URLs is significantly longer (streaming telemetry, advanced hunting, automated investigation, threat intelligence feeds). Now that Priority 100 carries specific AVD FQDNs rather than a *.microsoft.com wildcard, nothing in the policy implicitly covers the remainder: any MDE endpoint not listed here is dropped by Deny-All-Log and appears in Query 1 as a denial from the session host subnet.
Consult the official MDE URL list for your environment and add the missing entries to this collection rather than reintroducing a wildcard:
- GCC High: Microsoft Defender for Endpoint — US Government service URLs
- Commercial: Microsoft Defender for Endpoint — network connections
Do not wait for the Defender portal to flag the gap: a sensor that cannot reach its cloud gateway is reported as impaired communications only after a delay. Run Query 1 after deployment, filter on destinations in the Priority 140 namespaces, and add whatever is being denied.
Network Rule Collections
Priority 200: Essential-Ports
These rules allow traffic that cannot be expressed as FQDNs (IP-based or protocol-based infrastructure requirements).
| Rule Name | Protocol | Source | Destination | Destination Port | Purpose |
|---|---|---|---|---|---|
| DNS | UDP, TCP | Session host subnet | Any | 53 | DNS resolution (use Azure DNS or your DNS resolver IP) |
| IMDS | TCP | Session host subnet | 169.254.169.254 | 80 | Azure Instance Metadata Service — required for VM identity tokens |
| Azure-HealthProbe | TCP | Session host subnet | 168.63.129.16 | 80 | Azure load balancer health probe — required for VM reachability |
| NTP | UDP | Session host subnet | Any | 123 | NTP time sync |
| KMS | TCP | Session host subnet | AzureCloud.USGovVirginia, AzureCloud.USGovArizona | 1688 | Windows license activation (KMS path, GCC High). The published Azure Government KMS host is kms.core.usgovcloudapi.net; with DNS proxy enabled on the firewall, use that FQDN as the network rule destination instead of the regional tags, which open TCP 1688 to every Azure address in the region |
| FSLogix-SMB | TCP | Session host subnet | Storage.USGovVirginia, Storage.USGovArizona | 445 | FSLogix profile container mount — SMB to Azure Files (GCC High). Pooled host pools only — omit for personal/assigned pools. |
169.254.169.254 (IMDS) is a link-local address and 168.63.129.16 is the virtual public IP Azure uses for platform services such as the health probe and the VM agent (it is not link-local). Microsoft's AVD required-endpoint list includes both on TCP 80, so they must be allowed explicitly once a UDR sends all traffic to the firewall. If the catch-all drops them, VMs lose managed identity tokens and health probe responses, which surfaces as enrollment failures, Intune policy application errors and VM unavailability in the load balancer.
FSLogix mounts profile containers as VHD(X) files over SMB (TCP 445) from the session host to an Azure Files share. The AVD-Storage application rule in Priority 100 covers the storage account's HTTPS:443 REST endpoint but not SMB; SMB cannot be expressed as an application rule at all, so this network rule is the only way to allow the mount. It is only needed if you are deploying a pooled (multi-session) host pool with FSLogix.
For personal (assigned) pools, FSLogix is not used — user profiles persist on the VM's OS disk. Remove or omit the FSLogix-SMB rule from the firewall policy to keep the rule set tight.
If you are using a pooled deployment and FSLogix-SMB is missing:
- FSLogix cannot mount the profile container at user login
- Windows falls back to a local temporary profile — silently, with no user-visible error
- Any work saved to Documents, Desktop, or other redirected paths during the session is lost when the session host is replaced or rebooted
- In a multi-session pool where multiple users share a host, local profile accumulation also causes disk pressure
For Commercial pooled deployments, replace the service tags with Storage.EastUS / Storage.WestUS (or the regions matching your storage account).
Priority 210: Teams-Media
Teams real-time audio and video require UDP. Azure Firewall cannot inspect UDP by FQDN — these ports must be opened by IP range or service tag.
| Rule Name | Protocol | Source | Destination | Destination Ports | Purpose |
|---|---|---|---|---|---|
| Teams-STUN-TURN | UDP | Session host subnet | AzureCloud.USGovVirginia, AzureCloud.USGovArizona | 3478–3481 | STUN/TURN for Teams media relay |
| Teams-Media-Ephemeral | UDP | Session host subnet | AzureCloud | 49152–53247 | Teams audio/video media streams |
Teams uses ephemeral UDP ports (49152–53247) for peer-to-peer and relay media; the Microsoft transport relay selects from this range during session negotiation. Narrowing the range causes intermittent audio and video failures that are hard to diagnose because HTTPS signaling keeps working. Two checks before relying on the rows above: the AzureCloud tag is Azure's own address space, while Microsoft publishes the Teams relay ranges and ports in the Microsoft 365 endpoint service (the USGOVGCCHigh instance for GCC High), so confirm with Query 1 that media to those ranges is not being denied and add them as explicit destinations if it is; and a 4,096-port UDP allow to all of AzureCloud is wide, so keep the session host subnet as the only source.
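Both the note under Priority 120 on UDP media and the Teams-Media collection come down to one split: FQDN entries can be application rules, while anything UDP has to be a network rule with IP destinations. The following added Python example (not from the original page) applies that split to records in the shape of the Microsoft 365 endpoint web service, which is where Microsoft publishes the Teams relay ranges and ports (the USGOVGCCHigh instance for GCC High). The sample records are constructed to mimic the feed and are not a live download; rule names, the subnet and the example-telemetry entry are assumptions.

```python
"""Derive Azure Firewall rules from Microsoft 365 endpoint web service records:
FQDN entries become application rules (HTTP/HTTPS), IP entries with UDP or
non-HTTP TCP ports become network rules, because only network rules see UDP.

Added example, not from the original page. SAMPLE_FEED is constructed in the
shape the endpoint service returns (id, serviceArea, urls, ips, tcpPorts,
udpPorts, category, required); the live feed for GCC High is the USGOVGCCHigh
instance at https://endpoints.office.com/endpoints/<instance>?clientrequestid=<guid>
and is much longer. Rule names and the subnet are assumptions."""
import uuid

SESSION_HOST_SUBNET = "10.10.1.0/24"  # assumption: AVD session host subnet


def endpoint_feed_url(instance="USGOVGCCHigh"):
    """Request URL for one instance of the endpoint service (fresh client GUID per caller)."""
    return f"https://endpoints.office.com/endpoints/{instance}?clientrequestid={uuid.uuid4()}"


SAMPLE_FEED = [  # constructed records that mimic the feed, not a live download
    {"id": 11, "serviceArea": "Skype", "urls": [],
     "ips": ["13.107.64.0/18", "52.112.0.0/14"],
     "tcpPorts": "", "udpPorts": "3478,3479,3480,3481", "category": "Optimize", "required": True},
    {"id": 12, "serviceArea": "Skype", "urls": ["*.lync.com", "*.teams.microsoft.us"],
     "ips": ["13.107.64.0/18", "52.112.0.0/14"],
     "tcpPorts": "443", "udpPorts": "", "category": "Allow", "required": True},
    {"id": 99, "serviceArea": "Common", "urls": ["*.example-telemetry.com"], "ips": [],
     "tcpPorts": "443", "udpPorts": "", "category": "Default", "required": False},
]


def parse_ports(spec):
    """'3478,3479,3480,3481' or '50000-50059' -> set of ints ('' -> empty set)."""
    ports = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def port_ranges(ports):
    """Collapse {3478, 3479, 3480, 3481, 8801} -> ['3478-3481', '8801'] for destinationPorts."""
    out, run = [], []
    for p in sorted(ports):
        if run and p != run[-1] + 1:
            out.append(f"{run[0]}-{run[-1]}" if len(run) > 1 else str(run[0]))
            run = []
        run.append(p)
    if run:
        out.append(f"{run[0]}-{run[-1]}" if len(run) > 1 else str(run[0]))
    return out


def endpoints_to_rules(feed, include_optional=False):
    """Return (application_rules, network_rules) as plain dicts. HTTPS to a published
    FQDN stays an application rule: a network rule to the same IPs on 443 would be
    matched first and would bypass the FQDN restriction."""
    app_rules, net_rules = [], []
    for e in feed:
        if not e.get("required") and not include_optional:
            continue
        tcp = parse_ports(e.get("tcpPorts", ""))
        udp = parse_ports(e.get("udpPorts", ""))
        http_ports = tcp & {80, 443}
        if e.get("urls") and http_ports:
            app_rules.append({"name": f"M365-{e['serviceArea']}-{e['id']}",
                              "sourceAddresses": [SESSION_HOST_SUBNET],
                              "targetFqdns": sorted(e["urls"]),
                              "ports": sorted(http_ports)})
            net_tcp = tcp - http_ports
        else:
            net_tcp = tcp  # no FQDN to match on: HTTP(S) to bare IPs needs a network rule too
        # UDP, and TCP on non-HTTP ports, can only be expressed as network rules.
        for proto, ports in (("UDP", udp), ("TCP", net_tcp)):
            if ports and e.get("ips"):
                net_rules.append({"name": f"M365-{e['serviceArea']}-{e['id']}-{proto}",
                                  "ipProtocols": [proto],
                                  "sourceAddresses": [SESSION_HOST_SUBNET],
                                  "destinationAddresses": sorted(e["ips"]),
                                  "destinationPorts": port_ranges(ports)})
    return app_rules, net_rules


if __name__ == "__main__":
    apps, nets = endpoints_to_rules(SAMPLE_FEED)
    print(endpoint_feed_url())
    for rule in apps + nets:
        print(rule)
```

Feed the real JSON through endpoints_to_rules and compare the UDP network rules it yields against the AzureCloud service tags in Priority 210; where the published relay ranges fall outside the tag, the explicit ranges belong in the rule. Entries that are not marked required are skipped by default, which keeps optional telemetry and "Default" category destinations out of the allow list unless you opt in.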
Priority 220: Azure-Services
Service tag-based rules for Azure platform services that do not have corresponding FQDN application rules. Network rules evaluate before application rules, so service tag rules here are only added where no FQDN rule in Priority 100–140 already covers the same traffic.
Storage (TCP:443) and ServiceBus (TCP:443) are deliberately not included here; they are covered by the FQDN application rules AVD-Storage and AVD-Service-Bus in Priority 100. A network rule for those tags would be matched before the application rules are reached and would allow HTTPS to every storage account and Service Bus namespace in the region, not just the ones the FQDN rules name, turning a narrow control-plane allow into a general data exfiltration path.
AzureActiveDirectory and AzureMonitor are included here as service tags because their IP ranges extend beyond what a single FQDN wildcard reliably covers — Entra ID and Azure Monitor route through a broad set of Microsoft infrastructure IPs that can vary by region.
| Rule Name | Protocol | Source | Destination (Service Tag) | Destination Ports | Purpose |
|---|---|---|---|---|---|
| AzureActiveDirectory | TCP | Session host subnet | AzureActiveDirectory | 443 | Entra ID IP range coverage (supplements FQDN rules in Priority 110) |
| AzureMonitor | TCP | Session host subnet | AzureMonitor | 443 | Log Analytics, diagnostics, Azure Monitor |
Customer Application Rule Template
Customer-specific applications are added at Priority 200–299. Each customer deployment adds its own collection with a unique priority number within that range.
Assessment Checklist
Before deploying, inventory the applications your AVD users will access and categorize each:
- Government portals — agency-specific web applications (common: SAM.gov, USASpending.gov, MAX.gov)
- File sharing / transfer — SFTP servers, managed file transfer services, large file upload portals
- Line-of-business SaaS — CRM, ERP, project management, HR systems
- Authentication chains — OAuth providers for those SaaS apps (may require additional auth FQDNs)
- Vendor-specific tooling — specialized software with cloud licensing or telemetry (e.g., engineering software license servers, GIS platforms)
- Video conferencing (non-Teams) — Zoom, Webex, Google Meet each have their own FQDN/port requirements
- Print/scan services — cloud print services if local printing is required from AVD sessions
Template Structure
```text
Collection: Customer-[AppName]
Priority:   200 (increment by 1 for each additional collection)
Action:     Allow
Rules:
  [AppName]-Primary   HTTPS:443   [primary FQDNs]   Primary application
  [AppName]-Auth      HTTPS:443   [auth FQDNs]      OAuth/SAML auth chain
  [AppName]-CDN       HTTPS:443   [CDN FQDNs]       Static assets / CDN
  [AppName]-API       HTTPS:443   [API FQDNs]       API endpoints
```
Common Categories and Known FQDNs
| Category | Common FQDNs to Add | Notes |
|---|---|---|
| Salesforce | *.salesforce.com, *.force.com, *.my.salesforce.com | The *.my.salesforce.com entry is required — the base *.salesforce.com does not cover custom subdomain auth redirects |
| ServiceNow | *.service-now.com, *.servicenow.com | Two domains used across product versions |
| Zoom | *.zoom.us, *.zoomgov.com, *.zoom.com | Zoom's published media ports are UDP 3478–3479 and 8801–8810; add a network rule to Zoom's published IP ranges if meetings need audio/video |
| Workday | *.workday.com, *.myworkday.com, *.wd[n].myworkday.com | wd[n] varies by tenant; identify your tenant's subdomain first |
| Adobe Acrobat (cloud) | *.acrobat.com, *.arclabs.com, *.adobelogin.com | License activation uses *.adobelogin.com — if missing, Acrobat starts in trial mode |
| Esri / ArcGIS | *.arcgis.com, *.esri.com, *.arcgisonline.com | GIS platform with many CDN subdomains; start with wildcard, narrow after logging |
Before adding the deny-all rule, run the firewall in allow-with-logging mode for 2–4 weeks with session hosts in production use: replace Deny-All-Log with an allow collection at the same priority so every request is still logged with a rule collection name. During that window the firewall enforces no egress control on those hosts, so limit it to a pilot host pool where you can. Export the firewall logs, extract the unique FQDNs, and use them to build your customer-specific rule collections. The KQL queries in the Troubleshooting section below are designed for this workflow.
Firewall Troubleshooting KQL
These queries run against the Log Analytics workspace connected to your Azure Firewall diagnostic settings. The firewall must have diagnostic settings configured to send AzureFirewallApplicationRule and AzureFirewallNetworkRule logs to the workspace. They parse the legacy AzureDiagnostics msg_s text; if you enable resource-specific destination tables instead, the same data arrives already structured in AZFWApplicationRule and AZFWNetworkRule (columns such as SourceIp, Fqdn, DestinationPort, Action, RuleCollection) and the extract() calls below are unnecessary.
Query 1: All Denied Traffic (Triage)
Use this first to surface every denied connection — both application and network rule denials — sorted by frequency. High-frequency denials are the most impactful to investigate.
```kusto
AzureDiagnostics
| where Category in ("AzureFirewallApplicationRule", "AzureFirewallNetworkRule")
| where msg_s contains "Action: Deny"
| extend
    // RuleCollection is empty for "No rule matched. Proceeding with default action" denials
    RuleCollection = extract(@"Rule Collection:\s*([^.]+)", 1, msg_s),
    SourceIP = extract(@"from\s+([\d.]+):\d+", 1, msg_s),
    DestFQDN = extract(@"to\s+([\S]+):\d+", 1, msg_s),
    DestPort = extract(@"to\s+[\S]+:(\d+)", 1, msg_s),
    // msg_s has no "Protocol:" field; the protocol is the first word ("HTTPS request from ...")
    Protocol = extract(@"^(\w+)\s+request", 1, msg_s)
| summarize DenyCount = count(), LastSeen = max(TimeGenerated) by SourceIP, DestFQDN, DestPort, Protocol, RuleCollection
| order by DenyCount desc
| take 100
```
Query 2: Single Host Investigation
When a user reports a specific application is broken, filter to their session host IP to see only their denied connections.
```kusto
// Replace with the session host private IP of the affected user's session
let TargetIP = "10.x.x.x";
AzureDiagnostics
| where Category in ("AzureFirewallApplicationRule", "AzureFirewallNetworkRule")
| where msg_s contains "Action: Deny"
// Cheap pre-filter only: "10.1.2.4" also matches 10.1.2.40, hence the exact check below
| where msg_s contains TargetIP
| extend
    SourceIP = extract(@"from\s+([\d.]+):\d+", 1, msg_s),
    DestFQDN = extract(@"to\s+([\S]+):\d+", 1, msg_s),
    DestPort = extract(@"to\s+[\S]+:(\d+)", 1, msg_s),
    Protocol = extract(@"^(\w+)\s+request", 1, msg_s)
| where SourceIP == TargetIP
| project TimeGenerated, SourceIP, DestFQDN, DestPort, Protocol
| order by TimeGenerated desc
```
Query 3: FQDN Baseline (Before Deny-All Activation)
Run this during the allow-with-logging validation period to build your customer application rule list. This query shows every unique FQDN reached by session hosts — sorted by frequency — which becomes the input for building Priority 200+ customer collections.
```kusto
// Set time range to cover representative business usage (1–2 weeks recommended)
AzureDiagnostics
| where Category == "AzureFirewallApplicationRule"
| where msg_s contains "Action: Allow"
| extend
    DestFQDN = extract(@"to\s+([\S]+):\d+", 1, msg_s),
    DestPort = extract(@"to\s+[\S]+:(\d+)", 1, msg_s),
    SourceIP = extract(@"from\s+([\d.]+):\d+", 1, msg_s)
| where isnotempty(DestFQDN)
// Exclude already-documented infrastructure and identity FQDNs to focus on unknown destinations
| where DestFQDN !endswith ".microsoft.com"
    and DestFQDN !endswith ".microsoft.us"
    and DestFQDN !endswith ".windows.net"
    and DestFQDN !endswith ".usgovcloudapi.net"
    and DestFQDN !endswith ".microsoftonline.us"
    and DestFQDN !endswith ".microsoftonline.com"
| summarize
    HitCount = count(),
    UniqueHosts = dcount(SourceIP),
    LastSeen = max(TimeGenerated)
    by DestFQDN, DestPort
| order by HitCount desc
```
Export the results of Query 3 to CSV and sort by HitCount. The top entries by hit count are the applications your users depend on most heavily. Group the FQDNs by application (often recognizable by domain) and build one customer rule collection per application. Low-frequency FQDNs that appear from only one or two hosts are candidates for closer review before allowing.
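As an added offline counterpart to the three queries above and to the export-and-group step just described (not part of the original page), the Python below parses msg_s lines in the format Azure Firewall writes, reproduces the Query 1 triage and the Query 2 exact-IP filter, and groups the Query 3 baseline by registrable domain into Customer-* collection skeletons numbered from 200. The log lines are constructed to follow the msg_s shape and are not a real capture; the hosts, destinations and the registrable-domain heuristic are assumptions. The exclusion list extends Query 3's with the microsoftonline namespaces, which Priority 110 already covers.

```python
"""Offline counterpart of Queries 1-3 plus the grouping step: parse Azure
Firewall msg_s lines, triage denials, and turn the allowed-FQDN baseline into
Customer-* collection skeletons.

Added example, not from the original page. SAMPLE_LOG is constructed in the
shape Azure Firewall writes to msg_s ("<PROTO> request from <ip>:<port> to
<dest>:<port>. Action: <Allow|Deny>. ..."); hosts and destinations are made up.
Collection names follow the Customer-[AppName] template above."""
import re
from collections import Counter, defaultdict

# Same fields the KQL extracts, plus the leading protocol word (there is no "Protocol:" field).
LINE_RE = re.compile(
    r"^(?P<proto>\w+) request from (?P<src>[\d.]+):\d+ to (?P<dst>\S+?):(?P<port>\d+)\. "
    r"Action: (?P<action>Allow|Deny)\.(?: Rule Collection: (?P<coll>[^.]+)\. Rule: (?P<rule>.+))?.*$")

# Query 3's exclusions plus the identity namespaces Priority 110 already documents.
KNOWN_SUFFIXES = (".microsoft.com", ".microsoft.us", ".windows.net", ".usgovcloudapi.net",
                  ".microsoftonline.us", ".microsoftonline.com")

SAMPLE_LOG = [  # constructed lines, not a real capture
    "HTTPS request from 10.10.1.4:51234 to login.microsoftonline.us:443. Action: Allow. Rule Collection: Identity-And-Auth. Rule: Entra-Auth",
    "HTTPS request from 10.10.1.4:51240 to app.example-crm.com:443. Action: Allow. Rule Collection: Allow-All-Log. Rule: Allow-Everything",
    "HTTPS request from 10.10.1.5:51300 to app.example-crm.com:443. Action: Allow. Rule Collection: Allow-All-Log. Rule: Allow-Everything",
    "HTTPS request from 10.10.1.5:51301 to auth.example-crm.com:443. Action: Allow. Rule Collection: Allow-All-Log. Rule: Allow-Everything",
    "HTTPS request from 10.10.1.6:51400 to app.example-crm.com:443. Action: Allow. Rule Collection: Allow-All-Log. Rule: Allow-Everything",
    "HTTPS request from 10.10.1.6:51401 to files.example-sftp.net:443. Action: Allow. Rule Collection: Allow-All-Log. Rule: Allow-Everything",
    "HTTPS request from 10.10.1.4:51250 to updates.example-tool.com:443. Action: Deny. Rule Collection: Deny-All-Log. Rule: Deny-Everything",
    "HTTPS request from 10.10.1.4:51251 to updates.example-tool.com:443. Action: Deny. Rule Collection: Deny-All-Log. Rule: Deny-Everything",
    "HTTPS request from 10.10.1.40:51250 to updates.example-tool.com:443. Action: Deny. Rule Collection: Deny-All-Log. Rule: Deny-Everything",
    "TCP request from 10.10.1.40:49876 to 10.20.0.5:445. Action: Deny. No rule matched. Proceeding with default action",
]


def parse(lines):
    """One dict per parseable line; default-action denials carry no rule collection."""
    rows = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["coll"] = row["coll"] or "(default action)"
            rows.append(row)
    return rows


def deny_triage(rows):
    """Query 1: denials keyed like the KQL summarize, most frequent first."""
    keys = ((r["src"], r["dst"], r["port"], r["proto"], r["coll"])
            for r in rows if r["action"] == "Deny")
    return Counter(keys).most_common()


def host_denies(rows, target_ip):
    """Query 2: exact match on the source IP. A substring test ('10.10.1.4' in msg_s)
    also matches 10.10.1.40, which is why the KQL re-checks SourceIP == TargetIP."""
    return [(r["dst"], r["port"], r["proto"]) for r in rows
            if r["action"] == "Deny" and r["src"] == target_ip]


def registrable_domain(fqdn):
    """Crude grouping key: the last two labels. Extend for multi-part suffixes (co.uk)."""
    return ".".join(fqdn.split(".")[-2:])


def baseline_collections(rows, first_priority=200):
    """Query 3 plus the export step: allowed HTTP(S) FQDNs outside the documented
    namespaces, grouped by registrable domain into Customer-* skeletons, busiest first."""
    hits, hosts = Counter(), defaultdict(set)
    for r in rows:
        if r["action"] != "Allow" or r["proto"] not in ("HTTP", "HTTPS"):
            continue
        if r["dst"].endswith(KNOWN_SUFFIXES) or re.fullmatch(r"[\d.]+", r["dst"]):
            continue
        domain = registrable_domain(r["dst"])
        hits[domain] += 1
        hosts[domain].add(r["src"])
    return [{"name": f"Customer-{domain.split('.')[0]}",
             "priority": first_priority + i,        # 200, 201, ... per the template
             "targetFqdns": [f"*.{domain}", domain],
             "hits": count,
             "uniqueHosts": len(hosts[domain]),
             "review": len(hosts[domain]) <= 2}     # seen from only one or two hosts
            for i, (domain, count) in enumerate(hits.most_common())]


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    for key, count in deny_triage(rows):
        print(count, *key)
    print(host_denies(rows, "10.10.1.4"))
    for c in baseline_collections(rows):
        print(c)
```

Two details worth noting: a default-action denial ("No rule matched") carries no rule collection name, so RuleCollection is empty for it in Query 1 as well, and a substring match on the target IP also matches longer addresses such as 10.10.1.40, which is why both Query 2 and host_denies re-check the parsed source IP exactly. The review flag reproduces the rule of thumb above: destinations seen from only one or two hosts get a closer look before they are allowed.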