SNS1693 Changes to Microsoft O365 Subscribed Lists - MWG - What If I'm Not Using all Lists?
SNS1693 describes in detail how Microsoft has changed the delivery of updates to their endpoint lists for various Microsoft O365 services. Please familiarize yourself with that article and the Microsoft article before proceeding further!
Microsoft changed the delivery mechanism from XML to a REST API. This in and of itself would not have changed the operation of the subscribed lists. What has impacted operation is that Microsoft also drastically changed its endpoint groupings with little advance notice. To maintain the best compatibility with existing related subscribed lists, McAfee has mapped the new groups and endpoints to the best match in the existing subscribed lists. However, as noted in the article:
"Depending on what services are allowed in the Office 365 Bypass rule set (or depending on what lists are used in the customers policy), services previously blocked might be allowed or services previously allowed might be blocked. To ensure that all Office 365 services are allowed, consider using the official Office 365 Bypass rule set from the rule library and enable the bypass for all services."
Following this directive may not be possible for all customers. The MS lists include numerous third-party site URLs and IPs that a given customer may wish to filter instead of bypassing. McAfee encourages customers to continue using their existing dynamic rulesets (using subscribed lists). However, if following the directive of using all O365 subscribed lists is not immediately viable due to the risk of unanticipated mapping changes without adequate time for testing, please contact support and request assistance. Support can help develop a ruleset that includes "static lists" based on the final MS XML source. You will need to provide the specific lists that are needed.
Depending on your needs, you could run the static ruleset above your current dynamic ruleset (the one using the dynamic subscribed lists) and then implement custom logging in your dynamic ruleset. This allows your system to continue bypassing everything that is currently being bypassed, while still adding new endpoints and logging when Microsoft makes dynamic endpoint changes. Note that logging will not work in WGCS, but the other static rules and dynamic rules will work in WGCS.
The attached ruleset is an example but does not include all lists.
The first subordinate ruleset (Bypass Microsoft (Office 365) Services (Static OLD)) uses static lists generated on request by support. The second subordinate ruleset (Bypass Microsoft (Office 365) Services), the one that uses the subscribed lists dynamically, was modified from the original to add logging (actions changed to Continue; logging and Stop Cycle added as rules at the end).
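With the static ruleset placed above the dynamic one, only traffic that falls through the static lists reaches the logging rules. The following added example (not McAfee or Microsoft code) shows an offline way to preview that gap by listing the dynamic entries your static lists do not cover. It assumes the dynamic data is in the JSON shape of Microsoft's endpoint web service and that static lists are plain host and CIDR entries; the sample data, function names and wildcard semantics are assumptions, and MWG's own list matching may differ.

```python
import ipaddress

# Constructed sample shaped like Microsoft's endpoint web service JSON
# (fields id, serviceArea, urls, ips). All values are illustrative.
DYNAMIC = [
    {"id": 1, "serviceArea": "Exchange",
     "urls": ["outlook.office.com", "*.mail.example.net"], "ips": ["192.0.2.0/25"]},
    {"id": 2, "serviceArea": "SharePoint",
     "urls": ["*.sharepoint.example.com"], "ips": ["198.51.100.0/24", "2001:db8::/48"]},
    {"id": 3, "serviceArea": "Common", "urls": ["cdn.thirdparty.example.org"]},
]
# Constructed static lists (assumed exported as one entry per item).
STATIC_HOSTS = ["*.office.com", "*.sharepoint.example.com"]
STATIC_NETS = ["192.0.2.0/24", "2001:db8::/32"]

def host_covered(host, patterns):
    """True if a static entry equals host or is a wildcard parent of it."""
    host = host.lower()
    bare = host[2:] if host.startswith("*.") else host
    for p in (p.lower() for p in patterns):
        if p == host or (p.startswith("*.") and bare.endswith(p[1:])):
            return True
    return False

def net_covered(cidr, static_nets):
    """True if the CIDR block lies entirely inside one static network."""
    net = ipaddress.ip_network(cidr, strict=False)
    for s in static_nets:
        s = ipaddress.ip_network(s, strict=False)
        if s.version == net.version and net.subnet_of(s):
            return True
    return False

def uncovered(records, static_hosts, static_nets):
    """Entries only the dynamic ruleset would bypass: (serviceArea, id, entry)."""
    out = []
    for r in records:
        for u in r.get("urls", []):
            if not host_covered(u, static_hosts):
                out.append((r["serviceArea"], r["id"], u))
        for ip in r.get("ips", []):  # some records carry no "ips" key
            if not net_covered(ip, static_nets):
                out.append((r["serviceArea"], r["id"], ip))
    return out

if __name__ == "__main__":
    for area, rec_id, entry in uncovered(DYNAMIC, STATIC_HOSTS, STATIC_NETS):
        print(f"{area:<12} id={rec_id:<3} {entry}")
```

Entries reported here are the ones to review as candidates for filtering rather than bypassing, since they are the ones the dynamic ruleset alone would let through.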