S5E20 - MDE Device Discovery - Find those unknown devices

May 31, 2024 | 44 min | Season 5 | Ep. 20

Episode description

Alan and Sam talk about why it is important to monitor your network for connected devices. Alan runs us through the benefits of doing it with Microsoft Defender for Endpoint. Here are a few areas we covered:

  • Why is it important to monitor your network?
  • How can you find devices using Microsoft solutions?
  • What are the benefits of devices being discovered and searchable in the Defender XDR portal?
  • How is it licensed?

What did you think of this episode? Give us some feedback via our contact form, or leave us a voice message in the bottom right corner of our site.

Transcript

Hello and welcome to the Let's Talk Azure podcast with your hosts Sam Foote and Alan Armstrong. If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals.

It's episode 20 of season five. Sam and I had a recent discussion around blind spots in your environments. We had a talk about why discovering devices in your network is so important and how you start to get visibility. Here are a few things we why is discovering devices on your network important? How can you find devices using Microsoft technology? What are the benefits of being discovered, of finding discovered devices and providing the information into Defender XDR and how is it licensed?

We've noticed that a large number of you aren't subscribed. If you do enjoy our podcast, please do consider subscribing. It would mean a lot for us for you to show the support to the show. It's a reggae episode, so let's dive in. Hey, Alan, how was your holiday? Hey, Sam. It was good. Busy being on the beach and at the hotel and things like that. All right. How was your week?

All right, enough of that. We don't, we don't want to hit. Well, we do because I asked the question, but yeah, we don't. I don't think we want to know the answer, that's for sure. I'm glad you had a good week. Did you, did you have enough time in your week to fully digest, build?

No, don't think I had a quick look. Quick look at it. There's definitely a few things that caught my eye on there, especially around here. Copilot for 365. About this new Teams Copilot coming into play. Oh yeah, that sounds interesting. What's the general sort of, you know, feature there?

It's almost like a, it kind of feels like a, or what they're suggesting it is, is like a, an AI assistant for, for, I'm not going to say just for you as an individual because that's kind of what copilot for 365 is. But for your team or for your department, it sounds like you might be able to give it tasks and then it can facilitate meetings in group collaborator, you know, get more out of the chat. So actually getting us to talk about things and also maybe help with some of those assigning tasks and deadlines and things like that, like some project management sort of capability. Sounds really interesting.

That sounds slightly scary, but we should just adopt our new, you know, LLM overlords, I assume, right. That largest AI supercomputer in the cloud needs to be used for something. I suppose so. Let's let's just automate all the things I suppose. Yeah. Did you see anything that quickly caught your eye?

I did really like the reference architectures and landing zone accelerators that they had for sort of AI, sort of intelligent applications. I thought that was good because how you actually integrate them into your organization is really important. Azure AI Search has been updated with a bunch of, I did that episode last week that got a load of really good updates as well. Azure AI Studio is now GA, which is I think a really big stepping stone because a lot of organizations want to see that GA, you know, in service maturity before they really, you know, put these systems into production and things like that. So yeah, just again, tons of for us mainly AI driven, you know, updates.

Yeah, you, no, there's definitely, I think. Our next episode is news, isn't it? So I think the next news one will cover build and everything else we know from May. We might need 2 hours for that one, maybe potentially. Yeah. You're joking right? Okay, what do you think? We need three, probably do need two, but we've got to try and. Yeah, yeah, we'll try and just pick. Well I think our episodes are always meant to be 30 minutes when they, but we never.

Right Alan, on that note, what are we covering this week?

Yeah, so talking about device discovery in your, on your network sort of environment. So you know there's, there's loads of tools out there to detect this, you know, but this is looking at it from a, you know, why, you know, I guess from a first point of view why it's important. But then you know, how can you do it with, with some of the Microsoft capability you might already have today and then bringing it into the Defender XDR portal and what benefit there is there for it for your SOC analysts and things like that. So yeah, that's what we're going to try and cover today.

Okay, so should we start with, you know, network visibility and why it's important to have visibility of what's on your network?

Yeah, so I guess a lot of organizers might have something in place but from, maybe it's the smaller organizations or it can still be, you know, the large enterprises. There is an assumption that you know, what's on your network and what's on each subnet, you know, or virtual network, things like that. And you know, you've put controls in place of where you can, you know, connect to those networks and things like that and you know, what's plugged in. But in sometimes you can be surprised about what actually is on your network. And we've seen this with. We kind of see this from the Iot side or the ot side of sort of networking that we know what should be on those networks. Yes, there's different security sort of mechanisms around that side. But you know, what hardware is on there because it's part of your factory, things like that. But you don't know if that when this piece of hardware was replaced, whether it was actually removed from the network or it's just sat there waiting to be disconnected. So it's kind of bringing that sort of, I guess, concept of understanding what's on your network as a potential attack vector there, you know, having a device that could be compromised and then you have access to your network. Bring that to the it side and this would. It kind of covers a lot of areas. This could be, you know, network hardware. You know, your switches, your access points, things like that. You know, maybe again, you might have decommissioned one of your access points or your switches, but actually it's still out there. And you didn't realize because, you know, change. Change has happened. It's been decommissioned. You're not supporting it anymore, but you might. There might still be vulnerabilities on it and, you know, potential, you know, a way of, you know, a bad actor, you know, having access to the network to do additional, you know, reconnaissance and things like that. So I think that's kind of why it's important. 
It's kind of validating what you believe is on there and then what is actually there. We've had, I think, in engagements where we've done discovery. We found devices that shouldn't be on the network. You know, we found Xboxes, PlayStations that are plugged into the corporate network where someone's brought it in and put it into the cafe or the recreational area and it's hooked up to the network. You know, it's another, you know, add, you know, it's another area, you know, another device that could be compromised that you don't have any control of. So, yeah, I mean, you know, just find those devices. But it's also find these rogue. Your rogue devices that potentially trying to, you know, attack, attack your. Your infrastructure. You know, maybe someone has come into the office and plug something in again. There is tooling out there, you know, network detect NDRs, network detect response solutions that are finding, you know, and stopping stuff from being on your network. Especially if you've got a, you know, you're using something like 802.1X to do that sort of verification and things like that. On your, on your networking. But some organizations might not be, might not have that configured or might not be big enough to warrant, you know, the hardware to support that. So yeah, that's kind of, you know, the reasons why it should be. It's important to see that visibility. You know, you're, you're reducing your blind spots to what, you know, is happening in the environment you're using. I mean, to be fair, you know, organizational networks might be getting slightly smaller because a lot of users now work from home and maybe it's just data center or maybe headquarters that maybe has a network. Now we have seen organizations now change their networking at maybe remote sites, hubs, things like that to just be plain Internet because we secure them to work from home. So securing a plain Internet site is the same. You don't have to duplicate or add extra security there.

So yeah, yeah, I'm guessing that. Is it fair to say that smaller organizations are less likely to have those more premium and expensive NDR solutions?

Yeah, yeah, I think, I think a lot of them need, you know, quite a large investment. Some of them might, may need large investments into appliances, things like that, to run on a network that maybe only has, you know, 5100 users on it. Maybe, maybe, you know, maybe a little bit more. And it doesn't warrant the, the cost of the appliance and things like that to manage that network. Or again, they might not deem there being a risk there as well. I mean that's, you know, because they're so small, you know, it might not be deemed that it doesn't warrant the, you know, the cost to sort of put that solution in there. Again, it might be how much, you know, how often is someone, you know, how many, how many, how often is all the staff in the office as well, things like that, you know, might not be any maximum of like 50 day maybe, who knows? But yeah, it's probably a cost to entry for that sort of stuff.

Do you think that organizations even at large size are actively having an inventory and tracking against it like on a daily basis and reviewing it? I suppose if they got this tooling, that might help automate some of that, I suppose, yeah.

So we've seen, seen in some scenarios where an NDR is required for cyber insurance. We have seen that in a few instances to understand what's on the network and things like that. And I think they were quite large organization at that point. But yeah, I don't know about having inventory. And again, this is kind of where I was going with previously, you know, I don't think there is in some organization, you know, continuous inventory or continuous monitoring of that, you know, of their network environment. There may be audits, things like that to understand what's on there. I mean, you don't get me wrong, you'll be able to detect some of it via DHCP leases and things like that. But just get an IP address of a device and maybe its name doesn't really give you much, much intel, but what it actually is on there. And some of these NDRs give you that capability to understand what it actually is, what type of hardware it is.

Okay, so, yeah, can you just talk us through how we sort of do get discovery of these devices and what technology Microsoft's got in this space?

Yeah, so this has changed over the last year on and off. But in effect what you can do with Microsoft technology, one is, I guess if you're in the OT space, is really to use Defender for IoT because that is in effect, its job, in effect is to discover what the endpoints are in secure understanding, not just the inventory, but understand the communication between all the devices, things like that. And look for unusual behavior or unusual activity in there. So that would recover your, your OT side. I mean, technically you could probably hook it up to your IT side, but it's going to cost you quite a bit to do. And it's not really designed for that, is it, Sam? Really, it's more looking for the OT protocols and things like that.

Yeah, I can remember when we first started getting, sort of started with Defender for IoT, when we spoke to Microsoft, they suggested that the OT side of it, just to keep it on the OT side, and they did have a different solution to that. But I suppose you're probably going to talk about that, that as well.

Yeah. Yeah. So that's probably the OT side. So now for the, for the, for the IT side really we can use now is device discovery in Defender for Endpoint. So what this is, and this is what's changed recently is that in effect, any Defender for Endpoint agent that's on a Windows 10, 11 or 2019 and 2022 Windows Server, that is, those last two has the ability to do a couple of discovery methods. And this is basic and standard. Basic in effect is just gathering information. So when devices on the network broadcast or try to communicate with a Windows endpoint that's got Defender for Endpoint on it, that initial communication is collected or that broadcast is collected, that is then sent up to Defender XDR and then that is processed to understand what type of device it is. So maybe that device was a Chromecast that is broadcasting that, you know, it's able to do, you know, casting same thing for maybe an Apple TV for AirPlay and things like that. So yeah, in that basic mode, it's in effect collecting the network data and traffic and trying to understand what type of, you know, devices they are. When it's doing that basic, it's kind of looking at a couple of, well there's, there's a, there's a list of sort of protocols that it's not sort of listening to but just to kind of do a couple of them. You know, you've got ARP requests, DHCP requests, mDNS, MS SQL, just generally TCP stuff and UDP. So yeah, just listen to that traffic trying to understand what the data is and what's in those headers and things like that. That the device is provided or sent to the Windows endpoints. So that starts getting you that sort of initial list of endpoints. So now you have standard discovery. Now standard discovery basically does the same thing, but, but it also then can then actively probe those endpoints. 
So what that does then is instead of just receiving the ARP request and things like that, it will then go and look to see if it can ping the endpoint to see if it's still there by the hostname it's been provided or by its IP address, it will then look to scan or check some of the ports out. And this could be SNMP, SSH, Telnet, UPnP, SMB to kind of understand what, you know, what that device is, is what services it might be providing. And some of the things like I think it does, you know, it can try and do WinRM against it or look at VNC and basically it will go and ask that device in effect see if it can get some more information out of it. So we'll try and get, you know, do you know, find out if it's a Windows endpoint or if it's, you know, like I said, the Chromecast or your Samsung or LG TV. Collect that information and then give you more rich, rich context. And where the device provides it gives it up, depends on how you want to see that. It might give you the operating system it's running and the version is on. So when it gets that information that can then be provided up to, up to Defender XDR and you can see in effect your asset list there. Same thing for network devices. You know, it will detect, you know, network devices that you're going through, you know, things like that. So one thing I guess some people might be thinking about is well if these devices always probing, surely that's going to cause more network traffic. Or if I've got an NDR in place, you know, it's going to cause, you know, false positive alerts of my devices in effect, you know, doing reconnaissance on its, you know, on the network kind of thing. What Microsoft have done is that they're not continuously probing all of the endpoints. I think they do it every two weeks and it's also spread out against all of the agents on that network. So if you've got 20, 30 Windows or Windows servers on a network then it will share that probing across them over two week period. 
So it's very one, not network intensive, but two, it's not hopefully triggering too much of an NDR to say this device is now probing everything on the network. So that's how Microsoft Discovery previously for the networks where there isn't a defender for endpoint agent, so say you've got a VNET or a subnet that's got your CCTV system on it or your VoIP phones is another good example. And you don't have a defender for endpoint agent at the moment. You're not able to reach out into those environments and scan them. Previously Microsoft had an enterprise IoT sensor which in effect was a cut down version of the OT sensor which is why I talked about it previously. And in effect what that would do is you could port mirror your switches to that server for those subnets. So then you could just in effect do basic discovery equivalent, um, for those subnets. Um, so you know, if you've got a switch or you know, core switches or things like that where everything's going through, you could have it all go to a single box or multiple boxes in multiple locations in effect. So yeah, we're waiting to see what, what Microsoft do around, you know, covering those other areas. Now. They still, they're still supporting the, the enterprise Iot sensor, but we can't create new ones today. And I think this might just be round. They changed the licensing for Defender for the sort of device discovery parts, especially the enterprise it part. So I think they're just trying to work out how they can bring that sensor back into that, that new licensing. But yeah, that's how today we can do that discovery and in effect your asset list and things like that goes into Defender, Defender X into the defender XDR portal as assets.

And I suppose yeah, without that sensor. And we are waiting to see what happens on that side of things, I suppose. That's if you, if you think about sort of crown jewels and protecting those endpoints that do have MD on them, that's really where you might want to start. You might not get full visibility. That is where you might need some sort of other NDR technology potentially, I don't know, just a gap fill. Hopefully that's not the case forever. But it is probably fair to say that you're sort of looking after those more critical assets, aren't you, about, you know, what they can see and what can see them, if that makes sense.

Yeah, exactly. And those specific subnets will have, you know, firewall rules that only allow specific communications and things like that. You know, those subnets where, you know, VoIP phones are and CCTV cameras and things like that. You know, there is very specific networks. You know, it's not going to be like the, the LAN where your endpoints are because they've got to talk to various Internet services and all the ports you need for Defender for Endpoint and everything. So there are more things that potentially open and as you said, potentially a VoIP phone then trying to attack other Windows endpoints, things like that. If it was capable of, it's got to have those ports open to outside of it where you're right. If you've got IoT devices or other devices on the network on the same subnet as your Defender endpoint, then they can try to start navigating to the data center in effect from that network. Not to say, like you said, Sam, not to say they couldn't do it from the other subnets. But I think it's definitely more difficult for someone to get there or to get out of that subnet.

Yeah, exactly. You know, if you've got more of a static subnet that unless it only had like your CCTV system on it, you might be more aware of things joining that network potentially, you know, and like you say, have good segregation rules in place. So I assume where do the devices get represented? I assume it's in the XDR portal. So what's the benefits of having everything in one place?

Yeah. Okay, so the devices, you see your devices, your Windows endpoints, your Macs and things that are onboarding to Defender for Endpoint in the assets part of the Defender XDR portal. And you may have seen it or may not have seen it, but you've got tabs along the top in effects show network devices, IoT devices and uncategorized. So this is, this is where your device assets sort of live. So you start get to a list of them and with your device in mobile. If it discovers any endpoints that maybe you do own and that you do, you identify as being a device that you do support and things like that. It will tell you whether the device is able to be onboarded into Defender for Endpoint. So maybe there's a device out there that you're using for that's maybe not on the network but on the domain that maybe will use for guests to project in the conference room or something as a very bespoke sort of reason because you probably use some sort of Teams Room system now today. But say there is something like that, it will identify devices like that that, you know, maybe Defender for Endpoint has been deployed, check, it's been missed. So that's one benefit of identifying assets that could be onboarded into Defender for Endpoint. Kind of. The second part is that when you detecting your network side of things, your network devices, again, sometimes they give up some information about their software, which means then that you can get vulnerability information about it is that version of the OS got critical vulnerabilities on it, in it, things like that. Network appliances or network devices are slightly different in that they tend to not give you much information for sort of obvious reasons. You can do authenticated scans against them using SNMP, so you can actually get that extra information from them to then understand, to get that full information. And then Microsoft Defender Vulnerability Management will then be able to, you know, provide you with, you know, recommendations to, to update them. 
And like I said before, you know, Iot devices, your printers, your cameras, your chromecast, your tvs, all that sort of stuff that goes into that category and you can put tags against them. So you can, you know, say, yes, I know about this device, you know, because it's the, it's the tv in the, in the conference room. But again, one thing you can get is if it gives you enough information, the sort of part of defender for endpoint, which is sort of enterprise Iot part, you can get vulnerability information about IoT devices and recommendations. So there's some extra sort of vulnerability information and threat intelligence there that can be brought into defender for endpoint just for IoT devices there. And then uncategorized in there is just really devices that have been found and are still being processed, in effect, to understand if they're a piece of Windows machine or Windows Mac or desktop or laptop that can be used, if it's a network device or if it's an IoT device, it's just still not enough information to add it to those other categories, in effect. So, so at one point, you know, you've got all of those, that information in, in. No, in a portal for you to see. One benefit to this is that say there's an incident or. Yeah, let's say there's an incident within the Defender XDR portal defender endpoints picked up something trying to ssh. It's, you know, one of the machines, one of the servers, the Linux servers, it's been deemed unshrink those times. There's no passwords. If you didn't have this information, you know, about IoT devices, you just get an IP address saying IP address 172-23-4633 is doing SSH against me. So now as a, as an analyst you've now got to go and ping that machine, go and work out what it is, get it's, you know, get its name if you haven't got it, you know, you've got to do a load of research into finding out what type of device is it. You know, is it a Linux machine that's trying to do SsH? Is it someone's, you know, device? 
You just don't know. But now, because you've got this asset information against IP addresses that incident now says hey this is a printer. So now you kind of saying well why is a printer now trying to do SSH when it shouldn't be? I do that capability in effect. So now you've got reason to believe that that device has now been compromised. So now when you need to, you can go and put a firewall rule in on your network to block it if you can, or someone on the site now has to go and disconnect it or switch it off because now you know it's a printer and not something random in the office. So that's one great sort of benefit there. The other one which sort of ties into that is that in Defender for Endpoint if a device, MDE device is compromised, you can isolate that device to stop it communicating out with this. What you can do is now you've got those assets in there, you can actually set it to contain that device. Now what that means is yes, that device can still communicate on the network and go out to the Internet if it's got the network set up to allow it straight out to the Internet. But every MDE device now is then sent a firewall rule that you don't see it's all built into MDE to stop communication with that device if it tries to communicate with it. So in effect you contain it from your other MDE endpoints. And that happens, I think Sam we worked out it's like 30 seconds to a minute when it, last time we tested it. When a device is connected to MDE it's like near, near real time communication.

Yeah, it is absolutely rapid, basically instant. It's about 15, 20 seconds slower than device isolation which is like 3 seconds or something, isn't it, when we last seen it? Yeah, exactly.

But still insane from doing it. So yeah, so now you've got a device that your printer can now not communicate with any defender for endpoint device. So even if someone wants to print to it, communication is blocked from it. You can uncontain it as well. Once it's been resolved. As part of that though defender for endpoint because it's in effect scan the network and things like that, it will try to follow its ip address. So if, you know, if a bad actor is, has got a device on the network maybe it's been planted as a, I guess a severe case of trying to get access to the network. They're trying different Mac addresses to try and get a different IP address or just doing static ips maybe. So they're not seen as much, you know, defender for endpoint will try and track that device as best it can and change the firewall rules that been deployed to the endpoints to keep you know, that device from being, you know, allowed to communicate with them. So. But yeah I think that's, that's crazy powerful that contain.

Yeah, agreed. Yeah. And it's, it's, it's a disruptive response action isn't it as well, which is it's not just visibility, it's actually taking action and remit, you know, disrupting attacks.

Yeah. You just got to be cautious comment if you can or can't do this. But you'll be cautious not to do your, your router on that subnet because obviously then you can't communicate with it to get out to the Internet to resolve the endpoints. That's more of a seC administration task to make sure that you do check what the endpoint is and what disruption it might cause with it. That's great. So yeah, how do you get started on.

Yeah, okay, so you need the first for some of it and I guess we'll kind of talk about, we won't talk about license just now, but in effect if you got the licensing for some of that capability then, then by default some of it is turned on now. So within Defender XDR portal you have to have Defender for endpoint on the endpoints and in effect there is a section in the settings for device discovery. And that's where you can specify what type of scanning you want to do. Basic and the standard standard is now turned on by default. With new tenants, you can specify which devices scan and which don't. So you can set all devices and then you can exclude others if you want to. You can specify what networks you might want to scan. So it will detect some networks based on the, you know, the DNS of that network. So if you've got a domain it will say contoso local or things like that. And maybe there's some other ones in there that you're unsure about, you can stop them from being scanned. And again, like I said, there is authenticated scan for your network hardware. That's all in the same sense. So just configuring some on your switches and routers and your other network appliances, you know, SNMP connection and then providing that into the scanning solution. I mean for the authenticate scan you do deploy a scanner to an MD device to do that scan specifically, but that is not sort of a specific scanning of a device at that point. And then depending on your licensing then you can, there's also a bit where you can enable the enterprise IoT part which gives you that extra threats, threat intelligence and vulnerabilities for IoT devices in effect. And recommendations. So you do get some recommendations. I didn't really talk about those, but actually, you know, alerts are going into defender XDR like, you know, the rest of the sort of defender suite. 
But then it does give you some record security recommendations like Telnet manage, Telnet's been enabled on that device or you know, disable Telnet insecure protocols like SNMP v1, v2 have been enabled and you're not using v3, VNC is enabled on that device, maybe it shouldn't be. So you do get some of those recommendations as well. But yeah, it's pretty simple to set up as long as you got, I think it's, you know, two MDE agents on the same network, they will, you know, deem themselves being on a corporate network and then scan, scan that network. Cool.

And I suppose the million dollar questions is how is it licensed?

Okay, so this, like I said, this changed. So if you've got Microsoft 365 E5 or Microsoft 365 E5 Security, then you've got the enterprise IoT included. Well you've got a subset of devices there for the IoT side, but device discovery is included in MDE Plan 2 in effect. Generally if you want the extra enterprise IoT threat intelligence and vulnerability sort of information. If you've got either of those SKUs I just mentioned, then you get five IoT devices for every MDE. Three, sorry, E5 or E5 Security SKU. So if, you know, if you've got 100 M365 E5, then you've got 500 IoT devices that you can get that vulnerability information for. If you go over that number, then it is eighty five cents per device per month for that intelligence there. But you, some organization quite large. So you know, if you've, you can get quite a few IoT devices to be covered. So yeah, most of the functionality is within the MDE Plan 2. It's just the enterprise IoT stuff. Like I said, is additional cost always included in some of those other licenses. So that's pretty much it. It's kind of included there. We're seeing a lot of, yeah, a lot more information coming in. Microsoft recently got some of the Zeek sort of capabilities sort of coming into Defender for Endpoint. So that's going to help with some of that sort of building out of, you know, an NDR solution at least built into this sort of, you know, in this, into the Defender sort of environment. I think that's the start of it, at least.

Nice. Yeah, well, it seems really well integrated. And, you know, as long as you've, you know, I don't know. Do you really see that people are really gonna, you know, hit that limit and have to buy more licensing? It's quite a generous ratio, isn't it?

Yes. Yeah, I don't think, I don't think from what I've seen of the environments that that limit will be hit. But you don't know if an organization has a lot of, you know, a lot of ot in an environment. Maybe it's, I mean, you got, you're saying that there's more than five devices per. Five IoT devices per user at this point. I mean, it's quite, know what they could have to have, you know, I. Can imagine that might be the case in very small companies. Yeah.

You know, where they maybe have very flat networks. Well, okay. That's the flatness of the network. Doesn't really matter if that sensor comes back, I suppose. Right. But they still have some of the operational requirements and IoT requirements that large organizations have. Right.

Yeah, yeah. It's probably smaller is where there's probably gonna be a bit more of a concern. But I think, you know, depending on what licensing you might have, I think that's also why they've, they've got the per device cost as well. There yeah, exactly. Yeah.

For, you know, covering those extras, they might have, might only be three or four. You need might in it. And that's, you don't know, again, it's one of those things. You don't know how many devices you got until you get it scanning. So. Yeah. Nice. Anything else that you want to cover, alan?

No, I don't think there is. Again, this is just like a small part of defender for endpoint, which is kind of morphed into defender XDR now. And, you know, I think we've talked about some of these products very high level and it's just like a small section. But yeah, it's really easy to sort of get started. Again, those devices go into the device inventory list in the tables in KQL. So you can build, potentially can build queries to detect, you know, new devices or, you know, get a, get a summary of what type, you know, what's the type of device I've got from an Iot perspective. So you can do some quick, easy reporting on there as well.

Okay, cool. Thanks, alan. That was great. Any previous episodes you want to call out. And not off the top of my head because it's probably a defender for endpoint one. Well, in fact, there's a vulnerability management one. So season five, episode seven, that probably ties into some of it. In season five, episode four actually is defender for Endpoint. So that's just the general capabilities in those with this just being specifically on.

Device discovery and what we're going to cover next time, what's in the next episode.

So next episode, as we mentioned at the start, is going to be our news episode. So it's probably going to be probably a fair bit of build because a lot of things have come out on that and. Yeah. Anything else that's come out of the other sort of solution because there's also, I think, RSA a couple of weeks ago as well. So there's probably a few security ones as well that we need to talk about. Okay. So did you enjoy this episode? If so, please do consider leaving us a review on Apple Spotify. This really helps us reach out to more people like you. If you have any sick feedback or suggestions, we have a link in our show notes to get in contact. Yeah.

And if you've made it this far, thanks ever so much for listening, and we'll catch you on the next one. Yeah, thanks all. Bye.

Transcript source: Provided by creator in RSS feed