
Microsoft Defender for Endpoint Deployment

Overview

Deployment of HYAS Protect via Microsoft Defender for Endpoint (MDE) is made simple through our self-service option within the HYAS Protect UI. Follow along as we walk you through it, step by step.

Prerequisites

Integration Architecture

  1. Data Collection by MDE: Once the integration is installed, MDE begins collecting data from various sources on your machines. This includes critical information from Device Network Events and Device Events within the Microsoft Security Center.

  2. Data Streaming to HYAS Protect: The collected data is streamed via an API to an Event Hub. HYAS Protect then retrieves this data for analysis. Specifically, it examines DNS queries to provide security verdicts.

  3. Verdict Enforcement: HYAS Protect’s verdicts—whether based on Categories, Rulesets, Lists, or the Decision Engine—are passed along to MDE for enforcement (assuming blocking is enabled). This ensures that all unsafe domains identified by HYAS Protect are blocked effectively.

  4. Enabling Blocking (Optional): The final step involves enabling the Blocking feature. While optional, this feature empowers MDE to act as the enforcement mechanism, blocking traffic to all domains deemed unsafe by HYAS Protect.
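To make the data flow in steps 1 and 2 concrete, here is an added example (not HYAS Protect’s or Microsoft’s code) that reads one Event Hub message and pulls out the domains HYAS Protect would examine. The envelope (a `records` array with `category` and `properties`), the `DnsConnectionInspected` action type and the `AdditionalFields["query"]` layout are assumptions about the Streaming API format, and every value in the sample is constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of one Event Hub message as written by the Defender XDR
# Streaming API. Assumed envelope (not from the HYAS page): a "records" array
# whose entries carry "category": "AdvancedHunting-<Table>" with that table's
# columns under "properties". Every value below is made up.
SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2024-01-15T10:00:00Z", "category": "AdvancedHunting-DeviceNetworkEvents",
     "properties": {"DeviceName": "ws-01.example.corp", "ActionType": "DnsConnectionInspected",
                    "AdditionalFields": json.dumps({"query": "cdn.example.net", "qtype": "A"})}},
    {"time": "2024-01-15T10:00:01Z", "category": "AdvancedHunting-DeviceNetworkEvents",
     "properties": {"DeviceName": "ws-02.example.corp", "ActionType": "ConnectionSuccess",
                    "RemoteUrl": "https://login.example.com/oauth2/token", "RemoteIP": "203.0.113.10"}},
    {"time": "2024-01-15T10:00:02Z", "category": "AdvancedHunting-DeviceNetworkEvents",
     "properties": {"DeviceName": "ws-02.example.corp", "ActionType": "ConnectionSuccess",
                    "RemoteUrl": "", "RemoteIP": "203.0.113.11"}},
    {"time": "2024-01-15T10:00:03Z", "category": "AdvancedHunting-DeviceEvents",
     "properties": {"DeviceName": "ws-01.example.corp", "ActionType": "PowerShellCommand"}},
]})

def _domain_from_url(remote_url):
    """Reduce a RemoteUrl value (bare host or full URL) to a lower-case host name, or None."""
    if not remote_url:
        return None
    parts = urlsplit(remote_url if "://" in remote_url else "//" + remote_url)
    return (parts.hostname or "").lower() or None

def extract_dns_queries(message):
    """Return (device, domain, action_type) for every DeviceNetworkEvents record
    that names a domain; DeviceEvents and records without a host are skipped."""
    found = []
    for rec in json.loads(message).get("records", []):
        if rec.get("category") != "AdvancedHunting-DeviceNetworkEvents":
            continue
        props = rec.get("properties", {})
        action = props.get("ActionType", "")
        if action == "DnsConnectionInspected":
            # Assumed column layout: the looked-up name sits in AdditionalFields["query"].
            extra = json.loads(props.get("AdditionalFields") or "{}")
            domain = (extra.get("query") or "").lower() or None
        else:
            domain = _domain_from_url(props.get("RemoteUrl"))
        if domain:
            found.append((props.get("DeviceName", "?"), domain, action))
    return found

if __name__ == "__main__":
    for device, domain, action in extract_dns_queries(SAMPLE_MESSAGE):
        print(f"{device}\t{domain}\t{action}")
```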

Deployment

Step 1 - Provision an Azure Event-Hub

  1. First, select the Region you’d like the Event-Hub to be hosted in.

    1. We provide options in both the US and Europe.

  2. Now, select a Partition Count. The default setting is 4, which will be sufficient for most organizations. If you anticipate a large volume of DNS requests, you may increase this number to provide better performance.

  3. Finally, enter the MDE Admin’s email and select ‘Provision’.

  4. After clicking ‘Provision’, you receive one of two notifications letting you know whether deployment was successful.

    1. If your provisioning fails and errors persist, please contact HYAS Customer Support.

Step 2 - Update Microsoft Security Center

Now that you’ve created an Event-Hub, you must update your Microsoft Security Center to push data to that hub. This will be accomplished through the following steps:

  1. Log into Security Center and navigate to ‘Settings’, ‘Microsoft Defender XDR’ and then ‘Streaming API’.

  2. Click ‘Add’.

  3. Name your Streaming API.

  4. Enable ‘Forward events to Event Hub’.

  5. Enter the ‘Event-Hub Resource ID’ and ‘Event-Hub name’.

    1. The ‘Event-Hub Resource ID’ and ‘Event-Hub name’ can be found under ‘STEP 2’ of the MDE self-service page in HYAS Protect as ‘Resource ID’ and ‘Event-Hub Name’ respectively.

  6. Under ‘Event Types’, expand the ‘Devices’ section and select ‘DeviceNetworkEvents’ and ‘DeviceEvents’.

  7. Click ‘Submit’. Defender for Endpoint will now save these incoming events in the Event-Hub.

Step 3 - Blocking Mode (OPTIONAL)

By default, the initial configuration of the MDE integration is set to Inspection Mode. This means that MDE will NOT enforce the blocks recommended by HYAS Protect. It is important that you confirm with your HYAS SE or CX team member before enabling Blocking (aka Protection) Mode. We HIGHLY recommend remaining in Inspection/Non-blocking mode until you’ve had a chance to review, via the UI, the blocks that would have been made. This greatly reduces the possibility of false positives (although rare) negatively affecting your organization.

If you wish to continue enabling Blocking Mode, you must first configure it in your Azure Portal:

  1. Navigate to the Azure Portal and search for ‘Microsoft Entra ID’ in the search bar at the top of the page.

  2. Once in the ‘Microsoft Entra ID’ section, expand the ‘Manage’ menu and select ‘App registrations’.

  3. Click the ‘New registration’ button at the top of the page.

  4. Name the application.

  5. Select ‘Accounts in this organizational directory only (Your Tenant)’.

  6. Click ‘Register’.

  7. Now that you’re in the application you just created, expand the ‘Manage’ menu and select ‘Certificates & secrets’.

  8. Click the ‘New client secret’ button.

  9. Specify the description and expiration (recommended: 1 year).

  10. Click ‘Add’.

  11. Copy the ‘Secret value’ now (it is only displayed once); this value will be entered into the HYAS Protect UI in a moment.

  12. Select ‘API permissions’ from the left navigation pane.

  13. Click ‘Add a permission’.

  14. Choose ‘Microsoft Graph’ and ‘Delegated permissions’:

    1. In the Request API permissions pane, select ‘Microsoft Graph’.

    2. Choose ‘Delegated permissions’.

  15. Select the required permissions:

    • In the search box, type User.Read and select it from the list.

    • Similarly, search for User.ReadWrite and select it.

    • Click ‘Add permissions’ to apply these permissions to your application.

  16. Head back to the Overview page to copy the ‘Application (client) ID’ and ‘Directory (tenant) ID’.

  17. Navigate to the HYAS Protect UI and toggle ON ‘Blocking Enabled’ from the MDE self-service page.

  18. Next, enter the ‘Secret Value’, ‘Application (client) ID’ and ‘Directory (tenant) ID’ and click ‘Verify Access’.

  19. Once the verification is completed, you’ll receive a notification at the top of your screen indicating whether the verification was successful or encountered an error.

  20. If successful, click ‘Save’.

    1. Give the system 5-10 minutes and blocking based on HYAS Protect’s recommendations will be enabled.

Enable the Integration

  1. Finally, to enable the integration once everything has been configured properly, toggle the MDE integration to ‘Enabled’.

  2. Make sure that the ‘Allow HYAS to host the Azure Event-Hub (RECOMMENDED Default)’ box is checked.

    1. This will initiate the provisioning of a HYAS-managed Event-Hub, enabling troubleshooting and other support activities in case any issues arise.

    2. In the event you wish to host your own Event-Hub, uncheck this box and enter the information as listed above.

Managing Indicators

Adding Indicators

Indicators can be added to the MDE Domain Indicator List—and subsequently blocked by MDE—through any of the following five methods. Blocking must be enabled for this to function; see ‘Step 3 - Blocking Mode (OPTIONAL)’ above to configure blocking.

  1. HYAS Protect Decision Engine: The Decision Engine dynamically assigns a block verdict to a query, which is then reflected in the MDE Domain Indicator List.

  2. Categories: Blocked categories configured in HYAS Protect are mirrored as blocks in MDE.

  3. Rulesets: Custom rulesets created by your organization will be applied in MDE as blocks.

  4. Lists: Indicators from HYAS lists outside of the MDE List are automatically passed along to the MDE Domain Indicator List.

  5. Manual Entry: Users have the option to manually add indicators directly to the MDE Domain Indicator List in HYAS Protect.

Removing Indicators

Indicators added to the HYAS Protect MDE Block list can be removed in three ways:

  1. Manually via MDE: If you wish to remove indicators from the MDE Domain Indicator list, you may do so by navigating to your MDE Domain Indicator List and deleting accordingly.

    1. This will update the HYAS Protect MDE list.

  2. Manually via HYAS Protect: Log in to HYAS Protect > Protect List Management > MDE.

    1. Select the indicator(s) you wish to delete.

    2. Click on the Trash Can icon towards the top of the page.

    3. This will update the MDE Domain Indicator list accordingly.

When removing an indicator, whether through HYAS or MDE, it’s crucial to also remove it from any lists or rulesets it belongs to. If you don’t, HYAS will re-add the indicator to the MDE Domain Indicator List, causing it to be blocked again. 

Similarly, if the indicator was blocked by the Decision Engine or a Category block, you must add it to an allow list. Failing to do so will result in the indicator continuing to be blocked.

  3. Automatically: To help manage the size of your MDE Domain Indicator List, HYAS Protect automatically removes indicators from the MDE List that were added by the Decision Engine if they haven’t been detected in traffic for 180 days. This is the default behaviour and is not configurable.

    1. If you wish to continue to block these queries after the 180 days, you must add said indicators to a static (non-MDE) block list prior to the 180-day expiration.

    2. This affects ONLY the indicators added by the Decision Engine. If added via category, rulesets, other lists or manually, the queries will not expire.
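The removal rules above (an indicator re-appears while any list or ruleset still names it, Decision Engine and category verdicts can only be overridden by an allow list, and only Decision Engine entries age out after 180 days) are easy to get wrong during clean-up. This added example is a simplified model of those rules written for illustration; it is not HYAS Protect’s own code, and the sources, dates and domains are constructed.

```python
from datetime import date, timedelta

# Assumed, simplified model of the rules this page gives for the MDE Domain
# Indicator List; an illustration, not HYAS Protect's own code. Every source is
# a set of domains except decision_engine, which maps domain -> last-seen date.
EXPIRY_DAYS = 180  # Decision Engine entries expire after 180 days unseen (page)

def reconcile(today, decision_engine, categories, rulesets, lists, manual, allow):
    """Return the set of domains HYAS Protect would keep in the MDE list today."""
    wanted = {d for d, seen in decision_engine.items() if (today - seen).days < EXPIRY_DAYS}
    for source in (categories, rulesets, lists, manual):  # these never expire
        wanted |= source
    # An allow list is the only override for Decision Engine / category verdicts.
    return wanted - allow

def why_still_blocked(domain, today, decision_engine, categories, rulesets, lists, manual, allow):
    """List the sources that would re-add `domain` after it is deleted from MDE."""
    if domain in allow:
        return []
    reasons = []
    if (today - decision_engine.get(domain, date.min)).days < EXPIRY_DAYS:
        reasons.append("decision engine verdict (add it to an allow list)")
    if domain in categories:
        reasons.append("category block (add it to an allow list)")
    if domain in rulesets:
        reasons.append("ruleset (remove it from the ruleset)")
    if domain in lists:
        reasons.append("static list (remove it from the list)")
    if domain in manual:
        reasons.append("manual MDE entry (delete it in HYAS Protect or MDE)")
    return reasons

# Constructed state for a worked run.
TODAY = date(2024, 7, 1)
DE = {"old.example.net": TODAY - timedelta(days=200), "fresh.example.net": TODAY - timedelta(days=3)}
CATS = {"gambling.example.org"}
RULES = {"rule.example.com"}
LISTS = {"old.example.net"}  # keeps old.example.net blocked past its 180-day expiry
MANUAL = {"rule.example.com"}
ALLOW = {"gambling.example.org"}

if __name__ == "__main__":
    print(sorted(reconcile(TODAY, DE, CATS, RULES, LISTS, MANUAL, ALLOW)))
    # Deleting the manual entry alone does not help: the ruleset re-adds it.
    print(why_still_blocked("rule.example.com", TODAY, DE, CATS, RULES, LISTS, set(), ALLOW))
```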

