TEAM: Huntress Product Architecture
PRODUCT: Microsoft Defender for Business & Microsoft Defender for Endpoint
ENVIRONMENT: Microsoft 365
SUMMARY: This guide covers license requirements, device onboarding, deployment best practices, and verification steps for Microsoft Defender for Business and Microsoft Defender for Endpoint.
🛑 IMPORTANT: ACTION REQUIRED 🛑
This article provides instructions to configure MDE in the Huntress portal, but it is NOT a complete deployment guide.
CRITICAL ACTION:
- You must first fully deploy MDE to all desired endpoints within your Microsoft 365 tenant.
- Please use Microsoft's official guide: Get Started with Your Microsoft Defender for Endpoint Deployment.
- If MDE is not deployed first, the Huntress integration will receive NO data.
License Requirements
One of the following licenses is required to access Microsoft Defender for Business.
- M365 E5
- M365 E5 Security
- Windows 10/11 E5
- Enterprise Mobility + Security E5 (EMS E5)
- Defender for Endpoint Standalone License
  - If Standalone, there is Plan 1 and Plan 2.
  - Plan 2 has the full EDR features.
- M365 Business Premium E3 and E5
Windows Servers
Microsoft Defender for Endpoint Plan 1 and Plan 2 don’t include server licenses. To onboard servers to MDE, Microsoft requires a server license such as Microsoft Defender for Servers Plan 1 or Plan 2 (Defender for Cloud), or another server-specific option (for example, “Defender for Endpoint for servers”).
Huntress Recommended Best Practices
Enrolling Devices
- Go to the Microsoft Security portal (security.microsoft.com)
- System > Settings > Endpoints > Onboarding
- Select OS
- Connectivity Type
  - Streamlined (recommended)
- Deployment Method
  - Select how you will be deploying it.
  - Enabling MDE via MDM is recommended.
  - If just testing on a few devices, you can use a local script.
- Other Pre-Deployment Best Practices
  - Proactively exclude/allowlist the required URLs/IPs on firewalls to allow communication between the endpoints and the MDE servers.
  - If an NGFW (Next-Generation Firewall) is used, create an exception to disable packet inspection for all MDE traffic.
  - Proactively create device groups to better organize the asset inventory.
    - Suggested use cases: servers group, workstations group, locations, etc.
    - You can leverage device groups to limit access to certain Entra users (this can be helpful if the MSP has separate workstation and server support teams).
We recommend initially deploying MDE in passive mode and enabling active mode only after confirming stability and successful telemetry ingestion.
Verifying Deployment
- Go to the Microsoft Security portal (security.microsoft.com)
- Assets > Devices
  - Shows you all the enrolled devices.
- Run a Detection Test
  - System > Settings > Endpoints > Onboarding
  - Run this test command
  - This will generate a test alert in the Defender portal (in Investigations and Response > Incidents).
Other Recommendations
- Enable Intune Connection
  - Settings > Endpoints > General > Advanced Features
  - Microsoft Intune Connection
    - This connects Intune and MDE.
    - This is recommended, as endpoints will appear in the Intune Admin Center, allowing you to view their data.
- For any necessary exclusions
  - Intune > Endpoint Security > Antivirus > Create Policy for Exclusions
Post-Deployment Validation
Validate that data is flowing from endpoints into the MDE portal
- Log into the Microsoft Security Center
- Click Hunting on the left navigation pane
- Click Advanced Hunting.
To confirm process events are coming into MDE:
DeviceProcessEvents
| where DeviceName=="FQDN of host"
| order by Timestamp desc
To confirm network events are coming into MDE:
DeviceNetworkEvents
| where DeviceName=="FQDN of host"
| order by Timestamp desc
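The two queries above check one host at a time. As an added example (not from the original article), the following Advanced Hunting query extends that check to every onboarded device in the tenant: it takes the most recent DeviceInfo record per device and joins the latest process and network event per device, so sensors that are onboarded but not sending telemetry stand out. The 7-day lookback and the OK/MISSING labels are assumptions chosen for this example.

```kql
// Constructed example: telemetry health for every onboarded device.
let lookback = 7d;
// Latest process event per device (DeviceProcessEvents is the table the article queries per host).
let lastProc = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | summarize LastProcessEvent = max(Timestamp) by DeviceId;
// Latest network event per device.
let lastNet = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | summarize LastNetworkEvent = max(Timestamp) by DeviceId;
DeviceInfo
| where Timestamp > ago(lookback)
| where OnboardingStatus == "Onboarded"
// Keep only the newest inventory record for each device.
| summarize arg_max(Timestamp, DeviceName, OSPlatform, MachineGroup, SensorHealthState) by DeviceId
| join kind=leftouter lastProc on DeviceId
| join kind=leftouter lastNet on DeviceId
// A device with no events in the lookback window is flagged MISSING.
| extend ProcessTelemetry = iff(isnull(LastProcessEvent), "MISSING", "OK"),
         NetworkTelemetry = iff(isnull(LastNetworkEvent), "MISSING", "OK")
| project DeviceName, OSPlatform, MachineGroup, SensorHealthState,
          LastSeen = Timestamp, LastProcessEvent, LastNetworkEvent,
          ProcessTelemetry, NetworkTelemetry
// MISSING sorts before OK, so problem devices appear at the top.
| order by ProcessTelemetry asc, NetworkTelemetry asc, LastSeen asc
```

Devices that show MISSING in either column, or a SensorHealthState other than Active, are the ones to revisit with the onboarding and firewall/NGFW exclusion steps above before expecting alerts to reach Huntress.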
Generate an incident to confirm that Huntress is ingesting alerts from MDE
Warning: Simulating suspicious activity to generate alerts may isolate your machine, depending on your organization's settings. Always follow best practices and conduct testing on a virtual machine or dedicated test system. Avoid performing tests on production computers.
To generate an incident within MDE, we can leverage the benign EICAR file (MDE EICAR test) or Microsoft's Device Detection Test, shown below.
- Using a Virtual Machine, or a test system of your choice, log in as an administrator and run the following command:
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\test-MDATP-test\invoice.exe');Start-Process 'C:\test-MDATP-test\invoice.exe'