TEAM: Huntress Product Architecture
PRODUCT: Microsoft Defender for Business & Microsoft Defender for Endpoint
ENVIRONMENT: Microsoft 365
SUMMARY: This guide covers license requirements, device onboarding, deployment best practices, and verification steps for Microsoft Defender for Business and Microsoft Defender for Endpoint.
License Requirements
One of the following licenses is required to access Microsoft Defender for Business.
- M365 E5
- M365 E5 Security
- Windows 10/11 E5
- Enterprise Mobility + Security E5 (EMS E5)
- Defender for Endpoint Standalone License
  - If Standalone, there are two options: Plan 1 and Plan 2.
  - Plan 2 has the full EDR features.
- M365 Business Premium E3 and E5
Microsoft's guide "Get Started with your Microsoft Defender for Endpoint deployment" should be used as the source of truth.
The following are Huntress-recommended best practices.
Enrolling Devices
- Go to the Microsoft Security portal - security.microsoft.com
- System > Settings > Endpoints > Onboarding
  - Select OS
  - Connectivity Type
    - Streamlined - This is recommended.
  - Deployment Method
    - Select how you will be deploying it.
    - Enabling MDE via MDM is recommended.
    - If just testing on a few devices, you can use a local script.
- Other Pre-Deployment Best Practices
  - Proactively exclude/allowlist the required URLs/IPs on firewalls to allow communication between the endpoints and the MDE servers.
  - If an NGFW (Next-Generation Firewall) is used, create an exception to disable packet inspection for all MDE traffic.
  - Proactively create device groups to better organize the asset inventory.
    - Suggested use cases: servers group, workstations group, locations, etc.
    - You can leverage device groups to limit access to certain Entra users (this can be helpful if the MSP has separate workstation and server support teams).
We recommend initially deploying MDE in passive mode and enabling active mode only after confirming stability and successful telemetry ingestion.
Verifying Deployment
- Go to the Microsoft Security portal - security.microsoft.com
- Assets > Devices
  - This will show you all the enrolled devices.
- Run a Detection Test
  - System > Settings > Endpoints > Onboarding
  - Run the test command provided there.
  - This will generate a test alert in the following location - Investigations and Response > Incidents.
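The portal steps above confirm enrollment from the cloud side. The script below is an added example (not Huntress's or Microsoft's code) for checking the same things locally on a Windows endpoint: that the Sense agent has finished onboarding, which antivirus running mode the device is in (useful for the passive-then-active rollout recommended earlier), and whether TCP 443 to the MDE service hosts is reachable. The registry path, service name and Get-MpComputerStatus properties are standard Microsoft ones; the connectivity hostname is a placeholder you must replace with entries from Microsoft's MDE URL list for your tenant and region.

```powershell
# Added example (not from Huntress or Microsoft): local onboarding, AV-mode and
# connectivity checks for an MDE endpoint. Run in an elevated PowerShell session.

$StatusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$ConnectivityTargets = @(
    'REPLACE-WITH-MDE-CONNECTIVITY-HOST.example'   # placeholder: use Microsoft's MDE URL list
)

function Get-MdeOnboardingState {
    # OnboardingState = 1 means the Sense (MDE) agent has completed onboarding.
    $result = [ordered]@{
        SenseServiceStatus = (Get-Service -Name Sense -ErrorAction SilentlyContinue).Status
        OnboardingState    = $null
        OrgId              = $null
    }
    if (Test-Path $StatusKey) {
        $props = Get-ItemProperty -Path $StatusKey
        $result.OnboardingState = $props.OnboardingState
        $result.OrgId           = $props.OrgId
    }
    [pscustomobject]$result
}

function Get-MdeAvMode {
    # AMRunningMode reports 'Normal' (active), 'Passive Mode', 'EDR Block Mode'
    # or 'SxS Passive Mode'; check it before switching a fleet from passive to active.
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        AMRunningMode        = $mp.AMRunningMode
        AntivirusEnabled     = $mp.AntivirusEnabled
        RealTimeProtection   = $mp.RealTimeProtectionEnabled
        SignatureLastUpdated = $mp.AntivirusSignatureLastUpdated
    }
}

function Test-MdeConnectivity {
    param([string[]]$Targets = $ConnectivityTargets)
    foreach ($target in $Targets) {
        # TCP reachability only: an NGFW doing TLS inspection can still break the
        # agent even when this succeeds, so exempt MDE traffic from inspection.
        $tnc = Test-NetConnection -ComputerName $target -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target       = $target
            TcpReachable = $tnc.TcpTestSucceeded
        }
    }
}

$onboarding = Get-MdeOnboardingState
$onboarding | Format-List
Get-MdeAvMode | Format-List
Test-MdeConnectivity | Format-Table -AutoSize

if ($onboarding.SenseServiceStatus -ne 'Running' -or $onboarding.OnboardingState -ne 1) {
    Write-Warning 'Endpoint is not fully onboarded: check the onboarding package/policy and the Sense service.'
}
```

Run it on a handful of pilot devices before widening the deployment; a device whose Sense service is running but whose OnboardingState is not 1 is the typical sign of a blocked connection rather than a missing policy.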
Other Recommendations
- Enable Intune Connection
  - Settings > Endpoints > General > Advanced Features
  - Microsoft Intune Connection
    - This connects Intune and MDE.
    - This is recommended, as endpoints will appear in the Intune Admin Center, allowing you to view their data.
- For any necessary exclusions
  - Intune > Endpoint Security > Antivirus > Create Policy for Exclusions
Post-Deployment Validation
Validate that data is flowing from endpoints into the MDE portal:
- Log into the Microsoft Security Center
- Click Hunting on the left navigation pane
- Click Advanced Hunting.
To confirm process events are coming into MDE:
DeviceProcessEvents
| where DeviceName=="FQDN of host"
| order by Timestamp desc
To confirm network events are coming into MDE:
DeviceNetworkEvents
| where DeviceName=="FQDN of host"
| order by Timestamp desc
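The two queries above check one host at a time. The script below is an added example (not Huntress's or Microsoft's code) that runs a fleet-wide version of the same validation through the Microsoft Graph advanced hunting API: for every device that DeviceInfo reports as onboarded in the last 24 hours, it counts DeviceProcessEvents and DeviceNetworkEvents and flags devices with zero in either column. It assumes the Microsoft.Graph.Authentication module is installed and that the signed-in identity has the ThreatHunting.Read.All permission; no device names are embedded.

```powershell
# Added example (not from Huntress or Microsoft): fleet-wide telemetry validation
# via the Graph security/runHuntingQuery endpoint. Assumes Microsoft.Graph.Authentication
# and the ThreatHunting.Read.All permission.

Connect-MgGraph -Scopes 'ThreatHunting.Read.All' -NoWelcome

# KQL: count process and network events per onboarded device over the window.
$kql = @'
let window = 24h;
let procs = DeviceProcessEvents
    | where Timestamp > ago(window)
    | summarize ProcessEvents = count(), LastProcess = max(Timestamp) by DeviceName;
let nets = DeviceNetworkEvents
    | where Timestamp > ago(window)
    | summarize NetworkEvents = count(), LastNetwork = max(Timestamp) by DeviceName;
DeviceInfo
    | where Timestamp > ago(window) and OnboardingStatus == "Onboarded"
    | summarize by DeviceName
    | join kind=leftouter procs on DeviceName
    | join kind=leftouter nets on DeviceName
    | extend ProcessEvents = coalesce(ProcessEvents, 0), NetworkEvents = coalesce(NetworkEvents, 0)
    | project DeviceName, ProcessEvents, LastProcess, NetworkEvents, LastNetwork
    | order by ProcessEvents asc, NetworkEvents asc
'@

function Invoke-MdeTelemetryCheck {
    param([string]$Query = $kql)
    $body = @{ Query = $Query } | ConvertTo-Json
    $resp = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
        -Body $body -ContentType 'application/json'
    # The response carries 'schema' and 'results'; each result is one row keyed by column name.
    foreach ($row in $resp.results) {
        $proc = [int]$row.ProcessEvents
        $net  = [int]$row.NetworkEvents
        [pscustomobject]@{
            DeviceName    = $row.DeviceName
            ProcessEvents = $proc
            LastProcess   = $row.LastProcess
            NetworkEvents = $net
            LastNetwork   = $row.LastNetwork
            Status        = if ($proc -eq 0 -or $net -eq 0) { 'NO TELEMETRY' } else { 'OK' }
        }
    }
}

$report = Invoke-MdeTelemetryCheck
$report | Format-Table -AutoSize
$silent = @($report | Where-Object Status -eq 'NO TELEMETRY')
if ($silent.Count -gt 0) {
    Write-Warning ("{0} onboarded device(s) sent no process or network events in the last 24h." -f $silent.Count)
}
```

Devices flagged NO TELEMETRY are the ones to run the single-host queries above against; a device with process events but no network events usually points at a firewall or NGFW inspection problem rather than an onboarding failure.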
Generate an incident to confirm that Huntress is ingesting alerts from MDE.
Warning: Simulating suspicious activity to generate alerts may isolate your endpoint based on your organization's settings. Always follow best practices and conduct testing on a virtual machine or dedicated test system. Avoid performing tests on production endpoints.
To generate an incident within MDE, you can use the benign EICAR test file (see Microsoft's MDE EICAR test) or Microsoft's Device Detection Test, below.
- Using a Virtual Machine, or a test system of your choice, log in as an administrator and run the following command:
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'