Microsoft Tech Community
Web content filtering with Microsoft Defender ATP now in public preview
Published Jan 27 2020 04:58 PM 78.7K Views
Microsoft

Web content filtering is a new feature in Microsoft Defender ATP that enables security administrators to track and regulate access to websites based on specified content categories. You can configure policies within Microsoft Defender Security Center to block or gather access data on certain categories across your machine groups. This feature provides the following capabilities:

  • Users are prevented from accessing websites in blocked categories, whether they are browsing on-premises or away
  • Conveniently deploy varied policies to various sets of users using the machine groups defined in the Microsoft Defender ATP role-based access control settings
  • Access web reports in the same central location, with visibility over actual blocks and web usage
  • Support for most major web browsers, with blocks performed by SmartScreen and Network Protection.

For instance, you could set a policy to block ‘adult content sites’ across all of your machine groups, and create a separate policy to block ‘high bandwidth sites’ on just a few machine groups. Access data is still collected for any category that is not blocked, and you can view it in the reports.

 


 

In order to give customers access to various sources of web content categorization data, we are very excited to partner with data providers for this functionality. We’ve chosen Cyren as our first partner, who we’ve worked with closely to build that integration. Cyren sends categorization data directly to our cloud, so no customer data will be leaving Microsoft boundaries. We then use this data to determine which blocks to perform on the end user's machine. In order to use this feature, you must acquire a separate license with Cyren, who offers a 60-day free trial license for Microsoft Defender ATP customers. Learn more about partner licensing.

 

Starting today, web content filtering is available for public preview in the Microsoft Defender Security Center. To begin, go to Settings > Advanced features, and click the Web content filtering toggle to turn the feature on. Then, go to Reports > Web reports and click “Connect to partner” on the lower card to start a Cyren trial. Also, check out our technical documentation.

70 Comments
Brass Contributor

If you want to see this in action, check out my blog post here: https://emptydc.com/2020/01/27/block-it/

 

thanks for reading,

Jan

Brass Contributor

This is indeed a much asked question from my customer base. I'm very pleased to see this solution is coming very soon. The first question that pops-up in my mind is however on licensing (yes, sorry, but I believe the technology works :happyface:). As this solution is brought together with the power of Cyren's Content Categorization data, I'm wondering if the licensing for this will be done separately at Cyren's, or if Microsoft is going to be the broker in this (even through the CSP program).

 

Thanks in advance,

Ronald van Ackooij

Brass Contributor

Cool feature. Would like to test it. I have applied for the trial version and entered not enough devices for my tenant and ran directly into the error message:

 

You are above the device limit for your Cyren license that is used for web content filtering. It supports - devices, but -are currently in use. Go to Cyren partner page and update license
 
Well, I went to the partner page, and submitted the form, but no reply. Also I can't find pricing anywhere. More info on the pricing and billing (CSP possible?) would be appreciated.
Copper Contributor

Very cool. The post mentions the ability to create block rules for categories, but knowing that categories can be added over time, I'd love to have the ability to create an allow policy for a list of categories, knowing I can always add new ones, IF they are needed.

 

Will be watching this one closely!

Brass Contributor

Onboarding worked fine for us. I'm missing a place where I can check the categorization of a given URL and an option to exclude/whitelist special URLs. And yes - some information about pricing would be cool!

Brass Contributor

We are currently implementing a cloud-only Microsoft 365 deployment with the only 3rd party requirement being SaaS web filtering so would be very interested to switch to this Defender based solution so we can offer a complete solution using M365 but like the above comments how do we find out about licensing / subscription / pricing once the trial ends?      

Copper Contributor

Testing out the features, so far looks quite good, would like to see more classifications and control (whitelisting). Also requested a quote for the ATP web URL classification and have not heard back yet. Understand we are in an unprecedented situation - would like to understand order of magnitude on pricing to see if this is viable - or move to another solution. Any chance we can get a better understanding of feature sets and pricing when moving to GA?

 

 

Microsoft

@Scott650 We are actively evaluating if we can include content filtering as part of E5 license and not require any additional pricing and will update once we have a finalized plan. Hoping to provide an update by 3rd week of April. 

Could you please share feedback on what additional categories you would like to see?

 

@Chris Johnston - Hoping to finalize the details on licensing (or no-licensing) soon. Thank you for your patience. 

 

@Christopher Brumm - Good feedback, will publish the guidance on this soon. In the interim, you can find out the categorization of a URL by visiting this page: https://www.cyren.com/security-center/url-category-check.

Also, please leverage custom indicators to selectively allow/block a given URL. https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/manage-in...

 

 

 

 

Brass Contributor

@KrupaT Thanks for your answer. Will the custom indicator override the block by categorization from cyren?

Microsoft

@Christopher Brumm Yes, custom indicators have the highest precedence and will override any policy configured through web content filtering. 

Brass Contributor

@KrupaT Last time I looked at the categories they were missing anonymizers / proxies. I also don't think it had the German youth category either. Most of the rest looked sufficient, but when you could just use archive.org or a random free proxy site to bypass the filter it defeats the point a little from the HR side. From a security side, between this and SmartScreen it is a good setup.

 

If possible what would be really cool is to limit devices to one or multiple categories and allow nothing else.

 

The other issue I came across is you can accidentally block it with firewall rules, ATP should always win over all other system settings otherwise bad actors can abuse this.   

 

The only thing that could beat that would be if you could also use it as a proxy for a corporate network, but that is wishful thinking :)

 

When it's working fully this is really amazing, if anything happens on the price front it would make my year.

 

 

 

 

Microsoft

@mbhmirc Thanks for the feedback, will work to create a top-level proxy category. We are also working to make it easier to share feedback on FPs - like the proxies that you mentioned. As a short term mitigation while feeds are updated, you can leverage custom indicators to specifically block the discovered proxies. 

Ack on your feedback, will work with my team on how we can enable scenarios where only selected categories are allowed and everything else is blocked.

 

Ack your feedback on firewall rules - will take it to the broader team. 

In regards to the pricing, we are working to incorporate feedback and hoping to share some updates shortly (next 2 weeks). 

Copper Contributor

@KrupaT Looking through the prerequisites, I do not see macOS on the list. Are there any plans for support on macOS?

 

Thanks,

Bo

Microsoft

@borising  This is on top of our backlog, however unable to share a timeline yet and will keep the thread updated. 

Copper Contributor

@KrupaT That sounds great, do reach out to me if you need some testers.

Copper Contributor

@KrupaT We are moving off of Trend and onto Defender ATP. We paid one price for Trend and it covered this. However the benefit of having everything in one place was too great! Really love ATP so far and was surprised to find that web content filtering was a feature we would have to pay additional for. Really appreciate that Microsoft is considering throwing this in to the E5 license. It would greatly solidify our staying on.

Copper Contributor

Hi Group, for the last 2 weeks we have been trying to implement the web filter content on Microsoft ATP defender. It looks easy, but for our tenant it looks like support is confusing; we are not allowing all features of M365-E5 to the users and are running an RDS 2016 environment on Azure. Any suggestions?

Brass Contributor

@KrupaT great thank you :)

 

@aminhirji595 Do you have the license from the partner page already? The main bit is to allow port 80/443 on the firewall directly for all the Defender and ATP related processes, and then the rest in ATP is just creating the policy and assigning it.

 

Copper Contributor

@mbhmirc I have been told by Cyren to register myself here https://marketing.plutoserv.com/mdatp/step1/ which I have done. Do I need to ask them for their Cyren portal login? And all our machines are on Azure, so in the network section shall I add the 80/443 ports?

Copper Contributor

@KrupaT do you know why phishing, malware, grayware and other suspicious URL categories are not included? We were hoping this could be used to prevent these known bad URLs, but when I contacted the vendor their response was

 

“Cyren currently does not filter for Malware and Phishing.”

 

Also any update on whether this will be included in E5 license?

Copper Contributor

@MKHJJ I think you have to turn on Network Protection for this in your Endpoint Protection policy under Microsoft Defender Exploit Guard > Network Filter.

Copper Contributor

Hi Everyone,

Is this web filtering functionality still in preview? If so, when is it expected to be fully rolled out to the public?

 

 

Thanks,
Ollie 

Copper Contributor

@OllieCramer it is still in preview. I believe it's expected to be rolled out end of July, at which point the service will be included in your E5 Enterprise subscription. I was told that there was no decision on including Cyren for individual MDATP SKUs.

Copper Contributor

Oh and when you are setting up your 60 day trial with Cyren through your Defender ATP admin Dashboard, when the Cyren online form asks "how many users" think "How many machines" not users. If you have 800 E5 users, and they all log into 2 computers regularly maybe their desktop and laptop. If you say you have 800 users 800 computers will have web content filtering...you now have 800 laptops that do not.

Microsoft

@MKHJJ MDATP provides web threat as a platform level feature, which covers protection against Malware, Phishing. This is already in GA https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/web-threa...

 

Being part of E5 is the path forward, however it's taking more time than expected. You can definitely start using the trial, and soon we will be removing the 60 day limit as well. 

 

@OllieCramer Yes, it's still in public preview (Thank you @Joseph Owen ). We are making significant changes compared to our initial marketplace approach. As a result, it's going to be in public preview for a little longer than our initial timelines.

 

Copper Contributor

@KrupaT  Pretty exciting! One thing I noticed and I haven't taken a deeper dive on it yet but it wasn't clearly available...a way to whitelist specific sites that my company may need to use but is being blocked by the content filter.

 

In order for the content filter to work in a browser other than Edge (for me it was Chrome), I had to enable Network Protection in my Endpoint Protection policy. Once I did that it worked for Chrome.

 

Appreciate your time and posts.

 

Joseph

 

 

Microsoft

@Joseph Owen  to whitelist, you can leverage custom indicators which are given the highest order of preference i.e. if a site is allowed via custom indicator (let's say instagram) , even if the site is blocked via category (social networking) through web content filtering .. your custom indicator policy will be honored. 

here's more on custom indicators: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/manage-in...
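
The precedence described in this reply, combined with the per-machine-group category policies from the post, modelled as an added example (not Microsoft's code or API). The hostnames, category feed, policy names and the handling of uncategorized hosts are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample data (not a real feed): host -> content category.
CATEGORY_FEED = {
    "instagram.example": "Social Networking",
    "videos.example": "High Bandwidth",
    "news.example": "News",
}

@dataclass(frozen=True)
class Policy:
    name: str
    blocked_categories: frozenset
    machine_groups: frozenset  # empty = applies to every machine group

# Constructed policies mirroring the post: one for all groups, one scoped.
POLICIES = [
    Policy("No social", frozenset({"Social Networking"}), frozenset()),
    Policy("Save bandwidth", frozenset({"High Bandwidth"}), frozenset({"Call Center"})),
]

def evaluate(url, machine_group, indicators, policies=POLICIES):
    """Return (action, reason); action is 'allow', 'block' or 'audit'."""
    host = (urlsplit(url).hostname or "").lower()
    # 1. Custom indicators have the highest precedence, in either direction.
    if host in indicators:
        return indicators[host], "custom indicator"
    # 2. Category policies scoped to the device's machine group.
    category = CATEGORY_FEED.get(host)
    if category is None:
        # Assumption of this model: hosts without a category are not filtered.
        return "allow", "uncategorized"
    for policy in policies:
        in_scope = not policy.machine_groups or machine_group in policy.machine_groups
        if in_scope and category in policy.blocked_categories:
            return "block", f"{policy.name}: {category}"
    # 3. Categories that are not blocked are still recorded for the web reports.
    return "audit", f"{category} not blocked"

if __name__ == "__main__":
    allow_list = {"instagram.example": "allow"}  # constructed allow indicator
    for group in ("Sales", "Call Center"):
        for url in ("https://instagram.example/p/1", "https://videos.example/watch",
                    "https://news.example/"):
            print(group, url, evaluate(url, group, allow_list))
```
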

Copper Contributor

@KrupaT  Perfect! Thank you!

Brass Contributor

I have rolled MDATP out with the Cyren 60 day trial. Everything was working fine, however now in the Reports>Web Filtering I get No Data for everything on the dashboard. I thought it would be the same for all our global admins however everyone else can access and see data. I have tried on various machines: enrolled and personal, and still get no data. The only thing I can think of is that my broadband or ISP is not allowing something integral through. I say ISP as my mobile phone is on the same ISP and tethering also shows no data.

I made my non global admin account a global admin and also created a new global admin account - no data!

Logging on as me on a colleague's machine on their broadband shows data. I am going to the office in the next hour or so, so will be able to see if it is an ISP issue; if it is, what could be blocking it? Do I need certain internet ports open to see data?

This has stumped me.

 

EDIT: I am at the office and the data is now populating. Anyone any ideas if a port is blocking it, or something I may be missing on the network side?

 

EDIT2: It was DNS! 8.8.8.8 must be playing up.

Microsoft

Thanks @neilcarden for the update, this is definitely an interesting scenario.

Curious, if only content filtering reports didn't show up or did it impact all your reports in MDATP?

Brass Contributor

@KrupaT Weirdly it is just Web Filtering reports, everything else is absolutely fine. In fact I've just tested it again now and changed my DNS to 8.8.8.8 give it a flushdns and like magic the data disappears. Change it back to my ISP's DNS and it populates again.

Give it a try and see what happens?

Neil

Copper Contributor

I ran this as a trial and it worked well.  When I tried to purchase it via Cyren I was told it is not yet available for production.  Do you have a date when this can be purchased via Microsoft/Cyren?

Stephen

Brass Contributor

@Stephen_Hynes1976 Hi, I got in touch with Cyren and they quoted me a price per user per month. However, we were in the process of consolidating all of our licensing through one provider and when they got in touch they were told the same thing as you. I passed on the contact details I had to our licensing supplier and am still waiting on a response. It's annoying as I have set up web filtering now and don't want it to stop after 60 days.

 

This was in the email "The product will not be available for general availability until the end of April." so whether this has been put back I don't know.

We just published an episode on Intune.Training giving this a test drive. Check it out - it's free and it's an honest review! 

https://www.youtube.com/watch?v=a2ixEGD-jus

MVP

Any plans to add support for this to macOS or downlevel Windows (8.1 or 7)?  Or have I got my information wrong and it's already supported?  (If that's the case - is there documentation as in my testing it's not working)

Microsoft

@neilcarden @Stephen_Hynes1976 the business model is being updated and there will be no additional charge for WCF. We are actively working and will update the thread once we push these changes.

 

@Ru For macOS we are actively working, and in regards to Windows it's only on Win 10. 

Brass Contributor

@KrupaT Yes Cyren also confirmed this. Will it still need the Cyren integration or will it become standard by default?

Do you have any timescales as ours has now passed trial date and is non functional...

Neil

MVP

@KrupaT Both of these are great to hear. Thanks!

Brass Contributor

Yes I am also happy to hear this, but also our trial has ended and this is now not functional.  Can we get an ETA on when this function will work again, or can we look at extending the trial to another 60 days so we can continue using this?  When I contact Cyren they say contact Microsoft and Microsoft say contact Cyren.  Thanks for letting us know but if we could have a usable solution today even if it is just an extended trial that would help greatly.

 

Microsoft

@Robert_Hurd Tentative timeline is July when you will see the new business model w/o any 60 day trial limitations or the need for partner integration. Please note that we will continue to be in public preview mode. 

Brass Contributor

@KrupaT Is there an easy way Microsoft can extend the existing 60 day trials?

 

Brass Contributor

@Robert_Hurd When I spoke to Cyren they said it would just carry on beyond the 60 days but that doesn’t seem to be the case. 
@KrupaT how will we get an update when it’s live? Will we just see it in MDATP console? Do we have to remove the Cyren integration?

Microsoft

@Robert_Hurd : Sent a pm requesting more details.

@neilcarden We will be publishing a blog + instructions to remove any residual partner connection that's no longer needed. 

Copper Contributor

Hello, Really looking forward to this being GA'd in July


As part of the new web content filtering, MS have chosen to partner with Cyren
- Will Cyren be added to the Cloud App Security "Support firewalls and proxies" list to allow deep dive into discovered apps?

 

https://docs.microsoft.com/en-us/cloud-app-security/discovered-apps#deep-dive-into-discovered-apps

Brass Contributor

@KrupaT - Very happy to see this is going to be GA soon! I am wondering a couple things...

 

1. Will a category be added for File Sharing & Storage? Ex. DropBox, Box, Google Drive, Wetransfer, etc. These all currently show up under the "Computers & Technology" category which is not useful for blocking access to those types of sites.

 

2. It seems there is no way to prevent auditing for categories once a device is added. It would be very useful to have the ability to break down which categories are blocked vs audited and then any category not otherwise specified would not be included in the reporting. I have no interest in the reporting of various categories but as far as I can tell there is currently no way to disable this without removing a device entirely. It seems to be all or nothing.

MVP

@KrupaT 

Hey, I have just set up a new MDATP tenant and notice that when I go to Settings > Rules > Web Content Filtering, I no longer need to sign up for Cyren.  I can just go ahead and create rules.  Is the requirement for a license/sign up now rolled out universally?   Also don't see Cyren Web Filter as an Enterprise App in AAD, unlike earlier tenants that needed it granted permission.

 

Thanks!

Copper Contributor

Hi - Please could Microsoft confirm the following for Web Filtering in Defender ATP

1. Is this now available with a Microsoft 365 E5/Defender ATP licence? No additional costs/licence required

2. What date is this going to be available?


Kind Regards

Stephen

Microsoft

@Stephen_Hynes1976 , @Ru - Yes, it's official - a partner license is no longer needed. Web content filtering will be offered as part of MDATP, here's the official update

 

@Roger1175 Great feedback, will add it to the backlog. 

Copper Contributor

This is good news indeed. Do we have any plans around bluecoat as a partner for categorization?

Brass Contributor

And even better, it is now announced as part of MS Defender ATP, without additional partner licenses.

https://techcommunity.microsoft.com/t5/microsoft-defender-atp/an-update-on-web-content-filtering/ba-...

Last update: May 12 2022 04:12 PM