Breadcrumbs

MDE Administration

Managing Indicators

Adding Indicators

Indicators can be added to the MDE Domain Indicator List through any of the following five methods. Indicators will subsequently be blocked by MDE:

Blocking must be enabled for it to function. See Step - 3 Blocking Mode (OPTIONAL) for information on how to configure blocking.

  1. EnforceDNS Decision Engine: The Decision Engine dynamically assigns a block verdict to a query, which is then reflected in the MDE Domain Indicator List.

  2. Categories: Blocked categories configured in EnforceDNS are mirrored as blocks in MDE.

  3. Rules: Custom rules created by your organization will be applied in MDE as blocks.

  4. Lists: Indicators from EnforceDNS lists outside of the MDE List are automatically passed along to the MDE Domain Indicator List.

  5. Manual Entry: Users have the option to manually add indicators directly to the MDE Domain Indicator List in EnforceDNS.

Removing Indicators

Indicators added to the EnforceDNS MDE Block list can be removed in three ways:

  1. Manually via MDE: You can remove indicators from the MDE Domain Indicator List manually in MDE.

    1. This will update the EnforceDNS MDE list.

  2. Manually via EnforceDNS: Login to EnforceDNS>List Management>MDE. List Management is available under

    List Management Icon.png

    1. Select the indicator(s) you wish to delete.

    2. Click on the Trash Can icon towards the top of the page.

    3. The indicator(s) are removed from the MDE Domain Indicator List.

When removing an indicator, whether through EnforceDNS or MDE, it’s crucial to also remove it from any lists or rules it belongs to. If you don’t, EnforceDNS will re-add the indicator to the MDE Domain Indicator List, causing it to be blocked again. 

If the indicator was blocked by the Decision Engine or a Category block, you must add it to an allow list. Failing to do so will result in the indicator continuing to be blocked.

  1. Automatically: To help manage the size of your MDE Domain Indicator List, EnforceDNS automatically removes indicators from the MDE List that were added by the Decision Engine if they haven’t been detected in traffic for 180 days. This is by default and non-configurable.

    1. If you wish to continue to block these queries after the 180 days, you must add the relevant indicators to a static (non-MDE) Block list prior to the 180 expiration.

    2. This effects ONLY the indicators added by the Decision Engine. If added via category, rules, other list or manually, the queries will not expire.

EnforceDNS automatically removes indicators from the MDE List that were added by the Decision Engine if they haven’t been detected in traffic for 180 days. For more details, please refer to the information above.

FAQs

Q: How does EnforceDNS handle domains that are on allow lists or already blocked in MDE?

  • If a domain is already on the MDE block list, you must add it to an allow list in EnforceDNS and then manually remove it from the MDE list.

  • If a domain is on an allow list before HYAS sees it, HYAS will not add it to the MDE block list, because HYAS only sends blocks, not allows, to MDE.