ERG Eurasian Resources Group — Kazakhstan

ERG Eurasian Resources Group (ERG) engaged Awara IT to run a controlled pilot deployment of Microsoft Defender for Endpoint (Plan 2) across representative endpoint estates in Kazakhstan. The objective was to assess EPP/EDR policy effectiveness under the operational conditions of mining and metallurgy sites and to validate integration with the existing ArcSight SIEM.
Awara IT implemented endpoint onboarding, EPP/EDR policy baselines, automated investigation playbooks, and a secure event-forwarding pipeline into ArcSight. Within the pilot scope the deployment confirmed the detection and response capability, shortened detection and response times, and produced a validated integration pattern ERG can reuse for a phased roll-out across other regions.
ERG Eurasian Resources Group is a diversified natural resources company operating in mining and metallurgy with substantial operations in Kazakhstan. As a large regional employer and producer, ERG requires enterprise-grade security controls to protect operational technology endpoints and corporate devices across dispersed and sometimes remote sites.
ERG was evaluating next-generation endpoint protection to replace legacy antivirus and to introduce endpoint detection and response (EDR) across a mix of corporate and operational devices. Key pain points included limited endpoint visibility at remote sites, high false-positive rates from existing tools, and long incident investigation cycles that delayed containment in an environment where operational disruptions carry significant safety and financial risk.
A further constraint was the existing security operations investment in ArcSight SIEM: any new endpoint solution had to reliably deliver contextual telemetry and alerts into ArcSight without overwhelming analysts. ERG required a test that would validate detection efficacy, policy tuning, and SIEM integration before authorizing a broader deployment.
Selection criteria were technical fit, supportability, and integration with ERG's Microsoft-centric estate. Microsoft Defender for Endpoint (Plan 2) was chosen for its native integration with Microsoft 365 E5 Security telemetry, centralized policy management, automated investigation and remediation, and vendor-supported export to third-party SIEMs such as ArcSight.
For ERG, which runs other Microsoft workloads, including business systems in some corporate functions that may be based on Dynamics 365, aligning endpoint security with the Microsoft security stack reduces management overhead and simplifies identity-based controls. Awara IT's combined experience across Microsoft security and Dynamics 365 projects ensured the pilot considered the implications for business application availability, data protection, and identity signals linked to Azure AD (now Microsoft Entra ID).
Deployment planning accounted for Kazakhstan's regulatory framework and ERG's internal compliance policies. Telemetry collection, retention periods, and cross-border log transfers were assessed to ensure alignment with local data handling requirements and ERG's contractual obligations. Where required, event forwarding was configured to limit personally identifiable information and to respect ERG's data classification rules.
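The two requirements above, delivering endpoint alerts into ArcSight in the form analysts already consume and stripping personal identifiers before events cross the boundary, come down to a small normalization step at the forwarding point, whatever transport carries the events (Microsoft's supported route to third-party SIEMs is the streaming export to Azure Event Hubs). The following is an added illustration of that step, not Awara IT's or ERG's pipeline code: it renders alert records as CEF lines for ArcSight, replaces the user identity with a keyed pseudonym so analysts can still correlate repeat sightings, and applies a severity floor so low-value alerts do not flood the SOC. The sample alert records, their field names, the pseudonymization key and the severity floor are all constructed assumptions for the example, not the product's exact schema or ERG's settings.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample records, loosely modelled on Defender for Endpoint alert
# objects as exposed through the API / streaming export. The field names are
# assumptions chosen for illustration, not the exact product schema.
SAMPLE_ALERTS = [
    {
        "id": "da1234abcd5678",
        "alertCreationTime": "2024-03-12T08:41:07Z",
        "title": "Suspicious PowerShell command line",
        "category": "Execution",
        "severity": "High",
        "status": "New",
        "computerDnsName": "kz-site3-eng07.corp.example",
        "detectionSource": "WindowsDefenderAtp",
        "relatedUser": {"userName": "a.tulegenova", "domainName": "CORP"},
    },
    {
        "id": "da9999ffff0000",
        "alertCreationTime": "2024-03-12T08:44:51Z",
        "title": "Anomalous network scan",
        "category": "Discovery",
        "severity": "Low",
        "status": "New",
        "computerDnsName": "kz-site3-eng12.corp.example",
        "detectionSource": "WindowsDefenderAtp",
        "relatedUser": {"userName": "b.ivanov", "domainName": "CORP"},
    },
]

# Pseudonymization key: in practice a secret held inside the tenant boundary and
# never shipped with the events. Fixed here only so the example is reproducible.
PSEUDONYM_KEY = b"erg-pilot-example-key"

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
SEVERITY_TO_CEF = {"Informational": 1, "Low": 3, "Medium": 6, "High": 9}


def cef_escape(value, header=False):
    """Escape per the CEF spec: backslash and pipe in header fields;
    backslash, equals and newlines in the extension."""
    s = str(value).replace("\\", "\\\\")
    if header:
        return s.replace("|", "\\|")
    return s.replace("=", "\\=").replace("\r", "\\r").replace("\n", "\\n")


def pseudonymize(identity, key=PSEUDONYM_KEY):
    """Keyed, truncated HMAC-SHA256 of a user identity (case-folded). Two alerts
    on the same account get the same token, but the raw name never leaves the
    tenant and the token cannot be reversed without the key."""
    digest = hmac.new(key, identity.lower().encode("utf-8"), hashlib.sha256)
    return "u-" + digest.hexdigest()[:16]


def iso_to_epoch_ms(ts):
    """CEF 'rt' expects milliseconds since the epoch; input is ISO-8601 UTC."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return int(dt.astimezone(timezone.utc).timestamp() * 1000)


def alert_to_cef(alert, minimize_pii=True):
    """Render one alert as a CEF line. With minimize_pii the user identity is
    replaced by its pseudonym; the host name is kept because containment
    needs it."""
    user = alert.get("relatedUser") or {}
    identity = f"{user.get('domainName', '')}\\{user.get('userName', '')}".strip("\\")
    suser = pseudonymize(identity) if (minimize_pii and identity) else identity

    # CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
    header = "|".join(
        cef_escape(v, header=True)
        for v in (
            "CEF:0", "Microsoft", "Defender for Endpoint", "Plan 2",
            alert["category"], alert["title"], SEVERITY_TO_CEF[alert["severity"]],
        )
    )
    ext = {
        "rt": iso_to_epoch_ms(alert["alertCreationTime"]),
        "externalId": alert["id"],
        "dvchost": alert["computerDnsName"],
        "cat": alert["category"],
        "act": alert["status"],
        "cs1Label": "detectionSource",
        "cs1": alert["detectionSource"],
    }
    if suser:
        ext["suser"] = suser
    extension = " ".join(f"{k}={cef_escape(v)}" for k, v in ext.items())
    return f"{header}|{extension}"


def forward_batch(alerts, min_severity="Medium", minimize_pii=True):
    """Analyst-load filter: only alerts at or above the agreed severity floor
    are converted and queued for ArcSight."""
    floor = SEVERITY_RANK[min_severity]
    return [
        alert_to_cef(a, minimize_pii)
        for a in alerts
        if SEVERITY_RANK.get(a.get("severity"), -1) >= floor
    ]


if __name__ == "__main__":
    for line in forward_batch(SAMPLE_ALERTS):
        print(line)
```

Two design points worth keeping when adapting this: the pseudonym is keyed, not a bare hash, because a bare SHA-256 of a short username is trivially reversible by dictionary; and the host name is deliberately left in clear, since a SOC that cannot name the machine cannot isolate it. The severity floor is a tuning knob agreed with the SOC, not a fixed value.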
All user-facing documentation and operational runbooks were provided in English and Russian, and policy settings were agreed with ERG's security and legal teams before activation to ensure regulatory and operational compliance in the mining context.
The pilot delivered validated detection and response patterns that ERG can scale with confidence. Immediate benefits included near-complete endpoint visibility in the pilot scope, faster detection and containment of endpoint incidents, and a stable, documented integration pattern with ArcSight that preserves analysts' existing workflows. These outcomes reduce operational risk and support ERG's compliance posture.
Beyond technical results, Awara IT provided ERG with a phased roll-out plan, policy templates, and SOC playbooks to operationalize Defender for Endpoint across additional sites. The pilot reduced uncertainty around cloud-native security controls and created a repeatable template for secure expansion across Kazakhstan and adjacent regions.
The pilot proved the Defender technology in our operational environment and gave us a clear, low-risk path to scale. Awara IT's team delivered integration and tuning that met our SOC and compliance requirements. — Aigerim Tulegenova, Head of IT Security, ERG Eurasian Resources Group