Microsoft Defender for Endpoint series – What is Defender for Endpoint? – Part1
It is time for the first part of the ultimate Microsoft Defender for Endpoint (MDE) series. After the announcement and the great response, it is time for the first part. Part 1 contains information related to Defender for Endpoint’s basics. Upcoming parts are more deep-dived into the components. See part 1 as the high-level overview of the components and parts under the Microsoft Defender for Endpoint (MDE) umbrella.
Introduction blog series
This ultimate blog series will contain as much information as possible based on my Defender experience in the past years. Not a copy of Microsoft Docs, but an addition based on practical experience combined with informational details – including the most frequent questions asked by customers focussing on the complete Windows platform. When it’s a success, other platforms like iOS, Android, Linux, and macOS will follow.
NOTE: Blog series is focussing on features in Microsoft Defender for Endpoint P2 all MDE P1 features are available in P2.
Specific question or content idea part of Defender for Endpoint? Use the contact submission form and share the post ideas.
What is Defender for Endpoint?
Microsoft Defender for Endpoint (MDE) is a comprehensive solution for preventing, detecting, and automating the investigation and response to threats against endpoints. Defender for Endpoint is supported for multiple platforms, including Windows, Linux, macOS, and mobile platforms iOS and Android. Microsoft Defender for Endpoint (MDE) is a massive platform of features and not a single product. It is a platform with tons of security features, services, and controls. Hopefully, this complete blog series gives more explanation in high-level overviews and in-depth technical information based on my own best practices.
Microsoft Defender for Endpoint is a key component of the Microsoft 365 Defender architecture and part of the Microsoft 365 Defender platform. It shares data/ signals and architecture with the following products;
- Microsoft Defender for Endpoint (MDE)
- Microsoft Defender for Office365 (MDO
- Microsoft Defender for Cloud Apps (MDA)
- Microsoft Defender for Identity (MDI)
- Azure AD Identity Protection (AADIP)
Defender for Endpoint contains a couple of major components including;
- Asset discovery
- Threat & Vulnerability Management (TVM)
- Attack Surface Reduction (ASR)
- Next-Generation Protection (NGP)
- Endpoint Detection & Response (EDR)
- Automated Self-healing/ Automation investigation and remediation (AIR)
- Microsoft Threat Experts
Microsoft releases in the last couple of months quite some new features which make the Defender product one more centralized portal including the following bullets:
- Endpoint = Defender for Endpoint
- Email & Docs = Defender for Office 365
- Apps & Cloud Apps = Defender for Cloud Apps
- Identities = Defender for Identity and Azure AD Identity Protection
Currently, all of the Defender products listed above are available in one single portal. Which reduces heavily the availability of the different portals. 2-3 years ago all the products were available in separate portals; for example Defender for Identity and Defender for Cloud Apps were completely separate. Microsoft is following the direction to share the architecture and combine all security toolings together in one single Microsoft 365 Defender portal. Natively integrating all products within Microsoft 365 Defender streamlines the process of investigation and mitigating threats for the complete attack surface. The Hunting experience is more integrated with all products compared with some years ago, which makes hunting and specific use-case development easier.
The below image shows it in one single view; Microsoft 365 Defender gives the option for centralized incident/alerts, hunting, actions/submissions, and analytics. Where each product is natively integrated (The implementation of Defender for Identity and Defender for Cloud Apps is not fully integrated with all features).
Microsoft 365 Defender portal:
Microsoft 365 Defender incident view:
Which Defender plans are available?
Currently, there are multiple Defender plans available. Defender for Individuals is the new consumer product. For the comparison between Defender for Business and Defender for Endpoint P2 view the blog post published earlier.
- Defender for Individuals
- Defender for Business
- Defender for Endpoint P1
- Defender for Endpoint P2
The following add-ons are currently available:
- Defender Vulnerability Management add-on
The following standalone products are available
- Microsoft Defender Vulnerability Management
View the following page for the full Defender for Endpoint P1 and P2 comparison.
Simplified comparison table Defender for Endpoint plans.
|Feature/Capability||Defender for Business|
|Defender for Endpoint Plan 1|
(for enterprise customers)
|Defender for Endpoint Plan 2|
(for enterprise customers)
|Threat & vulnerability management||✅||❌||✅|
|Attack surface reduction capabilities||✅||✅||✅|
|Endpoint detection and response||✅||❌||✅|
|Automated investigation and response||✅||❌||✅|
|Threat hunting and six months of data retention||❌||❌||✅|
|Device timeline events||❌||❌||✅|
|Threat analytics||Optimized for small and medium-sized businesses||❌||✅|
(Windows, macOS, iOS, and Android OS)
|Microsoft Threat Experts||❌||❌||✅|
|Microsoft 365 Lighthouse integration|
(For viewing security incidents across customer tenants)
|Stream events to Sentinel||✅||✅||✅|
|Web Content Filtering||Limited||✅||✅|
Defender for Cloud vs Defender for Endpoint
Now the most asked question; what is the difference between Defender for Cloud and Defender for Endpoint and how is Defender for Cloud interacting with Defender for Endpoint?
Microsoft Defender for Endpoint and Microsoft Defender for Cloud are entirely two different products. Microsoft Defender for Cloud is a solution for cloud security posture management (CSPM) and cloud workload protection (CWP). Microsoft Defender for Endpoint can be integrated with Defender for Cloud.
When paying Defender for Servers Plan 2 or Defender for Servers Plan 1; the license of Defender for Endpoint is available and machines will be automatically onboarded when correctly configured.
When you have Microsoft Defender for Severs Plan 1, it includes Microsoft Defender for Endpoint Plan 2.
By integrating Defender for Endpoint with Defender for Cloud, it gives the following benefits:
- Automated onboarding
- Azure Arc (On-Prem) can be easily deployed using Defender for Cloud
- The Defender for Cloud portal pages display Defender for Endpoint alerts
More information in one of the upcoming parts.
Let’s explain quickly the main components part of Defender for Endpoint in this overview blog part.
NOTE: All features will be explained more in-depth in the next part of the series.
Threat & Vulnerability management
Threat & Vulnerability Management (TVM) is based on my option one of the most important features in Defender for Endpoint and shows continuous real-time TVM discovery. Good to know TVM part of Defender for Endpoint is included in the Defender SENSE/ EDR services, which gives no additional software installation or configuration. Prioritization is based on the actual threat landscape.
Defender Vulnerability Management rapidly and continuously prioritizes vulnerabilities and provides security recommendations to mitigate the risk.
Currently, multiple vulnerability management offerings are available for Defender for Endpoint.
- Defender Vulnerability Management core capabilities
- Defender Vulnerability Management add-on
- Defender Vulnerability Management Standalone
Microsoft Defender Vulnerability Management offerings
As already explained; Microsoft Defender supports multiple offerings for Microsoft Defender Vulnerability Management. Currently, there are the following offerings available:
Defender for Endpoint P2:
- Core TVM capabilities included
Add-on for Defender for Endpoint P2:
- Defender Vulnerability Management add-on
Defender Vulnerability Management Standalone
- Full vulnerability management capabilities
Simplified comparison table Defender for Endpoint Vulnerability Management offerings.
|Feature/Capability||Core Vulnerability management (MDE P2)||Defender Vulnerability Management add-on for MDE P2||Defender Vulnerability Management Standalone|
|Device Discovery||✅||Included in core||✅|
|Device inventory||✅||Included in core||✅|
|Vulnerability assessment||✅||Included in core||✅|
|Risk-based prioritization||✅||Included in core||✅|
|Remediation tracking||✅||Included in core||✅|
|Continuous monitoring||✅||Included in core||✅|
|Software assessment||✅||Included in core||✅|
|Security baselines assessment||❌||✅||✅|
|Block vulnerable applications||❌||✅||✅|
|Digital certificate assessment||❌||✅||✅|
|Network share analysis||❌||✅||✅|
Attack Surface Reduction
Attack Surface Reduction (ASR) is a large set of features in the Defender product focussing on reducing the attack surface of the devices.
Attack Surface Reduction rules are a good example where for example obfuscated suspicious script can be blocked or persistence through WMI event subscription. ASR is really powerful in reducing the available attack paths for attackers.
- HW-based isolation
- Exploit protection
- Network protection
- Controlled folder access
- Device control
- Web protection
- Ransomware protection
- Attack Surface Reduction rules
- Application control
Next-Generation Protection (NGP) is the Defender Antivirus part of Defender for Endpoint. It is not only focussing on traditional signature-based protection. Next-Generation protection is focussing heavily on cloud-based protection/ machine learning in-depth threat research and big-data analysis. Cloud-delivered protection, behavior monitoring (Execution behavior), and collaboration with EDR are heavily available.
Image source: Microsoft
Next-Generation Protection starts years ago in the Microsoft landscape. It started all with Security Essentials and System Center Endpoint Protection (SCEP). Recently Microsoft released the new unified agent for Server 2012R2 and Server 2016 systems. Now all recent platforms include the Next-generation protection feature. The following features are part of the next-generation protection services:
- Real-time antivirus protection
- Cloud-delivered protection
Cloud Protections works directly with new (cloud)-based technologies that work together with data in the Microsoft Intelligent Security Graph and artificial intelligence-driven machine learning models. Part of Cloud protection is Cloud metadata, sample data, sandbox data, and big data based on signals across Microsoft.
Endpoint Detection & Response
Next-Generation protection/ Defender Antivirus is mostly based on Pre-Execution blocking. When Defender Antivirus allowed the file to run and it turned out to be malicious, the EDR sensor alerted any suspicious activities based on the SENSE services. EDR gives Post-Execution insights and shows visibility into the full scope of the attack flow. Defender EDR evaluates endpoint-system-level behaviors and applies data analytics to detect suspicious behaviors. Defender for Endpoint continuously collects behavior cyber telemetry. Data can be used for up to 6 months for advanced threat hunting and data correlation based on identity and other product data. The language part of the hunting schema is KQL/Kusto Query Language
Endpoint Detection & Response contains a large number of features in Defender for Endpoint. For example; Investigation experience, response actions, detections, indicators, Advance Hunting, and many more features.
Automated Investigation and response
Automated investigation and response (AIR) is part of Defender for Endpoint. Automated investigation and response uses inspection algorithms to examine alerts, determine whether the threat requires action, and perform necessary remediation actions on affected machines from the alert context.
The automated investigations run locally on the device and perform multiple actions based on file, network, process, and other information. Based on the findings automated investigations can automatically remediate malicious items and threats and automatically close the alert/incident.
Multiple levels of automation are available which makes it flexible and ask for approvals when needed. Ideally, automated Investigations run completely automatically based on the full automated device level without any user input. The full automated device level runs 24/7 which increases the security posture massively.
Microsoft Threat experts
Microsoft provides multiple managed services based on Microsoft Defender. Microsoft Threat Experts enabled the following features:
- Microsoft Threat Experts – Targeted attack notification provides proactive hunting for the most important threats to your network, including human adversary intrusions, hands-on-keyboard attacks, or advanced attacks like cyber espionage.
- Microsoft Threat Experts – Experts on Demand enables the option to connect with Microsoft security experts directly from the Microsoft 365 Defender console. Experts provide more in-depth investigation for alerts which gives additional clarification on alerts.
More detailed information later in this blog series. Discuss the eligibility requirements with your Microsoft Technical Service provider and account team. Microsoft Threat Experts – Experts on Demand is an additional service.
Additional information; Microsoft announced recently new managed services:
- Microsoft Defender Experts for Hunting
- Microsoft Defender Experts for XDR
- Microsoft Security Services for Enterprises
Unmanaged devices are most of the time a weak point in the corporate network/ environment and are optional targets. With the current situation more and more BYOD devices are connected to the enterprise network environment. With the new Defender for Endpoint Discovery functionality, it is possible to scan and protect the corporate network for unmanaged devices. In each environment, there are multiple devices like IoT devices, printers, network devices, unmanaged devices, scanners, and many more. Asset discovery is part of Threat and Vulnerability management.
Device discovery uses onboarded endpoints to actively probe, or scan your network to discover unmanaged devices. Asset discovery is supported for the following “unmanaged” devices:
- Enterprise endpoints (Windows, Linux,macOS, iOS, and Android) that are not yet onboarded to Microsoft Defender for Endpoint
- Network devices (routers and switches)
- IoT devices
An interesting part of Asset discovery is to find unmanaged client devices which are not onboarded in Defender for Endpoint. Defender for Endpoint device inventory shows all devices which are not onboarded or not supported.
Microsoft Defender for Endpoint is a complete platform part of the Microsoft Defender platform and supports multiple integrations.
Important to know each customer’s Defender for Endpoint instance is completely separate and only used for the customer. Currently, data storage is possible with a maximum of six months (Defender for Endpoint P2) and supports storage in the following locations:
More in-depth explanations about the integrations will be explained in the next section. Below are some of the available integrations:
- Microsoft Sentinel
- Defender for Cloud
- Microsoft Information Protection (Endpoint DLP)
- PowerBI/ SIEM connector
- Microsoft Endpoint Manager
- Microsoft Defender integrations
As written above; Defender for Endpoint contains a large set of features. The following key points are increasing the security posture massively. Of course; all points will be explained in the next parts in more detail. Below gives an idea of what is coming in the next sections and a reference point for a complete MDE configuration.
- Use centralized management (MEM) or Unified MDE management), alternatively when MEM is not possible GPO, MECM, or PowerShell. Centralized management makes exclusions management easier.
- Configure Cloud Protection/ Next-Generation Protection
- Optimize Next-Generation protection/ Defender AV (local admin merge, Cloud Block Level, Extended Timeout, Signature interval)
- Use Automated Investigation and remediation for automated response and automatically clean systems and remove malicious files
- Enable Always remediate PUA for blocking Potentially unwanted applications which are detected as PUA
- Enable EDR in block mode when third-party AV is configured
- Enable Tamper Protection tenant-wide for enabling tamper protection globally and protect tampering with Defender.
- Enable Targeted Attack Notification for more in-depth notifications
- Onboard additional Attack Surface Reduction features in audit and ideally block
- Configure Compliance policies when using MEM for blocking non-compliant devices ( risk-level)
- Integrate with Defender for Cloud Apps for deeper visibility in cloud apps and shadow IT based on MDE-detected traffic
- Enable custom network indicators for blocking IOCs from various sources
- Report Defender status using Advanced Hunting, TVM, and/or PowerBI
- Define Device Groups for information insights ( location, country/ type e.d) and selective scoping of exclusions
- Hunt and research the data using Advanced Hunting and Threat and Vulnerability Management
- Follow-up/ follow-up and follow-up based on TVM, Alerts, and data.
Microsoft Defender for Endpoint (MDE) is a big topic with various products/ services and features. There is a large list of community work and official Microsoft information sources.
- Microsoft Security Twitter
- Microsoft Defender for Endpoint Tech community (Activity)
- Microsoft Defender for Endpoint Tech community (Blogs)
- Microsoft Defender for Endpoint Ninja training
- Microsoft Defender for Endpoint Virtual Ninja Training
- Microsoft Learn path – Microsoft Defender for Endpoint
Probably forgot to add a lot, ping me when there are more good community resources. Below are some good sources for MDE and MDE-inspired KQL.
- Ru Campbell / Campbell.scot
- Fabian Bader / Cloudbrothers.info
- Derk van der Woude / Medium
- Sami Lamppu / Samilamppu.com
- Olaf Hartong
- Jan Geisbauer
- Thijs Lecomte
- Stefan Schörling
- Matt Zorich
- Kevin Beaumont
- Thomas Naunheim
- Pawel Partyka
- Gianni/ Kustoking
- Alex Verboon
Part 1 of the Microsoft Defender for Endpoint series is completed – focussed on the general explanation and function explanation in Microsoft Defender for Endpoint. Stay tuned for the next parts; where more in-depth knowledge and experience will be shared around Defender for Endpoint focussing on configuration, design decisions, validating, evaluating, troubleshooting, and more.
Searching for specific Defender for Endpoint information? Use the contact submission form and share the post ideas or contact using Linkedin or Twitter. I will take all suggestions into the Defender for Endpoint series and help the community as far as possible.