Microsoft 365 Defender

What is Microsoft 365 Defender?

Microsoft 365 Defender is an integrated platform including multiple Microsoft security solutions. It includes the following products:

  • Defender for Endpoint—an endpoint detection and response (EDR) platform that enables threat prevention, breach detection, automated investigation and response.

  • Defender for Office 365—protects against threats in collaboration tools, emails, and malicious links.

  • Defender for Identity—identifies and investigates compromised identities and malicious insiders. For identities managed on-premises, the solution integrates with Azure Directory Domain Services. For identities in the cloud, it is provided as an integral part of Azure Active Directory (Azure AD), called Azure AD Identity Protection.

  • Defender for Cloud Apps—provides security for SaaS and cloud applications, providing visibility, data controls, and advanced threat protection.


Diagram Description automatically generated

Source: Microsoft Ignite YouTube Channel

We’ll cover each of these services in more detail, and discuss how the Microsoft 365 Defender suite integrates with Microsoft Sentinel, Microsoft’s security information and event management (SIEM) solution.

Microsoft 365 Defender Services

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is an EDR platform that helps enterprise networks detect, prevent, respond to advanced threats, and perform investigations. Its capabilities are built into Microsoft’s Azure cloud services and the Windows 10 operating system.

Here are key features of Microsoft Defender for Endpoint:

  • Endpoint behavioral sensors—these sensors gather behavioral signals from the Windows 10 operating system. The data is processed and transmitted to a private, isolated, cloud instance of Microsoft Defender for Endpoint.

  • Cloud security analytics—the solution takes data from Microsoft optics throughout the entire Windows ecosystem. It uses device-learning and big-data to translate signals into detections and insights, and offers recommended responses to threats.

  • Threat intelligence—Microsoft hunters and security teams generate threat intelligence using Microsoft insights alongside third-party information. Defender for Endpoint uses this intelligence to identify attacker techniques, procedures, and tools. Once the solution observes these indicators of attack in collected sensor data, it generates alerts.


Learn more in our detailed guide to Microsoft Defender for Endpoint.

Microsoft Defender for Office 365

This is a cloud-based service offering email filtering and investigation features. The service aims to protect organizations against threats to collaboration and email tools, such as phishing, malware attacks, and business email compromise. It also offers hunting and remediation capabilities that can help teams identify, investigate, prioritize, and respond to threats.

Here are several ways to use Defender for Office 365 for message protection:

  • Filtering-only scenarios for on-premises deployments—the solution offers cloud-based email protection for on-premises SMTP email solutions like Microsoft Exchange Server.

  • Protect cloud mailboxes for mailboxes hosted in the cloud—you can use the solution to protect Exchange Online cloud-hosted mailboxes by enabling this option.

  • Control mail routing for hybrid deployments—you can configure the solution to protect a messaging environment consisting of cloud and on-premises mailboxes. You can use Exchange Online Protection for inbound email filtering and control mail routing.


Learn more in our detailed guide to Microsoft Defender for Office 365.

Microsoft Defender for Identity

This cloud-based security solution uses on-premises Azure AD signals to detect and investigate compromised identities, advanced threats, and malicious insiders. You can use this solution to protect hybrid environments.

Microsoft Defender for Identity lets you monitor users and entity behavior using learning-based analytics and store user identities and credentials in Azure AD. Using the insights provided by the solution, you can identify and investigate suspicious activities and respond quickly to threats.

Learn more in our detailed guide toMicrosoft Defender for Identity.

Microsoft Defender for Cloud Apps

This cloud access security broker (CASB) solution supports several deployment modes, including API connectors, reverse proxy, and log collection. It offers extended visibility and control over data flow.

The solution offers centralized management, simple deployment, and automation capabilities. It includes advanced analytics to help you identify and respond to threats across all cloud services. It supports third-party vendors but integrates natively with Microsoft solutions.

Microsoft 365 Defender Architecture

Microsoft 365 Defender automatically collects, correlates, and analyzes threat, alert, and signal data from the Microsoft 365 ecosystem, including email, endpoints, identities, and applications. The solution employs artificial intelligence (AI) and automation to stop attacks and perform remediation.

Core Components

The diagram below visualizes high-level architecture for notable Microsoft 365 Defender integrations and components.

Timeline Description automatically generated

Image Source: Microsoft

Combined and shared signals

Microsoft 365 Defender aggregates signals from all Defender components. The solution shares aggregated signals with the entire Defender ecosystem, which uses this information to provide the following:

  • A unified incident queue.

  • Automated response to stop an attack.

  • Self-healing for compromised resources like user identities, mailboxes, and devices.

  • Cross-threat hunting.

  • Threat analytics.


Protection for email and collaboration tools

Microsoft 365 Defender protects against various threats posed by links (URLs), collaboration tools, and email messages. It collects signals from these activities and shares them with the Microsoft 365 Defender ecosystem. The solution integrates with Exchange Online Protection (EOP) to protect all incoming emails and attachments.

Identity protection for hybrid environments

Microsoft Defender for Identity helps protect hybrid identity environments. The service collects and uses signals from servers running Active AD FS and on-premises Active AD DS. It can help protect against actors attempting to move laterally by using compromised accounts. You can also integrate with Azure AD Identity Protection to evaluate sign-in risks and implement conditional access policies.

Defending data flows

Microsoft Defender for Cloud Apps helps protect data flowing between cloud apps and the environment. Defender for Cloud Apps collects signals from sanctioned and unsanctioned cloud apps to protect the data flowing between the corporate environment and the apps.

How it Works

The illustration below shows an attack attempt mitigated by the Microsoft 365 Defender suite:

Timeline Description automatically generated with low confidence

Image Source: Microsoft

The illustration shows the common steps of phishing schemes. It typically starts with a phishing email that arrives at the inbox of a certain user, typically an employee of the organization. The user is unaware of the malicious content, opens the email attachment, and accidentally installs malicious software (malware) on the device.

Once installed, the malware attempts to perform the actions it was programmed to do, such as stealing sensitive data. However, Defender for Office 365 can mitigate this attack at various phases, using its suite of defenders. Here are the main capabilities Defender for Office 365 uses to protect against phishing schemes:

  • Exchange Online Protection—this feature of Microsoft Defender for Office 365 aims to detect phishing emails. It uses mail flow rules to ensure a phishing email cannot arrive in the inbox, blocking the phishing attack before it can trick users.

  • Safe attachments—this Defender for Office 365 feature tests attachments to determine their safety. If the feature determines the attachment is harmful, it does not allow the user to perform actions on the mail. Alternatively, policies may prevent the mail from arriving at the inbox.

  • Defender for Endpoint—this EDR solution manages devices connected to the network. It can detect network and device vulnerabilities to prevent exploitation.

  • Defender for Identity—this solution can detect sudden account changes and high-risk lateral movement. It also reports on identity issues that can be easily exploited, such as unconstrained Kerberos delegation.

  • Microsoft Defender for Cloud Apps—this solution can detect anomalous behavior and report these events to your security team. It can detect abnormal activities like credential access, impossible travel, and unusual downloads and file shares. It can also identify abnormal mail forwarding activities.

Microsoft 365 Defender integration with Microsoft Sentinel

Microsoft Sentinel is a security information and event manager (SIEM) platform you can integrate with the 365 Defender. Incident integration enables you to stream incidents directly from Microsoft 365 Defender into Microsoft Sentinel while all incidents remain synchronized within both portals.

Here are key benefits of using implementing incident integration:

  • Context—incidents information from Microsoft 365 Defender, including alerts and entities, provide the context needed for triaging and preliminary investigations in Microsoft Sentinel.

  • Visibility—incident integration provides the required visibility to manage Microsoft 365 security incidents in the Microsoft Sentinel portal. It lets you add Microsoft 365 security incidents to the primary incident queue. It helps you see and correlate Microsoft 365 Defender incidents alongside incidents in all other systems across different clouds and on-premise environments.

  • Centralization—incidents in Microsoft Sentinel are bi-directionally synchronized with Microsoft 365 Defender. You can view all of this information in both portals and the Azure portal for incident investigation and response. As a result, you can leverage capabilities offered by all portals.


Learn more in our detailed guide to Azure Sentinel (renamed to Microsoft Sentinel).