Integrate Microsoft Defender for Endpoint with Azure Defender (MDE Series)
In this Microsoft Defender for Endpoint (MDE) series, we’re going to show, configure, discuss, and simulate how Microsoft Defender for Endpoint can integrate and how it works with other Microsoft security control.
The Microsoft Defender for Endpoint integration can be integrated with Microsoft Cloud App Security (MCAS), Microsoft Defender for Endpoint (MDI), Microsoft Defender for Office 365 (MDO), Azure Sentinel, Azure Defender, and with other security controls.
The previous blog-post focused on integrating Microsoft Defender for Endpoint with Microsoft Cloud App Security. For more information, visit the post: Integrate Microsoft Defender for Endpoint with MCAS (MDE Series)
This blog post focuses on Microsoft Defender for Endpoint (MDE) integration with Azure Defender (Azure Security Center) and some tips from the field.
Concepts and acronyms for Microsoft Defender platforms:
Microsoft Defender for Endpoint (MDE), previously known as Microsoft Defender for ATP (MDATP)
Microsoft Defender for Identity (MDI), previously known as Azure ATP (AATP)
Microsoft Defender for Office 365 (MDO), previously known as Office 365 ATP (OATP)
Microsoft 365 Defender (M365D), previously known as Microsoft Threat Protection (MTP)
Azure Defender is an evolution of the threat-protection technologies in Azure Security Center, protecting Azure and hybrid environments. With this announcement, we are rebranding the offerings previously called advanced threat protection services in Azure Security Center as Azure Defender
For more information about Azure Defender and its threat protection, visit the announcement: Introducing Azure Defender and Azure Security Center updates.
Before integrating Microsoft Defender for Endpoint with Azure Security Center, lets’ describe some of the security control and components for each platform.
Microsoft Defender for Endpoint (MDE)
Microsoft Defender for Endpoint is a holistic, cloud-delivered endpoint security solution. Its main features are:
- Risk-based vulnerability management and assessment
- Attack surface reduction
- Behavioral-based and cloud-powered protection
- Endpoint detection and response (EDR)
- Automatic investigation and remediation
- Managed hunting services
Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to assist enterprise networks in preventing, detecting, investigating, and respond to advanced threats.
Microsoft Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks, identify data breaches, automates security incidents, and improves security posture.
That enables your users to access cloud services and on-premises applications with ease and allows modern management, including remote work capabilities for all devices.
We can use many advanced features such as Threat & Vulnerability Management, Attack surface reduction in the security features. Next-generation protection, Endpoint detection and response, and Automated investigation and remediation.
Microsoft Defender for Endpoint protects many platforms and devices, such as Windows Server, Windows Client, macOS, Linux, iOS, and Android.
The advantages of comprehensive protection are providing end-to-end identification and investigation for all KillChain processes from email to device in one place.
One of the great features that we can achieve is integrating Microsoft Defender for Endpoint with other security controls and components and providing end-to-end security. That means an enterprise can secure communication and data travel between applications and employees.
This diagram shows the Microsoft Defender for Endpoint service architecture.
For more information about Microsoft Defender Advanced Threat Protection – Windows security
Azure Security Center provides complete visibility and control for the multi-cloud workloads scenario and the hybrid scenario, including Azure, AWS, and GCP. The visibility and control, including compute, storage, identities, application, PaaS, and more.
The main pillars of Azure Security Center cover the two broad pillars of cloud security: CSPM and CWPP.
Cloud security posture management (CSPM) – Security Center is available for free to all Azure users.
The free experience includes CSPM features such as secure score, detection of security misconfigurations in your Azure machines, asset inventory, and more. Use these CSPM features to strengthen your hybrid cloud posture and track compliance with built-in policies.
Cloud Workload Protection Platforms (CWPP) – Security Center’s integrated cloud workload protection platform (CWPP), Azure Defender, brings advanced, intelligent protection of your Azure and hybrid resources and workloads.
Enabling Azure Defender brings a range of additional security features as described on this page.
In addition to the built-in policies, you can add custom policies and initiatives when you’ve enabled any Azure Defender plan. You can add regulatory standards – such as NIST and Azure CIS – as well as the Azure Security Benchmark for a truly customized view of your compliance.
Azure Defender is an evolution of the threat-protection technologies in Azure Security Center, protecting Azure and hybrid clouds protection.
Based on this data feed, Security Center uses machine learning models to identify and flag malicious traffic activities. Security Center also uses the Microsoft Threat Intelligence database to enrich IP addresses.
Microsoft Defender for Endpoint & Azure Defender
The integration between Microsoft Defender for Endpoint and Azure Defender provides beneficial features that allow you to protect broader environments such as Azure, AWS, hybrid, and other third-party clouds.
Microsoft Defender for Endpoint with Azure Defender provides:
Advanced post-breach detection sensors – Defender for Endpoint’s sensors for Windows machines collect a vast array of behavioral signals.
Threat intelligence – Defender for Endpoint, generates alerts when it identifies attacker tools, techniques, and procedures. It uses data generated by Microsoft threat hunters and security teams, augmented by intelligence provided by partners.
Analytics-based, cloud-powered, post-breach detection– Defender for Endpoint quickly adapts to changing threats.
It uses advanced analytics and big data. It’s amplified by the Intelligent Security Graph’s power with signals across Windows, Azure, and Office to detect unknown threats. It provides actionable alerts and enables you to respond quickly.
Automated onboarding – Security Center automatically enables the Microsoft Defender for Endpoint sensor for all Windows servers monitored by Security Center. Except for those running Windows Server 2019, which must be onboarded via a local script, GPO, or SCCM.
One console – The Azure Defender console displays Microsoft Defender for Endpoint alerts.
Moreover, to investigate, use Microsoft Defender for Endpoint portal where you’ll see additional information such as the alert story with useful information and the incident graph. You can also see a detailed machine timeline that shows every behavior for a historical period of up to six months.
How to integrate MDE with Azure Defender
The MDE and Azure Defender integration is simple, straightforward. It can be done quickly, and once the integration is set on both MDE and Azure Defender side, you can start to work with the dashboard and run a simulation.
- Microsoft Defender for Endpoint license
- Windows 10 Supported Operating System
- Overview of Azure Defender and the available plans
To integration MDE with Azure Defender, do the following actions:
Azure Defender Side
On Azure Defender blade (on Azure Security Center), choose the relevant subscription from pricing & settings.
Make sure Azure Defender is on (standard license), and if not, set Azure Defender on and save.
TIP: the Threat protection for Azure VMs and non-Azure servers (including server EDR) is the important settings for the integration
Once Azure Defender is on, go to Threat detection and make the integration for Microsoft Defender is checked.
Besides, you can make sure that Auto provision is enabled for existing and new servers.
Once the integration is done from the Azure Defender side, you can go to the Microsoft Defender for Endpoint console and check on the device list of the Azure VMs.
Microsoft Defender for Endpoint and Azure Defender are completely different security controls. Still, integrating both of them provides a single pane of management to monitor your devices and investigate.