Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint

Note

Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. We've also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage.

Learn more about the recent renaming of Microsoft security services.

Microsoft Defender for Endpoint is a holistic, cloud-delivered endpoint security solution. Its main features are:

  • Risk-based vulnerability management and assessment
  • Attack surface reduction
  • Behavior-based and cloud-powered protection
  • Endpoint detection and response (EDR)
  • Automatic investigation and remediation
  • Managed hunting services

Tip

Originally launched as Windows Defender ATP, this Endpoint Detection and Response (EDR) product was renamed in 2019 as Microsoft Defender ATP.

At Ignite 2020, we launched the Microsoft Defender for Cloud XDR suite and this EDR component was renamed Microsoft Defender for Endpoint.

Availability

Release state:
  • Integration with Defender for Endpoint for Windows - General availability (GA)
  • Integration with Defender for Endpoint for Linux - General availability (GA)

Pricing: Requires Microsoft Defender for servers

Supported environments:
  • Azure Arc machines running Windows/Linux
  • Azure VMs running Linux (supported versions)
  • Azure VMs running Windows Server 2022, 2019, 2016, 2012 R2, 2008 R2 SP1, Windows Virtual Desktop (WVD), Windows 10 Enterprise multi-session (formerly Enterprise for Virtual Desktops (EVD))
  • Azure VMs running Windows 10 (other than EVD or WVD)

Required roles and permissions:
  • To enable/disable the integration: Security admin or Owner
  • To view Defender for Endpoint alerts in Defender for Cloud: Security reader, Reader, Resource Group Contributor, Resource Group Owner, Security admin, Subscription owner, or Subscription Contributor

Clouds:
  • Commercial clouds
  • Azure Government
  • Azure China 21Vianet

Benefits of integrating Microsoft Defender for Endpoint with Defender for Cloud

Microsoft Defender for Endpoint provides:

  • Advanced post-breach detection sensors. Defender for Endpoint's sensors collect a vast array of behavioral signals from your machines.

  • Vulnerability assessment from the Microsoft threat and vulnerability management solution. With Microsoft Defender for Endpoint enabled, Defender for Cloud can show vulnerabilities discovered by the threat and vulnerability management module and also offer this module as a supported vulnerability assessment solution. Learn more in Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability management.

    This module also brings the software inventory features described in Access a software inventory and can be automatically enabled for supported machines with the auto deploy settings.

  • Analytics-based, cloud-powered, post-breach detection. Defender for Endpoint quickly adapts to changing threats. It uses advanced analytics and big data. It's amplified by the power of the Intelligent Security Graph with signals across Windows, Azure, and Office to detect unknown threats. It provides actionable alerts and enables you to respond quickly.

  • Threat intelligence. Defender for Endpoint generates alerts when it identifies attacker tools, techniques, and procedures. It uses data generated by Microsoft threat hunters and security teams, augmented by intelligence provided by partners.

By integrating Defender for Endpoint with Defender for Cloud, you'll benefit from the following extra capabilities:

  • Automated onboarding. Defender for Cloud automatically enables the Defender for Endpoint sensor on all supported machines connected to Defender for Cloud.

  • Single pane of glass. The Defender for Cloud portal pages display Defender for Endpoint alerts. To investigate further, use Microsoft Defender for Endpoint's own portal pages where you'll see additional information such as the alert process tree and the incident graph. You can also see a detailed machine timeline that shows every behavior for a historical period of up to six months.

    Microsoft Defender for Endpoint's own Security Center

What are the requirements for the Microsoft Defender for Endpoint tenant?

When you use Defender for Cloud to monitor your machines, a Defender for Endpoint tenant is automatically created.

  • Location: Data collected by Defender for Endpoint is stored in the geo-location of the tenant as identified during provisioning. Customer data - in pseudonymized form - may also be stored in the central storage and processing systems in the United States. After you've configured the location, you can't change it. If you have your own license for Microsoft Defender for Endpoint and need to move your data to another location, contact Microsoft support to reset the tenant.
  • Moving subscriptions: If you've moved your Azure subscription between Azure tenants, some manual preparatory steps are required before Defender for Cloud will deploy Defender for Endpoint. For full details, contact Microsoft support.

Enable the Microsoft Defender for Endpoint integration

Prerequisites

Confirm that your machine meets the necessary requirements for Defender for Endpoint:

  1. Ensure the machine is connected to Azure and the internet as required.

  2. Enable Microsoft Defender for servers. See Quickstart: Enable Defender for Cloud's enhanced security features.

    Important

    Defender for Cloud’s integration with Microsoft Defender for Endpoint is enabled by default. So when you enable enhanced security features, you give consent for Microsoft Defender for servers to access the Microsoft Defender for Endpoint data related to vulnerabilities, installed software, and alerts for your endpoints.

  3. If you've moved your subscription between Azure tenants, some manual preparatory steps are also required. For full details, contact Microsoft support.

Enable the integration

  1. From Defender for Cloud's menu, select Environment settings and select the subscription with the Windows machines that you want to receive Defender for Endpoint.

  2. Select Integrations.

  3. Select Allow Microsoft Defender for Endpoint to access my data, and select Save.

    Enable the integration between Microsoft Defender for Cloud and Microsoft's EDR solution, Microsoft Defender for Endpoint

    Microsoft Defender for Cloud will automatically onboard your machines to Microsoft Defender for Endpoint. Onboarding might take up to 24 hours.

Access the Microsoft Defender for Endpoint portal

  1. Ensure the user account has the necessary permissions. Learn more in Assign user access to Microsoft Defender Security Center.

  2. Check whether you have a proxy or firewall that is blocking anonymous traffic. The Defender for Endpoint sensor connects from the system context, so anonymous traffic must be permitted. To ensure unhindered access to the Defender for Endpoint portal, follow the instructions in Enable access to service URLs in the proxy server.

  3. Open the Defender for Endpoint Security Center portal. Learn more about the portal's features and icons, in Defender for Endpoint Security Center portal overview.

Send a test alert

To generate a benign test alert from Defender for Endpoint, select the tab for the relevant operating system of your endpoint:

For endpoints running Windows:

  1. Create a folder 'C:\test-MDATP-test'.

  2. Use Remote Desktop to access your machine.

  3. Open a command-line window.

  4. At the prompt, copy and run the following command. The command prompt window will close automatically.

    powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe'); Start-Process 'C:\\test-MDATP-test\\invoice.exe'

    A command prompt window with the command to generate a test alert.

    If the command is successful, you'll see a new alert on the workload protection dashboard and the Microsoft Defender for Endpoint portal. This alert might take a few minutes to appear.

  5. To review the alert in Defender for Cloud, go to Security alerts > Suspicious PowerShell CommandLine.

  6. From the investigation window, select the link to go to the Microsoft Defender for Endpoint portal.

    Tip

    The alert is triggered with Informational severity.

FAQ - Microsoft Defender for Cloud integration with Microsoft Defender for Endpoint

What's this "MDE.Windows" / "MDE.Linux" extension running on my machine?

In the past, Microsoft Defender for Endpoint was provisioned by the Log Analytics agent. When we expanded support to include Windows Server 2019 and Linux, we also added an extension to perform the automatic onboarding.

Defender for Cloud automatically deploys the extension to machines running:

  • Windows Server 2019.
  • Windows 10 Virtual Desktop (WVD).
  • Other versions of Windows Server if Defender for Cloud doesn't recognize the OS version (for example, when a custom VM image is used). In this case, Microsoft Defender for Endpoint is still provisioned by the Log Analytics agent.
  • Linux.
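Onboarding is asynchronous (the article says it can take up to 24 hours) and, as the list above shows, not every onboarded machine carries an MDE.* extension: older Windows Server builds are provisioned through the Log Analytics agent instead. The following added example (not Microsoft's code) takes a per-VM inventory in the shape of `az vm extension list` output (name, publisher, typePropertiesType, provisioningState) and sorts machines into onboarded, failed, agent-only and missing so that gaps can be chased. The inventory is constructed, and the publisher name `Microsoft.Azure.AzureDefenderForServers` is an assumption; the extension names MDE.Windows and MDE.Linux come from the article.

```python
"""Coverage check for the Defender for Endpoint extension (added example).

Works over a constructed inventory in the per-VM shape of
`az vm extension list -g <rg> -n <vm> -o json`, plus each VM's OS type.
"""
import json

# Assumed publisher of the MDE.* extensions (not stated on the page).
MDE_PUBLISHER = "Microsoft.Azure.AzureDefenderForServers"
# Extension expected per OS, per the article's FAQ.
EXPECTED_EXTENSION = {"Windows": "MDE.Windows", "Linux": "MDE.Linux"}
# Log Analytics agent extension; on older Windows Server builds the article
# says Defender for Endpoint is provisioned through this agent instead.
LA_AGENT_TYPE = "MicrosoftMonitoringAgent"

# Constructed sample inventory covering the four situations we care about.
SAMPLE_INVENTORY = json.loads("""
[
  {"vm": "web-01", "os": "Windows", "extensions": [
      {"name": "MDE.Windows", "publisher": "Microsoft.Azure.AzureDefenderForServers",
       "typePropertiesType": "MDE.Windows", "provisioningState": "Succeeded"}]},
  {"vm": "db-01", "os": "Linux", "extensions": [
      {"name": "MDE.Linux", "publisher": "Microsoft.Azure.AzureDefenderForServers",
       "typePropertiesType": "MDE.Linux", "provisioningState": "Failed"}]},
  {"vm": "legacy-01", "os": "Windows", "extensions": [
      {"name": "MicrosoftMonitoringAgent", "publisher": "Microsoft.EnterpriseCloud.Monitoring",
       "typePropertiesType": "MicrosoftMonitoringAgent", "provisioningState": "Succeeded"}]},
  {"vm": "app-02", "os": "Linux", "extensions": []}
]
""")


def classify_vm(entry):
    """Return 'onboarded', 'failed', 'la_agent_only' or 'missing' for one VM.

    'la_agent_only' means a Windows machine with only the Log Analytics agent:
    it may still be onboarded via the agent path, so it needs a manual check
    rather than being treated as a hard gap.
    """
    wanted = EXPECTED_EXTENSION[entry["os"]]
    types_present = {ext["typePropertiesType"] for ext in entry["extensions"]}
    for ext in entry["extensions"]:
        if ext["typePropertiesType"] == wanted and ext["publisher"] == MDE_PUBLISHER:
            return "onboarded" if ext["provisioningState"] == "Succeeded" else "failed"
    if entry["os"] == "Windows" and LA_AGENT_TYPE in types_present:
        return "la_agent_only"
    return "missing"


def onboarding_report(inventory):
    """Group VM names by onboarding status; 'failed' and 'missing' are the
    machines to revisit after the onboarding window has elapsed."""
    report = {"onboarded": [], "failed": [], "la_agent_only": [], "missing": []}
    for entry in inventory:
        report[classify_vm(entry)].append(entry["vm"])
    return report


if __name__ == "__main__":
    for status, vms in onboarding_report(SAMPLE_INVENTORY).items():
        print(f"{status:14s}: {', '.join(vms) or '-'}")
```

A 'failed' provisioning state is worth checking first, since the extension was attempted and did not complete; 'missing' entries on supported OS versions usually mean the machine is not yet connected to the subscription where the integration was enabled, or the 24-hour window has not passed.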

Important

If you delete the MDE.Windows extension, it will not remove Microsoft Defender for Endpoint. To offboard, see Offboard Windows servers.

What are the licensing requirements for Microsoft Defender for Endpoint?

Defender for Endpoint is included at no extra cost with Microsoft Defender for servers. Alternatively, it can be purchased separately for 50 machines or more.

If I already have a license for Microsoft Defender for Endpoint, can I get a discount for Microsoft Defender for servers?

If you've already got a license for Microsoft Defender for Endpoint for Servers (purchased through an Office E5 explicit "Defender for Endpoint Servers" license), you won't have to pay for that part of your Microsoft Defender for servers license. Learn more about this license.

To request your discount, contact Defender for Cloud's support team. You'll need to provide the relevant workspace ID, region, and number of Microsoft Defender for Endpoint licenses applied for machines in the given workspace.

The discount will be effective starting from the approval date, and won't take place retroactively.

How do I switch from a third-party EDR tool?

Full instructions for switching from a non-Microsoft endpoint solution are available in the Microsoft Defender for Endpoint documentation: Migration overview.

Next steps