Protect your endpoints with Security Center's integrated EDR solution: Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is a holistic, cloud-delivered endpoint security solution. Its main features are:

  • Risk-based vulnerability management and assessment
  • Attack surface reduction
  • Behavior-based and cloud-powered protection
  • Endpoint detection and response (EDR)
  • Automatic investigation and remediation
  • Managed hunting services

Tip

Originally launched as Windows Defender ATP, this Endpoint Detection and Response (EDR) product was renamed in 2019 as Microsoft Defender ATP.

At Ignite 2020, we launched the Microsoft Defender XDR suite and this EDR component was renamed Microsoft Defender for Endpoint.

Availability

Release state: Generally available (GA)

Pricing: Requires Azure Defender for servers

Supported platforms:
  • Azure machines running Windows
  • Azure Arc machines running Windows

Supported versions of Windows:
  • Defender for Endpoint is built into Windows 10 1703 (and newer) and Windows Server 2019.
  • Security Center supports detection on Windows Server 2016, 2012 R2, and 2008 R2 SP1.
  • Server endpoint monitoring using this integration has been disabled for Office 365 GCC customers.

Required roles and permissions:
  • To enable/disable the integration: Security admin or Owner
  • To view MDATP alerts in Security Center: Security reader, Reader, Resource Group Contributor, Resource Group Owner, Security admin, Subscription owner, or Subscription Contributor

Clouds:
  • Supported: Commercial clouds; US Gov
  • Not supported: GCC customers running workloads in global Azure clouds; China Gov, Other Gov

Microsoft Defender for Endpoint features in Security Center

Microsoft Defender for Endpoint provides:

  • Advanced post-breach detection sensors. Defender for Endpoint's sensors for Windows machines collect a vast array of behavioral signals.

  • Analytics-based, cloud-powered, post-breach detection. Defender for Endpoint quickly adapts to changing threats. It uses advanced analytics and big data. It's amplified by the power of the Intelligent Security Graph with signals across Windows, Azure, and Office to detect unknown threats. It provides actionable alerts and enables you to respond quickly.

  • Threat intelligence. Defender for Endpoint generates alerts when it identifies attacker tools, techniques, and procedures. It uses data generated by Microsoft threat hunters and security teams, augmented by intelligence provided by partners.

By integrating Defender for Endpoint with Security Center, you'll benefit from the following additional capabilities:

  • Automated onboarding. Security Center automatically enables the Microsoft Defender for Endpoint sensor for all Windows servers monitored by Security Center (unless they're running Windows Server 2019).

  • Single pane of glass. The Security Center console displays Microsoft Defender for Endpoint alerts. To investigate further, use Microsoft Defender for Endpoint's own portal pages where you'll see additional information such as the alert process tree and the incident graph. You can also see a detailed machine timeline that shows every behavior for a historical period of up to six months.


Microsoft Defender for Endpoint tenant location

When you use Azure Security Center to monitor your servers, a Microsoft Defender for Endpoint tenant is automatically created. Data collected by Defender for Endpoint is stored in the geo-location of the tenant as identified during provisioning. Customer data - in pseudonymized form - may also be stored in the central storage and processing systems in the United States.

After you've configured the location, you can't change it. If you need to move your data to another location, contact Microsoft Support to reset the tenant.

Enabling the Microsoft Defender for Endpoint integration

  1. Enable Azure Defender for servers. See Pricing of Azure Security Center.

    Note

    To protect your Azure Arc enabled machines, use the instructions in Quickstart: Connect hybrid machine with Azure Arc enabled servers.

  2. If you've already licensed and deployed Microsoft Defender for Endpoint on your servers, remove it using the procedure described in Offboard Windows servers.

  3. From Security Center's menu, select Pricing & settings.

  4. Select the subscription you want to change.

  5. Select Threat detection.

  6. Select Allow Microsoft Defender for Endpoint to access my data, and select Save.


    Azure Security Center will automatically onboard your servers to Microsoft Defender for Endpoint. Onboarding might take up to 24 hours.
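    Once the onboarding window has passed, you can confirm on an individual server that the sensor is in place and registered. The following script is an added example, not part of this article or of Security Center itself; it assumes the Defender for Endpoint sensor runs as the Windows service named Sense and records its registration in the OnboardingState registry value, and that it is run in an elevated PowerShell session on the server.

```powershell
# Added example (not from the article): check that Security Center's automatic onboarding
# to Microsoft Defender for Endpoint has completed on this Windows server.
# Assumptions: the sensor service is named 'Sense' and its registration state is the
# OnboardingState value under the Windows Advanced Threat Protection\Status key.

function Test-MdeOnboarding {
    [CmdletBinding()]
    param()

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $result = [ordered]@{
        SenseServicePresent = $false
        SenseServiceRunning = $false
        OnboardingState     = $null
        Onboarded           = $false
    }

    # The sensor runs as the 'Sense' service; absent means the sensor was never enabled.
    $svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    if ($svc) {
        $result.SenseServicePresent = $true
        $result.SenseServiceRunning = ($svc.Status -eq 'Running')
    }

    # OnboardingState becomes 1 once the sensor has registered with the tenant.
    if (Test-Path -Path $statusKey) {
        $props = Get-ItemProperty -Path $statusKey -Name 'OnboardingState' -ErrorAction SilentlyContinue
        if ($props) {
            $result.OnboardingState = $props.OnboardingState
            $result.Onboarded       = ($props.OnboardingState -eq 1)
        }
    }

    [pscustomobject]$result
}

$status = Test-MdeOnboarding
$status | Format-List

if (-not $status.Onboarded) {
    # Onboarding can take up to 24 hours; an unsupported Windows version or a proxy that
    # blocks the sensor's system-context traffic are the usual reasons it never completes.
    Write-Warning 'Server is not yet onboarded to Microsoft Defender for Endpoint.'
}
```

    A server that reports SenseServiceRunning but OnboardingState other than 1 has the sensor installed but not registered, which typically points at the proxy or firewall requirements covered in the next section.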

Access the Microsoft Defender for Endpoint portal

  1. Ensure the user account has the necessary permissions. Learn more.

  2. Check whether you have a proxy or firewall that is blocking anonymous traffic. The Defender for Endpoint sensor connects from the system context, so anonymous traffic must be permitted. To ensure unhindered access to the Defender for Endpoint portal, follow the instructions in Enable access to service URLs in the proxy server.

  3. Open the Microsoft Defender Security Center portal. Learn more about the portal's features and icons, in Microsoft Defender Security Center portal overview.

Send a test alert

To generate a benign Microsoft Defender for Endpoint test alert:

  1. Create a folder 'C:\test-MDATP-test'.

  2. Use Remote Desktop to access either a Windows Server 2012 R2 VM or a Windows Server 2016 VM.

  3. Open a command-line window.

  4. At the prompt, copy and run the following command. The Command Prompt window will close automatically.

    powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe'); Start-Process 'C:\\test-MDATP-test\\invoice.exe'
    


  5. If the command is successful, you'll see a new alert on the Azure Security Center dashboard and the Microsoft Defender for Endpoint portal. This alert might take a few minutes to appear.

  6. To review the alert in Security Center, go to Security alerts > Suspicious PowerShell CommandLine.

  7. From the investigation window, select the link to go to the Microsoft Defender for Endpoint portal.

FAQ for Security Center's integrated Microsoft Defender for Endpoint

What are the licensing requirements for Microsoft Defender for Endpoint?

Defender for Endpoint is included at no additional cost with Azure Defender for servers. Alternatively, it can be purchased separately for 50 machines or more.

How do I switch from a third-party EDR tool?

Full instructions for switching from a non-Microsoft endpoint solution are available in the Microsoft Defender for Endpoint documentation: Migration overview.

Next steps