The Microsoft Defender Ecosystem
Microsoft Defender is not a single product; it is a family of integrated security products that cover endpoints, email, identity, cloud apps, and cloud infrastructure. Together they form Microsoft Defender XDR (Extended Detection and Response), a unified security platform in which alerts from every product are correlated into one incident view.
| Product | Protects | Included In |
|---|---|---|
| Defender for Endpoint | Laptops, desktops, servers | Business Premium, E3+MDE addon |
| Defender for Office 365 | Email, Teams, SharePoint links | Business Premium, E3+MDO addon |
| Defender for Identity | Active Directory and Entra ID | Business Premium, E5 |
| Defender for Cloud Apps | SaaS applications | Business Premium, E5 |
| Defender for Cloud | Azure workloads | Separate Azure subscription |
Microsoft 365 Business Premium includes Defender for Endpoint, Defender for Office 365 Plan 1, and Defender for Cloud Apps. For most SMBs this is the highest-value licence bundle available.
Defender for Endpoint
Core capabilities
- Endpoint Detection and Response (EDR): behavioural detection of attacker techniques (credential dumping, suspicious script execution, lateral movement tooling), not just malware signatures
- Automated Investigation and Remediation (AIR): investigates alerts automatically and contains threats; the configured automation level decides whether remediation runs immediately or waits for an analyst's approval
- Attack Surface Reduction (ASR) rules: block specific attacker techniques at the OS level, for example Office applications spawning child processes or credential theft from LSASS; run a new rule in audit mode first, review the events, then switch it to block
- Threat and Vulnerability Management (now Microsoft Defender Vulnerability Management): continuous inventory of vulnerable software and misconfigurations on enrolled devices, with no scheduled scans required
- Device isolation: remotely cut a compromised device off from the network with a single click, while it keeps its connection to the Defender service so investigation can continue
Deployment
- Onboard via Microsoft Intune: policy-based deployment; on current Windows releases the Defender sensor is built into the OS, so onboarding configures it rather than installing a separate agent (macOS and Linux do need the Defender package installed)
- Supported on Windows, macOS, Linux, iOS, and Android
- Tamper protection: locks key settings (real-time protection, cloud-delivered protection, the antivirus service itself) so that an attacker, or a local administrator, cannot switch Defender off after compromise
- Alert visibility in the Microsoft 365 Defender portal (security.microsoft.com), now branded the Microsoft Defender portal
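The following script is an added example, not code from the original page or from Microsoft: it checks, on one Windows device, the settings the list above describes (onboarding state, tamper protection, real-time and cloud protection, and two ASR rules), and optionally adds missing ASR rules in audit mode. It assumes an elevated PowerShell session on Windows 10/11 or Windows Server with the built-in Defender module; the two rule GUIDs are Microsoft's published identifiers for the LSASS and Office child-process rules, and the registry path is the one the onboarding package writes.

```powershell
# Added example, not from the original page: local Defender for Endpoint posture check.
# Run elevated. Without -Enforce nothing is changed; with it, unconfigured ASR rules
# are added in audit mode so their events can be reviewed before switching to block.
param([switch]$Enforce)

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# 1. OnboardingState = 1 is written once the device registers with Defender for Endpoint.
$mdeKey    = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$onboarded = (Get-ItemProperty -Path $mdeKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState -eq 1

# 2. Settings an attacker tries to turn off after compromise.
$findings = [System.Collections.Generic.List[string]]::new()
if (-not $onboarded)                        { $findings.Add('Device is not onboarded to Defender for Endpoint') }
if (-not $status.IsTamperProtected)         { $findings.Add('Tamper protection is off') }
if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
if ($status.AMRunningMode -ne 'Normal')     { $findings.Add("Antimalware running mode is '$($status.AMRunningMode)', expected Normal") }
if ($pref.MAPSReporting -eq 0)              { $findings.Add('Cloud-delivered protection (MAPS) is off') }

# 3. ASR rules. Action values: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn.
$wantedRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office applications from creating child processes'
}
$ruleIds     = @($pref.AttackSurfaceReductionRules_Ids)
$ruleActions = @($pref.AttackSurfaceReductionRules_Actions)
foreach ($id in $wantedRules.Keys) {
    $action = 0
    for ($i = 0; $i -lt $ruleIds.Count; $i++) {
        if ($ruleIds[$i] -ieq $id) { $action = $ruleActions[$i] }
    }
    switch ($action) {
        1 { }  # Block: as intended
        2 { $findings.Add("ASR '$($wantedRules[$id])' is in audit mode, not blocking") }
        default {
            $findings.Add("ASR '$($wantedRules[$id])' is not configured")
            if ($Enforce) {
                # Add-MpPreference appends one rule without overwriting the existing list.
                Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
            }
        }
    }
}

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    Onboarded       = $onboarded
    TamperProtected = [bool]$status.IsTamperProtected
    EngineVersion   = $status.AMEngineVersion
    SignatureAgeDays = $status.AntivirusSignatureAge
    Findings        = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
}
```

On an Intune-managed device the ASR settings should come from policy, not from this script: a locally added rule is overwritten at the next policy sync, so treat -Enforce as a lab or break-glass option and fix the Intune profile for production fleets.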
Defender for Office 365
Plan 1 (Business Premium)
- Safe Links: URL scanning and time-of-click verification, so a link is re-checked when the user clicks it rather than only when the message was delivered; covers links in Teams messages and Office documents as well as email
- Safe Attachments: detonate attachments in a cloud sandbox before delivery; Dynamic Delivery lets the message body arrive while the attachment is still being analysed
- Anti-phishing with impersonation protection: protect named users (CEO, CFO) and your own domains from lookalike sender names and addresses
- Spoof intelligence: identify and block senders spoofing your domains or external domains, using SPF, DKIM and DMARC results
Plan 2 (E5 or addon)
- Attack simulation training (formerly Attack Simulator): send simulated phishing emails to staff, measure click and credential-submission rates, and assign training to those who fall for them
- Threat Explorer: investigate and hunt for threats across all email in your tenant, including delivery actions and post-delivery verdict changes
- Automated investigation and response: automatically investigate and contain email-based threats, for example by removing a message from every mailbox that received it
- Priority account protection: enhanced protection and reporting for VIP users
Safe Links time-of-click protection catches attacks that traditional secure email gateways miss: links that are clean at delivery but weaponised before the user clicks. It only applies to recipients in scope of a Safe Links policy, so check the policy's recipient conditions; users not covered by any custom policy fall under the Built-in protection preset, which enables Safe Links with default settings but cannot be tuned.
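The following is an added example, not configuration from the original page or from Microsoft: it creates the Plan 1 controls listed above (Safe Links, Safe Attachments, impersonation protection and spoof intelligence) with Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds the Security Administrator role; the domain, policy names and the two protected executives are placeholders to replace.

```powershell
# Added example, not from the original page: Defender for Office 365 Plan 1 policies
# via Exchange Online PowerShell. Placeholders: contoso.example and the two executives.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$domain = 'contoso.example'
# TargetedUsersToProtect entries use the form "DisplayName;SMTPAddress".
$execs  = @('Alice Example;alice@contoso.example', 'Bob Example;bob@contoso.example')

# Safe Links: rewrite URLs in mail flow and re-check them at click time, in Teams and
# Office documents too. AllowClickThrough $false stops users overriding a block verdict.
New-SafeLinksPolicy -Name 'SL-AllUsers' `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -AllowClickThrough $false -TrackClicks $true
New-SafeLinksRule -Name 'SL-AllUsers' -SafeLinksPolicy 'SL-AllUsers' -RecipientDomainIs $domain

# Safe Attachments: detonate before delivery; Block drops the message when the sandbox
# verdict is malicious (use -Action DynamicDelivery to deliver the body while scanning).
New-SafeAttachmentPolicy -Name 'SA-AllUsers' -Enable $true -Action Block -Redirect $false
New-SafeAttachmentRule -Name 'SA-AllUsers' -SafeAttachmentPolicy 'SA-AllUsers' -RecipientDomainIs $domain

# Anti-phishing: impersonation protection for named users and the tenant's own domains,
# mailbox intelligence, and spoof intelligence. Failed composite authentication goes to Junk.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $execs `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSpoofIntelligence $true -AuthenticationFailAction MoveToJmf `
    -PhishThresholdLevel 2

# Verify scope and the protected-user list before signing off.
Get-SafeLinksRule | Format-Table Name, State, RecipientDomainIs
Get-SafeAttachmentRule | Format-Table Name, State, RecipientDomainIs
Get-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' |
    Format-List EnableTargetedUserProtection, TargetedUsersToProtect, EnableSpoofIntelligence
```

A tenant that simply wants Microsoft's recommended values can instead turn on the Standard or Strict preset security policy in the Defender portal; the explicit policies above are for organisations that need their own click-through, redirect or exception settings.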
Defender for Identity
Defender for Identity protects Active Directory and Entra ID from identity-based attacks: credential theft, lateral movement, privilege escalation, and persistence techniques. It works from network traffic and event logs captured on the domain controllers themselves, so it sees attacks that never touch an endpoint agent.
What it detects
- Pass-the-Hash and Pass-the-Ticket: a stolen NTLM hash or Kerberos ticket reused from a different machine than the one it was issued to
- Kerberoasting: service tickets requested for SPN accounts (often many at once, or with weak RC4 encryption) so that the service account password can be cracked offline
- DCSync: a non-domain-controller account invoking directory replication to pull password hashes from a domain controller
- Suspicious lateral movement: credentials used on machines the user does not normally access
- Reconnaissance: enumeration of domain users, groups, and admin accounts over SAM-R, LDAP and DNS
- Suspicious admin account creation and changes to sensitive group membership
Deployment
- Install the sensor on all domain controllers (on-premises AD); sensors are also available for AD FS and AD CS servers, which attackers target for token and certificate theft
- Entra ID integration: cloud identity signals (Entra ID Protection risk detections) are correlated automatically
- Alerts surface in the Microsoft 365 Defender portal as part of the unified incident view, joined to the endpoint and email alerts for the same user
Defender for Cloud Apps
Defender for Cloud Apps provides visibility into which SaaS applications are in use across your organisation, including apps you have not approved, and controls over how corporate data is used in those apps.
Key capabilities
- Shadow IT discovery: identify all cloud apps in use from firewall and proxy logs, or from Defender for Endpoint network telemetry on managed devices without any log collector
- App risk assessment and governance: score each app against the cloud app catalogue (compliance certifications, data handling, breach history) and sanction, unsanction, or block high-risk apps
- Session policies: control what users can do in cloud apps (download, print, copy) from unmanaged devices, with the session proxied through Defender for Cloud Apps via Conditional Access app control
- File scanning: scan files in SharePoint, OneDrive, Box, Google Drive for sensitive data
- Anomaly detection: alert on impossible travel, mass download, suspicious admin activity
Most businesses are using 50 to 150 SaaS applications they have not formally approved. Defender for Cloud Apps identifies them and assesses their risk; you may find employees using file sharing services that violate your data handling policy.
Microsoft 365 Defender Portal: Unified Investigations
The Microsoft 365 Defender portal (security.microsoft.com) correlates alerts across all Defender products into unified incidents, so a phishing email, the credential it stole, the lateral movement that followed, and the endpoint it landed on all appear as a single incident rather than four unrelated alerts in four consoles.
- Incident queue: prioritised view of all active incidents across all Defender products
- Incident graph: visual representation of the attack chain, with the automated investigation and remediation actions taken on each entity
- Advanced Hunting: query across all security data (email, endpoint, identity and cloud app tables) using KQL for threat hunting, and turn a query into a custom detection rule
- Threat analytics: Microsoft intelligence reports on active attack campaigns, matched against your exposure and configuration
- Secure Score: aggregate posture metric across identity, devices, data, apps, and infrastructure, with the recommended actions behind each point
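The following is an added example, not code from the original page or from Microsoft: an Advanced Hunting query that follows the cross-product chain described above (a phishing link that was clean at delivery, the Safe Links click, and a script host launched from the user's browser or mail client on an endpoint shortly after), run from PowerShell through the Microsoft Graph security API. It assumes the Microsoft.Graph.Authentication module is installed and the signed-in account has the ThreatHunting.Read.All permission; the table and column names are from the documented Advanced Hunting schema, while the lists of browsers and script hosts and the one-hour window are the example's own choices.

```powershell
# Added example, not from the original page: run an Advanced Hunting query via Graph.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'ThreatHunting.Read.All'

# Safe Links clicks (blocked, or clicked through) on links that had no threat verdict at
# delivery, joined to script hosts the same user launched from a browser/mail client
# within one hour. Process lists and window are assumptions for this example.
$kql = @'
let lookback = 7d;
let scriptHosts = dynamic(["powershell.exe","pwsh.exe","mshta.exe","wscript.exe","cscript.exe","cmd.exe","rundll32.exe","regsvr32.exe"]);
let browsers = dynamic(["msedge.exe","chrome.exe","firefox.exe","outlook.exe","ms-teams.exe","teams.exe"]);
UrlClickEvents
| where Timestamp > ago(lookback)
| where ActionType in ("ClickBlocked", "ClickBlockedByTenantPolicy") or IsClickedThrough == true
| project ClickTime = Timestamp, AccountUpn, Url, ActionType, IsClickedThrough, NetworkMessageId
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(lookback)
    | distinct NetworkMessageId, SenderFromAddress, Subject, ThreatTypes
) on NetworkMessageId
| where isempty(ThreatTypes)
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName in~ (browsers) and FileName in~ (scriptHosts)
    | project ProcTime = Timestamp, AccountUpn, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName
) on AccountUpn
| where ProcTime between (ClickTime .. (ClickTime + 1h))
| project ClickTime, AccountUpn, SenderFromAddress, Subject, Url, ActionType, IsClickedThrough,
          DeviceName, ProcTime, InitiatingProcessFileName, FileName, ProcessCommandLine
| order by ClickTime desc
'@

$response = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
    -Body (@{ Query = $kql } | ConvertTo-Json) -ContentType 'application/json'

# Each result row is a hashtable keyed by column name.
$hits = @($response.results | ForEach-Object { [pscustomobject]$_ })
$hits | Format-Table ClickTime, AccountUpn, DeviceName, FileName, Url -AutoSize
"$($hits.Count) click(s) followed by a script host launch within one hour"
```

The same query pasted into Advanced Hunting in the portal can be saved as a custom detection rule, so every future match opens an alert in the incident queue instead of waiting for someone to rerun the script.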
De4sec monitors the Microsoft 365 Defender portal as part of our managed security service, reviewing incidents, triaging alerts, and responding to threats on behalf of clients.