MICROSOFT DEFENDER ECOSYSTEM

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs.

Contents

DEFENDER FOR CLOUD

DEFENDER FOR ENDPOINT (clients and servers)

DEFENDER AV

DEFENDER FOR IDENTITY

DEFENDER FOR CLOUD APPS (CASB)

MICROSOFT SENTINEL

MICROSOFT INTUNE (why not defender for devices??)

DEFENDER FOR IOS

DEFENDER FOR ANDROID

DEFENDER FOR MacOS

LICENSING

 

DEFENDER FOR CLOUD


Microsoft Defender for Cloud - an introduction | Microsoft Docs

 


 

 

Defender for Cloud is a tool for security posture management and threat protection. It strengthens the security posture of your cloud resources, and with its integrated Microsoft Defender plans, Defender for Cloud protects workloads running in Azure, hybrid, and other cloud platforms.

  • Secure Score
  • Security Recommendations
  • Security Alerts
  • Posture Management
    • Cloud Security Posture
      • visibility
      • hardening guidance
    • Cloud workload protection
      • Microsoft Threat Intelligence
    • Just-In-Time VM Access
    • Vulnerability Assessment (ex: Qualys, integrated in Defender for Servers)
    • Asset inventory
    • Integration with Microsoft Sentinel SIEM

 

You can enable it on the following resources:

  • Microsoft Defender for servers
    • Defender for Servers requires an agent on each protected machine:
      • VM extension on Azure
      • MMA (Microsoft Monitoring Agent)
      • AMA (Azure Monitor Agent) through Azure Arc for on-prem machines (currently in Private Preview)
    • Also includes Defender for Endpoint (except for Azure China)
  • Microsoft Defender for Storage
  • Microsoft Defender for SQL
  • Microsoft Defender for Containers
  • Microsoft Defender for App Service
  • Microsoft Defender for Key Vault
  • Microsoft Defender for Resource Manager
  • Microsoft Defender for DNS
  • Microsoft Defender for open-source relational databases
  • Microsoft Defender for Azure Cosmos DB (Preview)
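Each of the plans above is switched on per subscription by setting its pricing tier. The following PowerShell script is an added example (not code from the original post or from Microsoft) that audits which plans are enabled on the current subscription using the Az.Security module's Get-AzSecurityPricing and Set-AzSecurityPricing cmdlets. The mapping from the plan names in the list to the API plan names (VirtualMachines, StorageAccounts, and so on) is this script's own assumption; confirm it against the output of Get-AzSecurityPricing in your tenant.

```powershell
# Added example (not from the original post): audit which Microsoft Defender for Cloud plans
# are enabled on the current Azure subscription and, optionally, enable the missing ones.
# Requires the Az.Accounts and Az.Security modules and an existing Connect-AzAccount session.
#Requires -Modules Az.Accounts, Az.Security

param(
    # Set to $true to move plans that are still on the "Free" tier to "Standard" (the paid plan).
    [bool]$Remediate = $false
)

# API plan names (Get-AzSecurityPricing -Name) for the plans listed in the post.
# ASSUMPTION: this mapping is the script author's; verify it on your own tenant.
$expectedPlans = [ordered]@{
    'VirtualMachines'               = 'Defender for Servers'
    'StorageAccounts'               = 'Defender for Storage'
    'SqlServers'                    = 'Defender for SQL'
    'Containers'                    = 'Defender for Containers'
    'AppServices'                   = 'Defender for App Service'
    'KeyVaults'                     = 'Defender for Key Vault'
    'Arm'                           = 'Defender for Resource Manager'
    'Dns'                           = 'Defender for DNS'
    'OpenSourceRelationalDatabases' = 'Defender for open-source relational databases'
    'CosmosDbs'                     = 'Defender for Azure Cosmos DB'
}

$context = Get-AzContext
if (-not $context) { throw 'Run Connect-AzAccount (and Set-AzContext) first.' }
Write-Host "Subscription: $($context.Subscription.Name) ($($context.Subscription.Id))"

# Current pricing tier per plan, as reported by Defender for Cloud.
$current = @{}
Get-AzSecurityPricing | ForEach-Object { $current[$_.Name] = $_.PricingTier }

$report = foreach ($apiName in $expectedPlans.Keys) {
    $tier = if ($current.ContainsKey($apiName)) { $current[$apiName] } else { 'NotFound' }
    [pscustomobject]@{
        Plan        = $expectedPlans[$apiName]
        ApiName     = $apiName
        PricingTier = $tier
        Enabled     = ($tier -eq 'Standard')
    }
}

$report | Sort-Object Enabled, Plan | Format-Table -AutoSize

# Plans that exist in this subscription but are not on the Standard tier.
$disabled = @($report | Where-Object { -not $_.Enabled -and $_.PricingTier -ne 'NotFound' })
if ($disabled.Count -gt 0 -and $Remediate) {
    foreach ($plan in $disabled) {
        Write-Host "Enabling $($plan.Plan) ($($plan.ApiName)) ..."
        Set-AzSecurityPricing -Name $plan.ApiName -PricingTier 'Standard' | Out-Null
    }
} elseif ($disabled.Count -gt 0) {
    Write-Warning "$($disabled.Count) plan(s) are still on the Free tier; re-run with -Remediate `$true to enable them."
}
```

Run it once without parameters to get a read-only report; only pass -Remediate $true after you have checked that the subscription is the one you intend to change, since enabling a plan starts billing for it.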

 

DEFENDER FOR ENDPOINT (clients and servers)

 

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide


 

 

Deploying Microsoft Defender for Endpoint is a two-step process.

  • Onboard devices to the service
  • Configure capabilities of the service

 

Microsoft Defender for Endpoint includes next-generation protection to reinforce the security perimeter of your network. Next-generation protection was designed to catch all types of emerging threats. In addition to Microsoft Defender Antivirus, your next-generation protection services include the following capabilities:

 

In general, to onboard devices to the service:

 

  • Verify that the device fulfils the minimum requirements
  • Depending on the device, follow the configuration steps provided in the onboarding section of the Defender for Endpoint portal
  • Use the appropriate management tool and deployment method for your devices
  • Run a detection test to verify that the devices are properly onboarded and reporting to the service
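Before running the detection test from the portal, it is worth confirming locally that the sensor and Defender Antivirus are in the state the onboarding steps should have left them in. The script below is an added example (not code from the original post or from Microsoft) for a Windows 10 / Windows Server 2016 or later device. The Sense service name and the OnboardingState and SenseId registry values are the ones Microsoft documents for Defender for Endpoint; the pass/fail thresholds (for example, signatures less than three days old) are this script's own assumptions.

```powershell
# Added example (not from the original post): check that a Windows device is onboarded to
# Defender for Endpoint and that Defender Antivirus is healthy. Run in an elevated session.

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# 1. The Sense service (the Defender for Endpoint sensor) must exist and be running.
$sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
$senseDetail = if ($sense) { "Status=$($sense.Status), StartType=$($sense.StartType)" } else { 'service not found' }
Add-Check 'Sense service running' ($null -ne $sense -and $sense.Status -eq 'Running') $senseDetail

# 2. OnboardingState is written by the onboarding script/policy (1 = onboarded).
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$state = (Get-ItemProperty -Path $statusKey -Name 'OnboardingState' -ErrorAction SilentlyContinue).OnboardingState
Add-Check 'OnboardingState = 1' ($state -eq 1) "OnboardingState=$state"

# 3. SenseId is the device identity assigned once the sensor has registered with the service.
$atpKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection'
$senseId = (Get-ItemProperty -Path $atpKey -Name 'SenseId' -ErrorAction SilentlyContinue).SenseId
$idDetail = if ($senseId) { "SenseId=$senseId" } else { 'no SenseId yet' }
Add-Check 'SenseId present' (-not [string]::IsNullOrEmpty($senseId)) $idDetail

# 4. Defender Antivirus: service enabled, real-time protection on, signatures recent.
#    ASSUMPTION: the 3-day freshness threshold is this script's choice, not a Microsoft requirement.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    Add-Check 'AV service enabled'   $mp.AMServiceEnabled          "AMRunningMode=$($mp.AMRunningMode)"
    Add-Check 'Real-time protection' $mp.RealTimeProtectionEnabled "Enabled=$($mp.RealTimeProtectionEnabled)"
    $ageDays = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).TotalDays
    Add-Check 'Signatures < 3 days old' ($ageDays -lt 3) ('Last updated {0:yyyy-MM-dd HH:mm}' -f $mp.AntivirusSignatureLastUpdated)
} else {
    Add-Check 'Defender AV status readable' $false 'Get-MpComputerStatus unavailable (Defender module missing or non-Windows host)'
}

$results | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.Passed }).Count -gt 0) {
    Write-Warning 'One or more checks failed; fix these before running the detection test from the Defender for Endpoint portal.'
    exit 1
}
Write-Host 'Device looks onboarded; run the portal detection test to confirm it is reporting to the service.'
```

The script exits non-zero on any failed check, so it can be dropped into a Configuration Manager or Intune compliance script and the output collected centrally rather than read by hand.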

 

Defender for Endpoint uses the following combination of technologies built into Windows 10:

  • Endpoint behavioural "sensors" (Windows 10, Windows Server 2016 and later)
  • Cloud security analytics
  • Threat intelligence

 

P.S. Defender for Endpoint is included in Defender for Servers (except for Azure China).

 

DEFENDER AV

 

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide

 


 

Microsoft Defender Antivirus is available in Windows 10 and Windows 11, and in versions of Windows Server.

 

Microsoft Defender Antivirus is a major component of your next-generation protection in Microsoft Defender for Endpoint.

 

Microsoft Defender Antivirus is built into Windows, and it works with Microsoft Defender for Endpoint to provide protection on your device and in the cloud.

 

 

DEFENDER FOR IDENTITY

 

  • Install the sensor package on DCs and ADFS servers (download the package from the Sensors section of the portal: https://security.microsoft.com -> Settings - Identities - Sensors)
  • https://*instancename*.atp.azure.com or https://security.microsoft.com (portal for Microsoft 365 Defender, Defender for Identity and Defender for Endpoint)

 


 

 

  • Monitor users, entity behaviour, and activities with learning-based analytics
  • Protect user identities and credentials stored in Active Directory
  • Identify and investigate suspicious user activities and advanced attacks throughout the kill chain
  • Provide clear incident information on a simple timeline for fast triage

 

DEFENDER FOR CLOUD APPS (CASB)

 

https://docs.microsoft.com/en-us/defender-cloud-apps/what-is-defender-for-cloud-apps

 


 

https://portal.cloudappsecurity.com

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that supports various deployment modes including log collection, API connectors, and reverse proxy.

 

CASBs do this by discovering and providing visibility into Shadow IT and app use, monitoring user activities for anomalous behaviours, controlling access to your resources, providing the ability to classify and prevent sensitive information leak, protecting against malicious actors, and assessing the compliance of cloud services.

 

As an organization, you need to protect your users and confidential data from the different methods employed by malicious actors. In general, CASBs should help you do this by providing a wide array of capabilities that protect your environment across the following pillars:

 

  • Visibility: detect all cloud services; assign each a risk ranking; identify all users and third-party apps able to log in
  • Data security: identify and control sensitive information (DLP); respond to sensitivity labels on content
  • Threat protection: offer adaptive access control (AAC); provide user and entity behaviour analysis (UEBA); mitigate malware
  • Compliance: supply reports and dashboards to demonstrate cloud governance; assist efforts to conform to data residency and regulatory compliance requirements

 

  • Discover and control the use of Shadow IT
  • Protect your sensitive information anywhere in the cloud
  • Protect against cyberthreats and anomalies
  • Assess the compliance of your cloud apps

 

MICROSOFT SENTINEL

 

What is Microsoft Sentinel? | Microsoft Docs

 

Microsoft Sentinel is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for attack detection, threat visibility, proactive hunting, and threat response.

 


 

To onboard Microsoft Sentinel, you first need to connect to your security sources.

Microsoft Sentinel comes with several connectors for Microsoft solutions, available out of the box and providing real-time integration. These include Microsoft 365 Defender (formerly Microsoft Threat Protection) solutions and Microsoft 365 sources such as Office 365, Azure AD, Microsoft Defender for Identity (formerly Azure ATP), Microsoft Defender for Cloud Apps, and more. In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions. You can also use Common Event Format, Syslog or the REST API to connect your data sources to Microsoft Sentinel.

For more information, see Find your data connector.
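To see at a glance which of the first-party connectors above are actually wired into a workspace, the following PowerShell script is an added example (not code from the original post or from Microsoft) that lists the data connectors on a Sentinel workspace with the Az.SecurityInsights module's Get-AzSentinelDataConnector cmdlet and flags the Microsoft sources that are not yet connected. The connector Kind strings are the ones used by the Sentinel REST API; the resource group and workspace names are placeholders, and the mapping of Kind to product name is this script's own assumption.

```powershell
# Added example (not from the original post): report which first-party Microsoft data
# connectors are configured on a Microsoft Sentinel workspace.
# Requires the Az.Accounts and Az.SecurityInsights modules and a Connect-AzAccount session.
#Requires -Modules Az.Accounts, Az.SecurityInsights

param(
    # PLACEHOLDERS: replace with the resource group and Log Analytics workspace that host Sentinel.
    [string]$ResourceGroupName = 'rg-sentinel-placeholder',
    [string]$WorkspaceName     = 'law-sentinel-placeholder'
)

# Connector kinds (as used by the Sentinel REST API) for the Microsoft sources named in the post.
# ASSUMPTION: the mapping to product names is the script author's.
$expected = [ordered]@{
    'AzureActiveDirectory'                      = 'Azure AD'
    'Office365'                                 = 'Office 365'
    'AzureAdvancedThreatProtection'             = 'Microsoft Defender for Identity (formerly Azure ATP)'
    'MicrosoftCloudAppSecurity'                 = 'Microsoft Defender for Cloud Apps'
    'MicrosoftDefenderAdvancedThreatProtection' = 'Microsoft Defender for Endpoint'
    'AzureSecurityCenter'                       = 'Microsoft Defender for Cloud'
    'MicrosoftThreatProtection'                 = 'Microsoft 365 Defender'
}

$connectors   = @(Get-AzSentinelDataConnector -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName)
$presentKinds = @($connectors | ForEach-Object { $_.Kind } | Sort-Object -Unique)

Write-Host "Workspace $WorkspaceName has $($connectors.Count) connector(s): $($presentKinds -join ', ')"

$report = foreach ($kind in $expected.Keys) {
    [pscustomobject]@{
        Source    = $expected[$kind]
        Kind      = $kind
        Connected = ($presentKinds -contains $kind)
    }
}
$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.Connected })
if ($missing.Count -gt 0) {
    $names = ($missing | ForEach-Object { $_.Source }) -join '; '
    Write-Warning "Not yet connected: $names. Add them under Data connectors in the Sentinel portal (see Find your data connector)."
}
```

A connector being present does not by itself prove data is flowing; after connecting a source, confirm in the workspace that the corresponding table (for example SigninLogs for Azure AD) is receiving rows.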

 

MICROSOFT INTUNE (why not defender for devices??)

 

What is Microsoft Intune | Microsoft Docs

 

Although it is not part of the Defender ecosystem, I wanted to include Intune because it can be used to onboard some of the agents described above on devices, for example MDE, AV, firewall, etc.

 


 

Access through https://endpoint.microsoft.com

 

Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM).

 

You control how your organization’s devices are used, including mobile phones, tablets, and laptops.

With Intune, you can:

  • Choose to be 100% cloud with Intune or be co-managed with Configuration Manager and Intune.
  • Set rules and configure settings on personal and organization-owned devices to access data and networks.
  • Deploy and authenticate apps on devices -- on-premises and mobile.
  • Protect your company information by controlling the way users access and share information.
  • Be sure devices and apps are compliant with your security requirements.

 

DEFENDER FOR IOS

 

Microsoft Defender for Endpoint on iOS | Microsoft Docs

Licensing: Minimum requirements for Microsoft Defender for Endpoint | Microsoft Docs

Microsoft Defender for Endpoint on iOS offers protection against phishing and unsafe network connections from websites, emails, and apps. All alerts will be available through a single pane of glass in the Microsoft 365 Defender portal. The portal gives security teams a centralized view of threats on iOS devices along with other platforms.

For End Users

  • Microsoft Defender for Endpoint license assigned to the end user(s) of the app. See Microsoft Defender for Endpoint licensing requirements.
  • For enrolled devices:
    • Device(s) are enrolled via the Intune Company Portal app to enforce Intune device compliance policies. This requires the end user to be assigned a Microsoft Intune license.
    • The Intune Company Portal app can be downloaded from the Apple App Store. (Note: Apple does not allow redirecting users to download other apps from the App Store, so this step needs to be done by the user before onboarding to the Microsoft Defender for Endpoint app.)
  • Device(s) are registered with Azure Active Directory. This requires the end user to be signed in through the Microsoft Authenticator app.

System Requirements

  • iOS device running iOS 12.0 and above. iPads are also supported. Note that starting 31-March-2022, the minimum supported iOS version by Microsoft Defender for Endpoint will be iOS 13.0.
  • The device is either enrolled with the Intune Company Portal app or is registered with Azure Active Directory through Microsoft Authenticator with the same account.

 

DEFENDER FOR ANDROID

 

Microsoft Defender for Endpoint on Android | Microsoft Docs

Licensing: Minimum requirements for Microsoft Defender for Endpoint | Microsoft Docs

For end users:

  • Microsoft Defender for Endpoint license assigned to the end user(s) of the app. See Microsoft Defender for Endpoint licensing requirements
  • Intune Company Portal app can be downloaded from Google Play and is available on the Android device.
  • Additionally, device(s) can be enrolled via the Intune Company Portal app to enforce Intune device compliance policies. This requires the end user to be assigned a Microsoft Intune license.
  • For more information on how to assign licenses, see Assign licenses to users.

 

 

DEFENDER FOR MacOS

 

Microsoft Defender for Endpoint on Mac | Microsoft Docs

Licensing: Microsoft Defender for Endpoint on Mac | Microsoft Docs

System requirements

 

The three most recent major releases of macOS are supported.

  • 12 (Monterey), 11 (Big Sur), 10.15 (Catalina)
  • Disk space: 1GB

 

Beta versions of macOS are not supported.

 

macOS devices with M1 chip-based processors have been officially supported since version 101.40.84 of the agent.

 

After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.

 

LICENSING

Full Comparison: https://aka.ms/M365EnterprisePlans

 


 
