Blog | 26 August 2020

Identify, analyse and remediate: What is Microsoft 365 Defender?

Mat Richard profile headshot

Mathew Richards

Head of Mobility and Security

A ‘one-stop-shop’ for security incident management and remediation, here are the ins and outs of Microsoft’s top threat protection technologies.

Ever found yourself frustrated by the plethora of consoles required to manage Microsoft’s security technologies in the Cloud?

Well, I have some good news – Microsoft has listened!

There are many projects currently underway to significantly improve this challenge. If we look at the progress Microsoft has made with the security and compliance portals, we can start to see the fruits of their labour.

Add the Microsoft 365 Defender portal to this and we really start to see things stepping up a gear.

To be clear, Microsoft 365 Defender (previously known as Microsoft Threat Protection but rebranded by Microsoft in October 2020) is not just another portal that consolidates your security view. Whilst that is one of its functions, Microsoft 365 Defender is so much more than just another console.

Microsoft 365 Defender explained

Microsoft 365 Defender consolidates your view of security incidents across several technologies but also adds a whole host of deep correlation and automation capabilities.

This makes the life of a security analyst much more efficient and effective. Microsoft has been building the underlying foundations for Microsoft 365 Defender for quite some time now, bringing all of its security telemetry together in one place.

This foundation enables you to query a data set spanning multiple technologies.

I like to think of Microsoft 365 Defender as a collection of depth or specialist security tools – technologies that have a clearly defined focus within your environment.

Microsoft 365 Defender will help you run queries that can identify any or all of the following:

  • Machines infected with a specific payload.
  • Modified mailboxes.
  • Malicious activity and the identities involved.
  • Vulnerabilities caused by an exposed CVE.

How does Microsoft 365 Defender work?

Microsoft 365 Defender combines the telemetry and insights drawn from the following products:

  • Microsoft Defender for Office 365 (previously known as Office 365 Advanced Threat Protection)
  • Microsoft Defender for Identity (previously known as Azure Advanced Threat Protection)
  • Microsoft Defender for Endpoint (previously known as Microsoft Defender Advanced Threat Protection)
  • Microsoft Cloud App Security (MCAS)
  • Azure Identity Protection (AIdP)

Microsoft 365 Defender brings all these technologies together in one security operations console. Within the console, you can see how Microsoft 365 Defender correlates and provides insights from these technologies and apply relevant automated activities to address them.

Being able to mark an identity as compromised or perform actions against your endpoints allows you to apply a kind of ‘self-healing’ capability to affected entities.

These activities can then drive different behaviours when the user authenticates, be that blocking the user, enforcing MFA or directing the connection through a reverse proxy, for example.

Microsoft 365 Defender will continuously monitor activities across a wide range of entities, correlating signals to surface incidents that highlight suspicious activities.

Aligned closely to the MITRE ATT&CK framework, Microsoft 365 Defender clearly shows you where in the attack chain the activities contributing to the incident have occurred. These activities could highlight persistence, defence evasion or lateral movement.

As you can see below, a security incident raised by Microsoft 365 Defender shows you these tactics across the complete kill chain and provides supporting evidence.

A Microsoft Threat Protection incident report showing affected devices and users.

A Microsoft Threat Protection incident report showing affected devices and users.

With this visibility, you can quickly establish the magnitude of the issue and get a handle on it. You can see all the affected entities such as mailboxes, identities and devices with a view of their investigation priority.

You can also clearly see any investigations that have been triggered automatically through the automated incident response (AIR) engine. AIR can execute automated investigative activities to further understand the details and potentially mitigate the risk.

These can be fully automated or based on an approval workflow.

Microsoft Threat Protection investigation graph showing evidence, affected entities, devices and users during a security incident.

Microsoft Threat Protection investigation graph showing evidence, affected entities, devices and users during a security incident.

The insights provided by Microsoft 365 Defender will then flow into your overarching security incident and event management (SIEM) solution. Your SIEM can then perform further analysis and correlation across all the data consumed.

Microsoft 365 Defender and Azure Sentinel

As you would expect, Microsoft 365 Defender will have native integration with Azure Sentinel (Microsoft’s SIEM and SOAR offering) – easily enabled by a simple tick box!

No need to develop any custom data connectors here, you’ll be glad to hear. Using the insights of these depth/specialist tools within Sentinel provides valuable insights to identify the end-to-end attack chain.

This helps you see what’s affected and where to focus your attention to mitigate the risk. It’s all about visibility.

Diagram of azure sentinel, 365 defender and Azure security center

Without accurate, near-real-time visibility of activities across your entire environment, you are at risk of harbouring bad actors who will be waiting for the perfect moment to strike.

Future-proof security management

Microsoft 365 Defender delivers a far more efficient and effective way of managing threat incidents within your organisation and serves to enable your analysts to be able to quickly identify and remediate the threats discovered.

Driven by the native integration of multiple technologies and backed with sophisticated machine learning models, Microsoft 365 Defender should form an essential part of your overall security strategy.

Microsoft’s goal with Microsoft 365 Defender is to make it the ‘one-stop-shop’ for managing threat protection. Whilst there has been a significant amount of work already completed to make this a reality, there is still more for Microsoft to do.

Today, you can see and interact with the incidents that have been raised and get visibility into all the areas already discussed. On occasion, you will still need to enter the respective technology’s portal to gain a deeper understanding.

This is made easy for you from within Microsoft 365 Defender, but the eventual goal is to deliver everything you need from within the Microsoft 365 Defender portal itself.

Microsoft is engaged in an aggressive roadmap so expect to see many new capabilities being delivered across all the threat protection technologies over the coming months.

Microsoft 365 Defender licensing

Microsoft 365 Defender isn’t something that you need to install, it’s automatically enabled if you have one or more of the technologies that comprise Microsoft 365 Defender. You can access it if you have any of the following licenses or products:

  • Microsoft 365 E5 or A5
  • Microsoft 365 E5 Security or A5 Security
  • Windows 10 Enterprise E5 or A5
  • Enterprise Mobility + Security E5 or A5
  • Office 365 E5 or A5
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Cloud App Security
  • Microsoft Defender for Office 365

So, if you have any of the above, then you’re good to go. The Microsoft 365 Defender portal can be accessed here.


Now that you hopefully have a better understanding of Microsoft 365 Defender and its constituent parts, you can appreciate how Microsoft 365 Defender might benefit your security team. Attacks are becoming far more sophisticated and there is a real need to stay one step ahead.

The investment and commitment that Microsoft has made to security is impressive and, if anything, they’re gathering pace and continue to innovate on the technologies they offer.

So, Microsoft 365 Defender is a worthwhile investment for managing your security as the threat landscape continues to evolve.

Key takeaways

  • Microsoft 365 Defender will become your ‘one-stop-shop’ for managing threat protection.
  • It draws on all of Microsoft’s security technologies and telemetry.
  • Security incidents are clearly surfaced and highlight affected areas.
  • Microsoft 365 Defender allows for quick and effective threat response and mitigation.
  • It’s designed to integrate seamlessly with Azure Sentinel for additional detail and control
tag icon

Join the mailing list

Ready to ‘Become greater’?

When you sign up to our mailing list, you’ll get the best content, expert resources, and exclusive event invites sent directly to your inbox.

Mat Richard profile headshot


Mathew Richards

Mat is Kocho’s Head of Mobility and Security. He leads a team of consultants and architects that live and breathe secure transformation – delivering excellence across Microsoft 365 and Azure.

Butterfly overlay image

We’re here to help you on your journey towards becoming greater. Get in touch to find out how.