Section 3 – Mitigate endpoint threats by using Microsoft Defender for Endpoint

Welcome to the third section of my SC-200 study guide. First, the topics I did not have time to include in the last section; I will cover them in a different order, as in my opinion it makes more sense:

  • Configure Microsoft Defender for Cloud Apps to generate alerts and reports to detect threats
  • Identify, investigate, and remediate security risks by using Microsoft Defender for Cloud Apps

And then I will go through the following content:

  • Manage data retention, alert notification, and advanced features
  • Recommend security baselines for devices
  • Respond to incidents and alerts
  • Manage automated investigations and remediations
  • Assess and recommend endpoint configurations to reduce and remediate vulnerabilities by using Microsoft’s threat and vulnerability management solution
  • Manage endpoint threat indicators

Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides advanced security capabilities to protect cloud-based applications and services. It offers a range of deployment options, including log collection, API connectors, and reverse proxy, to provide comprehensive visibility and control over data movement and security threats.

With its advanced analytics and machine learning capabilities, Microsoft Defender for Cloud Apps can detect and respond to security threats in real time, helping organizations prevent data breaches, cyberattacks, and other security incidents.

Click the picture for licensing details of the different solutions. It will download a PDF file.

How does Defender for Cloud apps compare?

There are similar capabilities in different products; Microsoft has published comparisons so you can see the differences:

Defender for Cloud Apps vs Office 365 Cloud App Security

Microsoft Defender for Cloud Apps vs Cloud App Discovery

New home for the portal

First things first, have you seen that Defender for Cloud Apps has been integrated as part of Defender for Office 365? The feature is still in preview and could change before it goes GA, but it is an excellent step towards consolidating the different parts.

You can still open the old portal and do the setup there, but you are strongly advised to use the Defender for Office 365 portal.

Configure Microsoft Defender for Cloud Apps to generate alerts and reports to detect threats

Identity-based protection policies have been moved under Global alerts

You will find them here: https://security.microsoft.com/settings/mtp_settings/service_alert_settings

SMS alerts have been deprecated

But you can still get them by using Power Automate flows

Creating policies

To get alerts, you first need to create a policy

Or you can use predefined templates

These are the policy types you can choose from

Let’s use a file policy as an example

When creating a file policy, you have these templates ready to use

You can choose the sending domain and other filters. You can also preview the results to see which files trigger the policy.

You can then send the alerts as email and trigger a Power Automate flow, as mentioned earlier.

You can also apply governance actions based on the policy

Once the policy is created, you will see that its action is Alert, and you can also view all alerts from the same menu

Privileged user activity

You can also monitor other things, like privileged user logins. I will make it easy and

And put alerts on

If you want to see what “Cloud provider” means, you can open the address list here

There is a predefined list of public addresses

Once done, you will see the policy ready for action

Alerts

You will see the alerts both in the old portal and in the Defender for Office 365 portal

In the new one, you can see the source shown as Cloud Apps

I will not cover the old portal, only the new one. When you open the alert, you will see the details and the already created incident that it is linked to

When you scroll down on the right side, you will see the application and more information on the account that triggered the alert

You can also classify the alerts

What do the three options mean?

  • True positive: An alert on a confirmed malicious activity
  • Benign: An alert on a suspicious but not malicious activity, such as a penetration test or other authorized suspicious action
  • False positive: An alert on a non-malicious activity

Identify, investigate, and remediate security risks by using Microsoft Defender for Cloud Apps

Then to the hunting part: now we have the incident, so let’s see what is under it.

Incidents and remediation

When you click the incident link, you will be taken to the familiar Incident page

Under Users you can expand the User information page

From there you will see all the activities the user has done and their status in the organization

This includes their location and the activities done in that location; you can start a new query based on the location and see all the activities for all users

From the timeline, you will see all actions done by that specific user

From the incident main page, you can see Evidence and Response activities; in this case, all the details of the public IP address

You can add it to the Cloud Apps IP ranges

Or go hunt some more and also investigate the activity logs

Finally, you can assign it forward, with a reason, classification and comments

See here for the full documentation from Learn

Mitigate endpoint threats by using Microsoft Defender for Endpoint

Getting your trial

Microsoft has good material for the process

In short, just click the following link to get your 90-day, 25-seat trial

Another side note: you can also redirect to the Defender for Office 365 portal from Defender for Endpoint

Onboarding devices

The table below lists the onboarding tool options for each type of endpoint.

Endpoint         Tool options
Windows          Local script (up to 10 devices); Group Policy; Microsoft Endpoint Manager / Mobile Device Manager; Microsoft Endpoint Configuration Manager; VDI scripts; Integration with Microsoft Defender for Cloud (Windows servers and Linux servers)
macOS            Local script; Microsoft Endpoint Manager; JAMF Pro; Mobile Device Management
Linux servers    Local script; Puppet; Ansible; Chef; Saltstack
Android          Microsoft Endpoint Manager
iOS              Microsoft Endpoint Manager; Mobile Application Manager

Microsoft has made a presentation on how and when to use each onboarding model.

How the signals are transferred to Defender from different sources

Call-out   Description
1          Devices are onboarded through one of the supported management tools.
2          Onboarded devices provide and respond to Microsoft Defender for Endpoint signal data.
3          Managed devices are joined and/or enrolled in Azure Active Directory.
4          Domain-joined Windows devices are synchronized to Azure Active Directory using Azure Active Directory Connect.
5          Microsoft Defender for Endpoint alerts, investigations, and responses are managed in Microsoft 365 Defender.

This is what the script looks like

Once onboarded, you will see them under Assets and Devices
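As an added example (not from the original post), this advanced hunting query checks the first three call-outs from the table above (onboarded through a tool, sensor reporting, joined to Azure AD) against the latest DeviceInfo record of every device; the column names are assumed to match the DeviceInfo schema exposed in your tenant.

```kql
// Added example, not part of the original post. Summarise onboarding gaps per
// platform from the newest DeviceInfo report of each device (columns assumed).
DeviceInfo
| where Timestamp > ago(7d)
| summarize arg_max(Timestamp, *) by DeviceId     // keep only the newest report per device
| project LastSeen = Timestamp, DeviceName, OSPlatform,
          OnboardingStatus, SensorHealthState, IsAzureADJoined, JoinType
| extend Gap = case(
    OnboardingStatus != "Onboarded", "Not onboarded: use one of the tools in the onboarding table",
    SensorHealthState != "Active",   strcat("Sensor not healthy: ", SensorHealthState),
    IsAzureADJoined != true,         strcat("Not joined to Azure AD (JoinType=", JoinType, ")"),
    "OK")
| summarize Devices = count(), Examples = make_set(DeviceName, 5)
    by OSPlatform, OnboardingStatus, SensorHealthState, Gap
| order by Devices desc
```

Devices that report "Can be onboarded" were discovered by already onboarded sensors but never got the onboarding package, so they are the first rows to act on.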

Now that that’s done, let’s see how it works

Simulations & tutorials

I will use the simulation templates to generate alerts. You will find the standalone ones under Tutorials.

See more here on the evaluation lab itself

Manage data retention, alert notification, and advanced features

Data encryption

The Defender for Endpoint service makes use of cutting-edge data protection solutions built on Microsoft Azure infrastructure.

The service takes care of a variety of data protection concerns. One of the most important is encryption, which includes data encryption at rest, encryption in flight, and key management via Key Vault.

In all scenarios, data is encrypted using 256-bit AES encryption at the minimum.

Data retention

At service onboarding

Data from Microsoft Defender for Endpoint is retained for 180 days after service onboarding and is viewable across the portal. In the advanced hunting experience, however, it is accessible via query for a period of only 30 days.

When a contract expires or is terminated

While the license is in grace period or suspended mode, your data will be saved and accessible to you. No later than 180 days after contract termination or expiration, such data will be wiped from Microsoft’s systems, rendering it unrecoverable.

Data on Advanced Hunting

Advanced hunting is a query-based threat-hunting tool that lets you search through up to 30 days of raw data.

Alert notification

You can configure the vulnerability events that trigger notifications and add or remove email notification recipients using the notification rules. New recipients are notified about vulnerabilities found after they have been added.

If you use RBAC, recipients will only get notifications for the device groups specified in the notification rule. Only users with the appropriate permissions can create, update, or delete notification rules that are exclusive to their device group management scope. Only users with the Global administrator role have access to the notification rules that are set up for all device groups.

The vulnerability event is described briefly in the email notification. There are additional links to filtered views on the Defender Vulnerability Management Security recommendations and Weaknesses pages in the portal to help you dig deeper. You may, for example, obtain a list of all affected devices or other information about the vulnerability.

Advanced features

You can access the advanced features from here: https://security.microsoft.com/preferences2/integration

See more from this Learn documentation

Recommend security baselines for devices

There are a couple of ways to work here: Intune security baselines and Defender security recommendations. Neither replaces the other, but they will overlap in some cases.

Intune Security baseline

Intune has security baselines for devices, and you can access them from here: https://endpoint.microsoft.com/#view/Microsoft_Intune_Workflows/SecurityManagementMenu/~/securityBaselines

It will suggest the optimal baseline for you

Defender Security recommendations

To get proactive, you can use the Secure Score connector for devices

You can access the recommendations from here: https://security.microsoft.com/security-recommendations

And you can request a remediation directly from the recommendations

And it will show you what will be done

More details here

Respond to incidents and alerts

You will see the alerts and can create incidents from them

Or you can block an app or the whole device, and also start hunting

When you open the device, you will see what Defender has done, the risk levels and the recommendations mentioned earlier

Manage automated investigations and remediations

You can start an automated investigation and live response. With live response you can run on-demand actions on the devices.

When the device is tagged as at risk, you can initiate an automated investigation

The automated investigation process

An alert generates an event, which can be used to start an automated investigation. The automated investigation results in a verdict for each piece of evidence. Verdicts can be:

  • Malicious
  • Suspicious
  • No threats found

Remediation actions are identified for malicious or suspicious entities. Examples of remediation actions include:

  • Sending a file to quarantine
  • Stopping a process
  • Isolating a device
  • Blocking a URL
  • Other actions

Live response

Analysts can perform the following activities using live response:

  • Run basic and advanced commands to do investigative work on a device.
  • Download files such as malware samples and outcomes of PowerShell scripts.
  • Download files in the background (new!).
  • Upload a PowerShell script or executable to the library and run it on a device from a tenant level.
  • Take or undo remediation actions.

Assess and recommend endpoint configurations to reduce and remediate vulnerabilities by using Microsoft’s threat and vulnerability management solution

Built-in and agentless Defender Vulnerability Management scanners continuously monitor and detect risk in your business, even when devices are not connected to the corporate network.

A single inventory with a unified, real-time picture of your organization’s software programs, digital certificates, network shares, and browser extensions aids in the discovery and assessment of all assets.

Examine extension permissions and risk levels, find certificates before they expire, detect potential vulnerabilities caused by poor signature methods, and check misconfigurations in internal network shares.

Start your trial here: https://security.microsoft.com/tvmPremiumTrial180daySolution

It will take some time; in my setup it did not take 6 hours, but be prepared for it.

How it compares to the other solutions

Defender Vulnerability Management (core capabilities, part of Defender for Endpoint Plan 2):

  • Device discovery
  • Device inventory
  • Vulnerability assessment
  • Configuration assessment
  • Risk based prioritization
  • Remediation tracking
  • Continuous monitoring
  • Software assessment
  • Software usages insights

Defender Vulnerability Management add-on (additional capabilities for Defender for Endpoint Plan 2):

  • Security baselines assessment
  • Block vulnerable applications
  • Browser extensions
  • Digital certificate assessment
  • Network share analysis

Defender Vulnerability Management Standalone (full vulnerability management capabilities):

  • Device discovery
  • Device inventory
  • Vulnerability assessment
  • Continuous monitoring
  • Risk based prioritization
  • Remediation tracking
  • Configuration assessment
  • Software assessment
  • Software usages insights
  • Security baselines assessment
  • Block vulnerable applications
  • Browser extensions
  • Digital certificate assessment
  • Network share analysis

Once done, you can access TVM here: https://security.microsoft.com/tvm_dashboard

You will see those recommendations and your organizational Exposure score

If you drill down deeper, you will see the weaknesses and which devices are exposed
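As an added example (not from the original post), the same drill-down can be done in advanced hunting: this query joins the per-device findings with the CVE knowledge base and ranks devices by the number of critical or high CVEs that already have a public exploit, which is the risk-based prioritization the dashboard shows; table and column names are assumed to match the TVM schema in your tenant.

```kql
// Added example, not part of the original post. Which devices carry the most
// exploitable critical/high CVEs, and which software needs which update?
// Table and column names are assumed from the Defender TVM hunting schema.
DeviceTvmSoftwareVulnerabilitiesKB
| where IsExploitAvailable == true                     // only CVEs with a known public exploit
| where VulnerabilitySeverityLevel in ("Critical", "High")
| project CveId, CvssScore, PublishedDate
| join kind=inner (
    DeviceTvmSoftwareVulnerabilities                   // one row per device / software / CVE
    | project DeviceId, DeviceName, OSPlatform, SoftwareVendor, SoftwareName,
              SoftwareVersion, CveId, RecommendedSecurityUpdate
  ) on CveId
| summarize
    ExploitableCves = dcount(CveId),
    MaxCvss         = max(CvssScore),
    OldestCve       = min(PublishedDate),              // how long the exposure has existed
    Software        = make_set(strcat(SoftwareVendor, " ", SoftwareName, " ", SoftwareVersion), 10),
    Fixes           = make_set(RecommendedSecurityUpdate, 10)
    by DeviceId, DeviceName, OSPlatform
| order by ExploitableCves desc, MaxCvss desc
| take 50
```

The Fixes column maps directly onto the remediation requests described under Security recommendations, so the top rows are the ones to send to the device owners first.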

And see more information here

Manage endpoint threat indicators

You can create threat indicators on the settings page: https://security.microsoft.com/preferences2/custom_ti_indicators

You will see the tabs for File hashes, IPs, URLs/domains and Certificates
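As an added example (not from the original post), before giving a file hash or domain indicator a Block action it is worth measuring how many devices have already touched it, so the block does not surprise a business process; the indicator values are constructed placeholders, and the DeviceFileEvents / DeviceNetworkEvents columns are assumed to match your tenant's schema.

```kql
// Added example, not part of the original post. Prevalence check for indicators
// you are about to add: how many devices, how often, and when first/last seen.
let HashIndicators   = dynamic(["<sha256-placeholder>"]);  // constructed placeholder, not a real IoC
let DomainIndicators = dynamic(["example.invalid"]);        // constructed placeholder, not a real IoC
let Lookback = 30d;   // advanced hunting keeps at most 30 days of raw events (see Data retention)
let FileHits = DeviceFileEvents
| where Timestamp > ago(Lookback)
| where SHA256 in~ (HashIndicators)
| project Timestamp, DeviceName, Indicator = SHA256, Context = FolderPath;
let NetworkHits = DeviceNetworkEvents
| where Timestamp > ago(Lookback)
| where RemoteUrl has_any (DomainIndicators)
| project Timestamp, DeviceName, Indicator = RemoteUrl, Context = InitiatingProcessFileName;
union FileHits, NetworkHits
| summarize
    Devices   = dcount(DeviceName),
    Hits      = count(),
    FirstSeen = min(Timestamp),
    LastSeen  = max(Timestamp),
    Sample    = make_set(Context, 5)    // where the file lived / which process made the connection
    by Indicator
| order by Devices desc
```

An indicator that returns no rows can safely go straight to Block; one that shows up on many devices deserves an Alert-only period first so the hits can be triaged.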

Labs and deep dive content

Module: Learning Path 2 – Mitigate threats using Microsoft Defender for Endpoint

  • Lab: Exercise 1 – Deploy Microsoft Defender for Endpoint
  • Lab: Exercise 2 – Mitigate Attacks with Microsoft Defender for Endpoint

If you want a serious deep dive into Defender for Endpoint, you really should see Jeffrey Appel’s series on it!

Closure

Some things to remember for the test.

Cloud Apps:

  • The new portal and what it looks like; remember the redirection!
  • What different policy types there are and how you can trigger them.
  • Alerts in different portals
  • What actions you can take when investigating and remediating

Defender for Endpoint:

  • Ways to onboard your devices and why to use each one
  • Simulations and how to use them
  • Data retention and governance with Defender for Endpoint
  • How to set up the Advanced features, remember EDR in block mode!
  • Security baselines in Intune and Security recommendations inside Defender portal
  • What Microsoft’s threat and vulnerability management solution (TVM) is and how it works as an agentless solution

Hopefully you found this useful. On to the next one, with the following topics:

  • Identify and remediate security risks related to events for Microsoft Azure Active Directory (Azure AD), part of Microsoft Entra
  • Identify and remediate security risks related to Azure AD Identity Protection events
  • Identify and remediate security risks related to Azure AD Conditional Access events
  • Identify and remediate security risks related to Active Directory Domain Services using Microsoft Defender for Identity

Link to main post

Author: Harri Jaakkonen
