Microsoft 365 Defender - part 1

Our journey to the cloud has created some new ways of thinking, new ways of working, and of course a bunch of new portals to work in. It has been a while since Microsoft started consolidating its different security products under the Defender name. Some of the big ones, like the Advanced Threat Protection solutions, are well known to many of us, and more products are being added under the Defender umbrella all the time. Today we are going to look at Microsoft 365 Defender: what it is, and how it can help us. My demo tenant has Microsoft 365 E5 licenses, and this gives us the full power of the Defender suite.

What is the Microsoft 365 Defender product really?

In this post, which is part 1 in a series, we will look at some of the basics of Microsoft 365 Defender. Many of us are used to defining Microsoft 365 Defender from what we can see in the portal, where we can: 

- Detect Security risks

- Investigate attacks

- Prevent harmful activities

And much more. A lot of the security stuff here will be done automatically. Microsoft has quite a few success stories (like the Bad Rabbit attack, Ransom:Win32/Tibbar.A – Protection in 14 minutes) where we are protected in minutes, without any human intervention.

Microsoft 365 Defender is a collection of several products in what Microsoft calls a unified enterprise defense suite:

- Microsoft Defender for Endpoint

- Microsoft Defender for Office 365

- Microsoft Defender for Identity

- Microsoft Defender for Cloud Apps (Cloud App security)

Previously we have had to use many different portals for these products, but these days it is all in the Microsoft 365 Security center. Here we can monitor and respond to threat activity and strengthen security posture across identities, email, data, endpoints, and apps. Gathering all this info into one portal gives us a great overview of what's going on in our tenant.


When we first open the portal, we will see the different cards available to us.

Microsoft 365 Defender start page

My demo tenant isn't very well secured, as you can see. My secure score is only at 38,75%, which is quite terrible. The great thing about the secure score system is that not only can we see our security posture, but we also get help with increasing our score, making it easier to improve our security posture.

Improvement actions

The view we first see in Microsoft 365 Security center is highly configurable. It is a collection of different cards (as they are called), and each of those cards contains a piece of information like Secure Score, Threat analytics, device compliance and much more. One of the great things about this is that we can add/remove "cards" as shown below. This way we can focus on what is important to us.

Add remove cards

Press the add cards button. 

Add a card

Unless we already have them all in our view, we can add the missing ones here. 

We can also drag and drop the cards, giving us the opportunity to customize the view, so we have the cards most important to us at the top. 

Move cards around

The left menu is filled with goodies. Here we can look at incidents, we can go hunting, look closer at our security stance, and much, much more. It can be easy to get a little lost in all these options, so let's take a look at some of them. 


The main focus for this post is what we can do through Incidents & alerts. This is one of the panes I look at every day. It gives us the latest stuff that has been going on and allows us to play detective and find out if there are attacks happening or any other security breaches that we need to look closer at.

Incidents & Alerts

Let's take a look at an incident that has been logged in my demo tenant.

An alert!

Here we have something that is logged as a Cloud Discovery anomaly detection. If we select this, we will first see some details:

Different types of info can be found by going into the alert. 

By selecting the Alerts (1) option on the top line, we get a little more info about what's going on and who is involved:

Looking at details. 

Not only can we see details like the offending user (me in this case), the IP address and the app name, but we can also see when this happened, what has happened and more. Very useful.

Since I want to know more, I want to hunt for answers. I select the Evidence and Response option, and go hunt. 

Go hunting without a hunting license. 

This takes me to the advanced hunting pane (which I can also reach from the left menu) and my query is filled in and ready to run. 

Many possibilities in the Advanced hunting panel. 

Also notice the suggestions on the left. Some of these are pretty awesome, and can show if we have vulnerable devices in our organization. 
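
A query of the kind that can be run in the advanced hunting pane for an alert like this one, as an added example (it is not the query the portal pre-filled and not from the original post). It joins the AlertInfo and AlertEvidence tables to list the users, IP addresses and apps attached to each alert; the title filter is an assumption based on the alert name shown above.

```kusto
// Added example: summarize who and what is involved in Cloud Discovery anomaly alerts.
// Assumption: the alert title contains "Cloud Discovery anomaly" (taken from the alert name in this post).
AlertInfo
| where Timestamp > ago(30d)                      // advanced hunting keeps 30 days of data
| where Title has "Cloud Discovery anomaly"
| join kind=inner (
    AlertEvidence
    | project AlertId, EntityType, EvidenceRole, AccountUpn, RemoteIP, Application
  ) on AlertId
// One row per alert, with the distinct entities collected from its evidence rows
| summarize
    Users = make_set_if(AccountUpn, isnotempty(AccountUpn)),
    IPs   = make_set_if(RemoteIP, isnotempty(RemoteIP)),
    Apps  = make_set_if(Application, isnotempty(Application))
    by AlertId, Timestamp, Title, Severity, ServiceSource
| order by Timestamp desc
```

Widening or removing the title filter turns the same query into a per-alert overview of every alert in the tenant.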

That's it for our first post about Microsoft 365 Defender. I hope that it has been helpful, and maybe will get you interested in what can be done with it, and how it can help us. Next time we will dive a little deeper into things and see what more we can gain by using this actively. Surprisingly a lot of customers do not use the full power of Microsoft 365 Defender, but with a few simple steps we can get started. 

