Do you use Microsoft Defender XDR?
Updated by Rob Thomlinson [SSW] 10 months ago.
Microsoft Defender XDR is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. It is managed at <https://security.microsoft.com/>.

<imageEmbed alt="Image" size="large" showBorder={false} figureEmbed={{ preset: "default", figure: 'Microsoft Defender XDR – Dashboard', shouldDisplay: true }} src="/uploads/rules/microsoft-defender-xdr/defender365_2022-08-10.jpg" />

There are a number of licensing options - check out [Microsoft's documentation](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) for information.

### Configuration

Follow the instructions to install Defender on Workstations:

* [Onboard devices with a GPO](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-endpoints-gp?view=o365-worldwide)
* [Onboard devices through Intune](https://learn.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection-configure#enable-microsoft-defender-for-endpoint-in-intune)

Follow the instructions to install Defender on Servers:

* [Defender for Endpoint: Onboard servers](https://learn.microsoft.com/en-us/defender-endpoint/configure-server-endpoints)
* [Defender for Identity: Onboard domain controllers](https://learn.microsoft.com/en-us/defender-for-identity/deploy/install-sensor)
* The Azure Advanced Threat Protection sensor configuration varies depending on whether Defender for Endpoint or Defender for Identity is installed.

### Secure Score

Microsoft Secure Score is a measurement of an organization's security posture, based on data from Defender for Endpoint and other Microsoft security products. It can be found at [security.microsoft.com/securescore](https://security.microsoft.com/securescore).
Points are awarded for the following actions:

* Configuring recommended security features
* Remediating vulnerabilities
* Addressing the improvement action with a third-party application or software, or an alternate mitigation

<imageEmbed alt="Image" size="large" showBorder={false} figureEmbed={{ preset: "default", figure: 'Microsoft Secure Score', shouldDisplay: true }} src="/uploads/rules/microsoft-defender-xdr/secure_score-2022-08-10.jpg" />

### How to increase Secure Score

Each improvement activity is worth up to 10 points, based on its importance. Points are obtained by implementing security recommendations, such as updating software or configuring Intune policies (or GPOs) to secure user accounts and devices.

Security admins should check this score regularly and improve the score where possible.

## Device Inventory

Device inventory shows a list of the devices in your network. Devices are added to the device inventory through the Microsoft Defender for Endpoint onboarding process. You’ll see information such as device name, domain, risk level, exposure level, OS platform, onboarding status, sensor health state, and other details for easy identification of the devices most at risk.

Risk level reflects the overall risk assessment of the device based on a combination of factors, including the types and severity of active alerts on the device. Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level.

Exposure level reflects the current exposure of the device based on the cumulative impact of its pending security recommendations.
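To make the regular inventory check actionable, here is an added advanced hunting (KQL) query; it is not part of the original rule and not Microsoft's own example. It lists onboarded devices whose latest report shows High exposure, a sensor that is not Active, or open Critical CVEs, and assumes the standard `DeviceInfo` and `DeviceTvmSoftwareVulnerabilities` tables; the 7-day window is an arbitrary choice.

```kql
// Run in the Defender portal: Hunting > Advanced hunting.
// Count Critical CVEs per device from the vulnerability snapshot table.
let CriticalCves =
    DeviceTvmSoftwareVulnerabilities
    | where VulnerabilitySeverityLevel == "Critical"
    | summarize CriticalCveCount = dcount(CveId) by DeviceId;
DeviceInfo
| where Timestamp > ago(7d)                          // reporting window (assumption)
| summarize arg_max(Timestamp, *) by DeviceId       // keep the latest record per device
| where OnboardingStatus == "Onboarded"
| join kind=leftouter CriticalCves on DeviceId
| extend CriticalCveCount = coalesce(CriticalCveCount, 0)
// Surface anything that needs attention in the inventory: high exposure,
// an unhealthy sensor (no data means no protection signal), or critical CVEs.
| where ExposureLevel == "High"
    or SensorHealthState != "Active"
    or CriticalCveCount > 0
| project DeviceName, OSPlatform, ExposureLevel, SensorHealthState,
          CriticalCveCount, LastSeen = Timestamp
| order by CriticalCveCount desc, DeviceName asc
```

Devices with `SensorHealthState` other than Active are worth fixing first, because their exposure and risk figures are based on stale data.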
<imageEmbed alt="Image" size="large" showBorder={false} figureEmbed={{ preset: "badExample", figure: 'Bad example - High exposure level', shouldDisplay: true }} src="/uploads/rules/microsoft-defender-xdr/badexample_exposure-2022-08-10.jpg" />

<imageEmbed alt="Image" size="large" showBorder={false} figureEmbed={{ preset: "goodExample", figure: 'Good example – No High exposure level', shouldDisplay: true }} src="/uploads/rules/microsoft-defender-xdr/goodexample_exposure-2022-08-10.jpg" />

Security admins should check this page regularly and reduce the risk, exposure and criticality levels where possible.

<imageEmbed alt="Image" size="large" showBorder={false} figureEmbed={{ preset: "default", figure: 'Severity level – High Exposure', shouldDisplay: true }} src="/uploads/rules/microsoft-defender-xdr/discoveredvulner-2022-08-10.jpg" />

### Security Recommendations

The Microsoft Defender portal lists security recommendations for exposed devices, which can usually be remediated manually once the underlying issue is addressed (often something as simple as an update): <https://security.microsoft.com/security-recommendations/>

### Incidents & Alerts

In Microsoft Defender XDR, an incident is a collection of correlated alerts and associated data that together tell the complete story of an attack. Defender for Office 365 alerts, automated investigation and response (AIR), and the outcome of the investigations are natively integrated and correlated on the Incidents page.

When critical incidents occur, you should receive an email notification so that you can act on the alert immediately.

<imageEmbed alt="Image" size="large" showBorder={false} figureEmbed={{ preset: "default", figure: 'Example email alert from Defender', shouldDisplay: true }} src="/uploads/rules/microsoft-defender-xdr/defender-alert.png" />

However, it is also important to check the [Incidents page](https://security.microsoft.com/incidents) in Defender to resolve less critical alerts, or email alerts that you may have missed.
It is a good idea to set a reminder to check this page weekly. These alerts can include emails that have been reported as malware or phishing, data loss prevention (DLP) matches, or unwanted software detections.

<imageEmbed alt="Image" size="large" showBorder={false} figureEmbed={{ preset: "badExample", figure: 'Bad example - Unresolved incidents', shouldDisplay: true }} src="/uploads/rules/microsoft-defender-xdr/defender-incidents.png" />

<imageEmbed alt="Image" size="large" showBorder={false} figureEmbed={{ preset: "goodExample", figure: 'Good example - All incidents resolved', shouldDisplay: true }} src="/uploads/rules/microsoft-defender-xdr/defender-no-incidents.png" />