Do you use Microsoft Defender 365?

Last updated by Harry Ross [SSW] about 2 months ago.See history

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. It is managed at

defender365 2022 08 10
Figure: Microsoft Defender 365 – Dashboard 

There are a number of licensing options - check out Microsoft's documentation for information.

Microsoft Defender for Endpoint can be used to manage and investigate all devices on your network - whether on your domain or joined to Intune.

To onboard devices with a GPO, follow the instructions here.

To onboard devices through Intune, follow the instructions here.

Secure Score:

Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more improvement actions taken. It can be found at

Points are given as per the following actions:

  • Configuring recommended security features
  • Remediating vulnerabilities  
  • Addressing the improvement action with a third-party application or software, or an alternate mitigation

secure score 2022 08 10
Figure: Microsoft Secure score

How to increase Secure Score:

Each improvement activity is worth no more than ten points, and most of them are assessed in a binary manner. Points are received if we carry out the improvement activity, such as setting up a new policy or turning on a certain setting, or updating recommended software. Points are awarded as a proportion of the overall configuration for additional enhancement actions.

There are many Recommendation actions suggested by Microsoft with Ranks. Score impact, Points achieved, and status  

Device Inventory

The Device inventory shows a list of the devices in your network where alerts were generated. Devices are gradually added to the device inventory throughout the Microsoft Defender for the Endpoint onboarding process. Briefly, you'll see information such as device name, domain, risk level, exposure level, OS platform, onboarding status, sensor health state, and other details for easy identification of devices most at risk.

The exposure score is continuously calculated on each device in the organization and influenced by the following factors:

  • Weaknesses, such as vulnerabilities discovered on the device  
  • External and internal threats such as public exploit code and security alerts  
  • Likelihood of the device getting breached given its current security posture  
  • Value of the device to the organization given its role and content

badexample exposure 2022 08 10
Figure:❌Bad Example - High exposure level

goodexample exposure 2022 08 10
Figure: ✅ Good Example – No High exposure level

For all the high exposure level devices, address the discovered vulnerabilities starting with Critical severity recommendations. Once remediated, we can get those devices or servers from High exposure to Low exposure.

discoveredvulner 2022 08 10
Figure: Severity level – High Exposure

Security Recommendations

The Microsoft Defender portal has security recommendations for exposed devices which can be remediated manually after doing the needful (maybe a simple update).

security recommendation 2022 08 10
Figure: Security Recommendation - Request remediation

When you request remediation, you will need to add notes, which should show the remediation activity details.

Incidents & Alerts

An incident in Microsoft Defender is a collection of correlated alerts and associated data that define the complete story of an attack. Defender for Office 365 alerts, automated investigation and response (AIR), and the outcome of the investigations are natively integrated and correlated on the Incidents page in Microsoft Defender.

When critical incidents occur, you should receive an email notification so that you can act on the alert immediately.

defender alert
Figure: Example email alert from Defender

However, it is also important to check the Incidents page in Defender, to resolve less critical alerts - or email alerts that you may have missed. It is a good idea to set a reminder to check this page weekly.

These alerts can include emails that have been reported as malware or phishing, data loss prevention (DLP), or unwanted software detections.

defender incidents
Figure: Bad example - Unresolved incidents

defender no incidents
Figure: Good example - All incidents resolved

We open source. Powered by GitHub