{"id":39678,"date":"2021-02-22T17:00:47","date_gmt":"2021-02-22T17:00:47","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=92898"},"modified":"2021-02-22T17:00:47","modified_gmt":"2021-02-22T17:00:47","slug":"what-we-like-about-microsoft-defender-for-endpoint","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/what-we-like-about-microsoft-defender-for-endpoint\/","title":{"rendered":"What we like about Microsoft Defender for Endpoint"},"content":{"rendered":"
<\/div>\n

This blog post is part of the Microsoft Intelligent Security Association <\/em>guest blog series<\/em><\/a>. Learn more about MISA<\/a><\/em>. <\/em> <\/em><\/p>\n

It\u2019s no secret that the security industry generally likes Microsoft Defender for Endpoint. After a few months of using and integrating it with our platform here at Expel, we feel the same.<\/p>\n

On Expel\u2019s EXE Blog<\/a>, we regularly share our thought process on how we think about security operations at scale at Expel and the decision support<\/a> (or additional context) we provide our analysts through automation.<\/p>\n

In short, Defender for Endpoint makes it easy for us to achieve our standard of investigative quality and response time, but it doesn\u2019t require a heavy lift from our analysts. And that\u2019s good news both for our customers and for us.<\/p>\n

So, what is Microsoft Defender for Endpoint?<\/h2>\n

Defender for Endpoint<\/a> is an enterprise endpoint security product that supports Mac, Linux, and Windows operating systems, along with Android and iOS. There are lots of cool things that Defender for Endpoint does at an administrative level (such as attack surface reduction and configurable remediation). However, from our vantage point, we know it best for its detection and response capabilities.<\/p>\n

Defender for Endpoint is unique because not only does it combine an Endpoint Detection and Response (EDR) and AV detection engine into the same product, but for Windows 10 hosts, this functionality is built into the operating system, removing the need to install an endpoint agent.<\/p>\n

With an appropriate Microsoft license, Defender for Endpoint and Windows 10 provide out-of-the-box protection without the need to mass-deploy software or provision sensors across your fleet.<\/p>\n

How EDR tools help us as an XDR vendor<\/h2>\n

When we integrate with an EDR product like Defender for Endpoint in support of our customers, our goal is to predict the investigative questions that an analyst will ask and then automate the action of getting the necessary data from that tool.<\/p>\n

This frees up our analysts to make the decision\u2014versus making them spend time extracting the right data.<\/p>\n

We think Defender for Endpoint<\/a> provides the right toolset that helps us reach that goal\u2014and removes some burden from our analysts\u2014thanks to its APIs.<\/p>\n

Thanks to Defender for Endpoint\u2019s robust APIs, we augmented its capability to provide upfront decision support to our analysts. As a result, we\u2019re able to arm them with the answers to the basic investigative questions we ask ourselves with every alert.<\/p>\n

To find these answers, there are a few specific capabilities of Defender for Endpoint we use that allow us to pull this information into each alert:<\/p>\n