Microsoft Defender Family/Suite Explained

Microsoft Defender Family/Suite Explained

If you are in the Microsoft cloud security space for a while then you have already known about the variants of Microsoft Advanced Threat Protection (ATP). ATP has rebranded/renamed as Microsoft Defender now and broadens its family members. If you are new in this space like me then it's better to start with the new name Microsoft Defender suite. I have started looking into Microsoft cloud security recently and found ATP and Defender things very confusing, especially which product is aligned to Office 365 or Azure resources or endpoint and so on. This post might help you to understand the Microsoft Defender family/suite.

What is Microsoft Defender?

Microsoft Defender is a holistic solution, known as eXtended Detection and Response (XDR) in industry,  to apply the right layer of defense to end-user environments, multi-cloud, and on-premises to stop sophisticated attacks. This has now been combined with Azure Defender to provide an end-to-end XDR experience in Microsoft cloud, On-prem, and other clouds. It has two main classifications, Microsoft 365 Defender and Azure Defender. These two have sets of further classified in multiple variants for the specific purpose that we will discuss later in the post. The below image gives you the big picture of the Microsoft Defender family.


If it starts with "Microsoft Defender for" then the solution is to protect the Microsoft cloud (Office 365, Microsoft 365) that comes under M365 E5, Office365 E5, etc license. If it starts "Azure Defender for" then the solution is to protect Azure resources like VM, App Service, SQL, etc and it comes under the Azure Security Center license.

What is Microsoft 365 Defender?

Microsoft 365 Defender is a defense suite that combines Defender for Identity, Defender for Office 365, Defender for Endpoint, and Cloud App Security to protect Email, Teams/Skype for business, Azure AD identity, and windows & mobile devices. This defense suite shares signal cross-products and coordinates to give context to the security team in the case of an attack.

As per Microsoft Docs, "Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks."

Microsoft Defender suite can take automatic action to prevent or stop attacks or self-healing. Give a single pane of glass by combining incidents among products. The below image from Microsoft Docs gives how it looks like when coordination happens cross-products.

Microsoft Defender 365.png


What is Microsoft Defender for Identity?

Microsoft Defender for Identity is a cloud-based security solution for the on-prem Active Directory. We need to install a small piece of software called 'Defender for Identity Sensor' on the Domain Controller. The sensor will collect all the signals and send them to the cloud to analyze. We can see the alerts on the 'Defender for Identity Portal'. This security solution, identify, detect and investigate advanced threats, compromised identity, and malicious insider activities. The below image is from Microsoft Docs.

Defender for Identity architecture topology diagram

Top points

Use forActive Directory
AgentNeed to install MDI sensor on Domain Controller
Top FeatureIdentity, detect, investigate advanced threats, compromised identity, and insider malicious activities

What is Microsoft Defender for Office 365?

Microsoft Defender for Office 365 is a safeguard for Office 365 products, especially against threats posed by email messages, links, and collaboration tools. It has two plans as below.

  • Defender for Office 365 Plan 1: This plan has configuration, protection, and detection capabilities like Safe Attachment, Safe Link, Safe Attachment for SharePoint, Teams, OneDrive, Anti-Fishing, and real-time protection.
  • Defender for Office 365 for Plan 2: This plan includes Plan 1 + automation, investigation, and remediation like Threats Trackers, Threat Explorer, Attack Simulator, etc.
Defender for Office 365.jfif

What is Microsoft Defender for Endpoint?

Microsoft Defender for Endpoint is an endpoint security solution. This solution is used to prevent Windows 10, iOS/iPadOS, macOS, and Android devices. It is designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.


What is Microsoft Cloud App Security?

Microsoft Cloud App Security is CASB (Cloud Access Security Broker) which provides rich visibility of Microsoft and third-party cloud services including the on-prem and external apps. The below image from Microsoft gives you the overall picture.

Microsoft Cloud App Security.jfif

What is Azure Defender?

Azure Defender is a cloud and hybrid workload protection solution that is integrated with Azure Security Center. This prevents resources like VM, Apps, and SQL from Azure, third-party cloud, and on-prem from attacks. Earlier, it was known as the Azure Security Center Standard tier. Azure Defender has two pricing SKUs.

  • Azure Defender OFF (Free): Includes CSPM (Cloud security posture management) that gives a secure score, security misconfigurations, assets inventory, and many more.
  • Azure Defender ON: Includes CWP (Cloud workload protection) that brings intelligence, protection, regulatory compliance for Azure, and hybrid (Non-Azure, AWS, and GCP) resources.
Azure Defender.png

What is Azure Defendor for Servers?

Azure Defender for Servers is a threat detection and advanced defense system for Windows and Linux machines. It should not have to be Azure VM, it could be from on-prem or other cloud providers.

Top points

Use forVirtual Machine
AgentLog Analytics Agent
Top FeatureVulnerability assessment scanning, Just-in-time (JIT), File integrity monitoring (FIM), Adaptive application controls (AAC), Adaptive network hardening (ANH), Fileless attack detection

What is Azure Defender for App Service?

Azure Dender for App Service provides protection for App Services from pre-attack threats, initial access threats, execution threats, and dangling DNS detection. It gives security recommendations for App Service and detects threats by monitoring underlying VM instances, requests & responses, and App Service internal logs. This is not supported by the Shared & Basic App Service Plan.

What is Azure Defender for SQL?

Azure Defender for SQL is a cloud-native security solution that gives vulnerability assessment and advanced threat protection for SQL and prevents SQL injection attacks, anomalous database access and query pattern, and suspicious database activities. It has two plans.

  • Azure Defender for Azure SQL database servers: It protects Azure SQL Databases, Azure SQL Managed Instance, and Dedicated SQL pool in Azure Synapse.
  • Azure Defender for SQL servers on machines: It protects SQL Servers on ┬áVirtual Machines and On-prem SQL Servers.

You might explore other components of Azure Defender from this Microsoft Docs. I hope I am able to give you the context of the Microsoft Defender family. Please contact me @sakaldeep on Twitter for any queries.