Defender for Endpoint integration in Defender for Cloud - Microsoft Defender for Cloud (original) (raw)
Microsoft Defender for Endpoint and Microsoft Defender Vulnerability Management integrate natively with Defender for Cloud to provide:
- Integrated security capabilities: Security capabilities provided by Defender for Endpoint, Defender Vulnerability Management, and Defender for Cloud come together to provide end-to-end protection for machines protected by the Defender for Servers plan.
- Licensing: Defender for Servers licensing entitles customers with the same benefits on their servers as Defender for Endpoint Plan 2 provides on client endpoints. Licensing is charged per hour instead of per user, reducing costs by protecting VMs only when they're in use.
- If you already have licenses for Microsoft Defender for Endpoint for Servers and also use Defender for Servers, request the billing discount to avoid double billing. For steps, see Can I get a discount if I already have a Microsoft Defender for Endpoint license?.
- Agent provisioning: Defender for Cloud can automatically provision the Defender for Endpoint sensor on supported machines connected to Defender for Cloud.
- Unified alerts: Alerts and vulnerability data from Defender for Endpoint appear in Defender for Cloud in the Azure portal. You can move to the Defender portal to drill down for detailed alert information and context.
Security capabilities
Defender for Cloud integrates security capabilities provided by Defender for Endpoint and Defender Vulnerability Management.
- Vulnerability management: Provided by Defender Vulnerability Management.
- Features include an inventory of known software, continuous vulnerability assessment and insights, secure score for devices, prioritized security recommendations, and vulnerability remediation.
- Integration with Defender Vulnerability Management also provides premium features in Defender for Servers Plan 2.
- Attack surface reduction: Use of attack surface reduction rules to reduce security exposure.
- Next-generation protection providing antimalware and antivirus protection.
- Endpoint detection and response (EDR): EDR detects, investigates, and responds to advanced threats, including advanced threat hunting, and automatic investigation and remediation capabilities.
- Threat analytics. Get threat intelligence data provided by Microsoft threat hunters and security teams, augmented by intelligence provided by partners. Security alerts are generated when Defender for Endpoint identifies attacker tools, techniques, and procedures.
Integration architecture
Defender for Endpoint automatically creates a tenant when you use Defender for Cloud to monitor your machines.
Defender for Endpoint stores collected data in the tenant's geo-location as identified during provisioning.
- Customer data, in pseudonymized form, might also be stored in the central storage and processing systems in the United States.
- After you configure the location, you can't change it.
- If you have your own license for Defender for Endpoint and need to move your data to another location, contact Microsoft support to reset the tenant.
Resource discovery and onboarding status
Defender for Cloud can discover machines independently of Microsoft Defender for Endpoint onboarding.
Machines that exist in Azure, Azure Arc–enabled environments, or connected multicloud accounts (AWS, GCP) are identified by Defender for Cloud through its native resource discovery processes. These machines can appear in the Defender for Endpoint device inventory even before the Defender for Endpoint sensor is installed and reporting.
In this state, devices may show Defender for Cloud as the discovery source and a status of Can be onboarded, indicating that the machine is known to Defender for Cloud but isn’t yet onboarded to Defender for Endpoint. Onboarding occurs only after the Defender for Endpoint sensor is deployed and successfully reports to the service.
Move between subscriptions
You can move Defender for Endpoint for servers between subscriptions in the same tenant or between different tenants.
- Move to a different subscription in the same tenant: To move your Defender for Endpoint for servers extension to a different subscription in the same tenant, delete either the
MDE.LinuxorMDE.Windowsextension from the virtual machine. Defender for Cloud will automatically redeploy it. - Move subscriptions between tenants: If you move your Azure subscription between Azure tenants, some manual preparatory steps are required before Defender for Cloud deploys Defender for Endpoint. For full details, contact Microsoft support.
Health status for Defender for Endpoint
Defender for Servers provides visibility to the Defender for Endpoint agents installed on your VMs.
Prerequisites
You must have either:
- Defender for Servers P2 enabled.
or, - Defender cloud security posture management (Defender CSPM) enabled with Defender for Servers Plan 1 enabled.
Visibility into health issues in Defender for Servers
Defender for Servers provides visibility into two main types of health issues:
- Installation Issues: Errors during the agent's installation.
- Heartbeat Issues: Problems where the agent is installed but not reporting correctly.
In some situations, Defender for Endpoint doesn't apply to certain machines, such as when a client operating system is installed. These devices need coverage from a Defender for Endpoint user license, such as Microsoft 365 E5. This status is also shown as described in the last query.
Defender for Servers shows specific error messages for each issue type. These messages explain the problem. When available, you'll also find instructions to fix the issue.
Health status updates every four hours. This ensures the issue reflects the state from the last four hours.
To see Defender for Endpoint health issues, use the security explorer as follows:
- To find all the unhealthy virtual machines (VMs) with the issues mentioned, run the query shown in the following screenshot:
- Another way to access this data is shown in the following screenshot:
- To find all the healthy VMs where Defender for Endpoint works correctly, run the query shown in the following screenshot:
- To get the list of VMs where Defender for Endpoint isn't applicable, run the query shown in the following screenshot:
