More employees are now working from remote locations than ever before, relying on collaborative tools to communicate with co-workers and share sensitive data. Microsoft Defender for Endpoint uses EDR to ensure that devices such as desktop workstations, laptops, tablets, and smartphones are all protected.

The critical role endpoints play also makes them central targets for cybercriminals. Unfortunately, these remote devices are vulnerable to attacks. Criminals often use endpoint devices as entry points to penetrate corporate networks. From there, they execute malware and ransomware attacks. 

What Is Endpoint Detection and Response (EDR)?

Endpoint Detection and Response (EDR) is an endpoint security solution that monitors end-user devices and detects and responds to cyber threats such as viruses, malware and ransomware.

EDR evaluates endpoint-system-level behaviours and applies data analytics to detect suspicious system behaviour. It can also provide contextual information, block malicious activity, and suggest appropriate remediation to restore systems.

In real time, EDR provides advanced threat detection for enhanced security investigation and response capabilities. It also supports incident data search, investigation alert triage, threat hunting, suspicious activity validation, and containment of malicious activity.

Does Microsoft Defender for Endpoint Provide EDR?


Microsoft Defender for Endpoint, part of the Microsoft 365 Defender security suite, offers EDR. Microsoft Defender for Endpoint is an enterprise endpoint security platform that prevents, detects, investigates, and responds to advanced threats. It uses a combination of technologies built into Windows 10 and Microsoft’s cloud service. 

Microsoft 365 Defender is a unified pre/post-breach enterprise level defence suite. It coordinates detection, prevention, investigation, and response across all endpoints, email, identities, and applications, providing integrated protection against attacks. 

With Microsoft 365 Defender integration, security teams can leverage the threat signals that each Microsoft product receives to determine the full scope and impact of the threat.

Overview: Microsoft Defender for Endpoint

Microsoft Defender for Endpoint protects against advanced threats by leveraging several of Microsoft’s already robust features. The Windows 10, 11, and Microsoft cloud service technologies used include the following:

Endpoint Behavioural Sensors

Embedded in Windows, the endpoint behavioural sensors collect and process behavioural signals from the operating system. The sensors send this data to the private cloud instance of Microsoft Defender for Endpoint.

Cloud Security Analytics

Cloud security analytics involves leveraging big data, machine learning, and Microsoft optics across enterprise cloud products like Office 365. The system translates online assets and behavioural signals into detections and insights. With that, it can recommend calculated responses to advanced threats.

Threat Intelligence

Threat intelligence enables Defender for Endpoint to identify attacker techniques, tools, and strategies, and to generate alerts when these are observed in collected sensor data. Threat intelligence is further augmented by additional, partner-provided threat intelligence.

Microsoft Defender for Endpoint – Key Features

Here are 7 Microsoft Defender for Endpoint key features to boost endpoint security.

1. Threat and Vulnerability Management


Defender for Endpoint uses endpoint behavioural sensors, cloud security analytics, and threat intelligence to handle threat and vulnerability management. 

When combined within the Windows ecosystem, they offer enterprises powerful tools for preventing, identifying, and blocking endpoint threats. 

2. Attack Surface Reduction

An organisation’s attack surface comprises every area across its estate that an attacker could compromise, whether from a network or a single-device perspective. Reducing your attack surface therefore increases protection for those key areas, ensuring hackers have fewer avenues to execute attacks.

One way to maximise this feature is to configure Microsoft Defender for Endpoint’s attack surface reduction rules. Some of these rules can restrict the following actions:

  • Launching executable files or scripts that download or run files
  • Running suspicious scripts
  • Performing behaviours that apps don’t typically initiate

Such software behaviours are often legitimate actions, though they are considered risky. Applying attack surface reduction rules constrains these software-based risky behaviours, which helps keep your organisation safe.
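
As an added example (not from the original article or from Microsoft), the PowerShell below stages three attack surface reduction rules in audit mode using the Defender cmdlets `Get-MpPreference` and `Add-MpPreference`, then reports each rule's mode and recent rule events. The pairing of rule GUIDs to the three behaviours listed above is an assumption made for illustration.

```powershell
# Added example. Run elevated on a Windows device where Microsoft Defender Antivirus is active.
# GUIDs are from Microsoft's ASR rule reference; mapping them to the article's bullets is an assumption.
$rules = [ordered]@{
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
}
# Numeric action values as stored in the Defender preferences
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Returns a hashtable of upper-cased rule GUID -> numeric action for every configured rule
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $state   = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i]) { $state[$ids[$i].ToUpper()] = [int]$actions[$i] }
    }
    return $state
}

# Stage only rules that are not configured yet, so an existing Block setting is never downgraded.
$current = Get-AsrRuleState
foreach ($id in $rules.Keys) {
    if (-not $current.ContainsKey($id)) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
    }
}

# Report the resulting mode of each rule.
$current = Get-AsrRuleState
$rules.GetEnumerator() | ForEach-Object {
    $mode = if ($current.ContainsKey($_.Key)) { $actionNames[$current[$_.Key]] } else { 'Not configured' }
    [pscustomobject]@{ Rule = $_.Value; Id = $_.Key; Mode = $mode }
} | Format-Table -AutoSize

# Event 1122 = rule fired in audit mode, 1121 = rule fired in block mode.
# Review the audit hits for legitimate software before switching a rule to Enabled.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

On devices managed through Group Policy or an MDM service, centrally deployed ASR settings take precedence over values set locally with these cmdlets.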

3. Next-Gen Protection

Microsoft Defender for Endpoint EDR functionality enforces the security perimeter of your networks using next-generation protection. Next-generation protection catches emerging threats. 

Along with Microsoft Defender Antivirus, next-generation protection includes behaviour-based, heuristic, and real-time antivirus protection. This includes always-on scanning, file and process behaviour monitoring, and other real-time protection such as detecting and blocking unsafe app installations or updates.

Next-gen protection can also be delivered via the cloud, which means near-instant detection and threat blocking. Finally, it involves dedicated product updates, including Microsoft Defender Antivirus updates.

4. Endpoint Detection and Response


Defender for Endpoint’s endpoint detection and response (EDR) capability provides advanced attack detections that are near real-time and actionable. Security teams can prioritise alerts, understand the scope of a breach, and respond immediately.

When EDR detects a threat, it can notify human analysts to investigate. Alerts that contain the same attack techniques or are attributed to the same attacker are aggregated, creating a single incident for clarity. Aggregating alerts into incidents makes it easier for analysts to investigate and respond to threats.

Defender for Endpoint continuously collects behavioural cyber telemetry. The collected data includes process information, network activities, kernel and memory manager optics, user login activities, and registry and file system changes, among other things.

The system stores this information for six months, enabling security teams to review the attack from various timelines and viewpoints. When combined, these response capabilities give your security team the power to remediate threats immediately.

5. Automated Investigation and Remediation

Automated Investigation and Remediation (AIR) technology uses inspection algorithms based on processes used by security analysts. AIR capabilities examine alerts and then take action to resolve breaches. 

AIR significantly reduces alert volume, enabling security teams to focus on more sophisticated threats and other high-priority initiatives. The Action Centre tracks all remediation actions. Within the Action Centre, pending actions are approved or rejected.

An automated investigation starts when an alert triggers or someone manually initiates the investigation. Any subsequent alerts generated are automatically added until that investigation is completed. By default, the automated investigation expands if EDR detects similar activity on a different device.

As additional alerts add to the automated investigation, the system generates a verdict for each piece of evidence gathered. Those verdicts determine whether the evidence is malicious, suspicious, or benign. From there, it applies appropriate remediation actions.

6. Microsoft Threat Experts


Microsoft Threat Experts is a managed threat hunting service that offers expert monitoring and analysis for Security Operation Centres (SOCs). This service provides expert-driven insights and data through access to experts on-demand and targeted attack notification.

Users can communicate with security personnel within Microsoft 365 Defender and receive a timely response. Security experts aid in a better understanding of the latest complex threats affecting organisations, including potentially compromised devices, alert inquiries, and root causes of suspicious network connections.

Targeted attack notification enables proactive hunting for significant threats to your network like hands-on-keyboard attacks, advanced cyber-espionage attacks, and human adversary intrusions. These notifications show up as new alerts to ensure that critical threats don’t get missed.

7. Microsoft Secure Score for Devices

The threat and vulnerability management dashboard of the Microsoft 365 Defender portal contains the ‘Microsoft Secure Score for Devices’. A higher score means your endpoints are more resilient to cybersecurity threats. The score reflects the collective security configuration state of your devices, including the following categories:

  • Accounts
  • Application
  • Network
  • Operating system
  • Security controls

Selecting a category takes you to the Security recommendations page, where you can view any relevant recommendations for improving security on that device.

The data contained in the Microsoft Secure Score for Devices card comes from ongoing vulnerability discovery processes. The data is aggregated along with configuration discovery assessments that continuously monitor, analyse, and provide remediation and recommendations.


As the threat landscape becomes increasingly complex, protecting your network’s remote endpoints is a priority. Microsoft 365 Defender for Endpoint incorporates robust EDR security features and combines them with existing security technologies within the Microsoft ecosystem.

This feature-rich EDR service maintains your endpoints and fortifies them to prevent, detect, investigate, and respond to the most advanced threats.

