Forum Discussion
HuyPham-VNYou don't need each platform, but the more telemetry you generate, the better detections you get. So in best case, using all portals and products of the "Microsoft 365 Defender Threat Protection Platform" will give you the coverage and drawing of a full killchain.
Let me take your producs:
- Microsoft Defender for Endpoint
Used for Clients and Servers
Used to manage devices
- Microsoft Defender for Office 365
Used for Mail, Phishing, Safe-Attachments etc.
- Microsoft Defender for Identity
Used for Domain-Controller
Used to manage identites/users/sessions
- Microsoft Cloud App Security
Used for cloud apps policies and Shadow-IT and DLP, e.g. you can define policies on session-level to "connected apps". There are not much yet. But the most common connected Apps: Teams, Skype, Outlook, SharePoint various Apps on the phone etc. Here you can add fine-granular policies.
- Azure Security Center
You missed this. Used for Risk-Level and Compliance of Users.
Used for sign-in and audit-logs in Azure
Each of these portals can share signals, therefor the data can be combined. That will add value by improving the backend cloud-detections/ML/behaviour based detections.
For example if you use O365 ATP, with Defender for Endpoint and Defender for Identity.
You can get an "incident" which has a full killchain from:
- Initial Attack: An Email has been opened by an User, Macro, Powershell, Executed (
- Attacker moves on Endpoint to Servers, fires malicious processes on endpoints etc. (Defender for Endpoint)
- Attacker moves to DCs, makes pass-the-hash, bruteforce etc. (Defender for Identity).
You can now see the whole attack from A-Z, but only if signals were shared. This is were the power comes from.
For example:
Alert Guide Defender for Identity (DCs)
Alert Guide Defender for Endpoint
Now imagine, you have all of these in one chain.