Microsoft Defender for Servers is a plan that is part of Microsoft Defender for Cloud. When you enable Microsoft Defender for Servers, you get a range of awesome functionality designed to protect your servers, including file integrity monitoring, adaptive application control, just in time access, among others.
One additional capability that comes included with Defender for Servers is Microsoft Defender for Endpoint. See more details about the integrated solution here.
One advantage of this native integration is the centralization of alerts, in other words, when an alert is triggered by MDE, it will be surfaced in the Microsoft Defender for Cloud / Security Alerts dashboard, as shown below:
If you select one alert, you can get more details about it and take action on the alert to start your investigation or remediation of it. You can also click on the link to be brought directly to the Microsoft 365 portal to investigate the alerts there.
In addition of appearing in the Security Alerts in Defender for Cloud, it will also appear in the Microsoft 365 Defender Alerts page, as shown the example below:
From this dashboard you can perform a deeper investigation of the alert, as shown the example below:
Which dashboard should you look at?
As you can see, these alerts can be investigated from both dashboards of Microsoft Defender for Servers in the Azure Portal and from Microsoft Defender for Endpoint in Microsoft 365 Defender.
So which dashboard should you use?
The answer is your choice and lies entirely with how your Information Security Team is consuming the alerts and managing the devices.
However, we can give you some guidance on best practises that we have seen to work with many customers.
Check out this handy diagram to help you with your dashboard selection!
A SIEM is the recommended started point for investigation for all Defender for Cloud alerts (not just those coming from MDE).
Note: You might see duplicate alerts in Microsoft Sentinel, coming from Microsoft defender for Cloud and Defender for Endpoint. This is a known behaviour if Defender for Endpoint sensor was onboarded via Defender for Cloud.
In the absence of a SIEM and if you’re a general SOC team doing the investigation (not focused on just endpoints), we recommend that you start your investigation of alerts on Microsoft Defender for Cloud, and you can easily go to Microsoft 365 Defender to further your hunt via Defender for Endpoint.
On the other hand, if you’re a team who focuses entirely on endpoints who are doing the investigation of the alerts, then you can use just the Microsoft 365 Portal.
In summary, you can use whichever dashboard or method you choose to investigate the alerts, but you can decide based on the criteria listed above.