M05 · Defender for Endpoint

Course: Microsoft Defender — Security Operations Fundamentals
Module duration: 3.5 hours (including lab)
Format: Instructor-led, hands-on

Currency note (as of June 2026): MDE portal paths, ASR rule sets, and response-action labels change frequently. Verify rule IDs, default behaviors, and click-paths against current Microsoft Learn before relying on specifics.


Learning objectives

By the end of this module you will be able to:

  1. Describe the core capabilities of Microsoft Defender for Endpoint (MDE): EPP, EDR, and vulnerability management.
  2. Explain attack surface reduction (ASR) rules and identify common configurations.
  3. Use the device page to review alerts, timeline, and recommendations.
  4. Perform basic device response actions: isolate, collect investigation package, run antivirus scan.

1. MDE architecture

Microsoft Defender for Endpoint (MDE) is Microsoft’s endpoint security platform. Three pieces work together:

  • Sensor — built into modern Windows (and available for macOS, Linux, mobile); collects behavioral telemetry from the device and enforces protections locally. No separate agent is needed on current Windows builds — onboarding activates the sensor.
  • Cloud backend — receives telemetry, applies cloud-delivered protection, machine learning, and Microsoft threat intelligence to generate detections.
  • Portal integration — detections surface in the unified Defender portal (https://security.microsoft.com) as alerts/incidents, alongside the device inventory and configuration.

flowchart LR
    EP["Endpoint<br/>(sensor: telemetry + local protection)"] --> CLOUD["MDE cloud backend<br/>(ML, threat intel, detonation)"]
    CLOUD --> PORTAL["Unified Defender portal<br/>(alerts, device pages, recommendations)"]
    PORTAL -->|response actions| EP

Diagram alt text: A left-to-right flow. An endpoint with the built-in sensor sends telemetry to the MDE cloud backend, which applies machine learning, threat intelligence, and detonation. The backend feeds the unified Defender portal where alerts, device pages, and recommendations appear. A return arrow labeled “response actions” goes from the portal back to the endpoint, showing analysts can act on the device remotely.


2. Endpoint Protection Platform (EPP)

EPP is the preventive layer — stop threats before they execute:

  • Next-generation antivirus (Microsoft Defender Antivirus) — real-time and scheduled scanning.
  • Behavioral monitoring — watch what programs do, not just signatures, to catch novel threats.
  • Cloud-delivered protection — near-instant verdicts from the cloud backend on suspicious files, enabling rapid blocking of new threats.

EPP answers “stop the bad thing from running.” When prevention is not enough, EDR takes over.


3. Endpoint Detection and Response (EDR)

EDR is the detective/investigative layer — assume something got through and give the analyst the tools to find and understand it:

  • Alert creation — behavioral detections raise alerts that roll into incidents.
  • Device timeline — a chronological record of events on the device (processes, files, network, registry), so you can reconstruct what happened and when.
  • Process tree — a parent/child view of how a process came to run (e.g., Word → PowerShell → payload), making malicious execution chains visible at a glance.

You will use the timeline and process tree in the lab to investigate an endpoint alert.
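The process-tree view above is just a parent/child join over process-creation events. The following PowerShell is an added example, not code from this module or from Microsoft: it rebuilds that tree from a handful of constructed events and then flags the Office → script host → payload chain an analyst looks for first. The event shape (Pid, ParentPid, Image, CommandLine) and the sample rows are assumptions for illustration, not MDE's telemetry schema.

```powershell
# Added example (not from the module or Microsoft). Constructed process-creation
# events; field names are assumptions, not MDE's schema.
$events = @(
    [pscustomobject]@{ Time = '10:01:03'; Pid = 412;  ParentPid = 0;    Image = 'explorer.exe';   CommandLine = 'explorer.exe' }
    [pscustomobject]@{ Time = '10:02:10'; Pid = 1180; ParentPid = 412;  Image = 'WINWORD.EXE';    CommandLine = '"WINWORD.EXE" C:\Users\alice\Downloads\invoice.docm' }
    [pscustomobject]@{ Time = '10:02:15'; Pid = 1344; ParentPid = 1180; Image = 'powershell.exe'; CommandLine = 'powershell.exe -WindowStyle Hidden -File C:\Users\Public\update.ps1' }
    [pscustomobject]@{ Time = '10:02:19'; Pid = 1402; ParentPid = 1344; Image = 'payload.exe';    CommandLine = 'C:\Users\Public\payload.exe' }
    [pscustomobject]@{ Time = '10:03:00'; Pid = 1510; ParentPid = 412;  Image = 'OUTLOOK.EXE';    CommandLine = '"OUTLOOK.EXE"' }
)

# Print the tree recursively: every event whose ParentPid matches the current
# process is a child, indented one level deeper ('  ' * $Depth repeats the string).
function Show-ProcessTree {
    param($Events, [int]$ParentPid = 0, [int]$Depth = 0)
    foreach ($e in ($Events | Where-Object { $_.ParentPid -eq $ParentPid } | Sort-Object Time)) {
        '{0}{1} [pid {2}]  {3}  @ {4}' -f ('  ' * $Depth), $e.Image, $e.Pid, $e.CommandLine, $e.Time
        Show-ProcessTree -Events $Events -ParentPid $e.Pid -Depth ($Depth + 1)
    }
}

# Detection logic: an Office application that spawns a script host is the chain
# the "Office applications creating child processes" ASR rule blocks at the EPP
# layer; when EDR sees it anyway, it is the first thing to pull from the timeline.
$officeApps  = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'
$scriptHosts = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'

function Find-OfficeSpawnedScriptHost {
    param($Events)
    $byPid = @{}
    foreach ($e in $Events) { $byPid[$e.Pid] = $e }   # index by PID for the parent lookup
    foreach ($e in $Events) {
        $parent = $byPid[$e.ParentPid]
        if ($parent -and ($officeApps -contains $parent.Image) -and ($scriptHosts -contains $e.Image)) {
            # Report the whole chain: Office app -> script host -> whatever it launched.
            $chain = @($parent.Image, $e.Image)
            foreach ($c in ($Events | Where-Object { $_.ParentPid -eq $e.Pid })) { $chain += $c.Image }
            [pscustomobject]@{ Time = $e.Time; Chain = ($chain -join ' -> '); Pid = $e.Pid; CommandLine = $e.CommandLine }
        }
    }
}

Show-ProcessTree -Events $events
Find-OfficeSpawnedScriptHost -Events $events | Format-Table -AutoSize
```

With the sample rows, the tree shows explorer.exe with two children, and the detector returns one row whose Chain reads WINWORD.EXE -> powershell.exe -> payload.exe; the OUTLOOK.EXE branch, which spawned nothing, is not reported. The same join is what you read off the device page in the lab, just rendered by the portal.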


4. Defender Vulnerability Management (MDVM)

Microsoft Defender Vulnerability Management (MDVM) continuously discovers and prioritizes weaknesses on your devices — proactive risk reduction rather than incident response:

  • Exposure score — an aggregate measure of how exposed your devices are; lower is better.
  • Software inventory — what software (and versions) is installed across devices.
  • Security recommendations — prioritized, actionable fixes (patch this, change that setting), ranked by impact.
  • Remediation tasks — recommendations can be turned into trackable remediation work (often handed to IT/Intune).

In the lab you will review the top vulnerability recommendations for the test device.


5. Attack Surface Reduction (ASR) rules

Attack surface reduction (ASR) rules are targeted rules that block common attack behaviors — the techniques malware and exploits rely on — before they lead to compromise. Examples of behaviors ASR rules can block (verify current rule set and GUIDs in Microsoft Learn, as of June 2026):

  • Office applications creating child processes or executable content.
  • Credential theft from the Windows local security subsystem (LSASS).
  • Execution of obfuscated or potentially malicious scripts.
  • Untrusted/unsigned processes launching from USB.

Operating modes — apply rules in stages to avoid breaking legitimate work:

  • Audit — log what would be blocked, without blocking. Use this first to measure impact.
  • Block — enforce; the behavior is prevented.
  • Warn — prompt the user, who can bypass (where supported).

Exclusion considerations: some legitimate line-of-business apps trip ASR rules. Start in audit, review the events, add narrow exclusions only where justified, then move to block. Broad exclusions undermine the protection.
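The audit → review → narrow exclusion → block sequence above can be driven locally with the Defender Antivirus cmdlets. The script below is an added example, not code from this module or from Microsoft Learn, written for an elevated PowerShell session on the lab VM only. Assumptions: the GUID is the "block credential stealing from LSASS" rule as listed in the ASR rules reference and must be verified there first; event IDs 1121 (blocked) and 1122 (audited) in the Defender operational log and the EventData field names used for parsing should be confirmed against one exported event; the excluded path is a hypothetical line-of-business binary.

```powershell
# Added example (not from the module or Microsoft Learn). Verify the rule GUID in
# the ASR rules reference before use; rule IDs and semantics change over time.
$RuleId  = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
$LogName = 'Microsoft-Windows-Windows Defender/Operational'

# 1. Audit first. Add-MpPreference adds or updates one rule; Set-MpPreference with
#    these parameters replaces the whole rule list, so avoid it for a single change.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode

# 2. Review after the audit period. Event 1122 = rule would have blocked (audit),
#    1121 = rule blocked. The EventData names ('ID', 'Process Name', 'Path') are
#    assumptions based on exported events; confirm against one event from your log.
function Get-AsrRuleSummary {
    param([string]$RuleId, [int]$Days = 7)
    $filter = @{ LogName = $LogName; Id = 1121, 1122; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = $(if ($_.Id -eq 1122) { 'Audit' } else { 'Block' })
            RuleId  = $data['ID']
            Process = $data['Process Name']
            Target  = $data['Path']
        }
    } | Where-Object { $_.RuleId -eq $RuleId } |
      Group-Object Mode, Process | Sort-Object Count -Descending |
      Select-Object Count, Name
}
Get-AsrRuleSummary -RuleId $RuleId | Format-Table -AutoSize

# 3. Exclude only the specific binary the review justified (hypothetical path),
#    never a whole directory tree. These exclusions apply to ASR rules only.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\LobVendor\LobAgent.exe'

# 4. Move to block once the audit view is clean, then confirm the configured state.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions Enabled
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions
```

The summary groups hits by mode and process, so a process that appears repeatedly under "Audit" is the one to examine before deciding whether it needs a narrow exclusion or is the behaviour the rule exists to stop. In a managed estate the same staging is done centrally (Intune or Group Policy) rather than per device; the local cmdlets are useful for the lab and for confirming what a device actually enforces.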

ATT&CK tie-in (M01): ASR rules map directly to ATT&CK techniques — e.g., blocking LSASS credential access corresponds to OS Credential Dumping: LSASS Memory (T1003.001). ASR is threat-informed prevention.


6. The device page

The device page in the portal is your single pane for one machine. From it you can review:

  • Alerts active on the device and the incidents they belong to.
  • Timeline of device events for reconstruction.
  • Security recommendations (from MDVM) for that device.
  • Inventory (installed software), discovered vulnerabilities, and exposure level.

It is also where you launch response actions (next section).


7. Device response actions

When a device is compromised or suspicious, MDE lets you act remotely from the portal:

  • Isolate device — cut the device off from the network (except its connection to the Defender service) to stop lateral movement and command-and-control, while preserving the ability to investigate. Releasing isolation restores connectivity.
  • Collect investigation package — gather a forensic bundle of artifacts from the device for offline analysis and evidence.
  • Run antivirus scan — trigger a quick or full Defender Antivirus scan remotely.
  • Restrict app execution — allow only Microsoft-signed code to run, neutralizing most malware while keeping the device partly usable.
  • Live response (overview) — an interactive remote shell to run investigative/remediation commands on the device. Introduced here at a high level; deeper coverage is beyond this module.

In the lab you will isolate the test device, confirm the effect, and release it; you will also run an antivirus scan and collect an investigation package.

Caution (lab safety): all response actions run against the dedicated lab/dev tenant and test VM only — never a production device. Isolation and app-restriction visibly affect the machine; always release/undo as the lab instructs.


8. Module summary

  • MDE = sensor (on device) + cloud backend + portal integration.
  • EPP prevents (next-gen antivirus, behavioral monitoring, cloud protection); EDR detects and investigates (alerts, device timeline, process tree); MDVM reduces risk proactively (exposure score, software inventory, recommendations, remediation tasks).
  • ASR rules block common attack behaviors; roll out audit → (warn) → block with narrow, justified exclusions; they map to MITRE ATT&CK techniques.
  • The device page centralizes alerts, timeline, recommendations, and inventory, and launches response actions: isolate/release, collect investigation package, run AV scan, restrict app execution, with live response for interactive work.

Glossary (first-use acronyms in this module)

  • ASR — Attack Surface Reduction.
  • AV — Antivirus.
  • EDR — Endpoint Detection and Response.
  • EPP — Endpoint Protection Platform.
  • LSASS — Local Security Authority Subsystem Service (credential-theft target).
  • MDE — Microsoft Defender for Endpoint.
  • MDVM — Microsoft Defender Vulnerability Management.

Sources

Citations recorded per CLAUDE.md. Living documents; “as of June 2026” stamps indicate currency.

  1. Microsoft Learn — “Microsoft Defender for Endpoint overview.” https://learn.microsoft.com/defender-endpoint/microsoft-defender-endpoint
  2. Microsoft Learn — “Overview of endpoint detection and response (EDR).” https://learn.microsoft.com/defender-endpoint/overview-endpoint-detection-response
  3. Microsoft Learn — “Microsoft Defender Vulnerability Management.” https://learn.microsoft.com/defender-vulnerability-management/defender-vulnerability-management
  4. Microsoft Learn — “Attack surface reduction rules reference.” https://learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-reference
  5. Microsoft Learn — “Take response actions on a device.” https://learn.microsoft.com/defender-endpoint/respond-machine-alerts
  6. Microsoft Learn — “Investigate devices in the Microsoft Defender for Endpoint Devices list.” https://learn.microsoft.com/defender-endpoint/investigate-machines
  7. MITRE ATT&CK — Enterprise techniques (for ASR/EDR mapping). https://attack.mitre.org/matrices/enterprise/

M05 of 10 · Microsoft Defender — Security Operations Fundamentals · maps to curriculum.md → M05 learning objectives 1–4. Student handout — distribute freely to learners. No answer keys contained.