Azure Security Center and Microsoft Defender for Endpoint Integration


Introduction

When it comes to endpoint detection and response (EDR) solutions, Azure Security Center, and Microsoft Defender for Endpoint, customers often ask me the following question:

How does Azure Security Center integrate with Microsoft Defender Advanced Threat Protection (ATP) to protect Windows server machines? Do we need a separate license? Do we still need access to the Microsoft Defender Security Center portal?

In this article, I will answer those frequent questions and share with you how Azure Security Center (ASC) integrates with Microsoft Defender for Endpoint, formerly known as Microsoft Defender Advanced Threat Protection (MDATP), so you can harness the power of both solutions.

Microsoft Defender ATP (MDATP)

Microsoft Defender for Endpoint is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Microsoft Defender ATP is a full endpoint detection and response (EDR) solution available on a range of operating systems: Windows 10, macOS, Linux (in public preview), and iOS and Android (both in private preview). The platform offers preventive protection, post-breach detection, and automated investigation and response. Its alerts indicate attacks, compromises, and other threat indicators, which can be remediated automatically or manually.

Microsoft Defender for Endpoint provides the following capabilities:

  • Advanced post-breach detection sensors: Microsoft Defender ATP sensors for Windows servers collect a vast array of behavioral signals.
  • Analytics-based, cloud-powered post-breach detection: Microsoft Defender ATP quickly adapts to changing threats. It uses advanced analytics and big data. Microsoft Defender ATP is amplified by the power of the Intelligent Security Graph with signals across Windows, Azure, and Office to detect unknown threats. It provides actionable alerts and enables you to respond quickly.
  • Threat intelligence: Microsoft Defender ATP generates alerts when it identifies attacker tools, techniques, and procedures. It uses data generated by Microsoft threat hunters and security teams, augmented by intelligence provided by partners.

Microsoft Defender Security Center (https://securitycenter.windows.com) is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. It gives you and your security operations teams a single pane of glass experience to help secure your networks and endpoints.

For more information about Microsoft Defender Advanced Threat Protection, please check Microsoft documentation.

Azure Security Center (ASC)

Azure Security Center gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center (ASC) has two main value propositions:

  1. Cloud Security Posture Management (CSPM) – Helps you prevent misconfigurations and strengthen your security posture across all types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS).
  2. Cloud Workload Protection Platform (CWPP) – Protects servers against threats whether they are running in Azure, on-premises, or in other clouds such as Amazon AWS or Google GCP, in addition to cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, SQL databases (PaaS/VM), and storage accounts.

Azure Security Center is meant to be that one tool that gives you a unified overview of your hybrid cloud environment’s current security configuration and informs you about current threats and attacks against your workloads and services.

For more information about Azure Security Center, please check Microsoft documentation.

ASC and MDATP integration

For Azure Security Center to integrate with Microsoft Defender for Endpoint, you need to make sure that:

  1. Azure Defender (formerly known as the Standard tier) is enabled in Security Center.
    • For Azure VMs, you need the Standard tier enabled at the subscription level.
    • For non-Azure VMs (on-premises / other clouds), you need to enable the Standard tier at the workspace level only.
  2. To enable integration and data collection between ASC and MDATP, you need to allow Defender ATP to access your data in the Security Center | Pricing & settings page (Settings > Threat detection).
  3. Last, you need the Microsoft Monitoring Agent (MMA) properly installed and configured on each server. Microsoft Defender for Endpoint in Security Center supports detection on Windows Server 2019, 2016, 2012 R2, and 2008 R2 SP1 only. Please check the following article to learn more about how to onboard Windows server machines to Security Center. Note that, at the time of this writing, Windows Server 2019 integration with ASC for Microsoft Defender for Endpoint is not supported yet; it is on the roadmap. Stay tuned!
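To turn the three prerequisites above into something you can check rather than eyeball in the portal, here is an added example (not from the original post or from Microsoft): a small Python readiness check over the pricing tiers, the Defender ATP data-access setting and each server's agent and OS state. The JSON shapes of the pricing and WDATP setting objects are assumed to mirror the Microsoft.Security pricings/settings REST resources, and every sample input is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

# OS versions the article lists; Windows Server 2019 is listed but flagged "not supported yet".
SUPPORTED_OS = {"Windows Server 2016", "Windows Server 2012 R2", "Windows Server 2008 R2 SP1"}
ROADMAP_OS = {"Windows Server 2019"}

@dataclass
class Server:
    name: str
    os: str
    in_azure: bool       # Azure VM (subscription-level tier) or on-premises/other cloud (workspace-level tier)
    mma_installed: bool  # Microsoft Monitoring Agent present and reporting

def _tier(pricing: Dict) -> str:
    # Assumed shape, mirroring the Microsoft.Security/pricings resource: properties.pricingTier
    return pricing.get("properties", {}).get("pricingTier", "Free")

def check_integration(sub_pricing: Dict, ws_pricing: Dict, wdatp: Dict, servers: List[Server]) -> List[str]:
    """Return the checklist prerequisites that are NOT met; an empty list means the integration is ready."""
    findings = []
    sub_standard = _tier(sub_pricing) == "Standard"  # step 1 for Azure VMs
    ws_standard = _tier(ws_pricing) == "Standard"    # step 1 for non-Azure servers
    # Step 2: the "allow Microsoft Defender ATP to access my data" switch (assumed shape: properties.enabled)
    if not wdatp.get("properties", {}).get("enabled", False):
        findings.append("WDATP data access is disabled (Pricing & settings > Threat detection)")
    for s in servers:  # step 3: agent and OS checks per server
        if s.in_azure and not sub_standard:
            findings.append(f"{s.name}: Azure VM but the subscription is not on the Standard tier")
        if not s.in_azure and not ws_standard:
            findings.append(f"{s.name}: non-Azure server but the workspace is not on the Standard tier")
        if not s.mma_installed:
            findings.append(f"{s.name}: MMA agent not installed or not reporting")
        if s.os in ROADMAP_OS:
            findings.append(f"{s.name}: {s.os} integration is not supported yet (on the roadmap)")
        elif s.os not in SUPPORTED_OS:
            findings.append(f"{s.name}: {s.os} is not a supported OS for this integration")
    return findings

# Constructed sample input (not real API responses)
SAMPLE_SUB = {"name": "VirtualMachines", "properties": {"pricingTier": "Standard"}}
SAMPLE_WS = {"name": "default", "properties": {"pricingTier": "Free"}}
SAMPLE_WDATP = {"name": "WDATP", "kind": "DataExportSettings", "properties": {"enabled": True}}
SAMPLE_SERVERS = [
    Server("az-web01", "Windows Server 2016", in_azure=True, mma_installed=True),
    Server("onprem-dc01", "Windows Server 2012 R2", in_azure=False, mma_installed=True),
    Server("onprem-app02", "Windows Server 2019", in_azure=False, mma_installed=False),
]
for finding in check_integration(SAMPLE_SUB, SAMPLE_WS, SAMPLE_WDATP, SAMPLE_SERVERS):
    print("NOT READY:", finding)
```

With the constructed input, the Azure VM passes, while both on-premises servers fail because the workspace is still on the Free tier, and the 2019 server additionally fails the agent and OS checks.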

The good news, from the virtual machine threat detection perspective, is that Security Center integrates with Microsoft Defender for Endpoint. What that really means is that Security Center deploys the Microsoft Defender for Endpoint sensor for Windows servers as part of the Standard tier, so you don’t have to pay for any extra Defender ATP license. This enables an entirely new set of capabilities from this powerful EDR solution, which is based on behavioral analytics. If Defender ATP identifies malicious activity, it triggers an alert on its own; the alert goes to the Microsoft Defender Security Center portal and is also shown in the Security Center | Security alerts page. You can therefore use the Security Center dashboard as the centralized location for the alert triage you usually do, and see not only the alerts generated by Security Center analytics but also those generated by Microsoft Defender for Endpoint.

When you integrate Azure Security Center with Microsoft Defender for Endpoint, Defender for Endpoint is also connected to your Azure Active Directory tenant as well as to Azure Security Center. As mentioned above, Microsoft Defender for Endpoint surfaces its alerts in the Azure Security Center dashboard. To uncover more information about a breach, you can explore the details in the interactive Investigation Path within the Security Center alerts page, as shown in the figure below.

[Figure: Investigation Path in the Security Center alerts page]

But if you want to dig deeper into these alerts, you should look at them in the Microsoft Defender Security Center portal. Here is an example of what the ‘Incident graph’ looks like in the ATP portal for understanding this suspicious activity.

[Figure: Incident graph in the Microsoft Defender Security Center portal]

You can also drill further and see the ‘Alert process tree’ in detail. This is very powerful.

[Figure: Alert process tree in the Microsoft Defender Security Center portal]

Please note that having access to the Security Center portal is not enough; you still need access to the Microsoft Defender Security Center portal to fully manage the virtual machine there. So what you get with Azure Security Center is the management configuration and the alerts, not the management portal.

Summary

Microsoft Defender for Endpoint and Azure Security Center are two completely different products: the former is dedicated to endpoint protection and the latter covers Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) scenarios. However, integrating Security Center with Microsoft Defender for Endpoint gives you a single pane of management to monitor your servers and to investigate and respond in case of an incident.

The Azure Security Center team works closely with the Microsoft Defender for Endpoint team on endpoint protection, which is part of the ‘Azure Defender’ plan of Security Center, so when you pay $15 per server to protect your virtual machines, you also get the Defender for Endpoint license activated on those machines.

Additional resources I highly encourage you to check:

Azure Security Center (ASC) harnesses the power of Microsoft Defender for Endpoint to provide improved threat detection for Windows Servers whether they are running on-premises, on Azure, or in other cloud environments. Microsoft’s vast threat intelligence enables Microsoft Defender for Endpoint to identify and notify you of attackers’ tools and techniques, so you can understand threats and respond quickly.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-


4 thoughts on “Azure Security Center and Microsoft Defender for Endpoint Integration”


  1. Hi,
    thanks for this really good article, it explained a few things to me (I am new to ATP & Azure Security Center).
    Still, I have a few questions regarding this topic:
    1.) I don’t understand pricing/licensing for it. For example, if I have 50 on-prem Win2016 servers, how would pricing go? All of my users have M365 E5 or E3 licenses.
    2.) In what situations is it better to use Azure Security Center and when should I use ATP, in terms of using dashboards?
    3.) I understand that ATP gives me options for reporting, investigating etc… threats, but do I get Defender options from ATP or Security Center?
    4.) I know there are 3 options to onboard a device to ATP, but how should I choose which one is the most appropriate for my environment?

    That’s it for now, if I think of anything else, I will write it here. :)
    Kr,
    Dino

  2. Hello Dino,
    Thank you for the comment.
    Please find my answers to your questions below:
    1.) I don’t understand pricing/licensing for it. For example, if I have 50 on-premises Win2016 servers, how would pricing go? All of my users have M365 E5 or E3 licenses. Please note that you pay only $15 per server to protect your Windows Server 2016 in Azure Security Center; you also get the Microsoft Defender for Endpoint (MDE, formerly known as ATP) license activated on these machines. So one agent and one license. You should not pay double.
    2.) In what situations is it better to use Azure Security Center and when should I use ATP, in terms of using dashboards? If you have integrated MDE (ATP) with Azure Security Center (ASC), I recommend using the ASC dashboard, and if you need to investigate an incident/alert, Azure Security Center will add a deep link directly in the incident page where you can browse to MDE/ATP for a more detailed investigation.
    3.) I understand that ATP gives me options for reporting, investigating etc… threats, but do I get Defender options from ATP or Security Center? I recommend using Azure Security Center for Windows Servers and ATP (Microsoft Defender for Endpoint) on Windows 10 machines. Then you get all the reporting and deep investigation in ASC for Windows Servers and in ATP for Windows clients.
    4.) I know there are 3 options to onboard a device to ATP, but how should I choose which one is the most appropriate for my environment? If you want to onboard a large number of devices to ATP, I highly recommend automating that task with PowerShell (scripting) or with Microsoft Intune. To onboard to Azure Security Center, you can also automate the provisioning of the agent if your servers are on-premises.
    Hope this helps!

  3. About licensing: You can license Windows Defender for Endpoint for Windows servers as well. The price is around $5 per month.
    So the question is: is ASC for on-prem servers worth the extra $10/month/server? In my opinion that is a lot of money for a limited amount of extra protection.
    Of course automatic onboarding is very nice, but that doesn’t work for Windows Server 2019 at this moment.
    So if you have a lot of (2019) on-prem servers –> Go with Defender for Endpoint only.
    If you have most of your servers running in Azure –> ASC is the way to go.

  4. Thank you Rick for the comment! Yes, you are right about this question. I totally agree that $15/month/server is expensive whether the server is deployed in the cloud or on-premises. However, the extra $10/month/server will cover additional levels of protection such as Adaptive Application Controls, File Integrity Monitoring (FIM), and Vulnerability Assessment. Every organization and every industry has different requirements. So if you have a lot of (2016/2019) on-premises servers and you want to track changes (files/registry) and those servers are deployed in a highly regulated environment, then you need to go with full protection ($15); if not, then Defender for Endpoint only might be enough for you ($5).
