# Mastering Microsoft 365 Defender

![rw-book-cover](https://m.media-amazon.com/images/I/51Zxsjxmy3L._SY160.jpg)

## Metadata

- Author: [[Ru Campbell, Viktor Hedberg, and Heike Ritter]]
- Full Title: Mastering Microsoft 365 Defender
- Category: #books

## Highlights

- How does M365D differ from a traditional SIEM or niche SOAR solution? M365D differs from a traditional SIEM or a niche SOAR solution in several key ways. First, M365D leverages a broad and integrated suite of Microsoft products, including MDE, MDO, and MDA, to provide end-to-end security coverage for organizations. This approach allows for a deeper and more comprehensive analysis of security events, as signals from different sources are correlated and analyzed together. In contrast, traditional SIEMs and niche SOAR solutions often rely on point products or limited integrations, which can result in blind spots and a lack of visibility. Second, M365D’s built-in automated response capabilities allow for immediate and real-time action to be taken against threats. The automated attack disruption feature, for example, leverages AI models to counteract the complexities of advanced attacks and contain them in real time, limiting their impact on an organization’s assets. This capability is not typically found in traditional SIEMs or niche SOAR solutions, which may rely on manual intervention or limited automation. Third, M365D’s cloud-based architecture allows for more efficient and scalable security operations, as security events and data are analyzed and processed in the cloud rather than on-premises. This can result in faster detection and response times, as well as more effective threat hunting and investigation. In contrast, SIEMs and SOAR solutions generally may require significant on-premises infrastructure and resources, which can be costly and difficult to scale.

  Overall, M365D provides a comprehensive and integrated security solution that leverages the power of AI and automation to enable faster and more effective threat detection and response while also offering the scalability and efficiency benefits of the cloud-based architecture. ([Location 9929](https://readwise.io/to_kindle?action=open&asin=B0BYZLJFCR&location=9929))

## New highlights added February 25, 2024 at 9:05 PM

- Settings are deployed to Linux servers with a configuration profile, like the type of profile you learned about for macOS in the previous chapter. The difference for Linux is the format: JSON. ([Location 6368](https://readwise.io/to_kindle?action=open&asin=B0BYZLJFCR&location=6368))
- There’s a big difference in managing Linux server settings when compared to something such as Group Policy for Windows: files aren’t merged. Therefore, if different servers require different settings, you’ll need multiple files scoped specifically to the exact requirements, rather than mixing and matching pushed files. ([Location 6425](https://readwise.io/to_kindle?action=open&asin=B0BYZLJFCR&location=6425))
- The following diagram describes the mail flow with EOP, Safe Links, and Safe Attachments combined: Figure 15.4 – The combination of EOP, Safe Links, and Safe Attachments ([Location 8096](https://readwise.io/to_kindle?action=open&asin=B0BYZLJFCR&location=8096))
- You can think of Sentinel as an additional layer for a mature security operations center (SOC), where Microsoft 365 Defender telemetry, alerts, and incidents are combined with those from other services, such as other Microsoft data sources or third-party applications and appliances. ([Location 10317](https://readwise.io/to_kindle?action=open&asin=B0BYZLJFCR&location=10317))
- Where Microsoft 365 Defender goes deep for the services it is scoped to (MDE, MDO, MDI, MDA, and MDVM), Sentinel goes broad. ([Location 10425](https://readwise.io/to_kindle?action=open&asin=B0BYZLJFCR&location=10425))
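The two Linux highlights above make one operational point: the Linux agent takes a single JSON profile and does not merge several pushed files the way Group Policy layers Windows settings, so every server role needs one complete file. The script below is an added example, not code from the book or from Microsoft. It performs the merge at build time instead (a shared base plus per-role overrides, emitted as one whole profile per role) and reports which base settings a bare override file would silently drop if it were pushed on its own. The key names (`antivirusEngine`, `cloudService`, `exclusions`, `enforcementLevel`, and so on) follow the `mdatp_managed.json` schema as I understand it and are assumptions to verify against Microsoft's current Linux documentation, as is the target path mentioned in the comments; the sample exclusion paths are constructed.

```python
"""Build one complete Defender for Endpoint on Linux profile per server role.

Added example (not from the book or from Microsoft). The Linux agent reads a
single managed JSON file and does not merge several pushed files, so any
layering of "common" and "role-specific" settings has to happen here, before
deployment. Key names are assumed to follow the mdatp_managed.json schema;
confirm them against Microsoft's documentation before use.
"""
import copy
import json

# Settings every Linux server should receive (constructed sample values).
BASE = {
    "antivirusEngine": {
        "enforcementLevel": "real_time",
        "scanAfterDefinitionUpdate": True,
        "exclusionsMergePolicy": "admin_only",
        "exclusions": [
            {"$type": "excludedPath", "isDirectory": True, "path": "/var/log"},
        ],
    },
    "cloudService": {
        "enabled": True,
        "automaticDefinitionUpdateEnabled": True,
        "automaticSampleSubmissionConsent": "safe",
    },
}

# Per-role additions. On their own these are NOT valid complete profiles:
# pushed as-is they would replace BASE rather than extend it.
ROLE_OVERRIDES = {
    "web": {
        "antivirusEngine": {
            "exclusions": [
                {"$type": "excludedPath", "isDirectory": True, "path": "/var/www/cache"},
            ],
        },
    },
    "database": {
        "antivirusEngine": {
            "exclusions": [
                {"$type": "excludedPath", "isDirectory": True, "path": "/var/lib/postgresql"},
            ],
            "maximumOnDemandScanThreads": 2,
        },
    },
}


def deep_merge(base, override):
    """Return a new dict: override layered onto base. Dicts recurse, lists
    append (without duplicates), scalars are replaced. Inputs are untouched."""
    result = copy.deepcopy(base)
    for key, value in override.items():
        current = result.get(key)
        if isinstance(value, dict) and isinstance(current, dict):
            result[key] = deep_merge(current, value)
        elif isinstance(value, list) and isinstance(current, list):
            result[key] = current + [item for item in value if item not in current]
        else:
            result[key] = copy.deepcopy(value)
    return result


def build_profiles(base=BASE, overrides=ROLE_OVERRIDES):
    """One complete profile per role, ready to be deployed whole."""
    return {role: deep_merge(base, override) for role, override in overrides.items()}


def missing_keys(profile, base, prefix=""):
    """Dotted paths of base settings that `profile` lacks. A non-empty result
    means this file would drop those settings if pushed as the only profile."""
    missing = []
    for key, value in base.items():
        path = f"{prefix}{key}"
        if key not in profile:
            missing.append(path)
        elif isinstance(value, dict) and isinstance(profile[key], dict):
            missing.extend(missing_keys(profile[key], value, path + "."))
    return missing


def render(profile):
    """Serialise a profile in the JSON form the agent expects (assumed)."""
    return json.dumps(profile, indent=2, sort_keys=True)


if __name__ == "__main__":
    for role, override in ROLE_OVERRIDES.items():
        lost = missing_keys(override, BASE)
        print(f"# override for '{role}' alone would lose: {lost or 'nothing'}")
    for role, profile in build_profiles().items():
        # Each rendered profile is deployed whole as the agent's managed file
        # (assumed path: /etc/opt/microsoft/mdatp/managed/mdatp_managed.json).
        print(f"# complete profile for '{role}'")
        print(render(profile))
```

Deploy each rendered profile whole, one per scoped group of servers, rather than pushing the base and the role file separately. The `missing_keys` check is the guard worth keeping in a pipeline: run it against whatever file is about to be pushed, and fail the deployment when it reports anything, because that is exactly the case the book warns about.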