This is a question that I receive often from customers and partners I work with. Here is one view on this topic.
From a product perspective, Microsoft 365 Defender is part of the Microsoft Defender XDR (Extended Detection & Response) portfolio, which is divided into two solutions: Microsoft 365 Defender and Azure Defender (picture from MS marketing material).
In a nutshell, M365 Defender protects M365 workloads, and Azure Defender protects Azure workloads, on-premises resources and resources in 3rd-party clouds (threat protection).
Product Names Re-Branding
Before moving forward, let's familiarize ourselves with the new names of the M365 security solutions that were announced at Microsoft Ignite 2020. The Microsoft Cloud App Security (MCAS) name remains the same as before the re-branding.

| New Name | Previous Name |
|---|---|
| Microsoft 365 Defender | Microsoft Threat Protection (MTP) |
| Defender for Endpoint (DFE) | Microsoft Defender Advanced Threat Protection (MDATP) |
| Defender for Identity (DFI) | Azure Advanced Threat Protection (Azure ATP) |
| Defender for O365 (DFO) | Office 365 Advanced Threat Protection (O365 ATP) |
| Cloud App Security (MCAS) | Cloud App Security (MCAS) |
Which Solution To Use?
Microsoft is heavily investing in both solutions: M365 Defender, its Extended Detection and Response (XDR) offering, and Azure Sentinel, its cloud-native SIEM. In a Microsoft cloud environment, I would put my effort into both Microsoft 365 Defender and Azure Sentinel, not only one of them.
Microsoft 365 Defender
According to Microsoft: “Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.”
It’s the next level of M365 security and the perfect solution when it comes to identities, endpoints, and SaaS applications. It has features such as:
- One unified portal for the incident management
- Security posture management
- Automatic healing
- Cross-domain active protection
- Threat Hunting capabilities
- Unified Threat Intel & Analytics
- Brand new APIs
The Microsoft 365 Defender suite protects (list from docs.microsoft.com):
- Endpoints with Microsoft Defender for Endpoint – Microsoft Defender for Endpoint is a unified endpoint platform for preventative protection, post-breach detection, automated investigation, and response.
- Email and collaboration with Microsoft Defender for Office 365 – Defender for Office 365 safeguards the organization against malicious threats posed by email messages, links (URLs), and collaboration tools.
- Identities with Microsoft Defender for Identity and Azure AD Identity Protection – Microsoft Defender for Identity uses Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
- Applications with Microsoft Cloud App Security – Microsoft Cloud App Security is a comprehensive cross-SaaS solution bringing deep visibility, strong data controls, and enhanced threat protection to your cloud apps.
- With App Connectors you can ingest data from 3rd-party apps such as AWS, Google, Box, etc. into MCAS.
It’s also the only solution you can use for incident/alert management that natively syncs alert status changes back to the source product itself (in some scenarios). Also, Microsoft is investing heavily in developing M365 Defender and its associated portal (security.microsoft.com), which means that more integrations are coming to it; stay tuned.
You might ask, how about Azure security? Currently, Azure Security Center (together with Azure Defender) is the place for Azure security management, and M365 Defender doesn’t have an integration with it. But if you look back at Microsoft blog posts from 2018, infrastructure management was one of the core components of M365 Defender (in those days Microsoft Threat Protection, aka MTP). I wouldn’t be surprised if Azure Security Center integration were announced in the near future, but it might also be that the day never comes.
Take into account that M365 Defender is not a SIEM; Azure Sentinel offers such capabilities.
Picture from Microsoft Security Compass material – ‘Microsoft SOC Reference Architecture‘.
Azure Sentinel is like the ‘icing on the cake’: the solution that connects all the sources together, including Microsoft cloud solutions, network devices, 3rd-party data sources, on-prem systems, and so on.
Many of my customers have asked: do I need Sentinel when I already have M365 Defender, and if I do, why do I need it?
As written before, M365 Defender is not a SIEM. Even though some capabilities overlap, Azure Sentinel offers many capabilities that you cannot achieve with M365 Defender, such as:
- Long-term storage for logs (Sentinel, i.e. the Log Analytics workspace, is not itself a place for long-term storage, but you can use storage accounts for it)
- Log Analytics data retention is 730 days, longer than any of the security solutions offer
- Data export available from Log Analytics
- Threat Hunting capabilities with Jupyter Notebooks (also beyond MS stack)
- Data correlation with multiple data sources no matter where the actual solutions are located
- SOAR capabilities with custom playbooks
- User and Entity Behavior Analytics (UEBA)
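To make the cross-source correlation point concrete, here is an added Kusto (KQL) hunting query for an Azure Sentinel workspace; it is not from the original post. It joins M365 Defender alerts that the connector lands in the SecurityAlert table with Azure AD SigninLogs, something the Defender portal alone cannot do. The table and column names are standard Sentinel ones; the 30-day window, the 24-hour follow-up interval and the assumption that CompromisedEntity carries the UPN for identity-related alerts are mine.

```kusto
// Added example (not from the original post): correlate alerts that M365 Defender
// sends to Sentinel's SecurityAlert table with Azure AD sign-in logs, a second source.
// Assumption: for identity-related alerts, CompromisedEntity holds the user's UPN.
let lookback = 30d;   // Sentinel retention allows a wider window than the product portal
let alerts =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where AlertSeverity in ("High", "Medium")
    | project AlertTime = TimeGenerated, AlertName, AlertSeverity, ProductName,
              Account = tolower(CompromisedEntity);
// Successful interactive sign-ins for the same accounts, from Azure AD.
let signins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"          // "0" means success in SigninLogs
    | project SigninTime = TimeGenerated, Account = tolower(UserPrincipalName),
              IPAddress, AppDisplayName, Location;
alerts
| join kind=inner (signins) on Account
// Keep only sign-ins in the 24 hours after the alert fired
| where SigninTime between (AlertTime .. (AlertTime + 24h))
| summarize Signins = count(), DistinctIPs = dcount(IPAddress),
            Countries = make_set(Location), Apps = make_set(AppDisplayName)
          by Account, AlertTime, AlertName, AlertSeverity, ProductName
// Flag accounts that kept signing in from several IPs or countries after an alert
| where DistinctIPs > 1 or array_length(Countries) > 1
| order by AlertTime desc
```

The same shape works for any other connected source (firewall logs, a 3rd-party identity provider) by swapping the second table; that is the correlation capability Sentinel adds on top of M365 Defender.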
Which one to pick?
If you want automated, real-time protection for M365 workloads, select M365 Defender. If you want a full-blown SOC with the benefits listed above, choose Azure Sentinel. As @RavivTamir said on Twitter: “For the best results – use both”.