Microsoft Defender Suite ReferenceMicrosoft Defender Suite Reference
Produktüberblick, Lizenzmatrix, Integrationen und operative Einsatzmuster für die Microsoft-Defender-Suite.Product overview, licensing matrix, integrations, and operational usage patterns for the Microsoft Defender suite.
PortalPortal
security.microsoft.com als einheitliche Incident-Ansicht.security.microsoft.com as the unified incident view.
AbdeckungCoverage
Endpoints, Identity, Email, SaaS, Cloud und SIEM.Endpoints, identity, email, SaaS, cloud, and SIEM.
IntegrationIntegration
Defender XDR + Sentinel + Entra + Intune.Defender XDR + Sentinel + Entra + Intune.
Defender XDR ÜberblickDefender XDR overview
Die Microsoft-Defender-Suite konsolidiert Sicherheitsdaten und Steuerungen rund um Endpunkte, E-Mail, Identitäten, Cloud-Apps und Cloud-Ressourcen. Das operative Zentrum ist das einheitliche Portal unter security.microsoft.com, ergänzt um Defender for Cloud im Azure-Portal und Sentinel für SIEM/SOAR.The Microsoft Defender suite consolidates security data and controls around endpoints, email, identities, cloud apps, and cloud resources. The operational center is the unified portal at security.microsoft.com, complemented by Defender for Cloud in the Azure portal and Sentinel for SIEM and SOAR.
Defender for Endpoint P1/P2Defender for Endpoint P1/P2
| CapabilityCapability | P1P1 | P2P2 |
|---|---|---|
| Next-gen protection / AV | Ja | Yes |
| Attack Surface Reduction | Ja | Yes |
| EDR | Basis | Advanced |
| Device inventory | Ja | Yes |
| Threat & Vulnerability Management | Eingeschränkt | Full |
| Automated investigation and remediation | Nein | Yes |
Defender for Office 365 P1/P2Defender for Office 365 P1/P2
| KontrolleControl | NutzenPurpose |
|---|---|
| Safe LinksSafe Links | URL-Rewrite und Klickschutz für Mail und Collaboration.URL rewrite and click protection for email and collaboration. |
| Safe AttachmentsSafe Attachments | Sandboxing für Anhänge und detonationsbasierte Analyse.Sandboxing for attachments and detonation-based analysis. |
| Anti-phishingAnti-phishing | Spoof-, impersonation- und mailbox-intelligence-basierter Schutz.Spoof, impersonation, and mailbox-intelligence-based protection. |
| AIRAIR | Automated investigation and remediation für Mail-Events.Automated investigation and remediation for email events. |
Defender for IdentityDefender for Identity
| BereichArea | BeschreibungDescription |
|---|---|
| Sensor deploymentSensor deployment | Sensoren auf Domänencontrollern oder per standalone sensor bereitstellen.Deploy sensors on domain controllers or as standalone sensors. |
| AlertsAlerts | Kerberoasting, DCSync, Pass-the-Ticket, Suspicious LDAP und weitere Indikatoren.Kerberoasting, DCSync, pass-the-ticket, suspicious LDAP, and more indicators. |
| Lateral movement pathsLateral movement paths | Pfadanalysen für laterale Bewegung und kritische Abhängigkeiten.Path analysis for lateral movement and critical dependencies. |
Defender for Cloud AppsDefender for Cloud Apps
| FunktionFunction | BeschreibungDescription |
|---|---|
| DiscoveryDiscovery | Shadow-IT erkennen über Firewall-, Proxy- oder Defender-Daten.Discover shadow IT through firewall, proxy, or Defender data. |
| App governanceApp governance | OAuth-Apps, Permissions und riskante App-Verhaltensmuster überwachen.Monitor OAuth apps, permissions, and risky app behavior. |
| Session controlSession control | Reverse-Proxy-basierte Echtzeitkontrolle für Downloads, Watermarks und Monitoring.Reverse-proxy-based real-time control for downloads, watermarks, and monitoring. |
| PoliciesPolicies | Anomaly, activity, file und app-based policies für SaaS und M365.Anomaly, activity, file, and app-based policies for SaaS and M365. |
Defender for CloudDefender for Cloud
| ModulModule | NutzenPurpose |
|---|---|
| CSPMCSPM | Secure Score, Empfehlungen und Governance für Cloud-Konfiguration.Secure Score, recommendations, and governance for cloud configuration. |
| CWPCWP | Workload-Schutz für VMs, SQL, Storage, Containers und mehr.Workload protection for VMs, SQL, storage, containers, and more. |
| RecommendationsRecommendations | Priorisierte Maßnahmen mit regulatorischem Mapping.Prioritized actions with regulatory mapping. |
Microsoft SentinelMicrosoft Sentinel
| BausteinBuilding block | NutzenPurpose |
|---|---|
| Data connectorsData connectors | Entra, M365, Defender, Firewalls, EDR und viele Drittquellen anbinden.Connect Entra, M365, Defender, firewalls, EDR, and many third-party sources. |
| Analytics rulesAnalytics rules | KQL-basierte Erkennung, Fusion und UEBA.KQL-based detection, fusion, and UEBA. |
| PlaybooksPlaybooks | SOAR-Orchestrierung via Logic Apps.SOAR orchestration through Logic Apps. |
| WorkbooksWorkbooks | Dashboards für Jagd, Metriken und Management-Berichte.Dashboards for hunting, metrics, and management reporting. |
Integration der ProdukteIntegration between products
| QuelleSource | Integriert mitIntegrates with | MehrwertValue |
|---|---|---|
| Defender for Endpoint | Defender XDR, Sentinel, Intune | Gerätealarme, TVM und Device Context in Incident-Ketten.Device alerts, TVM, and device context inside incident chains. |
| Defender for Office 365 | Defender XDR, Exchange, Sentinel | Mail-Events werden mit Identität und Endpoint-Telemetrie korreliert.Email events are correlated with identity and endpoint telemetry. |
| Defender for Identity | Defender XDR, Entra ID, Sentinel | On-prem AD-Angriffe werden mit Cloud-Identität verbunden.On-prem AD attacks are connected with cloud identity. |
| Defender for Cloud Apps | Conditional Access, Defender XDR, Sentinel | Session Control und OAuth-Governance schließen die SaaS-Lücke.Session control and OAuth governance close the SaaS gap. |
LizenzanforderungenLicensing requirements
| ProduktProduct | Typische LizenzTypical license |
|---|---|
| Defender for Endpoint | Microsoft 365 E5 / Security E5 / Defender for Endpoint P2Microsoft 365 E5 / Security E5 / Defender for Endpoint P2 |
| Defender for Office 365 | Defender for Office 365 P1/P2 oder M365 E5Defender for Office 365 P1/P2 or M365 E5 |
| Defender for Identity | M365 E5 / Security E5 / standaloneM365 E5 / Security E5 / standalone |
| Defender for Cloud Apps | M365 E5 / Security E5 / standaloneM365 E5 / Security E5 / standalone |
| Defender for Cloud | Azure-planabhängig, pro Resource und PlanAzure-plan-dependent, per resource and plan |
| Sentinel | Azure consumption-basiert + DatenvolumenAzure consumption-based plus data volume |
GitHub-ReferenzenGitHub references
| RepositoryRepository | NutzenPurpose |
|---|---|
| microsoft/Microsoft-365-Defender-Hunting-Queries | KQL- und Hunting-Queries für Defender XDR.KQL and hunting queries for Defender XDR. |
| Azure/Azure-Sentinel | Analytics Rules, Workbooks, Playbooks und Community Content für Sentinel.Analytics rules, workbooks, playbooks, and community content for Sentinel. |
PowerShell
Connect-MgGraph -Scopes "SecurityEvents.Read.All"
# Grundlegend: Entra Risk + Defender Incident Korrelationsdaten lesen
Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/security/incidents"