// What is MDE?
Microsoft Defender for Endpoint (MDE) is Microsoft's enterprise EDR (Endpoint Detection and Response) platform. It monitors endpoints (Windows, macOS, Linux, iOS, and Android) for malicious behaviour, provides automated investigation and remediation, and feeds into the broader Microsoft Defender XDR ecosystem.
MDE is tightly integrated with Microsoft Sentinel, Entra ID, Microsoft Defender for Identity, and Microsoft Defender for Office 365, giving analysts a correlated view across the entire Microsoft security stack through the Microsoft Defender portal.
MDE is licensed as Plan 1 (basic EPP features) or Plan 2 (full EDR, Advanced Hunting, Threat & Vulnerability Management). Most enterprise deployments use Plan 2, which is included in Microsoft 365 E5 and Microsoft Defender XDR.
// Console Overview
The Defender portal (security.microsoft.com) is the unified interface for all Microsoft Defender products. Key sections for MDE:
| Section | Purpose |
|---|---|
| Incidents & Alerts | Correlated incidents and individual alerts from all data sources |
| Advanced Hunting | KQL query interface against the 30-day data lake |
| Device Inventory | All onboarded endpoints: status, risk level, exposure score |
| Vulnerability Management | CVE exposure per device, remediation guidance, software inventory |
| Actions & Submissions | Live response sessions, quarantined files, isolation status |
| Reports | Threat protection, device health, and web protection dashboards |
| Settings → Endpoints | Onboarding packages, ASR rules, policies, exclusions |
// Alert Investigation
Each alert in MDE has an alert story: a visual timeline and process tree that shows the sequence of events leading to the detection.
Alert fields
| Field | Description |
|---|---|
| Alert title | Short description, e.g. "Suspicious PowerShell command line" |
| Severity | Informational / Low / Medium / High / Critical |
| Category | MITRE ATT&CK tactic: Execution, Persistence, Credential Access, etc. |
| Detection source | Which engine flagged it: MDE antivirus, EDR, custom detection rule, Sentinel |
| Impacted assets | Devices and users associated with the alert |
| Status | New / In Progress / Resolved |
| Classification | True Positive / Benign Positive / False Positive; set this when closing |
Alert story: what to look for
Process tree
Follow parent-child relationships upwards to find the root process and establish where execution originated: a browser, an email attachment, a scheduled task?
Command line
Click any process node to see the full command line. Look for encoded commands, downloaded URLs, suspicious flags, or references to temp directories.
Network events
Outbound connections from the alerted process: C2 domains, download URLs, lateral movement attempts. Cross-reference IPs against threat intel.
File events
Files created or modified during the alert window: dropped payloads, modified system files, log deletion. Note full paths and hashes.
// Device Inventory
The Device Inventory lists all onboarded endpoints. From a device page you can see:
| Tab | Information |
|---|---|
| Overview | OS, last seen, risk level, exposure score, assigned user, IP addresses |
| Alerts | All alerts on this device, open and historical |
| Timeline | Chronological, searchable event log: processes, network events, file events, registry events |
| Security Recommendations | Vulnerability remediation and configuration improvements ranked by exposure |
| Software Inventory | All installed software with CVE exposure per application |
| Missing KBs | Missing security patches, with a direct link to the Microsoft Update Catalog |
The Timeline tab is one of MDE's most powerful investigation tools. It gives you 30 days of granular endpoint telemetry: every process, network connection, and file event in chronological order. Use the search bar and filter by event type to quickly find relevant activity.
// Incident Management
MDE automatically groups related alerts across devices and users into incidents. An incident representing an attack campaign may include alerts from multiple devices, each showing a different stage of the attack chain.
Attack chain view
The incident's Attack story tab shows a graphical view of the attack: entities (devices, users, processes, files) connected by the actions that link them. This is useful for scoping: how many devices are affected, which accounts were involved, and what the attacker did at each stage.
Automated Investigation
MDE can automatically investigate alerts and take remediation actions (quarantine files, stop processes) without analyst intervention. Check the Investigations tab on an incident to see what automated actions were taken and whether any require analyst approval before proceeding.
// Advanced Hunting (KQL)
Advanced Hunting lets you query 30 days of raw endpoint telemetry using KQL. This is the primary tool for proactive threat hunting beyond the alerts MDE generates automatically.
Key MDE tables
| Table | Contents |
|---|---|
| DeviceProcessEvents | Every process created: InitiatingProcessFileName, ProcessCommandLine, AccountName |
| DeviceNetworkEvents | Network connections: RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName |
| DeviceFileEvents | File create/modify/delete: FileName, FolderPath, SHA256, InitiatingProcessFileName |
| DeviceRegistryEvents | Registry reads/writes: RegistryKey, RegistryValueName, RegistryValueData |
| DeviceLogonEvents | Logon events: AccountName, LogonType, RemoteIP |
| DeviceAlertEvents | All alerts per device with MITRE technique tags |
| DeviceInfo | Device inventory: OS, domain, exposure level, risk level |
Hunting queries
```kql
// Encoded PowerShell launches in the last 7 days.
// PowerShell accepts any unambiguous prefix of -EncodedCommand, so -e / -enc are matched too.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("-enc", "-EncodedCommand", "-e ")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| sort by Timestamp desc
```
```kql
// Detects processes named lsass.exe spawned by unexpected parents
// (masquerading malware, not credential dumping via memory access).
// The real LSASS is started by wininit.exe; smss.exe is kept for boot-time edge cases.
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "lsass.exe"
| where InitiatingProcessFileName !in~ ("wininit.exe", "smss.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
```
To detect credential dumping via LSASS memory access (e.g. Mimikatz), use DeviceEvents with ActionType == "OpenProcessApiCall" where FileName == "lsass.exe". This captures handle opens against the LSASS process rather than new process creation events, which is what DeviceProcessEvents records.
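A worked version of that LSASS handle-open hunt, added here as an example (not a query from the original page or from Microsoft). It enriches each caller with signer data from DeviceFileCertificateInfo so unsigned or untrusted processes sort to the top; the allow-listed process names are an assumption and must be tuned to the AV, EDR and backup agents in your own estate.

```kql
// Handle opens against lsass.exe over the last 7 days, excluding expected callers.
// Allow-list is an assumption: extend it with the security/backup agents you run.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "OpenProcessApiCall"
| where FileName =~ "lsass.exe"
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "MsSense.exe", "csrss.exe",
                                        "wininit.exe", "services.exe", "svchost.exe", "lsass.exe")
// Enrich the calling binary with its most recent certificate verdict.
| join kind=leftouter (
    DeviceFileCertificateInfo
    | summarize arg_max(Timestamp, IsSigned, IsTrusted, Signer) by SHA1
    | project SHA1, IsSigned, IsTrusted, Signer
  ) on $left.InitiatingProcessSHA1 == $right.SHA1
| extend SignerState = case(isnull(IsSigned), "unknown",
                            IsSigned == true and IsTrusted == true, "trusted",
                            IsSigned == true, "signed-untrusted",
                            "unsigned")
| summarize Events = count(), Devices = dcount(DeviceName),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            SampleCommandLine = take_any(InitiatingProcessCommandLine)
  by InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessSHA1,
     InitiatingProcessAccountName, SignerState, Signer
// Rank: unsigned first, then signed-but-untrusted, then unknown, then trusted.
| extend Priority = case(SignerState == "unsigned", 0,
                         SignerState == "signed-untrusted", 1,
                         SignerState == "unknown", 2, 3)
| sort by Priority asc, Devices asc, Events asc
```

Rare callers (one device, few events) at the top of this list are the ones worth pivoting into the device Timeline; a trusted signer with thousands of events across the fleet is almost always a legitimate agent to add to the allow-list.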
```kql
// Executables, DLLs and batch files written to common staging directories in the last 24h.
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FolderPath has_any (@"\AppData\Local\Temp", @"\Windows\Temp", @"\ProgramData")
| where FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".bat"
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| sort by Timestamp desc
```
```kql
// Network logons from non-RFC1918 source addresses in the last 24h
// (exposed RDP/SMB or lateral movement from outside the internal ranges).
// ipv4_is_private() returns null for IPv6 addresses, so those rows are dropped by the filter.
DeviceLogonEvents
| where Timestamp > ago(24h)
| where LogonType == "Network"
| where isnotempty(RemoteIP)
| where not(ipv4_is_private(RemoteIP)) and RemoteIP != "127.0.0.1"
| project Timestamp, DeviceName, AccountName, RemoteIP, LogonType
| sort by Timestamp desc
```
// Response Actions
| Action | Description | Where to find it |
|---|---|---|
| Isolate device | Cuts the device from the network (only Defender traffic allowed) | Device page → Actions menu |
| Run antivirus scan | Triggers a full AV scan on the endpoint | Device page → Actions menu |
| Collect investigation package | Downloads a ZIP of system artefacts: processes, network connections, prefetch, registry | Device page → Actions menu |
| Live response | Interactive shell session: run scripts, collect files, examine memory | Device page → Actions menu |
| Quarantine file | Moves a file to quarantine on the endpoint | File entity page |
| Stop and quarantine | Kills a running process and quarantines its file | Alert story → process node |
| Add indicator | Add file hash/IP/domain to allow or block list | Entity page or Settings → Indicators |
// Threat & Vulnerability Management
MDE's TVM module provides continuous vulnerability assessment without requiring separate scans. It uses the MDE agent's telemetry to inventory installed software and map it against known CVEs.
Exposure Score
Organisation-wide vulnerability risk score (0-100). Lower is better. It is tracked over time, so you can see whether your exposure is improving or degrading.
Microsoft Secure Score
Configuration security posture score, based on enabled security features rather than vulnerabilities. Higher is better.
Security Recommendations
Prioritised list of remediations ranked by exposure reduction. Covers patch, configuration, and ASR rule recommendations.
Remediation Activities
Recommendations submitted as remediation tasks: assign them to IT teams, track SLA compliance, and mark them as resolved.
// Attack Surface Reduction Rules
ASR rules are Windows security controls that block specific attack techniques before they execute, regardless of whether they're detected by AV or EDR. They work at the kernel level and are configured through MDE or Group Policy.
| Rule | What it blocks |
|---|---|
| Block executable content from email and webmail | Executable files attached to or downloaded from email |
| Block Office apps from creating child processes | Word/Excel spawning cmd, PowerShell, etc. (macro attacks) |
| Block credential stealing from LSASS | LSASS memory reads by non-system processes |
| Block untrusted/unsigned processes from USB | Execution of files from removable media |
| Block JavaScript/VBScript from launching executables | Script-based dropper execution |
| Block abuse of exploited vulnerable signed drivers | Kernel-mode exploitation via signed but vulnerable drivers (BYOVD) |
| Use advanced protection against ransomware | Ransomware-like bulk file encryption patterns |
Test ASR rules in Audit mode first. Deploying ASR rules in Block mode without testing can break legitimate applications (e.g. macros used by finance teams). Enable Audit mode, review the ASR report in MDE for 1-2 weeks to identify false positives, then switch to Block with exclusions in place.
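The Audit-mode review can also be done in Advanced Hunting rather than the ASR report. The query below is an added example (not from the original page or from Microsoft): audit-mode hits land in DeviceEvents with an ActionType that starts with "Asr" and ends in "Audited" (for example AsrOfficeChildProcessAudited), so grouping them per rule and per triggering process gives you the exclusion list to write before switching to Block. The 14-day lookback and the device-count threshold for "broad" are assumptions.

```kql
// Audit-mode ASR triage: what would have been blocked, per rule and per process.
// ActionType naming: <Rule>Audited for audit hits, <Rule>Blocked for enforced blocks.
let lookback = 14d;          // assumption: matches the 1-2 week audit window
let broadThreshold = 5;      // assumption: seen on >= 5 devices = fleet-wide software
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType startswith "Asr" and ActionType endswith "Audited"
| extend Rule = trim_end("Audited", ActionType)
| summarize Hits = count(),
            Devices = dcount(DeviceName),
            Users = dcount(InitiatingProcessAccountName),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            SampleTarget = take_any(FileName),
            SampleCommandLine = take_any(InitiatingProcessCommandLine)
  by Rule, InitiatingProcessFileName, InitiatingProcessFolderPath
// Wide spread across devices and users usually means legitimate business software
// (candidate for an exclusion); a single-device spike deserves an analyst's look.
| extend Spread = iff(Devices >= broadThreshold, "broad (likely exclusion)", "narrow (investigate)")
| sort by Rule asc, Hits desc
```

Re-run the same query with `endswith "Blocked"` after the switch to Block mode to confirm that the exclusions removed the business-critical hits and nothing unexpected is now being stopped.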