Microsoft Defender for Endpoint (MDE) – An Overview of Architecture, Capabilities, and the Ecosystem
Microsoft Defender for Endpoint is a comprehensive endpoint security platform designed to prevent, detect, investigate, and automatically respond to threats in modern environments. It is not a single product, but a unified security platform that integrates multiple capabilities: next-generation antivirus, Endpoint Detection and Response, Attack Surface Reduction, vulnerability management, and automated investigation and response.
The platform supports multiple operating systems, including Windows, Linux, macOS, iOS, and Android, so the same protection model can be applied across diverse environments. Microsoft Defender for Endpoint is now a key component of the Microsoft 365 Defender (now branded Microsoft Defender XDR) architecture and plays a central role in Microsoft's XDR strategy.
The main integrated components are:
- Microsoft Defender for Endpoint (MDE) – Endpoint protection and EDR
- Microsoft Defender for Office 365 (MDO) – Email and collaboration security
- Microsoft Defender for Cloud Apps (MDA) – SaaS and Cloud Application Security
- Microsoft Defender for Identity (MDI) – detection of identity-based attacks
- Microsoft Entra ID Protection – Identity risk management and conditional access

These components share data and signals through a common security graph. As a result, an attack does not appear as an isolated event but can be interpreted as a complete attack chain spanning endpoint, identity, email, and cloud application signals.
The Microsoft 365 Defender portal brings together:
- Incident response
- Alert correlation
- Threat hunting (Advanced Hunting)
- Threat intelligence analysis
- Automated response operations
This centralized model significantly reduces analysis time and enables more effective handling of complex, multi-stage attacks.
The main components of Microsoft Defender for Endpoint
The platform consists of several interrelated capabilities:
Asset Discovery
It provides comprehensive visibility into devices in the environment, including unmanaged or previously unknown endpoints.
Threat & Vulnerability Management (TVM)
It continuously analyzes the risk level of endpoints, identifies vulnerabilities, configuration errors, and outdated software.
Attack Surface Reduction (ASR)
A set of rules designed to reduce the attack surface, for example:
- blocking script-based attacks
- limiting exploit techniques
- preventing suspicious process launches
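As an added example (not code from the original article), the PowerShell below shows the rollout pattern practitioners use for ASR rules on Windows endpoints: stage a few rules in audit mode, read back the effective configuration, review what would have been blocked, and only then promote to block. The rule GUIDs are those listed in Microsoft's ASR rules reference for the rules named next to them; verify them against the current reference before deploying, and run the script in an elevated session on a device where Microsoft Defender Antivirus is the active antimalware engine.

```powershell
# Added example, not part of the original article.
# Stage ASR rules in Audit mode, review the audit events, then promote to Block.
# Run elevated on a Windows endpoint with Microsoft Defender Antivirus active.

# GUIDs taken from Microsoft's ASR rules reference (verify against the current reference).
$AsrRules = [ordered]@{
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
}

function Set-AsrRuleStage {
    param(
        [Parameter(Mandatory)][string[]] $RuleIds,
        [Parameter(Mandatory)][ValidateSet('AuditMode', 'Enabled', 'Warn', 'Disabled')][string] $Action
    )
    # Add-MpPreference adds or updates only the listed IDs. Set-MpPreference with the same
    # parameters replaces the whole ASR rule list and would drop rules configured elsewhere.
    $Actions = @($RuleIds | ForEach-Object { $Action })   # one action entry per rule ID
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleIds -AttackSurfaceReductionRules_Actions $Actions
}

function Get-AsrRuleState {
    # Get-MpPreference returns actions as integers: 0 Disabled, 1 Block, 2 Audit, 6 Warn
    $ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            RuleId = $id
            Name   = $AsrRules[$id]        # $null for rules outside our table
            Action = $ActionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}

function Get-AsrEvents {
    param([int] $Hours = 24)
    # Defender logs event 1121 when a rule blocked an action and 1122 when it would have (audit).
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            Message = $_.Message
        }
    }
}

# 1. Stage every rule in the table in audit mode
Set-AsrRuleStage -RuleIds @($AsrRules.Keys) -Action AuditMode
Get-AsrRuleState | Format-Table -AutoSize

# 2. After a soak period, review what would have been blocked
Get-AsrEvents -Hours 168 | Format-Table -AutoSize

# 3. Promote a rule once its audit events are all expected, for example the LSASS rule:
# Set-AsrRuleStage -RuleIds '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' -Action Enabled
```

The audit-first step matters because several of these rules (Office child processes, PSExec/WMI process creation) routinely fire on legitimate line-of-business tooling; the 1122 events tell you which exclusions are needed before anything is enforced.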
Next-Generation Protection (NGP)
A cloud-based, machine learning-powered security layer capable of detecting both known and unknown malware based on behavior.
Endpoint Detection & Response (EDR)
It provides detailed behavioral analysis capable of:
- detecting complex attacks
- detecting lateral movement
- reconstructing attack chains
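The EDR telemetry behind this is queryable with Advanced Hunting (mentioned under the portal capabilities above). As an added example, not code from the original article, the following PowerShell runs a hunting query through the Microsoft Graph security API and reconstructs one common initial-access chain from DeviceProcessEvents: an Office application spawning a script host or shell, joined to whatever that process spawned next on the same device within ten minutes. It assumes $AccessToken holds a Graph bearer token with the ThreatHunting.Read.All permission, obtained however your tenant issues tokens; the query itself is standard KQL against the documented DeviceProcessEvents schema.

```powershell
# Added example, not part of the original article.
# Runs an Advanced Hunting query via Microsoft Graph and reconstructs a process chain:
# Office app -> script host or shell -> whatever that spawned.
# Assumption: $AccessToken is a Graph bearer token carrying ThreatHunting.Read.All.
$AccessToken = $env:GRAPH_TOKEN

$Kql = @'
let lookback = 7d;
let office = dynamic(["winword.exe","excel.exe","powerpnt.exe","outlook.exe"]);
let hosts  = dynamic(["powershell.exe","pwsh.exe","cmd.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe"]);
// Stage 1: an Office process launching a script host or shell
let stage1 = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName in~ (office) and FileName in~ (hosts)
| project DeviceId, DeviceName, ReportId, Timestamp, AccountName,
          ParentName = InitiatingProcessFileName, ChildName = FileName,
          ChildCmd = ProcessCommandLine, ChildPid = ProcessId;
// Stage 2: what that child spawned on the same device within 10 minutes.
// PIDs are reused, so the time window is what actually ties the two events together.
stage1
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | project DeviceId, GrandchildTime = Timestamp, GrandchildName = FileName,
              GrandchildCmd = ProcessCommandLine, InitiatingProcessId
  ) on DeviceId, $left.ChildPid == $right.InitiatingProcessId
| where isnull(GrandchildTime) or GrandchildTime between (Timestamp .. (Timestamp + 10m))
| summarize Chain = make_set(strcat(ParentName, " -> ", ChildName, " -> ",
                                    iff(isempty(GrandchildName), "(none)", GrandchildName))),
            GrandchildCount = countif(isnotempty(GrandchildName)),
            GrandchildCmds  = make_set(GrandchildCmd)
          by DeviceId, DeviceName, ReportId, Timestamp, AccountName, ChildCmd
| order by Timestamp desc
'@

$Response = Invoke-RestMethod -Method Post `
    -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
    -Headers @{ Authorization = "Bearer $AccessToken" } `
    -ContentType 'application/json' `
    -Body (@{ Query = $Kql } | ConvertTo-Json)

# The API returns a schema array and a results array; each result row is one chain start.
$Response.results |
    Select-Object DeviceName, Timestamp, AccountName, ChildCmd, GrandchildCount,
                  @{ n = 'Chain'; e = { $_.Chain -join '; ' } } |
    Format-Table -AutoSize
```

The summarize deliberately keeps Timestamp, DeviceId and ReportId, because those are the columns a custom detection rule (a Plan 2 capability) needs in order to key alerts to the originating event; the same KQL can therefore be pasted into a custom detection rule once it has been tuned on real data, without restructuring it.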
Automated Investigation & Response (AIR)
An automated investigation and response mechanism that triages alerts, gathers evidence from the affected devices, and executes remediation steps (for example quarantining a file or stopping a process) without human intervention, subject to the automation level configured for the device group.
Microsoft Threat Experts
An optional managed threat hunting service provided by Microsoft that offers expert support for analyzing complex incidents.
Microsoft Defender for Endpoint plans
Microsoft offers several licensing models:
- Microsoft Defender for Individuals
- Microsoft Defender for Business
- Microsoft Defender for Endpoint Plan 1 (P1)
- Microsoft Defender for Endpoint Plan 2 (P2)
In addition, Defender Vulnerability Management is available as a separate add-on or as a standalone product.
Simplified comparison
| Feature | Defender for Business | Defender for Endpoint P1 | Defender for Endpoint P2 |
|---|---|---|---|
| Threat & Vulnerability Management | ✔ | ✖ | ✔ |
| Attack Surface Reduction | ✔ | ✔ | ✔ |
| Next-Generation Protection | ✔ | ✔ | ✔ |
| Endpoint Detection & Response | ✔ | ✖ | ✔ |
| Automated Investigation & Response | ✔ | ✖ | ✔ |
| Advanced Hunting and Data Retention | ✖ | ✖ | ✔ |
| Device Discovery | ✔ | ✖ | ✔ |
| Custom detections | ✖ | ✖ | ✔ |
| Asset timeline | ✖ | ✖ | ✔ |
| Threat Analytics | SMB Focus | ✖ | ✔ |
| Cross-platform support | Limited | Limited | Full |
| Microsoft Threat Experts | ✖ | ✖ | ✔ |
Defender for Endpoint vs Defender for Cloud vs Defender for Servers
A common question is how these three differ.
Microsoft Defender for Endpoint
Endpoint-level protection:
- EDR
- malware protection
- behavioral analysis
- endpoint telemetry
Microsoft Defender for Cloud
A cloud-based security platform (CSPM + CWPP) that provides protection for multiple workloads:
- Defender for Servers
- Defender for App Service
- Defender for Databases
- Defender for Storage
- Defender for Containers
- Defender for AI Services
- Defender for Key Vault
- Defender for Resource Manager
- Defender for APIs

Defender for Servers (P1 / P2)
Server workload protection that integrates closely with Defender for Endpoint.
- P1: Defender for Endpoint integration with basic server protection
- P2: comprehensive cloud security features on top of that (e.g., file integrity monitoring, agentless scanning, network-layer threat detection, premium vulnerability management)
| Feature | Defender for Servers Plan 1 (P1) | Defender for Servers Plan 2 (P2) |
|---|---|---|
| Multicloud and hybrid support | ✔ | ✔ |
| Defender for Endpoint automatic onboarding | ✔ | ✔ |
| Defender for Endpoint EDR | ✔ | ✔ |
| Integrated alerts and incidents | ✔ | ✔ |
| Software inventory discovery | ✔ | ✔ |
| Regulatory compliance assessment | ✔ | ✔ |
| Vulnerability scanning (agent-based) | ✔ | ✔ |
| Vulnerability scanning (agentless) | ✖ | ✔ |
| Defender for DNS alerts | ✖ | ✔ |
| Threat detection (Azure network layer) | ✖ | ✔ |
| OS system updates | ✖ | ✔ |
| Defender for Vulnerability Management premium features | ✖ | ✔ |
| Malware scanning (agentless) | ✖ | ✔ |
| Machine secrets scanning (agentless) | ✖ | ✔ |
| File integrity monitoring | ✖ | ✔ |
| Just-in-time virtual machine access | ✖ | ✔ |
| Network map | ✖ | ✔ |
| Free data ingestion (500 MB) | ✖ | ✔ |
Important: The Defender for Servers P1 and P2 packages also include the capabilities of Microsoft Defender for Endpoint Plan 2.
Azure Arc and server onboarding
One of the key components of modern hybrid environments is Azure Arc, which enables on-premises and multi-cloud servers to be integrated into a unified Azure management layer.
The process is as follows:
- The Azure Arc agent (Azure Connected Machine agent) is installed on the servers, which makes each of them an Azure resource that policies and extensions can target
- The Defender for Servers P1 or P2 plan is enabled on the subscription in Microsoft Defender for Cloud
- Defender for Cloud's auto-provisioning, implemented through Azure Policy and extension deployment, configures onboarding for the Arc-connected machines
- The system automatically integrates the devices into Microsoft Defender for Endpoint, and their alerts appear in both portals
On Windows Server, this is typically done using the MDE.Windows VM extension (MDE.Linux on Linux servers).
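Once that chain has run, the question on a given server is whether both halves actually completed. The PowerShell below is an added example, not code from the original article or from Microsoft; it checks the Azure Arc agent (the himds service and the azcmagent CLI) and the Defender for Endpoint sensor (the Sense service, its OnboardingState registry value, the antivirus running mode, and recent sensor errors) and returns one object you can inspect or feed into a fleet-wide report. It assumes the azcmagent show output contains an "Agent Status" line, which is how the current agent prints its connection state; if that format changes, the check simply reports ArcConnected as false. Run it in an elevated session on the server.

```powershell
# Added example, not part of the original article.
# Verifies, on a Windows Server onboarded via Azure Arc and Defender for Servers, that the
# Arc agent is connected and the Defender for Endpoint sensor reports itself as onboarded.
# Run in an elevated PowerShell session on the server.

function Test-MdeServerOnboarding {
    $result = [ordered]@{}

    # --- Azure Arc side ---
    # himds is the Azure Connected Machine agent's Hybrid Instance Metadata Service.
    $himds = Get-Service -Name himds -ErrorAction SilentlyContinue
    $result.ArcAgentInstalled = [bool]$himds
    $result.ArcAgentRunning   = [bool]($himds -and $himds.Status -eq 'Running')
    # azcmagent show prints the agent's view of its connection state.
    # Assumption: the output contains a line like "Agent Status : Connected".
    $result.ArcConnected = $false
    $azcmagent = Get-Command azcmagent -ErrorAction SilentlyContinue
    if ($azcmagent) {
        $show = & $azcmagent.Source show 2>$null
        $result.ArcConnected = [bool]($show | Select-String -Pattern 'Agent Status.*Connected' -Quiet)
    }

    # --- Defender for Endpoint side ---
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $result.SenseServicePresent = [bool]$sense
    $result.SenseServiceRunning = [bool]($sense -and $sense.Status -eq 'Running')
    # The sensor writes OnboardingState = 1 under this key once onboarding succeeded.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $result.OnboardingState = $state
    $result.Onboarded       = ($state -eq 1)
    # Defender AV should be active, not passive, for ASR and NGP to be effective;
    # Get-MpComputerStatus reports that as AMRunningMode.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $result.AntivirusMode = if ($mp) { $mp.AMRunningMode } else { 'unknown' }
    # Recent sensor errors (connectivity, onboarding) land in the SENSE operational log.
    $result.RecentSenseErrors = @(
        Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-SENSE/Operational'
            Level     = 2                                   # 2 = Error
            StartTime = (Get-Date).AddHours(-24)
        } -ErrorAction SilentlyContinue |
        Select-Object -First 5 -Property TimeCreated, Id, Message
    )

    [pscustomobject]$result
}

$check = Test-MdeServerOnboarding
$check | Format-List
if (-not ($check.ArcConnected -and $check.Onboarded -and $check.SenseServiceRunning)) {
    Write-Warning 'Server is not fully onboarded; inspect RecentSenseErrors and the azcmagent show output.'
}
```

A server that shows ArcConnected but Onboarded = False is the usual failure mode after enabling the plan: the MDE.Windows extension has not been provisioned yet, or the sensor cannot reach the Defender for Endpoint service endpoints; the SENSE operational log entries in RecentSenseErrors distinguish the two.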
Summary
Microsoft Defender for Endpoint is not a traditional antivirus solution, but a comprehensive endpoint security platform that:
- provides consistent visibility across multiple operating systems
- performs behavior-based attack detection (EDR)
- provides vulnerability and attack surface management
- supports automated investigation and response
- integrates closely with the Microsoft 365 Defender XDR ecosystem
Its true value lies not in its individual features, but in the fact that it creates a unified, correlated layer of security intelligence across the entire enterprise environment.
Modern endpoint security no longer consists of isolated devices but of interconnected, intelligent systems. Microsoft Defender for Endpoint is one of the most important pillars of this architecture.