[Figure: "Microsoft Defender ATP Components – May 2020" © Marius Mocanu, Adrian Grigorof (Managed Sentinel); high-definition version available at [Link]. Only the diagram's labels survive extraction; the recoverable panel titles and labels are listed below.]

Panel: MDATP supported features by OS. Windows 7 SP1, Windows 10, macOS, Linux, Windows Server (versions 2008 R2 SP1, 2012 R2, 2016, 2019; onboarded via Microsoft Monitoring Agent; MDATP included in the Azure Security Center Standard license).

Panel: Deployment. Cloud: Microsoft Intune (Compliance Enforcement, Web Content Filtering, URL categorization; requires EMS E5 license; EMS E3 minimum license). On-premises: Microsoft Endpoint Configuration Manager / System Center Configuration Manager (SCCM), Windows AD Group Policy, Installation Package, Configuration Package, Manual/Local Script (up to 10 devices). Event IDs 5007, 1121, 1122.

Panel: Components. Threat & Vulnerability Management (Software Inventory, Security Recommendations), Attack Surface Reduction (Web Protection, Hardware Isolation, firewall, FIM, Windows Defender Application Guard), Next Generation Protection, Endpoint Detection and Response (EDR), Automated Investigation & Remediation, Microsoft Threat Experts, Threat Analytics, Advanced Hunting (KQL queries, custom detections), Live Response.

Panel: Integration. Cloud App Security (unsanctioned apps), Azure Information Protection (apply labels), Azure ATP (data enrichment), Office 365 ATP (requires O365 E5 or O365 ATP Plan 2 license), Azure AD, Intelligent Security Graph, Azure Security Center (SHA, FIM, AAP), Azure Sentinel / Log Analytics Workspace (logs, metrics, Kusto Query Language queries, log correlation and enrichment, dashboards, playbooks, SOAR management and automation, e.g. isolate endpoint via Logic Apps), legacy SIEM/SOAR via the Microsoft Security Graph REST API, Power BI, MSSP support, Security Operation Center (SOC), IT Operation Center, Security Analyst, End User, Intune and remediation request tickets, M365 Defender ATP.