L2. Defender for Endpoint: Onboarding and Alert Triage
Defender for Endpoint protects devices through behavioral sensors, cloud analytics, and threat intelligence. This lesson covers onboarding methods, the alert queue, automated investigation, and the response actions SC-200 candidates must know.
Defender for Endpoint Architecture
Microsoft Defender for Endpoint (MDE) uses behavioral sensors embedded in Windows, macOS, Linux, Android, and iOS to collect telemetry. This data flows to the Microsoft cloud backend for analysis against threat intelligence and behavioral models.
Key components:
- Endpoint behavioral sensors: Collect process, network, registry, and file signals
- Cloud security analytics: Machine learning models that detect anomalies
- Threat intelligence: Microsoft and third-party IOCs and attack pattern matching
Onboarding Methods
The SC-200 exam tests your knowledge of onboarding approaches:
| Method | Best For |
|---|---|
| Microsoft Intune | Cloud-managed devices at scale |
| Group Policy | Domain-joined Windows endpoints |
| Local script | Testing and small deployments |
| Microsoft Endpoint Configuration Manager (MECM) | On-premises managed environments |
| VDI onboarding script | Non-persistent virtual desktops |
The Alert Queue and Triage
When MDE detects suspicious activity, it generates alerts with severity levels: Informational, Low, Medium, and High. Analysts triage alerts using these classifications:
- True positive: Confirmed malicious activity requiring response
- True positive (benign): Suspicious but expected behavior (e.g., a pen test)
- False positive: Incorrectly flagged legitimate activity
The alert page shows a process tree, file details, device timeline, and related alerts. Use the device timeline to reconstruct the full sequence of events on an endpoint.
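The triage workflow above can be expressed as a small set of helpers: order the queue so the highest-severity, untouched alerts come first, then turn the analyst's classification into the update an alert receives. This is an added example, not code from the lesson or from Microsoft. Severity and status names are the ones the portal shows; the classification and determination strings (TruePositive, InformationalExpectedActivity, FalsePositive, and so on) are assumed to match the Defender for Endpoint alerts API and should be checked against current documentation before use. The sample queue is constructed.

```python
"""Alert-queue triage helpers for Defender for Endpoint.

Added example, not code from the lesson or from Microsoft. Severity names
(Informational/Low/Medium/High) and status names (New/InProgress/Resolved)
are the ones the portal shows; the classification and determination strings
are assumed to match the Defender for Endpoint alerts API and should be
verified against current documentation before use.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Higher rank is triaged first.
SEVERITY_RANK: Dict[str, int] = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}

# Lesson's triage labels -> assumed API values plus the status the alert moves to.
# Design choice for this example: a confirmed true positive stays open for
# response, while benign and false positives are resolved at triage time.
TRIAGE_TO_API: Dict[str, Dict[str, str]] = {
    "true positive": {
        "classification": "TruePositive",
        "determination": "Malware",
        "status": "InProgress",
    },
    "true positive (benign)": {
        "classification": "InformationalExpectedActivity",
        "determination": "SecurityTesting",
        "status": "Resolved",
    },
    "false positive": {
        "classification": "FalsePositive",
        "determination": "Clean",
        "status": "Resolved",
    },
}


@dataclass(frozen=True)
class Alert:
    """Subset of the fields an alert record carries."""
    alert_id: str
    severity: str
    title: str
    status: str = "New"


# Constructed sample queue; IDs and titles are invented for illustration.
SAMPLE_QUEUE: List[Alert] = [
    Alert("da1", "Low", "Suspicious PowerShell command line"),
    Alert("da2", "High", "Ransomware behavior detected", status="InProgress"),
    Alert("da3", "High", "Credential dumping tool observed"),
    Alert("da4", "Informational", "Unsigned driver loaded"),
    Alert("da5", "Medium", "Anomalous logon from new location"),
]


def triage_order(queue: List[Alert]) -> List[str]:
    """Return alert IDs in working order: highest severity first, untouched
    ('New') alerts before ones already in progress, resolved ones last."""
    status_rank = {"New": 0, "InProgress": 1, "Resolved": 2}
    for alert in queue:
        if alert.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {alert.severity!r} on {alert.alert_id}")
    ordered = sorted(
        queue,
        key=lambda a: (-SEVERITY_RANK[a.severity], status_rank.get(a.status, 3), a.alert_id),
    )
    return [a.alert_id for a in ordered]


def classification_payload(triage_label: str, assigned_to: Optional[str] = None,
                           determination: Optional[str] = None) -> Dict[str, str]:
    """Build the JSON body for updating an alert after triage (the HTTP call
    itself is out of scope here). `determination` overrides the default."""
    try:
        mapping = TRIAGE_TO_API[triage_label.lower()]
    except KeyError:
        raise ValueError(f"unknown triage label {triage_label!r}") from None
    body = dict(mapping)
    if determination:
        body["determination"] = determination
    if assigned_to:
        body["assignedTo"] = assigned_to
    return body


if __name__ == "__main__":
    print(triage_order(SAMPLE_QUEUE))
    print(classification_payload("true positive (benign)", "analyst@example.com"))
```

Sorting by severity and then by status keeps the high-severity alert nobody has looked at ahead of one already being worked, which is usually the queue order an analyst wants; the payload helper keeps the three lesson classifications in one place so a "true positive (benign)" is never accidentally recorded as malicious.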
Automated Investigation and Response (AIR)
MDE can automatically investigate alerts and take remediation actions. AIR examines:
- Running processes and services
- Scheduled tasks
- Registry modifications
- Files and persistence mechanisms
Automation levels control how AIR behaves:
| Level | Behavior |
|---|---|
| Full automation | Remediate threats automatically |
| Semi (any folder) | Require approval for all remediations |
| Semi (non-temp) | Auto-remediate in temp folders, require approval elsewhere |
| Semi (core folders) | Require approval for core OS folder remediations |
| No automation | No automated response |
Response Actions
Key response actions available on devices:
- Isolate device: Disconnects the device from the network while keeping its connection to the Defender cloud service, so it can still be investigated and released
- Restrict app execution: Limits execution to Microsoft-signed binaries only
- Run antivirus scan: Triggers a quick or full scan remotely
- Collect investigation package: Gathers forensic data from the endpoint
- Initiate live response: Opens a remote shell session for manual investigation
File-level actions include: stop and quarantine, add indicators (block/allow), and download file for analysis.
Device Groups
Device groups let you segment your fleet and apply different automation levels, RBAC permissions, and remediation policies. Group membership is determined by device tags, names, domains, or OS types.
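The automation-level table and device groups work together: a device is matched to the first group whose conditions it satisfies, and that group's automation level decides whether AIR remediates on its own or waits for approval. The following is an added example, not code from the lesson or from Microsoft, that models both steps. The group definitions, the default level for ungrouped devices, and the temp/core folder tests are assumptions for illustration rather than Microsoft's actual rules; the devices are constructed.

```python
"""Device groups and AIR automation levels.

Added example, not code from the lesson or from Microsoft. Device groups are
evaluated in rank order with the first match winning, and each group carries
an automation level that AIR applies to its devices. The groups, the default
level for ungrouped devices and the temp/core folder tests below are
assumptions for illustration, not Microsoft's actual definitions.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

# Automation levels from the lesson's table.
FULL = "full"
SEMI_ANY = "semi_any_folder"
SEMI_NON_TEMP = "semi_non_temp"
SEMI_CORE = "semi_core_folders"
NONE = "no_automation"


@dataclass(frozen=True)
class Device:
    name: str
    domain: str
    os: str
    tags: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class DeviceGroup:
    """A group matches a device only if every condition that is set holds."""
    name: str
    automation_level: str
    tag: Optional[str] = None
    name_prefix: Optional[str] = None
    domain: Optional[str] = None
    os: Optional[str] = None

    def matches(self, device: Device) -> bool:
        return all([
            self.tag is None or self.tag in device.tags,
            self.name_prefix is None or device.name.startswith(self.name_prefix),
            self.domain is None or self.domain.lower() == device.domain.lower(),
            self.os is None or self.os.lower() == device.os.lower(),
        ])


# Constructed groups in rank order: most specific first (assumed layout).
GROUPS: List[DeviceGroup] = [
    DeviceGroup("Domain controllers", SEMI_CORE, tag="DC", os="Windows Server"),
    DeviceGroup("Servers", SEMI_ANY, os="Windows Server"),
    DeviceGroup("Developer workstations", SEMI_NON_TEMP, tag="Dev"),
    DeviceGroup("Workstations", FULL, domain="contoso.example"),
]
# Assumed level for devices matching no group.
UNGROUPED = DeviceGroup("Ungrouped devices (default)", SEMI_ANY)


def assign_group(device: Device) -> DeviceGroup:
    """First matching group by rank; anything unmatched falls to the default."""
    return next((g for g in GROUPS if g.matches(device)), UNGROUPED)


def is_temp(path: str) -> bool:
    # Simplification: any path component named 'Temp' marks a temp location.
    return any(part.lower() == "temp" for part in PureWindowsPath(path).parts)


def is_core(path: str) -> bool:
    # Simplification: core OS folders are the top-level Windows and Program Files trees.
    parts = PureWindowsPath(path).parts
    return len(parts) > 1 and parts[1].lower() in {"windows", "program files", "program files (x86)"}


def remediation_decision(level: str, artifact_path: str) -> str:
    """Return 'auto', 'approval' or 'none' for a remediation on artifact_path."""
    if level == FULL:
        return "auto"
    if level == SEMI_ANY:
        return "approval"
    if level == SEMI_NON_TEMP:
        return "auto" if is_temp(artifact_path) else "approval"
    if level == SEMI_CORE:
        return "approval" if is_core(artifact_path) else "auto"
    if level == NONE:
        return "none"
    raise ValueError(f"unknown automation level {level!r}")


def decide(device: Device, artifact_path: str) -> str:
    """Combine group assignment and level: what AIR would do on this device."""
    return remediation_decision(assign_group(device).automation_level, artifact_path)


if __name__ == "__main__":
    dc = Device("DC01", "contoso.example", "Windows Server", ["DC"])
    print(assign_group(dc).name, decide(dc, r"C:\Windows\System32\evil.dll"))
```

Because the first match wins, group rank matters: a tagged domain controller must sit above the generic server group or it inherits the wrong automation level, which is the same ordering mistake that produces unexpected AIR behaviour in the portal.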
- ✓ Onboarding methods include Intune, Group Policy, local script, MECM, and VDI-specific scripts.
- ✓ Non-persistent VDI environments require the dedicated VDI onboarding script.
- ✓ Automated Investigation and Response (AIR) has four automation levels from full to no automation.
- ✓ Device isolation cuts network access but maintains the Defender cloud connection for management.
- ✓ Alert classifications are: true positive, true positive (benign), and false positive.
- ✓ Device groups enable segmented automation levels and RBAC scoping.
1. An organization uses non-persistent VDI sessions. Which onboarding method should they use for Defender for Endpoint?
2. A SOC analyst isolates a compromised device using Defender for Endpoint. What network connectivity does the device retain?
3. Which automation level requires analyst approval for all remediation actions?