Antivirus stops known threats; EDR is there for everything that slips past it. Where traditional antivirus works from a signature database - blocking files that match known malware - Endpoint Detection and Response monitors device behaviour continuously, looking for patterns that indicate compromise even when no known malicious file is involved. Fileless attacks, living-off-the-land techniques, lateral movement: EDR detects what AV can't, and gives you the telemetry and the response tools to deal with it. It is not magic either: a detection is only worth something if a person (or the automation) acts on it, which is why most of this guide is about configuration and response rather than the sensor itself.
Microsoft Defender for Endpoint Plan 2 includes a full EDR capability built into the Defender platform you likely already have. This guide covers how to configure it properly - from alert triage and automated investigation through to live response and advanced hunting.
EDR vs Antivirus: What's the Difference
🧠 Concepts
The distinction between AV and EDR matters when you're triaging alerts, so it's useful to be clear on what each one does.
| Capability | Antivirus (AV) | EDR |
|---|---|---|
| Detection method | Signature matching (plus heuristics and cloud lookups) | Behavioural analysis of process, network, file and registry activity |
| Fileless attacks | Limited | Detected |
| Alert context | File blocked | Full attack timeline |
| Forensic data | Detection log entry only | Process tree, network, registry, file events |
| Response options | Quarantine | Isolate, live response, remediate |
| Threat hunting | Not available | KQL query engine |
In MDE, both capabilities run on the same device. Microsoft Defender Antivirus (formerly branded Windows Defender) handles real-time protection, while the EDR sensor - a built-in Windows component running as the Sense service, switched on when you onboard the device via Intune, Group Policy or a local script - handles behavioural monitoring, telemetry collection and the connection to the Microsoft Defender portal (security.microsoft.com, formerly Defender Security Centre). One caveat worth knowing before you triage anything: if a third-party AV is installed, Defender Antivirus drops into passive mode and stops blocking, but the EDR sensor keeps reporting. When an alert shows a detection that was not blocked, check the AV running mode before assuming the sensor failed.
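The following is an added example, not code from the original guide: a PowerShell check you can run on a device to confirm both halves are actually working - Defender AV in an active mode and the EDR sensor onboarded and reporting. The registry path and the OnboardingState value are the ones Microsoft documents for verifying onboarding; the thresholds (signature age, which running modes are acceptable) are assumptions for a device that should be fully protected.

```powershell
# Added example (not from the original guide). Run in an elevated PowerShell session
# on an onboarded Windows device. Checks Defender AV state via Get-MpComputerStatus,
# the Sense (EDR sensor) service, and the documented onboarding registry value.

function Get-MdeProtectionState {
    $av = Get-MpComputerStatus

    # Sense is the EDR sensor service; it only runs once the device is onboarded.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # OnboardingState = 1 is the value Microsoft documents for a successfully onboarded device.
    $statusKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarding = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        AvRunningMode      = $av.AMRunningMode            # Normal / Passive Mode / EDR Block Mode
        RealTimeProtection = $av.RealTimeProtectionEnabled
        BehaviorMonitoring = $av.BehaviorMonitorEnabled
        SignatureAgeDays   = $av.AntivirusSignatureAge
        SenseServiceStatus = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
        Onboarded          = ($onboarding -eq 1)
    }
}

function Test-MdeProtectionState {
    param([Parameter(Mandatory)] $State)
    $problems = @()
    if (-not $State.Onboarded)                    { $problems += 'EDR sensor is not onboarded (OnboardingState != 1)' }
    if ($State.SenseServiceStatus -ne 'Running')  { $problems += "Sense service is $($State.SenseServiceStatus)" }
    if ($State.AvRunningMode -eq 'Passive Mode')  { $problems += 'Defender AV is passive - another AV owns blocking, EDR still reports' }
    if (-not $State.RealTimeProtection)           { $problems += 'Real-time protection is off' }
    if ($State.SignatureAgeDays -gt 3)            { $problems += "AV signatures are $($State.SignatureAgeDays) days old (threshold is an assumption)" }
    return $problems
}

$state  = Get-MdeProtectionState
$state | Format-List
$issues = @(Test-MdeProtectionState -State $state)
if ($issues.Count -eq 0) {
    'OK: AV active and EDR sensor reporting'
} else {
    $issues | ForEach-Object { "WARN: $_" }
}
```

Push this through Intune as a remediation script or run it from a Live Response session when a device "looks onboarded" in the portal but produces no timeline events; an old signature set or a passive AV mode explains a surprising number of those cases.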
Alert Configuration and Severity
🔔 Alerts
MDE generates alerts at four severity levels: Informational, Low, Medium and High. You can't switch a severity off - every alert lands in the portal regardless - but you can control who gets emailed about what. For most SMB environments you'll want notification rules tuned so the inbox isn't drowned in noise.
Create an email notification rule (Settings > Endpoints > Email notifications in the Defender portal) that emails your security team (or yourself) for High and Medium severity alerts; scope it to device groups if you use them. Low and Informational can be reviewed periodically in the portal rather than generating instant email noise. Whatever you pick, check the rule fires by looking at the next Medium alert rather than assuming it did.
Incident vs Alert
MDE groups related alerts into Incidents automatically. An incident might contain 10 alerts that are all part of the same attack chain. Always start your investigation from the Incident view rather than individual alerts - it gives you the full picture of the attack timeline and scope.
Automated Investigation and Response (AIR)
🤖 Automation
MDE's Automated Investigation and Response (AIR) engine can automatically investigate alerts and take remediation actions - quarantining files, stopping processes, removing persistence mechanisms - without requiring a human to approve each step. How much autonomy you give it is set per device group (Settings > Endpoints > Device groups > Automation level): Full remediates automatically, the Semi options investigate automatically but wait for your approval before remediating (with variants that only ask for files in core or non-temporary folders), and No automated response switches it off. Microsoft's recommendation is Full; if you'd rather build trust first, start with Semi and review what it wanted to do for a few weeks before widening it.
All automated actions, and any that are waiting for approval, appear in the Action Centre (Actions & submissions > Action center), where you can approve, reject or undo them.
Live Response
🖥️ Live Response
Live Response gives you a remote command shell into any onboarded device, directly from the Defender portal. No VPN, no RDP - just a browser tab and a restricted command set that can also run PowerShell scripts you have uploaded to the library. You can collect files, run scripts, kill processes and investigate without touching the device physically.
Enable it first under Settings > Endpoints > Advanced features: turn on Live Response (and Live Response for servers if you need it). If you intend to run your own scripts, either sign them or also enable Live Response unsigned script execution; in both cases only scripts uploaded to the library can be run. The analyst also needs a role with active remediation permissions.
To start a live response session, go to the device page in the Defender portal and click Initiate Live Response Session. Useful commands once you're in:
- getfile <path> - download a file from the device for analysis
- putfile <file> - push a file from the library onto the device (a tool, a clean config)
- processes - list running processes
- connections - list active network connections
- scheduledtasks - list scheduled tasks (common persistence mechanism)
- registry - browse registry keys
- library - list the scripts and files uploaded to the live response library
- run <script> - execute a script from the live response library
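As an added example (not a script from the original guide or from Microsoft), here is the kind of script worth keeping in the library for the `run` command: it snapshots the persistence locations an analyst checks first - scheduled tasks, Run keys, services and WMI subscriptions - and flags entries that execute from outside Windows or Program Files. The script name, the "trusted roots" list and the suspicious-path heuristic are this example's own assumptions; tune them to your estate.

```powershell
# Added example (not from the original guide). Upload as Get-PersistenceSnapshot.ps1
# and invoke from a Live Response session with:  run Get-PersistenceSnapshot.ps1
# Output is JSON so it can be pasted into a ticket or diffed against a known-good host.

# Assumption: binaries under these roots are "expected"; anything else gets flagged.
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Test-UntrustedPath {
    param([string] $Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Reduce a command line to its executable: strip quotes, then arguments.
    $exe = ($Path -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    foreach ($root in $trustedRoots) {
        if ($exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    return $true
}

$snapshot = [ordered]@{
    Host      = $env:COMPUTERNAME
    Collected = (Get-Date).ToUniversalTime().ToString('o')
}

# 1. Scheduled tasks: every enabled task's exec actions, flagged if run from an untrusted path.
$snapshot.ScheduledTasks = Get-ScheduledTask |
    Where-Object { $_.State -ne 'Disabled' } |
    ForEach-Object {
        $task = $_
        $task.Actions | Where-Object { $_.Execute } | ForEach-Object {
            [pscustomobject]@{
                Task       = "$($task.TaskPath)$($task.TaskName)"
                Execute    = $_.Execute
                Arguments  = $_.Arguments
                Suspicious = Test-UntrustedPath -Path $_.Execute
            }
        }
    }

# 2. Run / RunOnce keys for the machine plus every currently loaded user hive.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$runKeys += Get-ChildItem Registry::HKEY_USERS |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }
$snapshot.RunKeys = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value; Suspicious = Test-UntrustedPath -Path $_.Value }
            }
    }
}

# 3. Services whose binary lives outside the trusted roots.
$snapshot.Services = Get-CimInstance Win32_Service |
    Where-Object { Test-UntrustedPath -Path $_.PathName } |
    Select-Object Name, State, StartMode, PathName

# 4. Permanent WMI event subscriptions: rare in normal use, popular with attackers.
$snapshot.WmiSubscriptions = Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    Select-Object Filter, Consumer

$snapshot | ConvertTo-Json -Depth 4
```

Run it on a known-clean build of the same image first and keep that output; on a suspect device the interesting lines are the ones that differ, not the ones marked Suspicious in isolation (plenty of legitimate vendors install into ProgramData or the user profile).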
Advanced Hunting with KQL
🔎 Threat Hunting
Advanced Hunting is MDE's threat hunting query interface, powered by Kusto Query Language (KQL). It gives you 30 days of raw telemetry - process events, network connections, file operations, registry changes, logons - that you can query freely to find threats that haven't generated alerts yet. Two things to keep in mind: the tables are prefixed Device* (DeviceProcessEvents, DeviceNetworkEvents, DeviceLogonEvents and so on), and string comparison with == is case-sensitive, so use =~ or in~ when matching file or device names.
Useful Starter Queries
Find devices running PowerShell with an encoded command. PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc and so on) and malware uses the short forms at least as often as the full switch, so match the prefix followed by a base64 blob rather than the literal switch name, and include pwsh.exe:
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine matches regex @"(?i)\s-e[a-z]*\s+[A-Za-z0-9+/=]{20,}"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine
| order by Timestamp desc
Find failed logon attempts on a specific device. DeviceName is stored as the lower-case FQDN, so use =~ rather than ==; LogonType tells you whether the attempts came over the network, RDP or the console:
DeviceLogonEvents
| where ActionType == "LogonFailed"
| where DeviceName =~ "DEVICE-NAME-HERE"
| summarize FailCount = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by AccountName, RemoteIP, LogonType
| order by FailCount desc
Find processes making outbound connections to public addresses on unusual ports. Filtering on RemoteIPType removes the domain-controller traffic from lsass.exe and friends, which is why it no longer needs excluding by name; the two Defender binaries are excluded because they talk to the cloud on their own schedule:
DeviceNetworkEvents
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
| where RemoteIPType == "Public"
| where RemotePort !in (80, 443, 53, 22, 3389)
| where InitiatingProcessFileName !in~ ("svchost.exe", "MsMpEng.exe", "MsSense.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort
| order by Timestamp desc
| take 100
Once that list is manageable, swap the project for summarize count() by InitiatingProcessFileName, RemotePort and look for process/port pairs you have never seen before rather than reading individual rows.
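The encoded-command query above tells you who ran base64 PowerShell, but not what it did. As an added example (not from the original guide), the script below runs that hunt from PowerShell through the Microsoft Graph security API and decodes the payloads client-side, so the analyst sees plaintext instead of base64. It assumes the Microsoft.Graph.Authentication module and an identity granted ThreatHunting.Read.All; the keyword list used to rank the results is this example's own assumption, not anything MDE ships.

```powershell
# Added example (not from the original guide). Requires:
#   Install-Module Microsoft.Graph.Authentication
# and a user or app with the ThreatHunting.Read.All permission.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'ThreatHunting.Read.All' -NoWelcome

# Same hunt as the portal query, limited to 7 days and 200 rows.
$query = @'
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine matches regex @"(?i)\s-e[a-z]*\s+[A-Za-z0-9+/=]{20,}"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine
| order by Timestamp desc
| take 200
'@

$response = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
    -Body (@{ Query = $query } | ConvertTo-Json) `
    -ContentType 'application/json'

function ConvertFrom-EncodedCommand {
    param([string] $CommandLine)
    # -EncodedCommand is base64 of UTF-16LE text, not UTF-8; decode with the Unicode encoding.
    if ($CommandLine -match '(?i)\s-e[a-z]*\s+([A-Za-z0-9+/=]{20,})') {
        try   { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return "<undecodable: $($_.Exception.Message)>" }
    }
    return $null
}

# Assumption: these strings turn "someone used -enc" into "look at this one first".
$hotWords = 'IEX', 'Invoke-Expression', 'DownloadString', 'DownloadFile', 'FromBase64String',
            'Net.WebClient', 'Invoke-WebRequest', 'Start-BitsTransfer', 'bypass', 'hidden',
            'Add-MpPreference', 'Set-MpPreference', 'rundll32', 'mshta', 'Invoke-Mimikatz'

$findings = foreach ($row in $response.results) {
    $decoded = ConvertFrom-EncodedCommand -CommandLine $row.ProcessCommandLine
    $hits    = @($hotWords | Where-Object { $decoded -and $decoded -match [regex]::Escape($_) })
    [pscustomobject]@{
        Timestamp = $row.Timestamp
        Device    = $row.DeviceName
        Account   = $row.AccountName
        Parent    = $row.InitiatingProcessFileName
        Score     = $hits.Count
        Keywords  = ($hits -join ', ')
        Decoded   = if ($decoded -and $decoded.Length -gt 200) { $decoded.Substring(0, 200) + '...' } else { $decoded }
    }
}

$findings | Sort-Object Score -Descending | Format-Table -AutoSize -Wrap
```

Expect legitimate hits: Intune, Configuration Manager and a few monitoring agents all launch encoded PowerShell. The parent process and the account usually separate those from the real thing faster than the decoded text does, which is why both are in the output.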
Device Response Actions
🔒 Response
When a device is compromised, or you suspect it is, MDE gives you several response actions directly from the device page in the portal:
- Isolate device - cuts the device off from the network; only the Defender sensor can still reach the cloud, so you keep telemetry and Live Response. Use Full isolation immediately for confirmed compromises. Selective isolation leaves Outlook, Teams and Skype for Business working if you need to stay in touch with the user.
- Restrict app execution - applies a code integrity policy that only allows Microsoft-signed binaries to run. Aggressive but effective during an active attack; it will also break line-of-business software until you lift it, so say so in the comment.
- Run antivirus scan - triggers a Quick or Full Defender AV scan on the device remotely.
- Collect investigation package - gathers a forensic bundle (event logs, running processes, network connections, scheduled tasks, autoruns, prefetch files, installed programs) for offline analysis; the zip is downloaded from the Action Centre once collection finishes.
- Initiate automated investigation - starts an AIR investigation on the device right now rather than waiting for an alert to trigger one.
Every action asks for a comment. Put the ticket number in it: the Action Centre and the device timeline are the audit trail of who did what to the machine during the incident.
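The same actions can be scripted, which is how an "isolate and grab evidence as soon as the SOC confirms" playbook is normally built. The block below is an added example, not code from the original guide or from Microsoft, driving isolation and investigation-package collection through the Defender for Endpoint API. It assumes an app registration granted the Machine.Isolate, Machine.CollectForensics and Machine.Read.All application permissions on the WindowsDefenderATP API; the tenant ID, client ID, secret, device name and ticket number are placeholders.

```powershell
# Added example (not from the original guide). Placeholders below must be replaced;
# store the client secret in a vault, not in the script, in anything beyond a demo.
$tenantId     = '<tenant-id>'
$clientId     = '<app-client-id>'
$clientSecret = '<app-client-secret>'
$deviceName   = 'DEVICE-NAME-HERE'
$ticket       = 'INC-12345'   # lands in the Comment field so the Action Centre shows why

# Client-credentials token for the MDE API (not Graph: note the resource scope).
$token = (Invoke-RestMethod -Method POST `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = 'https://api.securitycenter.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }).access_token

$headers = @{ Authorization = "Bearer $token" }
$api     = 'https://api.securitycenter.microsoft.com/api'

function Invoke-MdeApi {
    param([string] $Method, [string] $Path, $Body)
    $params = @{ Method = $Method; Uri = "$api$Path"; Headers = $headers; ContentType = 'application/json' }
    if ($Body) { $params.Body = ($Body | ConvertTo-Json) }
    Invoke-RestMethod @params
}

# 1. Resolve the name to a machine ID. Names get reused when devices are rebuilt; IDs do not.
$machine = (Invoke-MdeApi -Method GET -Path "/machines?`$filter=computerDnsName eq '$deviceName'").value |
    Sort-Object lastSeen -Descending | Select-Object -First 1
if (-not $machine) { throw "No onboarded device named $deviceName" }

# 2. Isolate first: every minute on the network is another chance to spread or to wipe evidence elsewhere.
$isolate = Invoke-MdeApi -Method POST -Path "/machines/$($machine.id)/isolate" -Body @{
    Comment       = "$ticket - isolated by IR playbook"
    IsolationType = 'Full'      # 'Selective' keeps Outlook/Teams working for the user
}

# 3. Then pull the investigation package; the sensor channel survives isolation.
$collect = Invoke-MdeApi -Method POST -Path "/machines/$($machine.id)/collectInvestigationPackage" -Body @{
    Comment = "$ticket - evidence collection"
}

# Both calls return a machineAction. Poll until collection finishes, then fetch the download link.
do {
    Start-Sleep -Seconds 15
    $action = Invoke-MdeApi -Method GET -Path "/machineactions/$($collect.id)"
} while ($action.status -in 'Pending', 'InProgress')

if ($action.status -eq 'Succeeded') {
    $package = Invoke-MdeApi -Method GET -Path "/machineactions/$($collect.id)/getPackageUri"
    "Isolation action: $($isolate.status); package download: $($package.value)"
} else {
    "Package collection ended with status $($action.status)"
}
```

The download URI is a time-limited link, so fetch the package straight away and record its hash in the ticket. Releasing the device afterwards is a separate POST to /machines/{id}/unisolate with its own comment; keep that step manual so nobody's automation quietly reconnects a box mid-investigation.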