Microsoft's cloud-native endpoint security platform providing EDR, next-gen antivirus, and advanced threat protection across Windows, macOS, Linux, Android, and iOS. It integrates tightly with the broader Microsoft security ecosystem.

Microsoft Defender for Endpoint is Microsoft's cloud-native endpoint detection and response platform, providing advanced threat protection across Windows, macOS, Linux, Android, and iOS devices from a single management console. It uses behavioral sensors embedded in the operating system to collect a continuous stream of process, file, network, and registry activity, which is analyzed in Microsoft's cloud using machine learning and threat intelligence. Defender generates rich incident timelines that show exactly how an attack unfolded on a device, including the initial entry point, lateral movement steps, and any data accessed or exfiltrated. Its deep integration with the Microsoft 365 ecosystem means that endpoint signals are automatically correlated with email, identity, and cloud app data, giving analysts a cross-domain view of complex attacks without requiring manual correlation.

Qevlar integrates with Microsoft Defender for Endpoint to retrieve endpoint alerts and device telemetry during automated investigations. When Defender detects malicious behavior on a device, Qevlar can pull the full incident timeline and correlate it with identity data from Entra ID and email signals from Exchange to determine the true scope of the compromise.