New Microsoft products – Defender Threat Intelligence, External Attack Defender, & Sentinel for SAP


Microsoft have added more new products to the Defender family – “Microsoft Defender Threat Intelligence” and “Microsoft Defender External Attack Surface Management” – and have brought out an SAP add-on for Microsoft Sentinel.

Microsoft Defender Threat Intelligence

This new offering, incorporating what was RiskIQ, effectively “maps the internet” and gives customers direct access to Microsoft’s real-time data and security signals; this enables organisations to “proactively hunt” for threats within their environment.

Microsoft Defender External Attack Surface Management

This helps organisations identify all their internet-facing resources – including the ones they’re not aware of or have forgotten about. It’s easy to lose track of externally facing assets after COVID-driven changes, mergers, good old shadow IT, and the mis-configured assets that inevitably exist around the business.

Being able to see a continuously updated map of potentially vulnerable assets will be key for organisations looking to protect themselves, their assets, and their users.

Microsoft Sentinel for SAP

They have announced an SAP specific add-on for Microsoft Sentinel that will:

  • Monitor all system layers
  • Detect & respond to threats
  • Enable customisation to extend protection

According to Microsoft it will integrate with “virtually any” NetWeaver system. It launched in August 2022 and is free for the first 6 months. After that it will be an add-on charge to the regular Sentinel pricing.

Further Reading

Threat Intelligence

External Attack Surface Management

Sentinel for SAP

Microsoft Defender for Cloud pricing


Microsoft Defender for Cloud is a relatively new product name – created through a combination of “Azure Defender” and “Azure Security Center” – and is Microsoft’s solution for “cloud security posture management” (CSPM) and “cloud workload protection” (CWP).

It works not only in Azure but also in Amazon Web Services (AWS) and Google Cloud Platform (GCP), and in hybrid/on-premises scenarios via Azure Arc.

Licensing & Pricing

The main thing to understand is that Microsoft Defender for Cloud isn’t one thing, it is an umbrella for several separate products that all have their own costs.

Resource Type                                          Price
Microsoft Defender for Servers Plan 1                  £0.006/Server/hour
Microsoft Defender for Servers Plan 2                  £0.016/Server/hour (includes 500 MB/day of data)
Microsoft Defender for Containers                      £0.0072/vCore/hour
Microsoft Defender for SQL on Azure                    £0.016/Instance/hour
Microsoft Defender for SQL outside Azure               £0.012/vCore/hour
Microsoft Defender for MySQL                           £11.420/Instance/month
Microsoft Defender for PostgreSQL                      £11.420/Instance/month
Microsoft Defender for MariaDB                         £0.016/Instance/hour
Microsoft Defender for Storage                         £0.016/10K transactions
Microsoft Defender for App Service                     £0.016/App Service/hour
Microsoft Defender for Key Vault                       £0.02/10K transactions
Microsoft Defender for ARM                             £3.046/1M API calls
Microsoft Defender for DNS                             £0.533/1M Queries
Microsoft Defender for IoT agentless monitoring        £107 per month per 100 monitored devices

Microsoft Defender for IoT agentless monitoring covers existing environments and is deployed on-premises. It can be connected to Microsoft Sentinel with no additional Sentinel charges, but it will require an IoT Hub, which costs between £7.61 and £1,903.17 per month.

For new IoT devices deployed via Azure IoT Hub, Defender pricing is:

Defender for IoT for devices managed by IoT Hub – by device        £0.0008/month
Defender for IoT for devices managed by IoT Hub – by messages      £0.153/25K transactions

Both of these offer free usage for the first 30 days and then the pricing kicks in, so be aware of what things people are turning on within your organisation.
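Because every plan in the table above bills separately (and the IoT plans start charging after their 30-day free period), the first thing worth checking is which Defender plans are actually switched on in each subscription. The PowerShell below is an added example for this page, not code from Microsoft or from the original post; it uses the Az.Accounts and Az.Security modules (Get-AzSecurityPricing returns one object per plan with a PricingTier of Free or Standard) and assumes you hold at least Security Reader on the subscriptions. The commented Set-AzSecurityPricing line and the plan name 'Dns' in it are illustrative.

```powershell
# Added example, not from the original post or from Microsoft: list which
# Defender for Cloud plans are enabled (and therefore billable) in every
# subscription the signed-in account can see.
# Assumes Az.Accounts and Az.Security are installed:
#   Install-Module Az.Accounts, Az.Security -Scope CurrentUser

Connect-AzAccount | Out-Null

$report = foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    # One object per Defender plan (VirtualMachines, SqlServers, StorageAccounts,
    # KeyVaults, AppServices, Arm, Dns, Containers, ...). PricingTier is
    # 'Free' when the plan is off and 'Standard' when the paid plan is enabled.
    foreach ($plan in Get-AzSecurityPricing) {
        [pscustomobject]@{
            Subscription = $sub.Name
            Plan         = $plan.Name
            Tier         = $plan.PricingTier
            Enabled      = ($plan.PricingTier -eq 'Standard')
        }
    }
}

# Everything that is currently costing money, grouped by subscription
$report | Where-Object Enabled | Sort-Object Subscription, Plan | Format-Table -AutoSize

# Plans that nobody has enabled anywhere (useful for spotting gaps, not just cost)
$report | Group-Object Plan | Where-Object { -not ($_.Group.Enabled -contains $true) } |
    Select-Object -ExpandProperty Name

# Example remediation in the current subscription context; 'Dns' is illustrative,
# use the Plan value from the report above.
# Set-AzSecurityPricing -Name 'Dns' -PricingTier 'Free'
```

Run it from an account with Security Reader (read-only) for the report; the commented remediation needs Security Admin or Contributor on the subscription.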

Microsoft Defender for Cloud Free Tier

This is enabled on all Azure subscriptions when you visit the Defender for Cloud section of the Azure portal and includes:

  • Continuous assessment
  • Security recommendations
  • Secure Score for Azure
  • Secure Score for AWS

Further Reading

The Microsoft Defender for Cloud page is here.

Microsoft introduce Defender for Endpoint Plan 1


Microsoft have announced the preview of “Microsoft Defender for Endpoint Plan 1”.

Microsoft Defender for Endpoint (MDfE) is the new name for “Microsoft Defender Advanced Threat Protection” (MDATP), and it is the main security differentiator between Windows 10 E3 and E5. The existing version of MDfE will become Plan 2, and the newly introduced Plan 1 will contain a subset of its features.

What’s included?

Defender for Endpoint Plan 1 diagram (source: Microsoft Docs site)

The Plan 1 offering will include:

  • Next-generation protection
    • This includes anti-virus and anti-malware cover
  • Attack surface reduction
    • These include:
      • Ransomware mitigation
      • Web protection
      • Network firewall
      • and more
  • Manual response actions
    • These are:
      • Run anti-virus scan
      • Isolate device
      • Stop and quarantine
      • Indicators to block/allow files
  • Centralised management
    • Includes access to the Microsoft 365 Defender portal with RBAC access and reporting.
  • It will also include:
    • Security reports
    • APIs

The MS Docs page states that MDfE P1 will support:

  • Windows 10 1709 and later
  • macOS Big Sur, Catalina, and Mojave
  • iOS
  • Android OS

although the MS Tech Community page states “Windows 7, 8.1, 10, 11, macOS, Android, and iOS“.

Differences between Plan 1 & Plan 2

Features exclusive to Plan 2 include:

  • Device discovery
  • Threat & vulnerability management
  • Automated investigation & response
  • Advanced hunting
  • Endpoint detection & response
  • Microsoft Threat Experts
  • Support for Windows Server
  • Support for Linux


MDfE Plan 1 will be included in Microsoft 365 E3/A3 and will also be available as a standalone license.

You can check out the preview of MDfE P1 here – Preview signup.

Further Reading

Techcommunity announcement

MS Docs page

Microsoft 365 F5 licenses

Starting February 2021, Microsoft have introduced 3 new “frontline” SKUs:

  • Microsoft 365 F5 Security ($8)
  • Microsoft 365 F5 Compliance ($8)
  • Microsoft 365 F5 Security & Compliance ($13)

These are available as add-ons to the existing Microsoft 365 F1 and F3 SKUs and include “the majority of capabilities” from the E5 versions.

The Microsoft announcement is here:

Microsoft 365 Security & Compliance additions


It seems Microsoft will be adding some new security and compliance SKUs in February 2021. According to a post from Bytes, a top UK Microsoft partner and LSP, we will soon be able to purchase:

Premium Compliance Assessments

There will be a range of over 150 assessments available which can be added to any Office 365 E5 or Microsoft 365 E5 plan, at a cost of $2,500 per assessment per month.

10-year audit log retention to Advanced Audit

This will enable organisations to retain audit logs for up to 10 years and can be added to:

  • Microsoft 365 E5
  • Microsoft 365 E5 Compliance
  • Microsoft 365 E5 eDiscovery & Audit
  • Office 365 E5

for $2 per user per month.

Data Connectors to E5

This looks like it will extend Microsoft 365 security and compliance capabilities to 3rd party services such as Slack and Zoom. It can be added to any Office 365 E5 or Microsoft 365 E5 plan and will cost $400 per 500GB of data.


The Data Connectors are, I think, the most interesting. Back in November 2019, Microsoft launched a preview of Azure Arc, which enables organisations to run Azure technologies and policies across other clouds such as Amazon AWS, and this new addition is the same thought process. The first time we saw this was when Satya Nadella opened up Office across Apple and Android – making Office available on those devices enables Microsoft to sell more Office 365 AND reach new customers…customers who may eventually purchase other Microsoft services.

While Microsoft would love everyone in every organisation to use Microsoft Teams, they’re pragmatic enough to realise that will never happen – their competitors’ products will always exist…so why not make some money out of it? 500GB of data isn’t much, so that $400 a month will quickly become a pretty big number for many organisations! It also helps Microsoft retain relationships with these organisations, ensuring they stay updated on respective changes and have reasons to talk – giving the chance for future sales…

I’ll keep an eye for more information and, hopefully, an entry in the February 2021 Product Terms.

Microsoft Security name changes – September 2020


Microsoft have always enjoyed a good name change and nowhere has this been more true than their rapidly growing security portfolio. You’ll be pleased to know the pace of change continues following Microsoft Ignite 2020!

What’s changed?

Old name                                              New name
Microsoft Threat Protection                           Microsoft 365 Defender
Microsoft Defender Advanced Threat Protection         Microsoft Defender for Endpoint
Office 365 Advanced Threat Protection                 Microsoft Defender for Office 365
Azure Advanced Threat Protection                      Microsoft Defender for Identity
Azure Security Center Standard Edition                Azure Defender for Servers
Azure Security Center for IoT                         Azure Defender for IoT
Advanced Threat Protection for SQL                    Azure Defender for SQL

So gone are the various ATPs and Security Centers but now, like Marvel, we’ve got a bunch of Defenders to contend with!

There have also been a range of new features additions which will continue to strengthen Microsoft’s security offering including support for Amazon AWS and Google Cloud.

Further Reading

Microsoft SIEM & XDR features and name changes

Microsoft make security magic

Back in 2005, Microsoft bought an anti-virus company called Sybari to, as this ComputerWorld article put it, “give them more of a presence in the enterprise security market”. They continued with the “Antigen” line and had variants for Exchange, SharePoint etc., using multiple different scanning engines including Norman, Sophos, Kaspersky, and Computer Associates (CA).

I was a reseller at this point, focused primarily on software. It’s going back quite a while now to be fair, but I remember it as being very difficult to sell, or even to have a proper conversation about. Those were the days of security dominance by McAfee, Symantec, and CA eTrust – and Microsoft were not taken seriously when it came to security.

Alongside this, they also had “Internet Security & Acceleration (ISA) Server” and “Intelligent Application Gateway (IAG)”. The former subsequently became “Threat Management Gateway (TMG)” and the latter “Unified Access Gateway (UAG)”. I remember ISA/TMG being relatively successful, certainly more so than the desktop anti-virus, and I also remember being surprised when Microsoft made TMG 2010 End of Life with no replacement! We had a range of customers who had been using it for years and, as it covered firewall, router, VPN, web cache and more, it had become quite integral to their server-side setup; Microsoft choosing not to replace it definitely led to some negative sentiment among organisations! They announced in 2012 that there’d be no further development and it would no longer be available to buy from the end of that year – although, with mainstream support having ended in April 2015, it is still in extended support until April 2020! If you’re still running TMG 2010, I’d love to hear from you! 😁

Regardless of the product and its capabilities though, there was still a lot of anti-Microsoft sentiment, distrust, and cynicism stemming from the various legal cases of the late 90’s/early 00’s – and this seemed particularly strong in the security space.

All this is to show how far Microsoft have come in the security space in this 14 year period. Now, in Gartner’s latest Magic Quadrant for Endpoint Protection Platforms, they are top for “ability to execute” and 2nd (behind CrowdStrike) for “completeness of vision”.

For them to be so far ahead of established security players like Sophos, Trend Micro, and Symantec is fascinating. Gartner state that Windows Defender Antivirus is the market share leader for business endpoints – quite the turnaround! It’s clear the work Microsoft has been doing around Microsoft Defender Advanced Threat Protection (MDATP) (formerly WDATP) is paying off. Among the “cautions” mentioned by Gartner are:

  • Licensing is difficult to navigate
  • Windows 10 E5 is more expensive than competitive offerings
  • The MDATP features aren’t all available on Windows 7/8
  • No support for XP
  • Group Policy settings can be complex

Nothing too major there really, certainly not compared to many of the other participants. As we move towards 2020, Microsoft’s security game is strong. Not just on the desktop but in so many other areas; some of the cloud security and information protection products seem really good and innovative. I think it’s safe to say that Microsoft are a security company now – as well as everything else!

Check out the Microsoft post here –


Office 365 and Multi-Factor Authentication

Cloud Services, rightly, throw up a number of questions around security and Microsoft always seem to be making improvements to the, already substantial, security of Office 365.

A recent one is the availability of Multi-Factor Authentication (MFA) for all Office 365 users. This has been available for admins since June 2013 but has now rolled out across the board.

With Multi-Factor Authentication for Office 365, users are required to acknowledge a phone call, text message, or an app notification on their smartphone after correctly entering their password. Only after this second authentication factor has been satisfied can a user sign in.

This will be very similar to the process already in place for Microsoft Accounts, when you sign into a new device and you receive a confirmation text.

Admins can set MFA for some/all users in the admin console, as you’d expect.

The second authentication factor options are:

  • Call my mobile
  • Text my mobile
  • Call my Office phone
  • Notify me through app
  • Show one-time code in app

Currently this isn’t available with the desktop apps of Office 2013, so MS have introduced App Passwords as a workaround. Be aware that an App Password is a single-factor credential: the legacy client presents it instead of the password plus second factor, so it is worth knowing which users have created them.

Once an information worker has logged in with multi-factor authentication, they will be able to create one or more App Passwords for use in Office client applications. An App Password is a 16-character randomly generated password that can be used with an Office client application as a way of increasing security in lieu of the second authentication factor.
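As an added example for this page (not code from Microsoft or the original post), the MSOnline PowerShell module exposes the same per-user MFA setting the admin console does, and lets you report on it across the tenant. The script below lists each user’s MFA state and registered second-factor methods, then, only when the $EnableMissing switch is set, enables MFA for users who have none. The $EnableMissing variable and the report column names are my own; the module is now deprecated in favour of Microsoft Graph PowerShell and Conditional Access, so this reflects the per-user MFA model the post describes.

```powershell
# Added example, not from the original post or from Microsoft.
# Reports per-user MFA state for every Office 365 / Azure AD user and,
# when $EnableMissing is $true, enables MFA for users who have none.
# Assumes the MSOnline module (deprecated; Microsoft Graph is the successor)
# and an account with Global or Authentication Administrator rights:
#   Install-Module MSOnline -Scope CurrentUser

$EnableMissing = $false   # flip to $true to actually change users

Connect-MsolService

# Skip sign-in-blocked accounts; they cannot complete MFA registration anyway
$users = Get-MsolUser -All | Where-Object { -not $_.BlockCredential }

$report = foreach ($u in $users) {
    # StrongAuthenticationRequirements is empty when per-user MFA is Disabled.
    # Otherwise State is 'Enabled' (user is prompted to register a second factor
    # at next sign-in) or 'Enforced' (registration done, second factor required).
    $req = @($u.StrongAuthenticationRequirements)[0]
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        MfaState          = if ($req) { $req.State } else { 'Disabled' }
        # Registered methods map to the options in the post: PhoneAppNotification
        # (notify me through app), PhoneAppOTP (one-time code in app), OneWaySMS
        # (text my mobile), TwoWayVoiceMobile (call my mobile), TwoWayVoiceOffice
        Methods           = @($u.StrongAuthenticationMethods | ForEach-Object MethodType) -join ','
    }
}

$report | Sort-Object MfaState, UserPrincipalName | Format-Table -AutoSize

$missing = @($report | Where-Object { $_.MfaState -eq 'Disabled' })
Write-Host "$($missing.Count) of $($report.Count) users have per-user MFA disabled"

if ($EnableMissing) {
    foreach ($row in $missing) {
        $sta = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $sta.RelyingParty = '*'        # apply to all services, not a single relying party
        $sta.State        = 'Enabled'  # moves to 'Enforced' once the user registers
        Set-MsolUser -UserPrincipalName $row.UserPrincipalName -StrongAuthenticationRequirements @($sta)
        # Users with Office 2013 desktop clients will then need an App Password,
        # which is a single-factor credential, until native MFA support arrives.
    }
}
```

Run the report first with $EnableMissing left at $false; enabling MFA for every remaining user in one pass also means every one of them may start generating App Passwords for legacy clients, so plan that communication before flipping the switch.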


It’s interesting to see that Microsoft are continuing to invest in MFA with Office desktop applications, and so App Passwords will be only a temporary method.

We’re planning to add native multi-factor authentication for applications such as Outlook, Lync, Word, Excel, PowerPoint, PowerShell, and OneDrive for Business, with a release date planned for later in 2014. This update includes the current phone-based multi-factor authentication, and it adds capability to integrate other forms of authentication such as: third-party multi-factor authentication solutions and smart cards.

Multi-Factor Authentication with desktop apps isn’t something I’ve really thought about to be honest, but as ever more data is accessed via Office and desktops, it certainly makes sense.

Read more about Office 365 & MFA here:

Forefront Product Cull

Microsoft are discontinuing a number of their Forefront security products:

  • Forefront Protection 2010 for Exchange Server (FPE)
  • Forefront Protection 2010 for SharePoint (FPSP)
  • Forefront Security for Office Communications Server (FSOCS)
  • Forefront Threat Management Gateway 2010 (TMG)
  • Forefront Threat Management Gateway Web Protection Services (TMG WPS)

There will be no further releases of these products, and “Forefront Online Protection for Exchange”, AKA “FOPE”, will from the next release be known as “Exchange Online Protection”.

Additionally, “basic malware protection” is being added to Exchange 2013, although this can be “easily turned off, replaced, or paired with other services”.

Both Forefront Identity Manager (FIM) & Unified Access Gateway (UAG) are continuing to be actively developed.

The full Microsoft post is here:

Microsoft Windows Intune: Online Systems Management

Microsoft Windows Intune is the new cloud-based systems management tool from Microsoft, formerly known as “System Center Online”, and has been long awaited. The ability to manage multiple locations/organisations from one central, online point is attractive to a lot of people for a lot of reasons…so let’s take a look at Intune.

There are at least 10 sections inside Intune so I’m going to cover them in a number of posts. We’ll start with – System Overview:

This is the first screen you see when you log in to the Windows Intune Admin Console and it immediately gives you a great overview of your systems. It shows:

  • If machines are infected/unprotected
  • If there are updates for your machines
  • A number of other alerts

Malware Protection:

From here you can see which machines have malware protection turned off completely, and also whether they have overdue scans or specific parts of the protection, such as USB device scanning, turned off.

One click takes you to a list of machines, from where you can turn on protection.

Updates:

This, not surprisingly, gives you a list of all the updates that are available for your machines, be they for the OS or applications.

One issue with this is that, by default, it shows you ALL possible updates:

however, these can easily be filtered:

Another problem I have noticed is that it wants to give my laptop updates for Office 2007, as well as Office 2010; oddly, this doesn’t happen with my other 2010 machines. I had a number of issues when upgrading Office versions and I’m inclined to believe that there are some Office 2007 remnants on the machine that are being picked up by Intune.

Should you choose to approve an update for a machine/machines, you then reach this screen:

Choose the groups on which you want to install the updates, click approve and job done!

I feel it would be a smoother experience, and require fewer clicks, if you could see the machine names on the same screen as all the updates. Currently, you must:

  • Select the update
  • Click on “x computers need this update”
  • Check the groups/machines
  • Go back to the previous screen
  • Approve the update

Showing the machine names/groups on the initial screen would remove a lot of that.

You can also access the updates via the individual machine screen; I’ll cover that in a later post.

Alerts by Type:

This section, as well as the above, also includes other types of alerts…not just updates and malware. This is where Intune starts to differentiate itself from other products, for example:

If I click through, it tells me:

That is pretty cool, and something that is very useful for system admins. I didn’t expect Intune to cover things like this, certainly not in the beta, so I’m pleasantly surprised 🙂 However, you can’t initiate the defrag from Intune.

The 2 options on the right hand side, “Create Computer Group” and “View a Report”, will be covered in later posts.

This is a brief look at just the first screen of Microsoft Windows Intune but I’m sure you will agree that it already looks very interesting. So stay tuned for the remaining posts in this series (at least 9!) and ask any questions you may have in the comments 🙂


