Assess Defender for Endpoint EDR settings

Microsoft Defender for Cloud integrates natively with Microsoft Defender for Endpoint as an endpoint detection and response (EDR) solution.

Understand EDR capabilities in Defender for Endpoint

EDR capabilities in Defender for Endpoint detect, investigate, and respond to advanced threats. These capabilities include advanced threat hunting (see Advanced threat hunting overview) and automatic investigation and remediation (see Automatic investigation and remediation).

  • Defender for Cloud uses agentless scanning to assess EDR settings. See About agentless data collection.
  • Agentless scanning for EDR settings is available when Defender for Cloud is running in your Azure subscription and either Defender for Servers Plan 2 or the Defender cloud security posture management (Defender CSPM) plan is enabled.

Assess Defender for Endpoint settings

When machines run Defender for Endpoint as their EDR solution, Defender for Servers scans them agentlessly. These checks confirm that Defender for Endpoint is configured correctly. Checks include:

  • Full and quick scans are older than seven days
  • Signatures are out of date
  • Antivirus is off or partially configured

If misconfigurations are found, Defender for Cloud presents recommendations such as:

  • EDR configuration issues should be resolved on virtual machines
  • EDR configuration issues should be resolved on EC2s
  • Anti-Virus component in your EDR is off or partially configured
  • Anti-Virus component of your EDR uses outdated signatures

Once you locate these recommendations (learn how to review recommendations), you can remediate them (learn how to remediate recommendations).
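
To confirm on a Windows machine that the conditions behind these checks are cleared after remediation, the following added example (not Microsoft's code, and not the logic Defender for Cloud itself runs) reads the local state with the built-in `Get-MpComputerStatus` cmdlet. The function name `Test-EdrAvSettings`, the signature-age threshold, the reading of "older than seven days" as "the most recent scan of either type", and the reading of "partially configured" as "some protection components disabled" are assumptions made for illustration.

```powershell
# Added example: local approximation of the three checks listed on this page.
param(
    [int]$MaxScanAgeDays = 7,        # from the page: scans older than seven days
    [int]$MaxSignatureAgeDays = 7    # ASSUMPTION: the page states no signature threshold
)

function Test-EdrAvSettings {        # hypothetical helper name
    param([Parameter(Mandatory)] $Status, [int]$MaxScanAgeDays, [int]$MaxSignatureAgeDays)
    $findings = @()

    # Check 1: scan recency. Ages are reported in days; a scan that has never
    # run shows up as a very large age, so it is flagged as well.
    $newestScanAge = [Math]::Min([uint64]$Status.FullScanAge, [uint64]$Status.QuickScanAge)
    if ($newestScanAge -gt $MaxScanAgeDays) {
        $findings += [pscustomobject]@{
            Check  = 'Scans'
            Detail = "Most recent full or quick scan is $newestScanAge days old"
        }
    }

    # Check 2: signature freshness.
    if ($Status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += [pscustomobject]@{
            Check  = 'Signatures'
            Detail = "Antivirus signatures are $($Status.AntivirusSignatureAge) days old"
        }
    }

    # Check 3: antivirus off, or only some components on (ASSUMED meaning of "partially").
    $components = 'AMServiceEnabled', 'AntivirusEnabled', 'RealTimeProtectionEnabled',
                  'OnAccessProtectionEnabled', 'BehaviorMonitorEnabled', 'IoavProtectionEnabled'
    $disabled = @($components | Where-Object { -not $Status.$_ })
    if (-not $Status.AMServiceEnabled -or -not $Status.AntivirusEnabled) {
        $findings += [pscustomobject]@{ Check = 'Antivirus'; Detail = 'Antivirus is off' }
    } elseif ($disabled.Count -gt 0) {
        $findings += [pscustomobject]@{
            Check  = 'Antivirus'
            Detail = "Partially configured; disabled: $($disabled -join ', ')"
        }
    }
    return $findings
}

$findings = Test-EdrAvSettings -Status (Get-MpComputerStatus) `
    -MaxScanAgeDays $MaxScanAgeDays -MaxSignatureAgeDays $MaxSignatureAgeDays
if ($findings) { $findings | Format-Table -AutoSize -Wrap; exit 1 }
'No scan, signature, or antivirus configuration issues found.'
```

A clean local result does not clear the recommendation immediately; Defender for Cloud updates it on its own agentless scan.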
