Sajed Naseem, New Jersey Courts, CISO

“If an alert comes in through our security information and event management tool, we can look at it, isolate the machine, and check it out with just a few clicks.”

Microsoft 365 Defender is a product made up of several tools, all included in a Microsoft 365 E5 license. The suite has significant functionality for installing sensors and using indicators of compromise. It also has a networking interface so that if somebody is attacked by a particular virus, you can easily search the entire organization for all other occurrences of that virus. You can also access threat intelligence information to see the global extent of a particular attack you are experiencing.

When a machine is compromised, Microsoft 365 Defender enables you to use automation to isolate that machine quickly and prevent anyone from signing in to it. In fact, Microsoft 365 Defender allows extensive customization of the functions and actions you can automate.

One tool in the Microsoft 365 Defender suite is Microsoft Cloud App Security, a cloud access security broker (CASB) that monitors user activity across cloud-based apps. The tool examines the IP addresses associated with user activity and can alert you when something is happening in the network that should not be. For example, if somebody signs in to a computer in New York City and then signs in again an hour later from San Jose, the system flags that as travel that should not be possible.
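As an added illustration (not code from the eBook or from Microsoft's product), the following is a simplified version of the impossible-travel check described above, run over constructed sign-in events; the speed threshold and the city coordinates are assumptions.

```python
import math
from datetime import datetime

# Constructed sample sign-in events (not real logs): user, UTC time, city, lat, lon
SIGN_INS = [
    ("alice", "2024-05-01T09:00:00", "New York City", 40.7128, -74.0060),
    ("alice", "2024-05-01T10:00:00", "San Jose", 37.3382, -121.8863),
    ("bob",   "2024-05-01T09:00:00", "New York City", 40.7128, -74.0060),
    ("bob",   "2024-05-01T11:30:00", "Boston", 42.3601, -71.0589),
]

# Assumed threshold: faster than this is treated as physically implausible
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins by the same user that would require
    travelling faster than max_kmh between the two locations."""
    alerts = []
    last_seen = {}
    # Process each user's sign-ins in time order
    for user, ts, city, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        t = datetime.fromisoformat(ts)
        prev = last_seen.get(user)
        if prev:
            pt, pcity, plat, plon = prev
            hours = (t - pt).total_seconds() / 3600
            dist = haversine_km(plat, plon, lat, lon)
            # A real distance covered in zero elapsed time is also impossible
            speed = dist / hours if hours > 0 else float("inf")
            if dist > 0 and speed > max_kmh:
                alerts.append({"user": user, "from": pcity, "to": city,
                               "km": round(dist), "hours": round(hours, 2),
                               "kmh": round(speed)})
        last_seen[user] = (t, city, lat, lon)
    return alerts
```

Real CASB products also weigh known VPN and corporate egress ranges before alerting, which this simplified check does not.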


This is an excerpt from 7 Experts on Implementing Microsoft 365 Defender.  This eBook was generously sponsored by BlueVoyant.