Technical Reference

Joseph A. M. edited this page Mar 27, 2026 · 1 revision

This page provides plain-English definitions for technical terms used in the tool, the compliance frameworks, and the Microsoft Security stack. Terms are listed alphabetically.

Glossary

AIR (Automated Investigation and Remediation) A feature in Microsoft Defender for Endpoint that automatically investigates security alerts and takes remediation actions without waiting for a human analyst. It works by following a set of investigation steps similar to what an experienced analyst would do. Depending on how it is configured, it can either take actions automatically or present findings and wait for a human to approve the action before proceeding.

ASR (Attack Surface Reduction) Rules A set of specific blocks built into Windows that prevent common attack techniques. Each rule targets a specific behaviour — for example, one rule blocks Microsoft Office applications from starting other programmes (a technique malware commonly uses), and another blocks attempts to steal credentials from a Windows process called LSASS. Rules can be set to Audit mode (where they log what they would have blocked without actually blocking it) or Block mode (where they actively prevent the behaviour).

ATO (Authority to Operate) A formal written decision issued by an Authorizing Official stating that a system is approved to operate, for how long, and under what conditions. ATOs are a specific requirement of the NIST Risk Management Framework and are used primarily in US federal and defence environments.

Baseline A documented starting point or reference state. In the context of this tool, a baseline refers to a JSON export of the compliance tracker state at a specific point in time, which can later be imported for gap analysis. In a security configuration context, a baseline refers to a standard set of settings that all devices should have applied.

BitLocker A Windows feature that encrypts the contents of a storage drive. If a device is lost or stolen, the data on it cannot be read without the recovery key. BitLocker can be enabled and managed through Microsoft Intune and keys can be stored securely in Microsoft Entra ID.

CASB (Cloud Access Security Broker) A security tool or service that sits between users and cloud applications and applies security controls. Microsoft Defender for Cloud Apps is Microsoft's CASB solution. It can discover which cloud applications are being used (including unapproved ones), enforce policies on how those applications can be used, and provide visibility into user activity.

CDE (Cardholder Data Environment) The part of an organisation's systems, network, and people that directly handle payment card data. PCI DSS requirements apply specifically to the CDE. Correctly scoping and isolating the CDE is one of the most important steps in a PCI DSS compliance programme.

Conditional Access A feature in Microsoft Entra ID that enforces access control policies based on conditions. For example, a Conditional Access policy can require multi-factor authentication for all users, or block access from devices that have a high MDE risk score. When a user tries to access a corporate application, Conditional Access checks whether the conditions are met before allowing or blocking access.

CVE (Common Vulnerabilities and Exposures) A standardised identifier for publicly known security vulnerabilities in software. Each CVE has a unique identifier (for example, CVE-2024-12345) and a CVSS score that indicates severity. Security teams use CVE IDs to track and prioritise vulnerability remediation.

CVSS (Common Vulnerability Scoring System) A numerical score from 0 to 10 that indicates the severity of a software vulnerability. Scores 0 to 3.9 are Low, 4.0 to 6.9 are Medium, 7.0 to 8.9 are High, and 9.0 to 10 are Critical. Compliance frameworks like PCI DSS and Cyber Essentials specify remediation timeframes based on CVSS severity levels.

Device Group A logical grouping of devices in Microsoft Defender for Endpoint. Device groups can be used to apply different policies, automation levels, and role-based access controls to different sets of devices. For example, a CDE device group contains only the servers and workstations that process payment data and has stricter policies applied to it than the general workstation group.

EDR (Endpoint Detection and Response) A category of security technology that records activity on devices, analyses that activity for signs of compromise, and enables investigation and response actions. Microsoft Defender for Endpoint is an EDR solution. The "sensor" that runs on each device collects telemetry and sends it to the MDE portal for analysis.

Entra ID Microsoft's cloud-based identity and access management service, formerly known as Azure Active Directory (Azure AD). Entra ID manages user accounts, groups, role assignments, and Conditional Access policies. It is the foundation of identity management in the Microsoft 365 ecosystem.

EOS (End of Support) The date after which a software product no longer receives security updates from its vendor. Software that is end-of-support poses a significant security risk because newly discovered vulnerabilities will not be patched. Both Cyber Essentials and PCI DSS explicitly require that end-of-support software is removed or replaced.

False Positive When a security tool incorrectly identifies something legitimate as a threat. For example, if an antivirus tool flags a legitimate business application as malware, that is a false positive. False positives waste analyst time and can disrupt business operations if the tool takes automatic action. Managing false positive rates is particularly important for AI-powered security features.

FIPS 199 A US federal standard (Federal Information Processing Standard 199) that defines how to classify the sensitivity of information systems based on the potential impact of a security breach. Impact levels are Low, Moderate, or High for three categories: Confidentiality, Integrity, and Availability. FIPS 199 classifications are used in the NIST RMF to determine which security controls must be implemented.

FPR (False Positive Rate) The percentage of alerts generated by a security tool that turn out to be benign. Calculated as (false positive alerts divided by total alerts) multiplied by 100. A high false positive rate means analysts spend significant time investigating alerts that turn out to be nothing, reducing their capacity to investigate real threats.

GPO (Group Policy Object) A feature in Windows environments that allows administrators to apply configuration settings to multiple computers at once. GPOs are distributed through Active Directory. In the context of MDE, GPOs can be used to deploy the MDE onboarding package and configuration settings to Windows devices in an organisation that uses on-premises Active Directory.

Intune Microsoft's cloud-based device management service, formally called Microsoft Intune. Intune allows administrators to create and deploy configuration policies, compliance policies, and security baselines to Windows, macOS, iOS, and Android devices. Most of the protection-related tasks in this tool involve creating and deploying policies through Intune.

IoC (Indicator of Compromise) Evidence that a system may have been breached. Examples include a specific IP address known to be associated with malware, a file with a known malicious hash value, or a domain name used in phishing campaigns. MDE can block connections to known malicious IoCs and can be configured with custom IoCs specific to an organisation's threat environment.

KQL (Kusto Query Language) A query language used to search and analyse data in Microsoft products including Microsoft Sentinel and Microsoft Defender for Endpoint's Advanced Hunting feature. KQL queries are used to search through large volumes of security telemetry, build detection rules, and produce reports. This tool includes pre-written KQL queries in the "How to comply" guidance for tasks that involve searching or analysing security data.
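As an added example (not one of the tool's own pre-written queries), the following Advanced Hunting query summarises the ASR rule events described above by rule and by mode. It is the kind of check a defender runs while a rule is still in Audit mode, to see what it would have blocked before switching it to Block mode. It assumes the standard DeviceEvents table, where ASR events carry an ActionType that begins with "Asr" and ends in Audited, Blocked or Warned.

```kql
// Added example: ASR rule activity over the last 7 days, split by Audit / Block / Warn.
// Assumes the Advanced Hunting DeviceEvents schema (ActionType values such as
// AsrOfficeChildProcessAudited or AsrLsassCredentialTheftBlocked).
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType startswith "Asr"
// The suffix of ActionType tells us which mode the rule was in when it fired
| extend Mode = case(ActionType endswith "Audited", "Audit",
                     ActionType endswith "Blocked", "Block",
                     ActionType endswith "Warned",  "Warn",
                     "Other")
// Strip that suffix so audit and block events for the same rule group together
| extend Rule = replace_regex(ActionType, @"(Audited|Blocked|Warned)$", "")
| summarize Events    = count(),
            Devices   = dcount(DeviceName),
            // Up to 10 distinct parent processes, to spot legitimate software that would be disrupted
            Processes = make_set(InitiatingProcessFileName, 10)
          by Rule, Mode
| order by Rule asc, Events desc
```

A rule whose Audit rows are dominated by a known business application is a candidate for an exclusion before it is moved to Block mode; a rule with no Audit rows at all can usually be switched over safely.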

LAPS (Local Administrator Password Solution) A Microsoft feature that manages and regularly rotates the passwords for local administrator accounts on Windows devices. Without LAPS, local admin accounts often have the same password across all devices — which means that if an attacker discovers the password on one device, they can use it to access all others. LAPS assigns a unique, randomly generated password to each device's local admin account.

Lateral Movement A technique attackers use to move from one compromised system to other systems within the same network. Once an attacker has access to one device, they typically try to access other, more valuable devices using credentials, exploits, or legitimate remote access tools. Several attack surface reduction rules in MDE specifically target lateral movement techniques.

Live Response A feature in Microsoft Defender for Endpoint that allows security analysts to connect directly to a device that is under investigation and execute commands, collect files, run scripts, and perform remediation actions. It is similar to remote desktop access but designed specifically for incident response and forensic investigation.

MAPS (Microsoft Active Protection Service) The component of Microsoft Defender Antivirus that connects to Microsoft's cloud to check files and processes against a constantly updated database of known threats. When MAPS is enabled with Advanced membership, even files not previously seen in the wild can be checked in real time against cloud intelligence. This is significantly more effective than relying on locally installed signature updates.

MDE (Microsoft Defender for Endpoint) Microsoft's enterprise endpoint detection and response (EDR) platform. MDE protects Windows, macOS, Linux, Android, and iOS devices by providing antivirus protection, behavioural monitoring, attack surface reduction, vulnerability management, and investigation and response capabilities. MDE is the primary focus of all tasks in this tool.

MFA (Multi-Factor Authentication) An authentication method that requires a user to provide two or more verification factors before being granted access. The most common combination is a password (something you know) plus a notification on a phone app (something you have). MFA significantly reduces the risk of account compromise because an attacker who steals a password cannot log in without also having the second factor. Phishing-resistant MFA methods, such as FIDO2 security keys and passkeys (including passkeys registered in Microsoft Authenticator), provide stronger protection than SMS-based codes because the credential is bound to the legitimate site and cannot be relayed through a fake login page.

MSSP (Managed Security Service Provider) A company that provides outsourced monitoring and management of security systems for other organisations. MSSPs typically manage security operations on behalf of multiple clients, providing services like security monitoring, incident response, vulnerability management, and compliance support. This tool is designed for MSSP security engineers managing MDE deployments on behalf of clients.

NGAV (Next-Generation Antivirus) A term for modern antivirus that goes beyond signature-based detection (matching files against a known list of malicious files) to include behavioural analysis (detecting suspicious activity regardless of whether the file is previously known), machine learning-based detection, and cloud-based lookups. Microsoft Defender Antivirus, as configured in this tool, operates as an NGAV solution.

PIM (Privileged Identity Management) A feature in Microsoft Entra ID that controls when and how privileged roles (such as Security Administrator) can be activated. With PIM, there are no standing admin role assignments — instead, an administrator is made eligible for the role and must actively request activation, provide a justification, receive approval from another authorised person (where the role's settings require it), and have the elevated access automatically expire after a defined period. This reduces the risk of a compromised admin account being used for extended damage.

POA&M (Plan of Action and Milestones) A document used in the NIST RMF process that lists security control weaknesses, the actions planned to remediate them, the resources required, and the target dates for completion. The POA&M is a living document that is updated throughout the ATO lifecycle. It represents the acknowledged gap between the ideal security posture and the current reality, along with a commitment to close that gap.

PUA (Potentially Unwanted Application) Software that is not necessarily malicious but is considered undesirable in a managed environment — for example, adware, cryptocurrency miners, browser toolbars, and system optimisation tools that have questionable value. Microsoft Defender Antivirus can be configured to block PUAs from being installed, which reduces the noise and risk on managed devices.

RBAC (Role-Based Access Control) A method of controlling access to systems by assigning permissions to roles rather than individual users, and then assigning users to roles. In Microsoft Defender for Endpoint, RBAC allows you to define different levels of access — for example, a Tier 1 analyst can see alerts and device information but cannot take remediation actions, while a Tier 3 analyst can initiate device isolation and run scripts through Live Response.

Secure Score A measurement in the Microsoft Defender portal that quantifies the security posture of an organisation based on how many recommended configuration improvements have been implemented. The score is expressed as a number out of a maximum value and increases as you apply more of the recommended settings. Secure Score is used in this tool as a risk metric and as a way to track improvement over time.

Sentinel Microsoft Sentinel is a cloud-based security information and event management (SIEM) platform. It collects security data from multiple sources — including MDE, Entra ID, Intune, and other products — and provides a centralised view for detecting, investigating, and responding to security incidents. Many of the detection and monitoring tasks in this tool involve connecting MDE to Sentinel.

SSP (System Security Plan) A formal document required by the NIST RMF that describes a system's security controls, who is responsible for each control, how each control is implemented, and any weaknesses or gaps. The SSP is the primary documentation artefact in the RMF process and forms the core of the authorisation package submitted to the Authorizing Official.

Tamper Protection A feature in Microsoft Defender for Endpoint that prevents security settings from being changed by unauthorised users, processes, or malware. Once Tamper Protection is enabled, the MDE security settings can only be changed through Intune or the MDE portal — not through the Windows registry, PowerShell, or Group Policy at the local device level. This is important because attackers often try to disable antivirus before deploying their payloads.

TVM (Threat and Vulnerability Management) A feature in Microsoft Defender for Endpoint that continuously scans enrolled devices for known software vulnerabilities, provides an Exposure Score indicating overall vulnerability risk, and generates prioritised recommendations for remediation. TVM is the primary tool for patch management and vulnerability tracking tasks in this tool.

WCF (Web Content Filtering) A feature in Microsoft Defender for Endpoint that blocks access to websites in specified categories — for example, malicious sites, adult content, gambling, or high-risk content. WCF operates at the operating system level using Network Protection and applies to all browsers and applications on the device, not just the web browser.

WDAC (Windows Defender Application Control) A feature in Windows that restricts which applications are permitted to run on a device. Only software that meets defined criteria — such as being signed by a trusted publisher or explicitly listed as approved — is allowed to execute. WDAC is used in high-trust environments such as Privileged Access Workstations and Cardholder Data Environment devices to prevent unauthorised software from running.

Zero Trust A security model that treats every access request as potentially hostile, regardless of where it originates. The core principle is "never trust, always verify" — meaning that every user, device, and application must prove their identity and meet defined security requirements every time they request access to a resource, rather than being trusted automatically because they are inside the corporate network.