Microsoft Defender for Endpoint Adds Aggregated Reporting to Streamline Threat Analysis

Microsoft Defender for Endpoint gets new aggregated reporting feature to enhance threat analysis.

Published: Jan 24, 2025

Key Takeaways:

  • Microsoft Defender for Endpoint now includes aggregated reporting in public preview.
  • The aggregated reporting feature collects essential event properties at extended one-hour intervals.
  • It may increase storage costs due to the larger volume of retained data.

Microsoft has added support for aggregated reporting in public preview within its Defender for Endpoint solution. This new feature aims to overcome limitations in event reporting and improve data analysis for endpoint security.

What is the problem?

Essentially, Microsoft Defender for Endpoint collects a lot of data from various points in enterprise networks to detect potential intruders. This data is quickly analyzed to highlight the higher-fidelity signals that matter most to SOC analysts. During the analysis, redundant and irrelevant signals are discarded to minimize noise, so that deeper analysis can focus on significant security threats. However, some administrators have expressed the desire to be able to review all collected signals, including those that would otherwise be discarded.

How does the aggregated reporting feature work?

The aggregated reporting feature provides summarized information on all supported event types, such as low-efficiency telemetry. This capability should be useful in analyzing and identifying potential security threats within an organization.

“With aggregated reporting, Defender for Endpoint ensures that all essential event properties valuable to investigation and threat hunting activities are continuously collected. It does this by extending reporting intervals to one hour, which reduces the size of reported events and enables efficient yet valuable data collection,” Microsoft explained.

Advanced hunting query results with aggregated reports (Image Credit: Microsoft)

How to enable aggregated reporting in Microsoft Defender for Endpoint?

To enable aggregated reporting, administrators will need to navigate to Settings > Endpoints > Advanced features and then enable the Aggregated reporting feature. Once enabled, aggregated reports may take up to seven days to become available within Defender for Endpoint.

Turn on aggregated reporting (Image Credit: Microsoft)

The aggregated reporting feature requires customers to have a Defender for Endpoint Plan 2 license. It also requires permissions to enable advanced features and supports Windows 11, Windows 10, and Windows Server.

It’s important to note that aggregated reporting improves signal visibility but may increase storage costs due to the larger volume of data generated. The extent of these costs will vary depending on the organization’s specific needs and usage.