Module 1: Mitigate Threats Using Microsoft Defender XDR
What this module is about
Microsoft Defender XDR is the unified security platform that correlates threat signals across email, endpoints, identity, and cloud applications. It is the primary tool that a Security Operations Analyst uses every day. When an alert fires, you work in the Defender XDR portal. When you investigate an incident, you follow the evidence across Defender products. When you remediate a threat, you take actions through the portal’s unified interface.
This module teaches you to operate every major component of Defender XDR — not as isolated products, but as an integrated platform. You will learn how each component detects and remediates threats in its domain, and how the XDR correlation engine connects signals across domains to reveal the full attack chain.
The emphasis is operational: not “what features does Defender for Endpoint have” but “an alert fired on an endpoint — what do you do, in what order, using which tools, and how do you determine whether the incident extends to email or identity?”
What you will be able to do after completing this module
- Navigate the Microsoft Defender XDR portal confidently and understand the purpose of every major section
- Triage, investigate, and remediate incidents in the unified incident queue
- Investigate and remediate email threats using Defender for Office 365 (phishing, malware, BEC)
- Investigate endpoint alerts using Defender for Endpoint (device timelines, response actions, evidence collection)
- Investigate identity threats using Defender for Identity (lateral movement, credential theft, reconnaissance)
- Investigate cloud application threats using Defender for Cloud Apps (OAuth abuse, shadow IT, data exfiltration)
- Operate a daily SOC triage workflow using the unified portal
- Trace an attack across multiple Defender products using cross-product correlation
How this module is structured
1.1 — Introduction to Microsoft Defender XDR Threat Protection. The starting point. You will learn what Defender XDR is, how it unifies four security products under a single correlation engine, and what each product contributes. This subsection maps the entire platform so you understand where each subsequent subsection fits.
1.2 — Mitigate Incidents Using Microsoft Defender XDR. The incident lifecycle from first alert to closure. You will learn the unified incident queue, incident classification, severity assessment, alert correlation (how multiple alerts become one incident), investigation workflow, and remediation actions. This is the daily work of a SOC analyst.
1.3 — Remediate Risks with Microsoft Defender for Office 365. Email is the #1 attack vector. You will learn how Defender for Office 365 detects phishing, malware, and BEC; how to use Threat Explorer for email investigation; how to take remediation actions (soft delete, hard delete, block sender); and how automated investigation handles email threats.
1.4 — Manage Microsoft Defender for Endpoint Investigations. When malware reaches a device, you investigate here. You will learn to read device timelines, interpret process trees, identify malicious behavior chains, take response actions (isolate, collect investigation package, run antivirus scan), and use live response for remote forensics.
1.5 — Mitigate Threats Using Microsoft Defender for Identity. Identity is the attack surface that connects everything. You will learn how Defender for Identity detects reconnaissance (LDAP, DNS enumeration), credential theft (Kerberoasting, pass-the-hash), and lateral movement (pass-the-ticket, overpass-the-hash) in on-premises Active Directory environments.
1.6 — Secure Cloud Apps and Services with Microsoft Defender for Cloud Apps. Cloud applications extend your attack surface beyond the M365 boundary. You will learn how Defender for Cloud Apps provides visibility into SaaS usage, detects OAuth abuse and consent phishing, monitors data exfiltration, and enforces session controls through conditional access integration.
1.7 — Unified Portal Operations: Daily SOC Workflow. This subsection is our addition — not in Microsoft Learn. It teaches you the practical daily workflow: how to triage the incident queue efficiently, what to check at shift start, how to prioritize competing incidents, when to escalate, and how to document investigation progress. This is the operational rhythm that distinguishes a functional SOC analyst from someone who can navigate the portal.
1.8 — Cross-Product Incident Correlation. Also our addition. You will learn how Defender XDR’s correlation engine connects a phishing email (Office 365) → credential theft (Identity) → endpoint compromise (Endpoint) → data exfiltration (Cloud Apps) into a single incident. You will build KQL queries that trace this chain across the Advanced Hunting tables, directly applying the skills from Module 6.
1.9 — Module Summary. Key takeaways, skill checklist, SC-200 exam objectives covered, bridge to Module 7.
1.10 — Check My Knowledge. 20 scenario-based questions testing your ability to investigate and respond to threats in the Defender XDR portal.
You need the M365 E5 tenant from Module 0. Several exercises reference the Microsoft Defender XDR portal at security.microsoft.com and the Advanced Hunting interface. If your tenant has P1 only (Business Premium), you can follow the narrative but will not have access to Threat Explorer or Advanced Hunting — consider upgrading to E5 for the full experience.
This module covers exam objectives across two domains: Domain 1 (Manage a SOC Environment — configure Defender XDR settings, manage assets, and configure automation) and Domain 3 (Manage Incident Response — respond to alerts from every Defender product). Approximately 30-40% of exam questions relate directly to content in this module.