1.1 Introduction to Microsoft Defender XDR Threat Protection

10-14 hours · Module 1 · Free

Introduction to Microsoft Defender XDR Threat Protection

SC-200 Exam Objective

Domain 1 — Manage a SOC Environment: "Configure settings in Microsoft Defender XDR" and "Manage automated investigation and response capabilities in Microsoft Defender XDR." This subsection provides the foundational understanding of the platform that every configuration question depends on.

Introduction

Microsoft Defender XDR (Extended Detection and Response) is the unified security platform that ties together four specialized security products — Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps — under a single correlation engine and investigation interface.

Before Defender XDR existed, each product operated independently. An email alert was in one portal. An endpoint alert was in another. An identity alert was in a third. An analyst investigating a phishing attack that compromised a user’s credentials, led to malware on their device, and resulted in data exfiltration through a cloud app had to pivot between four separate portals, manually connecting the evidence.

Defender XDR solves this by:

Correlating alerts into incidents — a phishing email alert, a suspicious sign-in alert, and a malware detection alert become a single incident when XDR determines they are part of the same attack
Providing a unified investigation interface — one portal, one incident queue, one advanced hunting schema across all products
Enabling cross-product response — from a single incident view, you can remediate email, isolate a device, revoke user sessions, and block an OAuth app

This subsection maps the platform architecture so you understand what each component does, what data it produces, and how the pieces connect. Subsections 1.2-1.6 then go deep on each component.

Figure 1.1: The Defender XDR architecture. Four specialized products feed signals into the XDR correlation engine, which groups related alerts into incidents and presents them through a unified investigation interface at security.microsoft.com.

The four pillars of Defender XDR

Each Defender product protects a specific domain and produces specific data. Understanding what each one does — and what it does NOT do — is essential for knowing where to look during an investigation.

Microsoft Defender for Endpoint

What it protects: Devices — Windows, macOS, Linux, iOS, Android workstations and servers.

What it detects: Malware execution, suspicious process behavior, network connections to known-malicious destinations, credential dumping, lateral movement, privilege escalation, persistence mechanisms.

Key data tables:

DeviceProcessEvents — every process created on the device (the most important endpoint table)
DeviceNetworkEvents — every network connection made by processes
DeviceFileEvents — file creation, modification, deletion
DeviceLogonEvents — local and remote logon events
DeviceRegistryEvents — registry key changes (persistence indicators)
DeviceInfo — device inventory and health status

Key response actions: Isolate device, collect investigation package, run antivirus scan, restrict app execution, live response (remote shell).

Coverage gap: Does not protect email content, identity infrastructure, or cloud applications. If the attacker operates purely through OAuth tokens and never touches a device, Defender for Endpoint generates no alerts.

Microsoft Defender for Office 365

What it protects: Email (Exchange Online), collaboration (Teams, SharePoint, OneDrive) — the communication and file-sharing layer.

What it detects: Phishing emails (including impersonation and spoof), malicious attachments (sandbox detonation), malicious URLs (time-of-click scanning), business email compromise patterns, malicious files in SharePoint/OneDrive/Teams.

Key data tables:

EmailEvents — every email received, with delivery action and threat classification
EmailAttachmentInfo — attachment metadata and threat verdict
EmailUrlInfo — URLs in email bodies with scanning results
EmailPostDeliveryEvents — ZAP actions taken after delivery
UrlClickEvents — user click tracking for Safe Links

Key response actions: Soft delete/hard delete emails from mailboxes, block sender, submit for analysis, automated investigation of email campaigns.

Coverage gap: Does not protect endpoints, identity, or non-M365 cloud apps. A zero-day malware attachment that passes sandbox detection and executes on a device is an Endpoint problem, not an Office 365 problem.

Microsoft Defender for Identity

What it protects: On-premises Active Directory and hybrid identity infrastructure — the authentication backbone.

What it detects: Reconnaissance (LDAP enumeration, DNS reconnaissance), credential theft (Kerberoasting, AS-REP roasting, DCSync, pass-the-hash), lateral movement (pass-the-ticket, overpass-the-hash, remote code execution), privilege escalation (SID-history injection, domain controller exploitation).

Key data tables:

IdentityLogonEvents — authentication events from AD domain controllers
IdentityQueryEvents — LDAP, DNS, and SMB queries (reconnaissance indicators)
IdentityDirectoryEvents — directory changes (group membership, password resets)

Key response actions: Disable user account in Active Directory, force password reset, suspend user in Entra ID.

Coverage gap: Requires sensors installed on domain controllers. Does not protect cloud-only (Entra ID only) environments. Does not detect attacks that bypass AD entirely (e.g., AiTM token replay against Entra ID — this is why the Module 11 AiTM investigation does not rely heavily on Defender for Identity).

Microsoft Defender for Cloud Apps

What it protects: Cloud applications — both Microsoft (M365 services) and third-party SaaS (Salesforce, Google Workspace, Dropbox, etc.).

What it detects: Anomalous cloud app usage, OAuth consent phishing (malicious app registrations), impossible travel for cloud apps, mass file download (data exfiltration), shadow IT (unauthorized SaaS usage), suspicious inbox rules.

Key data tables:

CloudAppEvents — activity across connected cloud applications

Key response actions: Revoke OAuth app permissions, suspend user, require step-up authentication via conditional access app control.

Coverage gap: Requires app connectors for third-party SaaS visibility. Detection depth depends on the API access granted by each SaaS provider. On-premises applications without cloud connectivity are invisible.

The XDR correlation engine — how signals become incidents

The defining capability of Defender XDR is automated incident correlation. Individual alerts from different products are automatically grouped into incidents when XDR identifies shared entities — the same user, the same IP address, the same device, the same email.

Example: an AiTM phishing attack across the stack

Defender for Office 365 detects a suspicious email → generates an alert
Entra ID Protection detects a sign-in from an unusual location with a suspicious token → generates an alert
Defender for Cloud Apps detects an inbox rule creation with suspicious keywords → generates an alert
Defender for Endpoint detects a suspicious process on the user’s device → generates an alert

Figure 1.2: Four alerts from four different products automatically correlated into a single incident because they share the same user entity. The analyst investigates one incident, not four separate alerts.

All four alerts reference the same user. XDR correlates them into a single incident: “Multi-stage attack: phishing → credential theft → post-compromise activity → endpoint compromise.” The analyst sees one incident with four correlated alerts, not four separate alerts in four separate queues.

The unified incident is the starting point for every investigation

You do not investigate individual alerts. You investigate incidents. An incident may contain 1 alert or 20 alerts. The correlation engine has already done the initial grouping for you — your job is to validate the correlation (are these truly related?), determine the scope (what else is affected?), and take action (contain, eradicate, recover).

The unified portal — security.microsoft.com

The Defender XDR portal at security.microsoft.com is your primary workspace. Understanding its layout saves time during every investigation.

Figure: The Defender XDR portal layout. The left navigation provides access to all investigation tools. The main area shows the incident queue with Attack disruptions summary, filter bar, and incident list sorted by priority score. This is the view you check at the start of every shift.

Figure: The Defender XDR incident queue at security.microsoft.com → Incidents & alerts → Incidents. Each row represents a correlated incident with severity, name, status, attack categories, impacted assets, and last activity time. The analyst triages from highest severity and most recent activity first.

Key sections:

Portal section	What it shows	When you use it
Incidents & alerts	The unified incident queue — all correlated alerts across products	Every shift. Triage, investigate, resolve.
Hunting → Advanced Hunting	KQL query interface across all Defender tables	When the incident queue does not have the answer. Module 6 skills apply here.
Actions & submissions → Action center	Pending and completed response actions (AIR approvals, manual actions)	When reviewing automated investigation results, approving remediation.
Threat intelligence → Threat analytics	Microsoft’s threat intelligence reports with environment impact assessment	When a new threat is published and you need to check exposure.
Assets → Devices / Identities	Device and user inventory with security posture	During investigation to check device health, user risk level.
Email & collaboration → Explorer	Threat Explorer for email investigation (P2 only)	During phishing investigation — campaign analysis, bulk remediation.
Settings	Configuration for all Defender products, automation, RBAC	During initial setup and policy changes (Module 4 deep dive).
Secure Score	Organization security posture measurement	Weekly review for security improvement recommendations.

Bookmark security.microsoft.com — it is your home for the rest of the course

Navigate to it now and click through the sections above. Find the incident queue (Incidents & alerts → Incidents). Find Advanced Hunting (Hunting → Advanced Hunting). Find Threat Explorer (Email & collaboration → Explorer). Knowing where things are before an incident reduces friction during an investigation.

Advanced Hunting — the KQL interface

Advanced Hunting is where Module 6 (KQL) meets Module 1 (Defender XDR). The same KQL queries you wrote against Sentinel tables work in Advanced Hunting — but the tables are slightly different.

The same KQL syntax from Module 6 works here. The query editor, Run button, and tabular results are identical to the Sentinel Logs interface.

Figure: The Advanced Hunting interface at security.microsoft.com → Hunting → Advanced Hunting. The KQL query editor (top) accepts the same syntax from Module 6. Results display in tabular form below. This is where you pivot from the incident UI to raw data investigation.

Sentinel vs Advanced Hunting table availability:

Table	Available in Sentinel (via connector)	Available in Advanced Hunting
DeviceProcessEvents	Yes (when connected)	Yes (native)
EmailEvents	Yes (when connected)	Yes (native)
SigninLogs	Yes (native Sentinel table)	No — use IdentityLogonEvents instead
IdentityLogonEvents	Yes (when connected)	Yes (native)
CloudAppEvents	Yes (when connected)	Yes (native)
AlertInfo / AlertEvidence	Yes	Yes

SigninLogs is a Sentinel table, not a Defender table

If you write a KQL query using SigninLogs in Advanced Hunting, it will fail. The equivalent data in Advanced Hunting is in IdentityLogonEvents and AADSignInEventsBeta. When the course provides a KQL query, it specifies whether the query is for Sentinel or Advanced Hunting. Most investigation queries work in both — the table names may differ.

Licensing — what you get at each tier

Understanding licensing matters because it determines which features are available in your portal.

Feature	M365 E3	M365 E5	M365 Business Premium
Defender for Endpoint	P1 (basic)	P2 (full EDR)	P1
Defender for Office 365	Not included	P2 (full)	P1
Defender for Identity	Not included	Included	Not included
Defender for Cloud Apps	Not included	Included	Not included
Defender XDR (full correlation)	Partial	Full	Partial
Advanced Hunting	Limited	Full	Limited
Threat Explorer	Not included	Included	Not included
AIR (Automated Investigation)	Basic	Full	Basic

This course assumes M365 E5

All four Defender products, full Advanced Hunting, Threat Explorer, and complete AIR require E5. If you are on E3 or Business Premium, you will have access to some features but not all. The developer tenant from Module 0 provides E5 licensing for lab exercises.

Try it yourself

Navigate to security.microsoft.com in your lab tenant. Find and click through these sections: (1) Incidents queue, (2) Advanced Hunting, (3) Threat Explorer, (4) Action center, (5) Secure Score. For each, note whether it is populated with data or empty. If Advanced Hunting is accessible, run the query DeviceInfo | take 5 to confirm the table is queryable.

Incidents queue: Likely empty in a new lab — no threats detected yet. This is normal.

Advanced Hunting: Should be accessible. DeviceInfo | take 5 may return results if you have onboarded a device, or may be empty if no devices are onboarded yet. The query should not error — if it errors, your E5 license may not be fully provisioned.

Threat Explorer: Accessible with E5. Shows email traffic — may have minimal data from test emails you sent in Module 0.6.

Action center: Empty — no automated investigations have run yet.

Secure Score: Should show your current security posture score with improvement recommendations. New tenants typically score 30-40% — the recommendations show what needs configuration.

Check your understanding

1. An analyst receives four separate alerts: a suspicious email delivery, a risky sign-in, an inbox rule creation, and a malware detection — all involving the same user within 30 minutes. In Defender XDR, how do these appear?

As a single incident containing four correlated alerts. The XDR correlation engine identifies the shared entity (the user) and groups the alerts automatically. The analyst investigates one incident, not four separate alerts.

As four separate incidents, one per alert

As one alert with four sub-alerts

As a threat analytics report

Incident correlation is the defining feature of XDR. Individual alerts are evidence. The incident is the investigation context. Starting from the incident gives you the full picture — starting from individual alerts gives you fragments.

2. A user's account is compromised via AiTM phishing. The attacker replays the stolen token from their own device (not enrolled in the organization) and accesses the user's mailbox. Which Defender product detects the mailbox access?

Defender for Endpoint — it detects malware on the user's device

Defender for Identity — it detects the credential theft

Defender for Cloud Apps — CloudAppEvents captures the anomalous inbox activity and rule creation. Defender for Endpoint does not detect this because the attacker never touched the user's device. Defender for Identity may not detect it because AiTM bypasses on-premises AD (token replay goes directly to Entra ID/Exchange Online).

None — Defender XDR cannot detect token replay

Understanding each product's detection domain is critical for investigation. AiTM token replay operates at the cloud authentication and application layer — Defender for Cloud Apps and Entra ID Protection are the detection points, not Endpoint or Identity. This is why the Module 11 AiTM investigation focuses on sign-in logs and cloud app events, not device timelines.

3. You write a KQL query using SigninLogs in the Advanced Hunting interface and it fails. Why?

SigninLogs is a Sentinel-native table, not available in Advanced Hunting. The equivalent data in Advanced Hunting is in IdentityLogonEvents and AADSignInEventsBeta. When moving queries between Sentinel and Advanced Hunting, verify table availability — the schema overlaps significantly but table names differ.

Your KQL syntax is wrong

Advanced Hunting does not support KQL

You need a P2 license for sign-in data

Table availability differences between Sentinel and Advanced Hunting are a common gotcha. Always check which interface you are using before running a query. The KQL syntax is identical — the data tables are not.

4. Your organization has M365 E3 licensing. Which Defender XDR capability is NOT available?

Defender for Endpoint P1 (basic protection)

Basic incident queue

Defender for Identity. E3 does not include Defender for Identity, Defender for Cloud Apps, Defender for Office 365, or full Advanced Hunting. E3 provides Defender for Endpoint P1 and basic XDR functionality. Full XDR requires E5.

Email delivery logs

Licensing determines detection coverage. An E3 organization has significant blind spots in identity, cloud apps, and email protection. Understanding what is and is not available helps you advise leadership on the security implications of licensing decisions — a skill the exam tests indirectly.

1.2 Mitigate Incidents Using Microsoft Defender XDR →