1.1 Introduction to Microsoft Defender XDR Threat Protection
10-14 hours · Module 1 · Free
Operational Objective
This subsection covers introduction to microsoft defender xdr threat protection — a core operational skill for security teams working in Microsoft 365 environments. Every concept is demonstrated through practical scenarios from the Northgate Engineering environment.
Deliverable: Working proficiency with the techniques and operational patterns covered in this subsection.
Estimated completion: 25 minutes
Introduction to Microsoft Defender XDR Threat Protection
Introduction
Required role: Security Reader (minimum for portal navigation). Security Administrator for configuration changes.
Microsoft Defender XDR (Extended Detection and Response) is the unified security platform that ties together four specialized security products — Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps — under a single correlation engine and investigation interface.
Expand for Deeper Context
Before Defender XDR existed, each product operated independently. An email alert was in one portal. An endpoint alert was in another. An identity alert was in a third. An analyst investigating a phishing attack that compromised a user's credentials, led to malware on their device, and resulted in data exfiltration through a cloud app had to pivot between four separate portals, manually connecting the evidence.
Defender XDR solves this by:
1. Correlating alerts into incidents — a phishing email alert, a suspicious sign-in alert, and a malware detection alert become a single incident when XDR determines they are part of the same attack 2. Providing a unified investigation interface — one portal, one incident queue, one advanced hunting schema across all products 3. Enabling cross-product response — from a single incident view, you can remediate email, isolate a device, revoke user sessions, and block an OAuth app
This subsection maps the platform architecture so you understand what each component does, what data it produces, and how the pieces connect. Subsections 1.2-1.6 then go deep on each component.
Figure 1.1: The Defender XDR architecture. Four specialized products feed signals into the XDR correlation engine, which groups related alerts into incidents and presents them through a unified investigation interface at security.microsoft.com.
---
The four pillars of Defender XDR
Each Defender product protects a specific domain and produces specific data. Understanding what each one does — and what it does NOT do — is essential for knowing where to look during an investigation.
Microsoft Defender for Endpoint
What it protects: Devices — Windows, macOS, Linux, iOS, Android workstations and servers.
What it detects: Malware execution, suspicious process behavior, network connections to known-malicious destinations, credential dumping, lateral movement, privilege escalation, persistence mechanisms.
Key data tables: - DeviceProcessEvents — every process created on the device (the most important endpoint table) - DeviceNetworkEvents — every network connection made by processes - DeviceFileEvents — file creation, modification, deletion - DeviceLogonEvents — local and remote logon events - DeviceRegistryEvents — registry key changes (persistence indicators) - DeviceInfo — device inventory and health status
Key response actions: Isolate device, collect investigation package, run antivirus scan, restrict app execution, live response (remote shell).
Coverage gap: Does not protect email content, identity infrastructure, or cloud applications. If the attacker operates purely through OAuth tokens and never touches a device, Defender for Endpoint generates no alerts.
Microsoft Defender for Office 365
What it protects: Email (Exchange Online), collaboration (Teams, SharePoint, OneDrive) — the communication and file-sharing layer.
What it detects: Phishing emails (including impersonation and spoof), malicious attachments (sandbox detonation), malicious URLs (time-of-click scanning), business email compromise patterns, malicious files in SharePoint/OneDrive/Teams.
Key data tables: - EmailEvents — every email received, with delivery action and threat classification - EmailAttachmentInfo — attachment metadata and threat verdict - EmailUrlInfo — URLs in email bodies with scanning results - EmailPostDeliveryEvents — ZAP actions taken after delivery - UrlClickEvents — user click tracking for Safe Links
Key response actions: Soft delete/hard delete emails from mailboxes, block sender, submit for analysis, automated investigation of email campaigns.
Coverage gap: Does not protect endpoints, identity, or non-M365 cloud apps. A zero-day malware attachment that passes sandbox detection and executes on a device is an Endpoint problem, not an Office 365 problem.
Microsoft Defender for Identity
What it protects: On-premises Active Directory and hybrid identity infrastructure — the authentication backbone.
What it detects: Reconnaissance (LDAP enumeration, DNS reconnaissance), credential theft (Kerberoasting, AS-REP roasting, DCSync, pass-the-hash), lateral movement (pass-the-ticket, overpass-the-hash, remote code execution), privilege escalation (SID-history injection, domain controller exploitation).
Key data tables: - IdentityLogonEvents — authentication events from AD domain controllers - IdentityQueryEvents — LDAP, DNS, and SMB queries (reconnaissance indicators) - IdentityDirectoryEvents — directory changes (group membership, password resets)
Key response actions: Disable user account in Active Directory, force password reset, suspend user in Entra ID.
Coverage gap: Requires sensors installed on domain controllers. Does not protect cloud-only (Entra ID only) environments. Does not detect attacks that bypass AD entirely (e.g., AiTM token replay against Entra ID — this is why the Module 12 AiTM investigation does not rely heavily on Defender for Identity).
Microsoft Defender for Cloud Apps
What it protects: Cloud applications — both Microsoft (M365 services) and third-party SaaS (Salesforce, Google Workspace, Dropbox, etc.).
What it detects: Anomalous cloud app usage, OAuth consent phishing (malicious app registrations), impossible travel for cloud apps, mass file download (data exfiltration), shadow IT (unauthorized SaaS usage), suspicious inbox rules.
Key data tables: - CloudAppEvents — activity across connected cloud applications
Coverage gap: Requires app connectors for third-party SaaS visibility. Detection depth depends on the API access granted by each SaaS provider. On-premises applications without cloud connectivity are invisible.
---
The XDR correlation engine — how signals become incidents
The defining capability of Defender XDR is automated incident correlation. Individual alerts from different products are automatically grouped into incidents when XDR identifies shared entities — the same user, the same IP address, the same device, the same email.
Example: an AiTM phishing attack across the stack
1. Defender for Office 365 detects a suspicious email → generates an alert 2. Entra ID Protection detects a sign-in from an unusual location with a suspicious token → generates an alert 3. Defender for Cloud Apps detects an inbox rule creation with suspicious keywords → generates an alert 4. Defender for Endpoint detects a suspicious process on the user's device → generates an alert
Figure 1.2: Four alerts from four different products automatically correlated into a single incident because they share the same user entity. The analyst investigates one incident, not four separate alerts.
All four alerts reference the same user. XDR correlates them into a single incident: "Multi-stage attack: phishing → credential theft → post-compromise activity → endpoint compromise." The analyst sees one incident with four correlated alerts, not four separate alerts in four separate queues.
The unified incident is the starting point for every investigation
You do not investigate individual alerts. You investigate incidents. An incident may contain 1 alert or 20 alerts. The correlation engine has already done the initial grouping for you — your job is to validate the correlation (are these truly related?), determine the scope (what else is affected?), and take action (contain, eradicate, recover).
---
The unified portal — security.microsoft.com
The Defender XDR portal at security.microsoft.com is your primary workspace. Understanding its layout saves time during every investigation.
Figure: The Defender XDR portal layout. The left navigation provides access to all investigation tools. The main area shows the incident queue with Attack disruptions summary, filter bar, and incident list sorted by priority score. This is the view you check at the start of every shift.
Figure: The Defender XDR incident queue at security.microsoft.com → Incidents & alerts → Incidents. Each row represents a correlated incident with severity, name, status, attack categories, impacted assets, and last activity time. The analyst triages from highest severity and most recent activity first.
Key sections:
Portal section
What it shows
When you use it
Incidents & alerts
The unified incident queue — all correlated alerts across products
Every shift. Triage, investigate, resolve.
Hunting → Advanced Hunting
KQL query interface across all Defender tables
When the incident queue does not have the answer. Module 6 skills apply here.
Actions & submissions → Action center
Pending and completed response actions (AIR approvals, manual actions)
When reviewing automated investigation results, approving remediation.
Threat intelligence → Threat analytics
Microsoft's threat intelligence reports with environment impact assessment
When a new threat is published and you need to check exposure.
Assets → Devices / Identities
Device and user inventory with security posture
During investigation to check device health, user risk level.
Email & collaboration → Explorer
Threat Explorer for email investigation (P2 only)
During phishing investigation — campaign analysis, bulk remediation.
Settings
Configuration for all Defender products, automation, RBAC
During initial setup and policy changes (Module 4 deep dive).
Secure Score
Organization security posture measurement
Weekly review for security improvement recommendations.
Bookmark security.microsoft.com — it is your home for the rest of the course
Navigate to it now and click through the sections above. Find the incident queue (Incidents & alerts → Incidents). Find Advanced Hunting (Hunting → Advanced Hunting). Find Threat Explorer (Email & collaboration → Explorer). Knowing where things are before an incident reduces friction during an investigation.
---
Advanced Hunting — the KQL interface
Advanced Hunting is where Module 6 (KQL) meets Module 1 (Defender XDR). The same KQL queries you wrote against Sentinel tables work in Advanced Hunting — but the tables are slightly different.
Figure: The Advanced Hunting interface at security.microsoft.com → Hunting → Advanced Hunting. The KQL query editor (top) accepts the same syntax from Module 6. Results display in tabular form below. This is where you pivot from the incident UI to raw data investigation.
Sentinel vs Advanced Hunting table availability:
Table
Available in Sentinel (via connector)
Available in Advanced Hunting
DeviceProcessEvents
Yes (when connected)
Yes (native)
EmailEvents
Yes (when connected)
Yes (native)
SigninLogs
Yes (native Sentinel table)
No — use IdentityLogonEvents instead
IdentityLogonEvents
Yes (when connected)
Yes (native)
CloudAppEvents
Yes (when connected)
Yes (native)
AlertInfo / AlertEvidence
Yes
Yes
SigninLogs is a Sentinel table, not a Defender table
If you write a KQL query using SigninLogs in Advanced Hunting, it will fail. The equivalent data in Advanced Hunting is in IdentityLogonEvents and AADSignInEventsBeta. When the course provides a KQL query, it specifies whether the query is for Sentinel or Advanced Hunting. Most investigation queries work in both — the table names may differ.
---
Licensing — what you get at each tier
Understanding licensing matters because it determines which features are available in your portal.
Feature
M365 E3
M365 E5
M365 Business Premium
Defender for Endpoint
P1 (basic)
P2 (full EDR)
P1
Defender for Office 365
Not included
P2 (full)
P1
Defender for Identity
Not included
Included
Not included
Defender for Cloud Apps
Not included
Included
Not included
Defender XDR (full correlation)
Partial
Full
Partial
Advanced Hunting
Limited
Full
Limited
Threat Explorer
Not included
Included
Not included
AIR (Automated Investigation)
Basic
Full
Basic
This course assumes M365 E5
All four Defender products, full Advanced Hunting, Threat Explorer, and complete AIR require E5. If you are on E3 or Business Premium, you will have access to some features but not all. The developer tenant from Module 0 provides E5 licensing for lab exercises.
Try it yourself
Incidents queue: Likely empty in a new lab — no threa...
Navigate to security.microsoft.com in your lab tenant. Find and click through these sections: (1) Incidents queue, (2) Advanced Hunting, (3) Threat Explorer, (4) Action center, (5) Secure Score. For each, note whether it is populated with data or empty. If Advanced Hunting is accessible, run the query DeviceInfo | take 5 to confirm the table is queryable.
Incidents queue: Likely empty in a new lab — no threats detected yet. This is normal.
Advanced Hunting: Should be accessible. DeviceInfo | take 5 may return results if you have onboarded a device, or may be empty if no devices are onboarded yet. The query should not error — if it errors, your E5 license may not be fully provisioned.
Threat Explorer: Accessible with E5. Shows email traffic — may have minimal data from test emails you sent in Module 0.6.
Action center: Empty — no automated investigations have run yet.
Secure Score: Should show your current security posture score with improvement recommendations. New tenants typically score 30-40% — the recommendations show what needs configuration.
Compliance mapping
NIST CSF: DE.AE-1 (Baseline of operations established), PR.DS-1 (Data-at-rest is protected). ISO 27001: A.8.15 (Logging), A.8.16 (Monitoring activities). SOC 2: CC7.2 (Monitor system components). Every configuration in this subsection contributes to the logging and monitoring controls that auditors verify.
Compliance Myth: "Enabling all Defender products means you are protected"
The myth: Enabling all Defender products means you are protected
The reality: Licensing a product is not deploying a product. Defender for Endpoint requires onboarding devices, configuring policies, and validating telemetry. Defender for Office 365 requires configuring anti-phishing policies, safe links, and safe attachments for your specific domains and VIPs. An enabled-but-unconfigured Defender product provides less protection than a properly configured open-source alternative. Configuration is the capability — the license is just the starting point.
Check your understanding
1. An analyst receives four separate alerts: a suspicious email delivery, a risky sign-in, an inbox rule creation, and a malware detection — all involving the same user within 30 minutes. In Defender XDR, how do these appear?
As a single incident containing four correlated alerts. The XDR correlation engine identifies the shared entity (the user) and groups the alerts automatically. The analyst investigates one incident, not four separate alerts.
As four separate incidents, one per alert
As one alert with four sub-alerts
As a threat analytics report
Incident correlation is the defining feature of XDR. Individual alerts are evidence. The incident is the investigation context. Starting from the incident gives you the full picture — starting from individual alerts gives you fragments.
2. A user's account is compromised via AiTM phishing. The attacker replays the stolen token from their own device (not enrolled in the organization) and accesses the user's mailbox. Which Defender product detects the mailbox access?
Defender for Endpoint — it detects malware on the user's device
Defender for Identity — it detects the credential theft
Defender for Cloud Apps — CloudAppEvents captures the anomalous inbox activity and rule creation. Defender for Endpoint does not detect this because the attacker never touched the user's device. Defender for Identity may not detect it because AiTM bypasses on-premises AD (token replay goes directly to Entra ID/Exchange Online).
None — Defender XDR cannot detect token replay
Understanding each product's detection domain is critical for investigation. AiTM token replay operates at the cloud authentication and application layer — Defender for Cloud Apps and Entra ID Protection are the detection points, not Endpoint or Identity. This is why the Module 12 AiTM investigation focuses on sign-in logs and cloud app events, not device timelines.
3. You write a KQL query using SigninLogs in the Advanced Hunting interface and it fails. Why?
SigninLogs is a Sentinel-native table, not available in Advanced Hunting. The equivalent data in Advanced Hunting is in IdentityLogonEvents and AADSignInEventsBeta. When moving queries between Sentinel and Advanced Hunting, verify table availability — the schema overlaps significantly but table names differ.
Your KQL syntax is wrong
Advanced Hunting does not support KQL
You need a P2 license for sign-in data
Table availability differences between Sentinel and Advanced Hunting are a common gotcha. Always check which interface you are using before running a query. The KQL syntax is identical — the data tables are not.
4. Your organization has M365 E3 licensing. Which Defender XDR capability is NOT available?
Defender for Endpoint P1 (basic protection)
Basic incident queue
Defender for Identity. E3 does not include Defender for Identity, Defender for Cloud Apps, Defender for Office 365, or full Advanced Hunting. E3 provides Defender for Endpoint P1 and basic XDR functionality. Full XDR requires E5.
Email delivery logs
Licensing determines detection coverage. An E3 organization has significant blind spots in identity, cloud apps, and email protection. Understanding what is and is not available helps you advise leadership on the security implications of licensing decisions — a skill the exam tests indirectly.
Decision point
You manage NE's M365 security stack. Microsoft releases a new Defender feature in preview. The feature promises to reduce AiTM risk by 80%. Do you enable it immediately?
Not in production. Enable in a test tenant or for a pilot group first. Preview features may: change behavior before GA, have undocumented interactions with existing CA policies, or produce unexpected results in specific tenant configurations. The deployment sequence: (1) enable in a test tenant and validate against NE's CA policy set, (2) enable for a pilot group of 10 users for 2 weeks, (3) monitor for FPs and operational impact, (4) roll out to all users after successful pilot. Microsoft's '80% reduction' claim is based on their telemetry across all tenants — NE's specific configuration may produce different results.
You've set up your M365 tenant and learned the Defender XDR unified portal.
Module 0 got your M365 developer tenant configured with sample data. Module 1 took you through the Defender XDR unified incident queue across endpoint, email, identity, and cloud apps. Now you investigate every major M365 attack type and deploy the detections that catch them next time.
15 investigation and configuration modules — Defender for Endpoint, Purview, Defender for Cloud, Security Copilot, Sentinel workspace design, log ingestion, analytics rules, and threat hunting
5 named attack investigations — AiTM credential phishing, BEC and financial fraud, consent phishing and OAuth grant abuse, token replay and session hijacking, insider threat
KQL from fundamentals through advanced hunting — dedicated modules on query language, cross-table joins, statistical analysis, and threat hunting queries
SC-200 exam objectives fully covered — every module maps to the January 2026 SC-200 update. The certification is the side effect of operational competence, not the goal
Production artefacts per module — detection rules, investigation playbooks, and hardening checklists you deploy to your own tenant
