1.9 Module Summary

10-14 hours · Module 1 · Free

Module 1 Summary: Mitigate Threats Using Microsoft Defender XDR

What you learned in this module

This module taught you how Defender XDR operates as an integrated threat protection platform and how you — as a SOC analyst — use it to detect, investigate, and respond to threats that span email, identity, endpoints, and cloud applications.

In subsection 1.1, you learned the architecture of Defender XDR: the unified portal at security.microsoft.com and how it aggregates data from Defender for Office 365, Defender for Endpoint, Defender for Identity, Defender for Cloud Apps, and Entra ID Protection into a single operational surface. You learned that the portal is not just a dashboard — it is your primary investigation workspace, with Advanced Hunting, the Action Center, Threat Analytics, and Secure Score all accessible from a single navigation structure.

In subsection 1.2, you learned the incident lifecycle: how Defender XDR correlates individual alerts from multiple products into unified incidents, how to triage incidents using the 5-minute rule, how to classify alerts as True Positive, False Positive, Benign True Positive, or Unknown, and how automated investigation and response (AIR) handles remediation with varying levels of analyst involvement depending on your automation configuration.

In subsection 1.3, you learned how Defender for Office 365 protects the email layer: Safe Links detonation of URLs at click time, Safe Attachments sandboxing, Zero-hour Auto Purge (ZAP) for retroactive removal of threats discovered after delivery, and Automated Investigation and Response for email-based incidents. You learned to investigate phishing delivery using EmailEvents, track URL clicks with UrlClickEvents, and use Threat Explorer for campaign analysis.

In subsection 1.4, you learned endpoint investigation: reading device timelines and process trees, interpreting parent-child process relationships to identify malicious execution chains, performing response actions in the correct sequence (collect before isolate), using live response for remote forensic collection on isolated devices, and investigating evidence entities (files, IPs, URLs, users) to determine the blast radius of an endpoint compromise.

In subsection 1.5, you learned how Defender for Identity monitors on-premises Active Directory through domain controller sensors, detecting reconnaissance, credential theft (Kerberoasting, DCSync), lateral movement (pass-the-hash, pass-the-ticket), and domain dominance (golden ticket, skeleton key). You learned to use Lateral Movement Paths to understand how attackers traverse credential-sharing relationships between devices and accounts.

In subsection 1.6, you learned how Defender for Cloud Apps provides the cloud application layer: Cloud Discovery for shadow IT identification, app connectors for deep SaaS visibility, anomaly detection policies for behavioral analysis, OAuth app governance for detecting consent phishing, and Conditional Access App Control for real-time session enforcement. You learned to investigate post-compromise activity in CloudAppEvents — inbox rules, file downloads, OAuth consent grants — and to take response actions across Entra ID, Exchange Online, and connected applications.

In subsection 1.7, you learned the daily SOC workflow that Microsoft Learn does not teach: the shift start routine (queue review, handover, data pipeline health check, Threat Analytics), the 5-minute triage methodology, priority-based investigation, documentation standards that enable continuity across shifts, shift handover practices, and alert fatigue management through systematic false positive reduction.

In subsection 1.8, you learned cross-product incident correlation: the Advanced Hunting table schema mapped to each Defender product, entity-based pivoting (user, IP, device, file hash) to connect events across products, building unified attack timelines using KQL union queries, and correlation patterns for common attack types (phishing → credential theft → BEC, phishing → malware → endpoint compromise, credential theft → lateral movement → exfiltration).
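A cross-product timeline query of the kind subsection 1.8 describes, written here as an added example rather than a query taken from the course. The UPN and lookback window are constructed placeholders; matching CloudAppEvents on AccountId is an assumption, since that column can hold an object ID rather than a UPN in some tenants.

```kql
// Constructed placeholder values, not from the course material
let target_user = "user@contoso.example";   // UPN of the account under investigation
let lookback = 7d;
// Each product table is normalised to the same five columns so union can merge them
let email = EmailEvents
    | where Timestamp > ago(lookback)
    | where RecipientEmailAddress =~ target_user
    | project Timestamp, Source = "MDO", Activity = DeliveryAction,
              Detail = strcat("From ", SenderFromAddress, ": ", Subject),
              IPAddress = SenderIPv4, NetworkMessageId;
let clicks = UrlClickEvents
    | where Timestamp > ago(lookback)
    | where AccountUpn =~ target_user
    | project Timestamp, Source = "MDO-Click", Activity = ActionType,
              Detail = Url, IPAddress, NetworkMessageId;
let signins = IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where AccountUpn =~ target_user
    | project Timestamp, Source = "Identity", Activity = ActionType,
              Detail = strcat(Application, " / ", LogonType),
              IPAddress, NetworkMessageId = "";
let endpoint = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where AccountUpn =~ target_user
    | project Timestamp, Source = "MDE", Activity = "ProcessCreated",
              Detail = strcat(DeviceName, ": ", InitiatingProcessFileName,
                              " -> ", FileName, " ", ProcessCommandLine),
              IPAddress = "", NetworkMessageId = "";
let cloudapps = CloudAppEvents
    | where Timestamp > ago(lookback)
    | where AccountId =~ target_user   // assumption: AccountId holds the UPN here
    | project Timestamp, Source = "MDA", Activity = ActionType,
              Detail = strcat(Application, " / ", ObjectName),
              IPAddress, NetworkMessageId = "";
// Merge all sources into one chronological timeline for the account
union email, clicks, signins, endpoint, cloudapps
| sort by Timestamp asc
| project Timestamp, Source, Activity, Detail, IPAddress, NetworkMessageId
```

NetworkMessageId is carried through so a delivered message and the click on its URL can be tied together; the IPAddress column lets you pivot from a suspicious sign-in to the cloud app activity that shares the same source address.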


How this module connects to the rest of the course

Module 1 provides the operational foundation for everything that follows. Every subsequent module teaches you to go deeper into a specific area that Module 1 introduced at an overview level:

Module 2 (Mitigate Threats Using Microsoft Defender for Endpoint) expands on subsection 1.4. Where this module taught you to investigate endpoint alerts in the XDR context, Module 2 teaches you to deploy, configure, and operationally manage Defender for Endpoint — onboarding, sensor configuration, ASR rules, EDR configuration, device groups, compliance policies, and Threat and Vulnerability Management.

Module 3 (Mitigate Threats Using Microsoft Defender for Cloud) introduces cloud workload protection — a product area not covered in this module because it operates outside the M365 ecosystem. Defender for Cloud protects Azure resources, hybrid workloads, and multi-cloud environments. Module 3 connects to Module 1 through the unified incident queue: cloud workload alerts from Defender for Cloud appear alongside M365 alerts in the same XDR portal.

Module 4 (Mitigate Threats Using Microsoft Defender for Office 365) expands on subsection 1.3. Where this module taught investigation, Module 4 teaches configuration: anti-phishing policies, Safe Links and Safe Attachments policy design, email authentication (SPF, DKIM, DMARC), transport rules, and AIR configuration.

Module 6 (KQL Fundamentals) provides the query language that powers every Advanced Hunting query in this module. The queries in subsections 1.4 through 1.8 used KQL operators and functions such as where, project, summarize, union, make_set, and strcat. Module 6 teaches these from the ground up so you can write your own investigation queries rather than relying on templates.

Modules 7-8 (Sentinel Environment and Data Connectors) expand on the Sentinel concepts briefly mentioned in this module. While Defender XDR's Advanced Hunting covers M365 data, Sentinel extends investigation to third-party data sources, custom detections, automation playbooks, and long-term log retention.

Module 12 (AiTM Credential Phishing Investigation) is the direct application of everything in this module. The AiTM investigation scenario uses every product covered here: email delivery analysis (MDO), sign-in investigation (Entra ID), endpoint analysis (MDE, if malware was involved), cloud app post-compromise analysis (MDA), and cross-product correlation (Advanced Hunting unions). Module 1 teaches you the tools. Module 12 teaches you to use them together on a real-world investigation.


Key skills to retain

The following skills from this module will be used repeatedly throughout the course:

  • Reading an incident in the unified queue and performing 5-minute triage.
  • Writing Advanced Hunting queries against EmailEvents, IdentityLogonEvents, DeviceProcessEvents, and CloudAppEvents.
  • Performing the correct response action sequence for endpoint compromise (collect → isolate → investigate).
  • Using entity pivots (user, IP, device, file hash) to expand or narrow an investigation.
  • Building cross-product union queries to construct a unified attack timeline.
  • Documenting investigation findings in incident comments that enable shift continuity.

If any of these skills feel uncertain, revisit the relevant subsection and complete the try-it-yourself exercises before moving to Module 2.


What comes next

If you are following the recommended module order, your next module is Module 6: Create Queries for Microsoft Sentinel Using KQL. Module 6 teaches the query language that makes everything in Module 1 possible. You will learn KQL from first principles — constructing statements, analyzing results, multi-table queries, string manipulation, security-specific query patterns, and performance optimization. Once you complete Module 6, return to the Advanced Hunting queries in this module and you will understand not just what they do, but how to modify them for your specific investigation scenarios.


You've set up your M365 tenant and learned the Defender XDR unified portal.

Module 0 got your M365 developer tenant configured with sample data. Module 1 took you through the Defender XDR unified incident queue across endpoint, email, identity, and cloud apps. Now you investigate every major M365 attack type and deploy the detections that catch them next time.

  • 15 investigation and configuration modules — Defender for Endpoint, Purview, Defender for Cloud, Security Copilot, Sentinel workspace design, log ingestion, analytics rules, and threat hunting
  • 5 named attack investigations — AiTM credential phishing, BEC and financial fraud, consent phishing and OAuth grant abuse, token replay and session hijacking, insider threat
  • KQL from fundamentals through advanced hunting — dedicated modules on query language, cross-table joins, statistical analysis, and threat hunting queries
  • SC-200 exam objectives fully covered — every module maps to the January 2026 SC-200 update. The certification is the side effect of operational competence, not the goal
  • Production artefacts per module — detection rules, investigation playbooks, and hardening checklists you deploy to your own tenant