1.9 Microsoft Defender XDR
Defender XDR is the unifying layer. It is positioned last in the component subsections because you now understand all the components that feed into it.
Without Defender XDR, a phishing email alert, a suspicious sign-in alert, and an inbox rule alert are three separate items in three separate queues. With Defender XDR, they become one incident that tells the complete attack story. This is the difference between alert fatigue and actionable intelligence.
Defender XDR is an Extended Detection and Response platform that correlates signals across all Defender products and Entra ID into unified incidents. It is not a separate product you buy — it is the orchestration layer that sits on top of Defender for Endpoint, Office 365, Identity, and Cloud Apps. It is where individual alerts become multi-stage attack stories.
Unified Incident Queue. All alerts from all Defender products and Entra ID Protection are correlated into incidents. A single incident can contain alerts from three or four different products, telling the complete attack story. Example: a phishing email is detected by Defender for Office 365, a suspicious sign-in is flagged by Entra ID Protection, an inbox rule is created and caught by Defender for Cloud Apps, and lateral phishing is sent and detected by Defender for Office 365 again. Defender XDR presents this as one incident, not four disconnected alerts.
Cross-Product Correlation Engine. Automatic grouping of related alerts based on shared entities — users, devices, IP addresses, file hashes. This reduces alert fatigue by presenting one incident instead of dozens of individual alerts from the same attack.
Advanced Hunting. The KQL query interface that queries across all Defender data tables simultaneously. The tables from subsections 1.1 through 1.4 — DeviceProcessEvents, EmailEvents, IdentityLogonEvents, CloudAppEvents, and more — are all accessible here. This is where Modules 2, 23, and the investigation scenarios spend most of their time.
Automated Investigation and Response. Cross-product AIR that investigates across endpoint, email, and identity simultaneously. It can take coordinated remediation actions across products.
Attack Disruption. Automatic containment of in-progress attacks. When Defender XDR detects a high-confidence attack in progress — for example, active ransomware deployment — it can automatically disable the compromised account and isolate affected devices without waiting for analyst approval. Designed for machine-speed response to human-speed threats.
Threat Analytics. Curated threat intelligence reports from Microsoft’s security researchers. Each report covers a specific threat (a new ransomware variant, an active exploitation campaign) with an analyst summary, affected assets in your tenant, detection coverage assessment, and recommended actions.
Action Centre. Centralised view of all remediation actions taken across all products — pending approvals, completed actions, and action history. This is where you approve or reject AIR recommendations.
Exposure Management. Assessment of organisational security posture based on attack paths, vulnerabilities, and configuration weaknesses across all connected assets. Covered in depth in Module 12.
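The "shared entity" idea behind the cross-product correlation engine can be seen directly in advanced hunting. The query below is an added illustration, not part of the original module or Microsoft's own correlation logic: it groups the last 24 hours of alerts by the user they have in common and lists which products (ServiceSource) raised them, so a user that three products have each flagged surfaces as one row. Table and column names follow the Defender XDR AlertInfo and AlertEvidence schema; the 24-hour window and the "two or more products" threshold are assumptions.

```kusto
// Added example: approximate the correlation engine's grouping of alerts by a
// shared user entity. AlertInfo and AlertEvidence are real Defender XDR tables;
// the lookback and the product-count threshold are assumptions.
let lookback = 24h;
// Every alert that names a user as evidence, reduced to (AlertId, AccountUpn)
let UserEvidence =
    AlertEvidence
    | where Timestamp > ago(lookback)
    | where EntityType == "User" and isnotempty(AccountUpn)
    | project AlertId, AccountUpn;
AlertInfo
| where Timestamp > ago(lookback)
| project AlertId, AlertTime = Timestamp, Title, Severity, ServiceSource, Category
| join kind=inner UserEvidence on AlertId
| summarize
    AlertCount  = dcount(AlertId),
    Products    = make_set(ServiceSource),   // which Defender products contributed
    Categories  = make_set(Category),        // e.g. InitialAccess, Persistence
    AlertTitles = make_set(Title),
    FirstAlert  = min(AlertTime),
    LastAlert   = max(AlertTime)
    by AccountUpn
| extend ProductCount = array_length(Products)
// Keep only users seen by more than one product: the multi-stage story
| where ProductCount >= 2
| order by ProductCount desc, AlertCount desc
```

Reading the result side by side with the incident queue shows the same grouping the engine performs automatically; the engine also correlates on devices, IP addresses and file hashes, which the query could be extended to by swapping AccountUpn for DeviceId or RemoteIP.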
Advanced hunting schema reference
The unified schema spans all products. Device tables come from Defender for Endpoint. Email tables come from Defender for Office 365. Identity tables come from Defender for Identity. CloudApp tables come from Defender for Cloud Apps. Alert tables contain cross-product alert data. AAD and Signin tables come from Entra ID when ingested into Sentinel.
You will learn to query these tables in Module 2. For now, understand that advanced hunting gives you a single query surface across the entire security stack.
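To make "a single query surface across the entire security stack" concrete, here is an added example (not from the original module) that builds one chronological timeline for a single user from the email, identity, cloud-app and endpoint tables in one query. Table and column names are the Defender XDR advanced hunting schema; the user (taken from the AiTM incident card later in this section), the 7-day window and the Source labels are assumptions, as is the mapping of the UPN prefix to the on-premises account name used in DeviceLogonEvents.

```kusto
// Added example: one user's activity across four products in one query.
// Assumptions: the UPN below, the 7d window, and that the endpoint account
// name equals the UPN prefix (true in many tenants, not all).
let user = "j.morrison@northgateeng.com";
let lookback = 7d;
let samAccount = tostring(split(user, "@")[0]);
union
    // Defender for Office 365: mail delivered to the user, with any threat verdict
    (EmailEvents
     | where Timestamp > ago(lookback) and RecipientEmailAddress =~ user
     | project Timestamp, Source = "Defender for Office 365",
               Event = strcat("Email from ", SenderFromAddress, ": ", Subject),
               Detail = ThreatTypes, IPAddress = SenderIPv4),
    // Identity: sign-ins (cloud and on-premises) with location and ISP
    (IdentityLogonEvents
     | where Timestamp > ago(lookback) and AccountUpn =~ user
     | project Timestamp, Source = "Identity",
               Event = strcat(ActionType, " to ", Application),
               Detail = strcat(Location, " / ", Isp), IPAddress),
    // Defender for Cloud Apps: SaaS actions such as inbox rules and downloads
    (CloudAppEvents
     | where Timestamp > ago(lookback) and AccountId =~ user
     | project Timestamp, Source = "Defender for Cloud Apps",
               Event = strcat(ActionType, " in ", Application),
               Detail = ObjectName, IPAddress),
    // Defender for Endpoint: logons to managed devices
    (DeviceLogonEvents
     | where Timestamp > ago(lookback) and AccountName =~ samAccount
     | project Timestamp, Source = "Defender for Endpoint",
               Event = strcat(LogonType, " logon on ", DeviceName),
               Detail = ActionType, IPAddress = RemoteIP)
| order by Timestamp asc
```

Because every branch projects the same five columns, the union lines up cleanly and the IPAddress column lets you spot the same source address appearing in a phishing email, a sign-in and a cloud-app action without leaving the query editor.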
How it connects
Defender XDR is the connection layer — it consumes signals from all four Defender products plus Entra ID. Incidents can be forwarded to Sentinel for additional correlation with non-Microsoft data. The Defender portal is increasingly becoming the unified SOC workspace with Sentinel integration. Actions taken in Defender XDR are logged and auditable in the action centre and in Sentinel.
Key takeaways
- Defender XDR is the correlation layer — it turns individual alerts into multi-stage incident narratives
- Advanced hunting provides a single KQL query surface across all security data
- Attack disruption can contain high-confidence attacks without analyst approval
- The unified incident queue is where most SOC analysts start their day
- Requires two or more Defender products; full XDR requires M365 E5
Licensing
Defender XDR capabilities are available when you have two or more Defender products licensed (for example, Defender for Endpoint P2 plus Defender for Office 365 P2). Full XDR with all four signal sources requires M365 E5. Advanced hunting is available with any Defender product, but cross-product queries require the relevant product licences.
Try it yourself
With Defender XDR: 1 incident. The correlation engine groups all alerts by shared entities (the same user, same IP, same timeframe) into a single multi-stage incident that tells the complete attack story. This is the difference between alert fatigue and actionable intelligence.
Check your understanding
1. What does Defender XDR use to correlate alerts from different products into a single incident?
2. Defender XDR detects active ransomware deployment. What can Attack Disruption do without waiting for analyst approval?
3. You need to query across DeviceProcessEvents, EmailEvents, and IdentityLogonEvents in a single query. Where do you do this?
Incident: AiTM credential phishing campaign
This incident was automatically correlated from 4 alerts across 3 products. The correlation engine matched the same user entity (j.morrison@northgateeng.com) and the same source IP across all alerts.
Incident: Mailbox forwarding rule to external domain
Two correlated alerts based on shared user entity. The user signed in from a new location, then created a forwarding rule to an external email address — a classic BEC indicator.
Incident: Possible token replay attack
A non-interactive sign-in from an IP that has never been associated with this user, accessing Exchange Online and SharePoint. No corresponding interactive sign-in from the same location.
Incident: Potential data exfiltration
A user downloaded 847 files from SharePoint within a 30-minute window. HR has confirmed this employee submitted their resignation last week.
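The "Mailbox forwarding rule to external domain" incident above pairs two signals: a sign-in from a new location and an inbox rule that sends mail outside the tenant. The following hunting query is an added example, not part of the module or of Microsoft's detection logic: it finds New-InboxRule and Set-InboxRule events whose forward or redirect target is an external domain, then checks whether the same user signed in during the preceding 24 hours from a location not seen for that user in the prior 30 days. Tables and columns are the Defender XDR schema (CloudAppEvents, IdentityLogonEvents); the internal domain list, the time windows, and the assumption that CloudAppEvents.AccountId holds the UPN for Exchange Online audit events are assumptions.

```kusto
// Added example: external forwarding rule + sign-in from a new location.
// Assumptions: the tenant domain list, the 7d/24h/30d windows, and that
// AccountId in CloudAppEvents is the user's UPN for Exchange Online events.
let internalDomains = dynamic(["northgateeng.com"]);
// 1. Inbox rules whose ForwardTo / ForwardAsAttachmentTo / RedirectTo points outside the tenant
let ExternalForwardRules =
    CloudAppEvents
    | where Timestamp > ago(7d)
    | where Application == "Microsoft Exchange Online"
    | where ActionType in ("New-InboxRule", "Set-InboxRule")
    | extend Params = parse_json(RawEventData).Parameters
    | mv-expand Params
    | extend ParamName = tostring(Params.Name), ParamValue = tostring(Params.Value)
    | where ParamName in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
    // Values look like "[SMTP:someone@domain.tld]"; pull out just the domain
    | extend TargetDomain = tolower(extract(@"@([A-Za-z0-9.-]+)", 1, ParamValue))
    | where isnotempty(TargetDomain) and TargetDomain !in (internalDomains)
    | project RuleTime = Timestamp, User = tolower(AccountId), RuleIP = IPAddress,
              ParamName, ParamValue, TargetDomain;
// 2. Baseline: locations each user signed in from during the 30 days before the hunt window
let Baseline =
    IdentityLogonEvents
    | where Timestamp between (ago(37d) .. ago(7d))
    | where ActionType == "LogonSuccess" and isnotempty(Location)
    | summarize SeenLocations = make_set(Location) by User = tolower(AccountUpn);
// 3. Successful sign-ins inside the hunt window
let RecentSignins =
    IdentityLogonEvents
    | where Timestamp > ago(7d)
    | where ActionType == "LogonSuccess"
    | project SigninTime = Timestamp, User = tolower(AccountUpn),
              SigninIP = IPAddress, Location, Isp;
ExternalForwardRules
| join kind=inner RecentSignins on User
| project-away User1
// Only sign-ins in the 24h leading up to the rule creation
| where SigninTime between ((RuleTime - 24h) .. RuleTime)
| join kind=leftouter Baseline on User
| extend NewLocation = isnull(SeenLocations) or not(set_has_element(SeenLocations, Location))
| project RuleTime, User, ParamName, ParamValue, TargetDomain, RuleIP,
          SigninTime, SigninIP, Location, Isp, NewLocation
| order by RuleTime desc
```

Rows with NewLocation == true are the ones the correlation engine would have stitched into a single incident from the Entra ID Protection and Defender for Cloud Apps alerts; rows where the location is already in the baseline are more likely legitimate users forwarding to a personal mailbox, which still merits a policy check but not the same urgency.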
Advanced Hunting lets you query across all data tables with KQL.
// Phishing emails seen in the last 24 hours. The ThreatTypes, SenderFromAddress,
// RecipientEmailAddress and Subject columns belong to the EmailEvents table.
// TimeGenerated is the column name when the table is queried through Sentinel;
// in the Defender portal the same column is called Timestamp.
EmailEvents
| where TimeGenerated > ago(24h)
| where ThreatTypes has "Phish"
| project TimeGenerated, SenderFromAddress, RecipientEmailAddress, Subject
| sort by TimeGenerated desc
You will learn to write queries like this in Module 2: KQL Fundamentals.
The Action Centre shows all remediation actions — pending approval and completed.