Now that you understand all nine components individually, here is how they work together as an integrated system.
The data flow model. Signal sources — the four Defender products, Entra ID, and Intune — generate telemetry and alerts. Defender XDR correlates alerts into incidents using shared entities (users, devices, IPs). Sentinel ingests all of the above plus third-party data for advanced detection and automation. Conditional access (Entra ID) combined with device compliance (Intune) provides real-time preventive enforcement. Purview provides the deep audit trail and data protection layer.
A real attack through the ecosystem
To make this concrete, here is how an AiTM phishing attack — the scenario you will investigate in detail in Module 13 — moves through every component.
Figure 1.10: An AiTM phishing attack flowing through every component of the ecosystem. Each numbered step involves a different security product.
This is the scenario you will investigate end-to-end in Module 13
Every step in this diagram corresponds to a data source and a set of KQL queries you will learn. The ecosystem overview gives you the map. The investigation modules teach you to follow the trail.
That is the ecosystem working as an integrated system. Every module in this course teaches you to operate within a specific part of this chain. Module 13 teaches you to investigate this exact scenario end-to-end.
Module 1 — Final knowledge check
1. In the AiTM attack scenario, which component detects the attacker creating an inbox rule to hide their activity?
Defender for Office 365
Entra ID Protection
Defender for Cloud Apps
Defender for Endpoint
Defender for Cloud Apps monitors activity across connected SaaS applications — including Exchange Online. Inbox rule creation is flagged as anomalous behaviour by its activity policies.
2. An organisation has M365 E3 licences. Which of these capabilities are they missing? (Select the best answer)
Basic antivirus on endpoints
Conditional access policies
Full EDR with device timeline, Threat Explorer, risk-based conditional access, and Defender for Identity
Email delivery
E3 includes Defender for Endpoint P1 (basic protection, no EDR timeline) and Entra ID P1 (conditional access, but not risk-based). It does not include Defender for Office 365, Defender for Identity, or Defender for Cloud Apps. The investigation and advanced detection capabilities require E5 or individual add-ons.
3. Which two components would you describe as the "correlation layer" and the "brain of the SOC" respectively?
Defender for Endpoint and Entra ID
Defender XDR (correlation) and Sentinel (SIEM/SOAR)
Purview and Intune
Defender XDR correlates alerts from the four Defender products into unified incidents. Sentinel is the SIEM/SOAR that ingests data from all sources (including non-Microsoft) and provides detection, hunting, and automation. Together, they form the SOC analyst's primary workspace.
4. You need to determine what data an attacker accessed after compromising a mailbox. Which Purview feature and specific audit event do you need?
Audit Premium — MailItemsAccessed
Content Search
DLP Alerts
MailItemsAccessed (Audit Premium, E5) records every mail item read event. Without it, you know the attacker had access to the mailbox but cannot prove which emails they actually read — a critical gap for impact assessment and regulatory reporting.
5. Why does requiring a compliant device via conditional access help prevent AiTM attacks, even when MFA is already required?
Compliant devices have stronger passwords
Compliant devices block phishing emails
The attacker replays the stolen token from their own unmanaged device, which fails the compliance check regardless of the MFA claim in the token
AiTM tokens contain a valid MFA claim, so MFA alone does not stop them. But conditional access evaluating device compliance checks whether the device is Intune-managed and meets your policies. The attacker's machine is not enrolled — so the sign-in is blocked even though the token is valid. Device compliance is one of the strongest controls against token replay.
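The following is an added example, not part of the course material and not Microsoft's own policy engine. It models the evaluation logic described above with constructed data and hypothetical names (the `SignIn`, `Policy`, `COMPLIANT_DEVICES` and `evaluate` names are assumptions): a replayed token that carries a valid MFA claim passes an MFA-only policy, but fails as soon as the policy also requires a compliant (Intune-managed) device, because the attacker's machine is not enrolled.

```python
"""Simulated conditional access evaluation for a replayed AiTM token.

Added example; it reproduces the decision logic in prose form only and
does not implement any real Entra ID API. All names and data are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SignIn:
    """A sign-in attempt as the policy engine sees it (constructed)."""
    user: str
    mfa_claim: bool              # the token carries an MFA claim
    device_id: Optional[str]     # None for an unmanaged / unknown device
    ip_country: str


@dataclass
class Policy:
    """A simplified conditional access policy (constructed)."""
    require_mfa: bool = True
    require_compliant_device: bool = False


# Constructed Intune compliance state: device id -> compliant?
COMPLIANT_DEVICES = {
    "LAPTOP-ALICE-01": True,
    "LAPTOP-BOB-02": False,   # enrolled but failing a compliance check
}


def evaluate(signin: SignIn, policy: Policy) -> Tuple[str, List[str]]:
    """Return ("grant" | "block", reasons) for one sign-in under one policy."""
    reasons: List[str] = []
    if policy.require_mfa and not signin.mfa_claim:
        reasons.append("mfa_missing")
    if policy.require_compliant_device:
        # Compliance is evaluated on the device presenting the token,
        # independently of any MFA claim the token already carries.
        if signin.device_id is None:
            reasons.append("device_not_enrolled")
        elif not COMPLIANT_DEVICES.get(signin.device_id, False):
            reasons.append("device_not_compliant")
    return ("block" if reasons else "grant"), reasons


# The victim's own sign-in from a managed, compliant laptop.
VICTIM_SIGNIN = SignIn("alice@contoso.example", mfa_claim=True,
                       device_id="LAPTOP-ALICE-01", ip_country="GB")

# The attacker replaying the captured session: the MFA claim is genuine,
# but the device is not enrolled in Intune.
ATTACKER_REPLAY = SignIn("alice@contoso.example", mfa_claim=True,
                         device_id=None, ip_country="NL")


if __name__ == "__main__":
    for name, policy in [("MFA only", Policy()),
                         ("MFA + compliant device", Policy(require_compliant_device=True))]:
        print(name, "-> victim:", evaluate(VICTIM_SIGNIN, policy),
              "| replay:", evaluate(ATTACKER_REPLAY, policy))
```

Running the script prints the two policy outcomes side by side: under the MFA-only policy both sign-ins are granted, which is exactly the gap the question describes; under the policy that also requires device compliance the victim is still granted and the replay is blocked with the reason `device_not_enrolled`.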
6. A Sentinel scheduled analytics rule fires every 5 minutes. An NRT rule fires every 1 minute. When would you use NRT over scheduled?
For all detections — faster is always better
For high-priority detections where even a 5-minute delay is unacceptable, such as admin account compromise or active ransomware
Only for compliance reporting
NRT rules consume more resources and should be used selectively for your most critical detections where speed matters — admin account compromise, ransomware indicators, high-confidence data exfiltration. Most detections work fine on 5-minute or longer schedules.
7. You are setting up a lab for this course. What is the first resource you need?
A free M365 Developer Tenant from developer.microsoft.com
An Azure Enterprise subscription
A production M365 E5 tenant
The M365 Developer Tenant is free, includes E5 licences for 25 users, and provides access to every Defender product, Entra ID P2, and all other features covered in this course. Setup instructions are in subsection 1.11.
Walkthrough: AiTM attack through the ecosystem
A phishing email arrives. Defender for Office 365 scans it with Safe Links and Safe Attachments. In this scenario, the email uses a novel AiTM proxy technique that bypasses standard detection — the URL appears clean at scan time.
The user clicks the link and enters their credentials on the AiTM proxy page. The proxy sits between the user and the real Microsoft login, capturing the complete session token — including the MFA claim. The attacker now has a token that is fully authenticated.
The attacker uses the stolen token to sign in. Entra ID records the event and the risk engine flags the anomalous location. Conditional access evaluates the sign-in — if device compliance is required, the attacker's unmanaged device is blocked. If not, they gain access to the mailbox.
The attacker reads emails (Purview records it), creates an inbox rule (Cloud Apps detects it), and sends lateral phishing (Defender for Office 365 catches it). Defender XDR correlates all alerts into one incident. Sentinel fires an analytics rule and triggers a containment playbook — revoking tokens and isolating the session.
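As an added example covering both the data flow model at the top of this section and the walkthrough above, the script below correlates constructed events from the four signal sources into a single per-user incident, in the spirit of what Defender XDR does with shared entities, and then decides which containment actions a playbook would take. It is not the course's or Microsoft's code; the event records only loosely resemble the Sentinel tables named in this course (SigninLogs, OfficeActivity, CloudAppEvents, EmailEvents) and their field names are simplified assumptions, not the real schemas. The `correlate` and `containment_actions` functions and the `WINDOW` setting are hypothetical.

```python
"""Correlating the AiTM chain across signal sources into one incident.

Added example with constructed telemetry. The entity shared by every
source here is the user principal; a risky sign-in anchors a time
window, and every event for that user inside the window is pulled into
the same incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample telemetry: the attacker replays alice's token,
# reads mail, hides their tracks with an inbox rule and sends phish.
# bob's sign-in is clean and must not produce an incident.
EVENTS = [
    {"source": "SigninLogs", "time": "2024-05-01T09:02:00", "user": "alice@contoso.example",
     "action": "SignIn", "risk": "high", "country": "NL", "device": None},
    {"source": "OfficeActivity", "time": "2024-05-01T09:04:10", "user": "alice@contoso.example",
     "action": "MailItemsAccessed", "count": 37},
    {"source": "CloudAppEvents", "time": "2024-05-01T09:06:30", "user": "alice@contoso.example",
     "action": "New-InboxRule", "rule": "move mail from security@contoso.example to Deleted Items"},
    {"source": "EmailEvents", "time": "2024-05-01T09:15:00", "user": "alice@contoso.example",
     "action": "EmailSent", "recipients": 42, "verdict": "Phish"},
    {"source": "SigninLogs", "time": "2024-05-01T09:05:00", "user": "bob@contoso.example",
     "action": "SignIn", "risk": "none", "country": "GB", "device": "LAPTOP-BOB-02"},
]

# How long after the anchoring risky sign-in we keep attributing activity.
WINDOW = timedelta(hours=1)


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def correlate(events: List[dict]) -> Dict[str, dict]:
    """Build one incident per user whose activity starts with a risky sign-in."""
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for event in sorted(events, key=_ts):
        by_user[event["user"]].append(event)

    incidents: Dict[str, dict] = {}
    for user, user_events in by_user.items():
        anchors = [e for e in user_events
                   if e["source"] == "SigninLogs" and e.get("risk") in ("medium", "high")]
        if not anchors:
            continue                      # no risky sign-in, nothing to correlate
        start = _ts(anchors[0])
        related = [e for e in user_events if start <= _ts(e) <= start + WINDOW]

        stages = set()
        for e in related:
            if e["action"] == "MailItemsAccessed":
                stages.add("mailbox_read")          # Purview Audit Premium
            elif e["action"] == "New-InboxRule":
                stages.add("inbox_rule")            # Defender for Cloud Apps
            elif e["action"] == "EmailSent" and e.get("verdict") == "Phish":
                stages.add("lateral_phish")         # Defender for Office 365

        incidents[user] = {
            "user": user,
            "first_seen": anchors[0]["time"],
            "sources": sorted({e["source"] for e in related}),
            "stages": sorted(stages),
            "mail_items_read": sum(e.get("count", 0) for e in related
                                   if e["action"] == "MailItemsAccessed"),
        }
    return incidents


def containment_actions(incident: dict) -> List[str]:
    """Map the observed stages to the playbook steps described in the text."""
    actions: List[str] = []
    if incident["stages"]:
        # Any post-sign-in activity on a risky session: cut the session off.
        actions += ["revoke_sessions", "mark_user_compromised"]
    if "inbox_rule" in incident["stages"]:
        actions.append("remove_malicious_inbox_rule")
    if "lateral_phish" in incident["stages"]:
        actions.append("purge_sent_phish_from_recipients")
    return actions


if __name__ == "__main__":
    for incident in correlate(EVENTS).values():
        print(incident)
        print("  playbook:", containment_actions(incident))
```

The `mail_items_read` count is what makes the impact statement possible in question 4: without MailItemsAccessed records the incident would still show a risky sign-in and an inbox rule, but not how many items the attacker actually read.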