Defender XDR: Security Posture and Threat Intelligence
Navigate the unified Microsoft Defender XDR portal, use Exposure Management to assess security posture, improve Secure Score, and leverage Threat Intelligence.
The unified security operations hub
Defender XDR is the single pane of glass where every security signal across your M365 environment converges.
Rather than jumping between separate consoles for email threats, identity risks, endpoint detections, and cloud app anomalies, security.microsoft.com pulls everything into one portal. Exposure Management shows you where your attack surface is weakest. Secure Score quantifies your posture. Threat Intelligence tells you what adversaries are doing right now and whether your environment is exposed to their techniques.
For the MS-102 exam, you need to know how to navigate this portal, interpret its reports, and take action on what it surfaces.
Navigating the Defender XDR portal
The portal at security.microsoft.com organises capabilities into sections that map directly to exam objectives:
| Portal Section | What You Find There | Exam Relevance |
|---|---|---|
| Incidents and alerts | Correlated multi-workload incidents, individual alerts | Incident investigation (next module) |
| Hunting | Advanced hunting (KQL), custom detection rules | Threat hunting (next module) |
| Exposure Management | Attack surface, attack paths, security initiatives, Secure Score | This module |
| Threat Intelligence | Threat analytics, Intel Explorer, Intel profiles | This module |
| Reports | Security dashboards, email and collaboration reports, device health | This module |
| Actions and submissions | Action center, user-reported messages, admin submissions | Email threat module |
Elena bookmarks the Exposure Management dashboard as her morning-check page at MedGuard Health — it surfaces the most impactful posture gaps before she dives into incident triage.
Security Exposure Management
Exposure Management is a proactive posture capability — it answers “where are we weak?” before an attacker finds out.
Attack surface
The attack surface view aggregates your exposed assets across workloads:
- Devices — unmanaged endpoints, devices with outdated OS or missing EDR
- Identities — accounts without MFA, stale admin accounts, over-privileged service principals
- Cloud apps — unsanctioned SaaS apps discovered by Defender for Cloud Apps, OAuth app consent risks
- Data — sensitive content in unprotected locations, DLP policy gaps
Attack paths
Attack path analysis models how an attacker could chain individually modest weaknesses together to reach a critical asset. For example: a user account with no MFA signs in from a device without EDR, and that account holds local admin rights on a server hosting patient records. Each finding on its own might rate as low severity; together they are a route to the crown jewels.
Elena uses this at MedGuard to demonstrate to leadership why patching a “low severity” endpoint vulnerability matters — because it sits on a path to their electronic health record system.
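The chaining idea above is a path search over a graph of assets and the weaknesses that connect them. The block below is an added example, not Exposure Management's data or code: the nodes, edges and weakness labels are constructed, and the "choke point" count at the end is the argument Elena makes to leadership, computed rather than asserted.

```python
"""Attack-path enumeration over a small asset graph.

Added example; this is not Exposure Management's data or code. Nodes, edges and
weakness labels are constructed for illustration: an edge (src, dst, weakness)
means an attacker who already controls src can move to dst by exploiting weakness.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Edge = Tuple[str, str, str]

# Constructed graph: one low-privilege nurse identity, two routes to the EHR database.
EDGES: List[Edge] = [
    ("identity:nurse.kim",  "device:WS-042",       "identity:nurse.kim has no MFA"),
    ("identity:nurse.kim",  "app:exchange-online", "identity:nurse.kim has no MFA"),
    ("device:WS-042",       "identity:svc-backup", "device:WS-042 has no EDR, caches service credentials"),
    ("identity:svc-backup", "server:EHR-DB",       "identity:svc-backup is local admin on server:EHR-DB"),
    ("app:exchange-online", "identity:it-admin",   "unverified OAuth app has Mail.ReadWrite consent"),
    ("identity:it-admin",   "server:EHR-DB",       "identity:it-admin is domain admin without MFA"),
    ("device:WS-042",       "server:FILE-01",      "server:FILE-01 share is world-writable"),
]
ENTRY_POINTS = {"identity:nurse.kim"}   # where an attacker plausibly starts (a phished user)
CRITICAL = {"server:EHR-DB"}            # crown-jewel assets


def build_graph(edges: List[Edge]) -> Dict[str, List[Tuple[str, str]]]:
    graph: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for src, dst, weakness in edges:
        graph[src].append((dst, weakness))
    return graph


def find_attack_paths(edges, entry_points, critical):
    """Return every simple path from an entry point to a critical asset as
    (nodes, weaknesses), where weaknesses[i] is the flaw exploited to reach nodes[i+1]."""
    graph = build_graph(edges)
    paths = []

    def walk(node, visited, nodes, weaknesses):
        if node in critical:
            paths.append((list(nodes), list(weaknesses)))
            return
        for nxt, weakness in graph.get(node, []):
            if nxt in visited:          # simple paths only; no cycles
                continue
            visited.add(nxt)
            nodes.append(nxt)
            weaknesses.append(weakness)
            walk(nxt, visited, nodes, weaknesses)
            visited.discard(nxt)
            nodes.pop()
            weaknesses.pop()

    for start in sorted(entry_points):
        walk(start, {start}, [start], [])
    return paths


def choke_points(paths):
    """Count, per weakness, how many attack paths it sits on. Fixing the top entry
    removes the most paths for a single change, which is why it deserves priority
    even when its own severity rating is low."""
    counts = defaultdict(int)
    for _, weaknesses in paths:
        for weakness in set(weaknesses):
            counts[weakness] += 1
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    found = find_attack_paths(EDGES, ENTRY_POINTS, CRITICAL)
    for nodes, weaknesses in found:
        print(" -> ".join(nodes))
        for w in weaknesses:
            print("   via", w)
    print("choke points:", choke_points(found))
```

On this constructed graph both paths to the EHR database start from the same missing-MFA finding, so enforcing MFA on that one identity cuts both of them, while patching the file share (a dead end here) cuts none. That is the kind of ranking the attack path view gives you for free, and the kind you cannot get from a severity column alone.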
Security initiatives
Initiatives group related improvement actions by theme — such as “Ransomware Protection” or “Zero Trust” — giving you a structured roadmap rather than an unranked to-do list.
Exam tip: Exposure Management vs Secure Score
The exam may present scenarios where you need to choose between Exposure Management and Secure Score. The distinction: Secure Score is a numeric metric with individual improvement actions. Exposure Management is broader — it includes Secure Score, plus attack surface views, attack path analysis, and security initiatives. Think of Secure Score as one component within Exposure Management.
Microsoft Secure Score
Secure Score quantifies your security posture as a percentage. Every improvement action adds points — the higher the score, the more hardened your environment.
How Secure Score works
- Total possible points — the maximum score if every improvement action were completed
- Current score — points earned from completed and partially completed actions
- Percentage — current / total possible (displayed as the headline metric)
Improvement actions
Each action has:
- Points — how much completing it adds to your score
- Status — To address, Planned, Risk accepted, Resolved through third party, Resolved through alternate mitigation, Completed
- Category — which workload the action protects: Identity, Data, Device, Apps, or Infrastructure
- User impact and implementation cost — each rated Low, Moderate, or High in the action's details pane; points alone don't tell you the effort, because some high-point actions are quick configuration changes while others are multi-week projects
Elena prioritises actions by their points-to-effort ratio. A 9-point action such as "Enable MFA for all admins" is a quick win; a 5-point action such as "Deploy Defender for Endpoint to all devices" is a multi-week project.
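Elena's ranking can be scripted once you have the action list. The following is an added example and not Microsoft's code; its records are constructed to resemble the Microsoft Graph `secureScoreControlProfiles` resource (id, title, maxScore, userImpact, implementationCost, controlStateUpdates) and the per-control `score` from `secureScores.controlScores`, but every value is invented, the effort weights are arbitrary, and the mapping of `controlStateUpdates.state` "Ignored" to the portal's "Risk accepted" status and "ThirdParty" to "Resolved through third party" is an assumption.

```python
"""Rank Secure Score improvement actions by points still available per unit of effort.

Added example, not Microsoft's code. Records are constructed to resemble the
Microsoft Graph `secureScoreControlProfiles` resource and the per-control score
from `secureScores.controlScores`; values are invented. The state-to-status
mapping (Ignored = Risk accepted, ThirdParty = Resolved through third party) is
an assumption.
"""
from typing import Dict, List

# Relative effort per implementationCost rating (assumed weights; tune to your team).
COST_WEIGHT = {"Low": 1.0, "Moderate": 2.0, "High": 4.0}

CONTROL_PROFILES: List[dict] = [
    {"id": "AdminMFAV2", "title": "Require MFA for administrative roles", "maxScore": 10,
     "userImpact": "Low", "implementationCost": "Low", "controlStateUpdates": []},
    {"id": "BlockLegacyAuth", "title": "Block legacy authentication", "maxScore": 8,
     "userImpact": "Moderate", "implementationCost": "Moderate", "controlStateUpdates": []},
    {"id": "MDEOnboarding", "title": "Onboard all devices to Defender for Endpoint", "maxScore": 5,
     "userImpact": "Low", "implementationCost": "High", "controlStateUpdates": []},
    {"id": "SSPR", "title": "Enable self-service password reset", "maxScore": 1,
     "userImpact": "Moderate", "implementationCost": "Low",
     "controlStateUpdates": [{"state": "Ignored", "comment": "Helpdesk handles resets; reviewed 2025-Q1"}]},
    {"id": "SafeAttachments", "title": "Enable Safe Attachments", "maxScore": 4,
     "userImpact": "Low", "implementationCost": "Moderate",
     "controlStateUpdates": [{"state": "ThirdParty", "comment": "Covered by upstream mail gateway"}]},
]
# Points currently earned per control (constructed; 0 = nothing done, partial = some coverage).
CONTROL_SCORES: Dict[str, float] = {
    "AdminMFAV2": 4.0, "BlockLegacyAuth": 0.0, "MDEOnboarding": 1.0,
    "SSPR": 0.0, "SafeAttachments": 0.0,
}


def effective_state(profile: dict) -> str:
    """The latest analyst-set state wins; no updates means the default ('To address')."""
    updates = profile.get("controlStateUpdates") or []
    return updates[-1]["state"] if updates else "Default"


def prioritise(profiles: List[dict], scores: Dict[str, float]) -> List[dict]:
    """Actionable controls ordered by remaining points per unit of implementation cost."""
    ranked = []
    for profile in profiles:
        if effective_state(profile) != "Default":
            continue   # risk accepted, third party, etc.: off the active list
        remaining = profile["maxScore"] - scores.get(profile["id"], 0.0)
        if remaining <= 0:
            continue   # already complete
        weight = COST_WEIGHT[profile["implementationCost"]]
        ranked.append({
            "id": profile["id"],
            "title": profile["title"],
            "remaining_points": remaining,
            "implementationCost": profile["implementationCost"],
            "points_per_effort": round(remaining / weight, 2),
        })
    ranked.sort(key=lambda r: (-r["points_per_effort"], -r["remaining_points"], r["id"]))
    return ranked


if __name__ == "__main__":
    for row in prioritise(CONTROL_PROFILES, CONTROL_SCORES):
        print(f'{row["points_per_effort"]:>5}  {row["remaining_points"]:>4} pts  '
              f'{row["implementationCost"]:<8} {row["title"]}')
```

Note that the partially completed MFA action still tops the list: six points remain on a low-cost change, which beats eight points on a moderate-cost one. Anything marked risk accepted or resolved through a third party drops out of the ranking but stays in the data with its justification comment, which is exactly how the portal treats those statuses.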
Score comparison
Secure Score includes a comparison tab showing how your score stacks up against:
- Similar organisations — filtered by industry, seat count, and licensing
- Your own history — trend line over 90 days to track improvement or regression
Deep dive: When Secure Score drops
A falling score usually has one of three causes:
- Microsoft adds new improvement actions — the total possible points increase, so your percentage drops even though you haven’t changed anything
- A previously completed action regresses — for example, an admin disables a policy that was earning points
- Your environment changes — new users provisioned without MFA, new devices onboarded without EDR
Elena sets up a weekly review cadence to catch regressions early. She also marks low-priority actions as “Risk accepted” with documented justification — this removes them from her active list without hiding them.
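The three causes above are distinguishable from two score snapshots, which is what a weekly review really compares. The block below is an added example, not Microsoft's code: its snapshots are constructed to resemble the Microsoft Graph `secureScore` resource (createdDateTime, currentScore, maxScore, and controlScores with controlName and score), with invented numbers. It splits the percentage drop into the part caused by Microsoft enlarging the denominator and the part caused by controls losing points; the snapshot alone cannot tell an admin reverting a setting from environment drift such as new accounts without MFA, since both surface as a lower control score, so that distinction is left to the action's details.

```python
"""Diagnose a Secure Score drop from two snapshots.

Added example, not Microsoft's code. Snapshots are constructed to resemble the
Microsoft Graph `secureScore` resource (createdDateTime, currentScore, maxScore,
controlScores[].controlName / score); all numbers are invented.
"""
from typing import List

YESTERDAY = {
    "createdDateTime": "2025-03-03T00:00:00Z", "currentScore": 60.0, "maxScore": 100.0,
    "controlScores": [
        {"controlName": "AdminMFAV2", "score": 10.0},
        {"controlName": "BlockLegacyAuth", "score": 8.0},
        {"controlName": "SafeLinks", "score": 4.0},
        {"controlName": "Other", "score": 38.0},
    ],
}
TODAY = {
    "createdDateTime": "2025-03-04T00:00:00Z", "currentScore": 58.0, "maxScore": 110.0,
    "controlScores": [
        {"controlName": "AdminMFAV2", "score": 8.0},          # regressed: one admin lost MFA
        {"controlName": "BlockLegacyAuth", "score": 8.0},
        {"controlName": "SafeLinks", "score": 4.0},
        {"controlName": "Other", "score": 38.0},
        {"controlName": "SignInRiskPolicy", "score": 0.0},   # new action published by Microsoft
    ],
}


def pct(score: float, max_score: float) -> float:
    return 100.0 * score / max_score if max_score else 0.0


def diagnose_drop(previous: dict, current: dict) -> dict:
    """Explain the percentage change between two snapshots.

    new_controls: actions that did not exist before (denominator grew).
    regressed: actions that lost points (admin change or environment drift).
    attribution: how many percentage points each effect accounts for.
    """
    prev_scores = {c["controlName"]: c["score"] for c in previous["controlScores"]}
    curr_scores = {c["controlName"]: c["score"] for c in current["controlScores"]}

    new_controls: List[str] = sorted(set(curr_scores) - set(prev_scores))
    regressed = [
        {"control": name, "from": prev_scores[name], "to": curr_scores[name]}
        for name in sorted(prev_scores)
        if name in curr_scores and curr_scores[name] < prev_scores[name]
    ]

    prev_pct = pct(previous["currentScore"], previous["maxScore"])
    curr_pct = pct(current["currentScore"], current["maxScore"])
    # What the percentage would be if only the denominator had changed.
    denominator_only_pct = pct(previous["currentScore"], current["maxScore"])

    return {
        "previous_pct": round(prev_pct, 1),
        "current_pct": round(curr_pct, 1),
        "drop_pct": round(prev_pct - curr_pct, 1),
        "max_score_delta": current["maxScore"] - previous["maxScore"],
        "new_controls": new_controls,
        "regressed": regressed,
        "attribution": {
            "new_actions_added": round(prev_pct - denominator_only_pct, 1),
            "score_regression": round(denominator_only_pct - curr_pct, 1),
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(diagnose_drop(YESTERDAY, TODAY), indent=2))
```

In the constructed data the headline drop is 7.3 points, but 5.5 of them are Microsoft adding a 10-point action and only 1.8 are a genuine regression on the admin MFA control. That is the answer to "nobody changed anything, why did we drop?", and it also tells you which single control to open first.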
Threat Intelligence
The Threat intelligence section combines threat analytics, which is part of Defender XDR itself, with Microsoft Defender Threat Intelligence (Defender TI), which provides curated, actionable intelligence about active threats and the infrastructure behind them.
Threat analytics
The Threat analytics dashboard in the portal surfaces:
- Analyst reports — Microsoft security researchers publish detailed write-ups of active campaigns, including TTPs (tactics, techniques, and procedures), affected industries, and recommended mitigations
- Exposure indicators — for each threat, the portal shows whether your environment has exposed assets (vulnerable devices, unpatched software, missing protections)
- Mitigations status — which recommended mitigations you’ve already implemented and which are outstanding
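The exposure and mitigation tabs of a report are a join between the report's affected versions and recommended controls on one side and your own inventory and tenant settings on the other. The block below reproduces that join as an added example, not Microsoft's code or data: the report, the device inventory, the "ExampleVPN" product, its versions, the device names and the mitigation names are all constructed placeholders.

```python
"""Compute a tenant's exposure to a threat analytics report from local inventory.

Added example, not Microsoft's code or data. The report, device inventory and
tenant mitigation state are constructed; "ExampleVPN" and every version, device
and mitigation name are invented placeholders.
"""
from typing import Dict, List, Tuple

# Constructed analyst report: affected product with the first fixed version, plus
# the mitigations the report recommends.
REPORT = {
    "title": "Healthcare-targeted ransomware campaign using vulnerable VPN appliances",
    "affectedSoftware": [{"product": "ExampleVPN", "fixedVersion": "9.1.4"}],
    "recommendedMitigations": [
        "Update ExampleVPN to 9.1.4 or later",
        "Require MFA for VPN logons",
        "Block inbound management interface from the internet",
        "Enable tamper protection on Defender for Endpoint",
    ],
}
# Constructed device software inventory: (deviceName, product, version).
INVENTORY: List[Tuple[str, str, str]] = [
    ("VPN-EDGE-01", "ExampleVPN", "9.0.7"),
    ("VPN-EDGE-02", "ExampleVPN", "9.1.4"),
    ("VPN-DR-01",   "ExampleVPN", "8.9.12"),
    ("VPN-LAB-01",  "ExampleVPN", "9.1.0"),
    ("WS-042",      "OtherApp",   "1.2.3"),
]
# Constructed tenant state: which recommended mitigations are already in place.
TENANT_MITIGATIONS: Dict[str, bool] = {
    "Update ExampleVPN to 9.1.4 or later": False,
    "Require MFA for VPN logons": True,
    "Block inbound management interface from the internet": False,
    "Enable tamper protection on Defender for Endpoint": True,
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Dotted numeric versions compare correctly as int tuples ('9.1.10' > '9.1.4');
    a plain string compare would get that wrong."""
    return tuple(int(part) for part in text.split("."))


def exposed_devices(report: dict, inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Devices running an affected product below its fixed version."""
    fixed = {s["product"]: parse_version(s["fixedVersion"]) for s in report["affectedSoftware"]}
    return sorted(
        device for device, product, version in inventory
        if product in fixed and parse_version(version) < fixed[product]
    )


def outstanding_mitigations(report: dict, tenant_state: Dict[str, bool]) -> List[str]:
    """Recommended mitigations not yet confirmed in the tenant (unknown counts as missing)."""
    return [m for m in report["recommendedMitigations"] if not tenant_state.get(m, False)]


def exposure_summary(report: dict, inventory, tenant_state) -> dict:
    devices = exposed_devices(report, inventory)
    return {
        "title": report["title"],
        "exposed_device_count": len(devices),
        "exposed_devices": devices,
        "outstanding_mitigations": outstanding_mitigations(report, tenant_state),
    }


if __name__ == "__main__":
    summary = exposure_summary(REPORT, INVENTORY, TENANT_MITIGATIONS)
    print(f'{summary["title"]}: {summary["exposed_device_count"]} exposed device(s)')
    for device in summary["exposed_devices"]:
        print("  exposed:", device)
    for mitigation in summary["outstanding_mitigations"]:
        print("  outstanding:", mitigation)
```

Two details matter in practice: versions must be compared numerically, not as strings, or "9.1.10" would look older than "9.1.4"; and a mitigation that the tenant state does not mention is treated as outstanding rather than silently assumed done.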
Intel Explorer and profiles
- Intel Explorer — search for indicators (IPs, domains, file hashes, URLs) to check if they’ve been associated with known threats
- Intel profiles — detailed adversary profiles covering threat actors, their targets, known tools, and infrastructure
Elena subscribes to threat analytics for healthcare-targeted campaigns. When a new report lands about a ransomware group targeting hospitals, she immediately checks MedGuard’s exposure status and prioritises any outstanding mitigations.
Exam tip: Threat Intelligence licensing
Threat analytics (analyst reports, exposure data, and mitigation status) is included with Defender XDR licensing. The full, premium Defender TI experience (Intel Explorer with unrestricted indicator search, Intel profiles, and the underlying infrastructure data sets) requires a separate Defender Threat Intelligence licence. The exam typically focuses on threat analytics within the Defender XDR portal, not the premium TI features.
XDR reports and dashboards
The Reports section provides pre-built dashboards that the exam expects you to interpret:
| Feature | What It Shows | When to Use It |
|---|---|---|
| Incident report | Incident volume, classification breakdown, MTTR (mean time to resolve) | Track SOC performance and incident trends over time |
| Device health | Sensor status, OS distribution, AV status | Identify devices with missing or degraded Defender for Endpoint coverage |
| Vulnerable devices | Devices with unpatched CVEs, exploitability scores | Prioritise patching based on active exploitation data |
| Email and collaboration | Malware, phishing, spam detection rates, override trends | Validate email protection effectiveness and tune policies |
| Threat protection status | Detection trends across all Defender workloads | Spot spikes in detections that may indicate an active campaign |
Elena reviews the email and collaboration report weekly to validate that Safe Attachments and Safe Links are catching threats at MedGuard — and that users aren’t overriding protections by adding sender exceptions.
Key concepts to remember
Knowledge check
Elena notices that MedGuard Health's Secure Score dropped by 4% overnight, but no one changed any security policies. The IT team hasn't made any configuration changes. What is the most likely explanation?
Dev Patel is advising Oakwood Financial on where to start their security posture improvement. The Secure Score shows 45% with 23 improvement actions in 'To address' status. Dev has limited time and needs maximum impact. What approach should he recommend?
Elena sees a new Threat Analytics report titled 'Healthcare-targeted ransomware campaign using vulnerable VPN appliances.' The report shows MedGuard has 3 exposed devices. What should Elena do first?
Next up: Investigate Incidents with Advanced Hunting — where Elena correlates alerts across workloads and uses KQL to hunt for threats hiding in MedGuard’s telemetry.