Defender XDR: Detection and Response at Scale
Design detection and response strategies using Microsoft Defender XDR — covering the product family, unified incident correlation, automated investigation, attack disruption, and the unified SecOps portal.
The Defender XDR Product Family
Microsoft Defender XDR isn’t a single product — it’s a family of specialized security products that share signals and coordinate responses. Understanding what each one protects and the signals it generates is essential for SC-100.
Microsoft Defender for Endpoint (MDE)
Protects: Windows, macOS, Linux, iOS, and Android devices.
Defender for Endpoint provides deep visibility into what’s happening on every managed device. It monitors process execution, file activity, network connections, registry changes, and memory operations. Its sensors detect everything from commodity malware to sophisticated fileless attacks.
Key signals generated:
- Malicious process execution chains
- Suspicious file downloads and modifications
- Lateral movement attempts (unusual remote connections)
- Credential theft activities (LSASS access, Kerberoasting)
- Vulnerability and misconfiguration data (Threat & Vulnerability Management, now branded Microsoft Defender Vulnerability Management)
Response capabilities: Isolate device, restrict app execution, run antivirus scan, collect investigation package, initiate live response session.
Microsoft Defender for Office 365 (MDO)
Protects: Email (Exchange Online), collaboration tools (SharePoint, OneDrive, Teams).
The email pipeline is the #1 initial access vector for attackers. Defender for Office 365 inspects every email for phishing, malware, business email compromise (BEC), and impersonation. It also protects file sharing in SharePoint and OneDrive with Safe Attachments.
Key signals generated:
- Phishing email detections with URL detonation results
- Malicious attachment analysis (sandboxing)
- BEC and impersonation attempts
- User click-on-phishing-link events
- Suspicious mailbox rule creation (forwarding, deletion)
Response capabilities: Remove malicious emails already sitting in mailboxes (Zero-hour Auto Purge, or ZAP, does this automatically when a delivered message is later judged malicious; analysts can also soft-delete or hard-delete messages from Threat Explorer), block senders and URLs through the Tenant Allow/Block List, and submit messages, URLs or attachments to Microsoft for analysis.
Microsoft Defender for Identity (MDI)
Protects: On-premises Active Directory and hybrid identity infrastructure.
Defender for Identity monitors Active Directory domain controllers to detect identity-based attacks. It understands AD protocols deeply — Kerberos, LDAP, NTLM — and can identify attacks that abuse these protocols.
Key signals generated:
- Suspicious authentication patterns (pass-the-hash, pass-the-ticket)
- Reconnaissance activities (LDAP enumeration, DNS queries)
- Lateral movement paths (over-exposed credentials)
- Domain dominance attempts (DCSync replication requests from non-domain-controller hosts, DCShadow rogue domain controller registration)
- Compromised entity detections
Response capabilities: Disable the account in on-premises Active Directory and force a password reset at next sign-in; from the same user page an analyst can confirm the user as compromised, which is a Microsoft Entra ID Protection action that raises the account’s risk level and drives risk-based Conditional Access.
Microsoft Defender for Cloud Apps (MDCA)
Protects: SaaS applications (both Microsoft and third-party).
Defender for Cloud Apps acts as a Cloud Access Security Broker (CASB). It provides visibility into which SaaS apps users access, detects risky user behavior within those apps, and can enforce data protection policies.
Key signals generated:
- Impossible travel detections (login from two distant locations)
- Mass file download or sharing
- Use of risky or unsanctioned cloud apps (shadow IT)
- Suspicious OAuth app grants
- Data exfiltration patterns
Response capabilities: Suspend user account, revoke OAuth app permissions, apply session policies (block download, require labeling).
| Product | Protects | Key Signals | Unique Strength |
|---|---|---|---|
| Defender for Endpoint | Devices (Windows, macOS, Linux, iOS, Android) | Process chains, file activity, lateral movement, credential theft | Deepest endpoint visibility + Threat & Vulnerability Management |
| Defender for Office 365 | Email, SharePoint, OneDrive, Teams | Phishing, malware attachments, BEC, malicious URLs | Email is #1 attack vector — catches threats before users click |
| Defender for Identity | Active Directory (on-prem and hybrid) | Pass-the-hash, reconnaissance, DCSync, lateral movement paths | Only product that deeply monitors AD protocols on domain controllers |
| Defender for Cloud Apps | SaaS applications (Microsoft + third-party) | Impossible travel, mass downloads, shadow IT, risky OAuth apps | CASB visibility across hundreds of SaaS apps + session controls |
Unified Incident Correlation: The XDR Superpower
The defining capability of XDR is cross-domain correlation. Individual alerts from different products are automatically correlated into a single, unified incident when they share entities (users, devices, IPs, files).
How a Multi-Stage Attack Becomes One Incident
Consider this real-world attack chain:
- Defender for Office 365 detects a phishing email with a malicious link sent to a user
- The user clicks the link — MDO records the click event
- The link harvests the user’s credentials, which the attacker replays from an unfamiliar location. For cloud sign-ins this surfaces as a Microsoft Entra ID Protection risk detection inside the same Defender XDR incident; if the account authenticates against on-premises Active Directory (hybrid identity), Defender for Identity sees the anomalous authentication
- The attacker uses the stolen credentials to access SharePoint — Defender for Cloud Apps flags impossible travel and mass file download
- The attacker deploys a payload to the user’s device — Defender for Endpoint detects suspicious process execution
Without XDR, this would be five separate alerts handled by different analysts on different consoles. The email team sees a phishing email. The identity team sees an unusual login. The endpoint team sees suspicious processes. Nobody sees the full picture.
With Defender XDR, this is one unified incident. The incident timeline shows every step of the attack chain. The incident graph maps the relationships between the user, their device, the phishing email, the attacker’s IP, and the compromised files. One analyst sees the entire story.
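To make the correlation rule concrete, here is an added advanced hunting query (not from the original page or from Microsoft) that approximates what the incident engine does: it groups alerts from different Defender products that name the same user entity within the same 24-hour bucket and keeps only the groups where two or more products contributed. The table and column names (AlertEvidence, ServiceSource, AccountUpn, EntityType) are the real advanced hunting schema; the seven-day lookback and the 24-hour window are assumptions.

```kql
// Added example: approximate XDR incident correlation by hand.
// Every alert that cites the same user inside one 24h bucket is grouped; we keep only
// groups where two or more Defender products contributed, i.e. cross-domain correlation.
let lookback = 7d;      // assumed search range
let bucket   = 24h;     // assumed correlation window
AlertEvidence
| where Timestamp > ago(lookback)
| where EntityType == "User" and isnotempty(AccountUpn)
| extend AccountUpn = tolower(AccountUpn)
| summarize
    FirstAlert   = min(Timestamp),
    LastAlert    = max(Timestamp),
    // ServiceSource is the product that raised the alert, e.g. "Microsoft Defender for Office 365",
    // "Microsoft Defender for Identity", "Microsoft Defender for Cloud Apps", "Microsoft Defender for Endpoint"
    Products     = make_set(ServiceSource),
    Alerts       = make_set(Title),
    AlertIds     = make_set(AlertId),
    // Severity is a string, so rank it explicitly instead of taking max() of the text
    SeverityRank = max(case(Severity == "High", 3, Severity == "Medium", 2, Severity == "Low", 1, 0))
    by AccountUpn, Window = bin(Timestamp, bucket)
| extend ProductCount = array_length(Products)
| where ProductCount >= 2
| order by ProductCount desc, SeverityRank desc, FirstAlert asc
```

Fixed time buckets are a simplification: the real engine links on every shared entity type (device, IP, file, mailbox, not just user) and keeps updating an open incident as new alerts arrive, so an attack that straddles two buckets here would still land in one incident in the portal. Run it with `kind=inner` joins back to AlertInfo if you need the full alert description or the MITRE techniques (AttackTechniques column).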
☁️ Rajan Demonstrates Unified Incidents
Rajan is demonstrating Defender XDR to a prospective client — a financial services company that currently uses separate, disconnected security tools.
“Let me show you something,” Rajan says, pulling up the Defender portal. “Last week, one of our test environment users received a phishing email that impersonated a DocuSign notification. Watch what happens.”
He walks through the unified incident:
- MDO flagged the phishing email and blocked the malicious URL
- But the user had already clicked before ZAP removed it
- MDI detected the compromised credentials being used from an unfamiliar IP
- MDCA flagged impossible travel — the user appeared to log in from both Auckland and Romania within minutes
- MDE detected a suspicious PowerShell command on the user’s device that matched a known attack framework
“All of this appears as ONE incident,” Rajan explains. “The analyst sees the full attack chain — from initial phishing to credential theft to attempted lateral movement. Without XDR correlation, your email team would close the phishing ticket thinking it was handled, while the attacker is already inside your identity layer.”
Priya adds: “And the automated investigation traced the full scope — it identified two other users who received the same phishing campaign and checked whether they also clicked.”
Automated Investigation and Response (AIR)
When a unified incident is created, Defender XDR can automatically investigate it. AIR mimics what an experienced Tier 2 analyst would do — check user activity, examine device timelines, trace file origins, and analyze network connections.
What AIR does automatically:
- Examines all entities involved in the incident (users, devices, emails, files)
- Checks if malicious files exist on other devices in the organization
- Verifies if other users received the same phishing email
- Determines if the compromised account was used for further attacks
- Provides remediation recommendations (or automatically remediates)
AIR automation levels (configured per device group in Defender for Endpoint):
- Full automation (“Full – remediate threats automatically”): AIR investigates AND remediates automatically, for example quarantining a malicious file, stopping a process, or removing a persistence registry key. Best for high-confidence scenarios on standardized assets.
- Semi-automation (“Semi – require approval for any remediation”, plus two narrower variants that auto-remediate except in core folders or in non-temp folders): AIR investigates and queues the recommended actions in the Action Center, but waits for analyst approval before remediating. Good balance of speed and control.
- No automation (“No automated response”): no automated investigation runs on those devices at all; investigation and remediation are both manual. Microsoft does not recommend this level.
Because the level is set per device group, different asset types can carry different policies (e.g., full automation for standard workstations, semi-automation for servers or operational technology).
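The scoping step AIR performs for a phishing incident (“who else received this message, and did they click?”) can be reproduced in advanced hunting. The query below is an added example, not from the page or from Microsoft; the NetworkMessageId value is a placeholder you would copy from the incident, and the 14-day window is an assumption. Tables and columns (EmailEvents, EmailUrlInfo, UrlClickEvents, LatestDeliveryLocation) are the real schema.

```kql
// Added example: scope a phishing campaign the way AIR does.
// Start from one confirmed malicious message, pivot on the URL domains it carried,
// then list every recipient of any message carrying those domains and whether each clicked.
let seed_message = "00000000-0000-0000-0000-000000000000";   // assumed: NetworkMessageId copied from the incident
let window = 14d;                                             // assumed search range
let campaign_domains = EmailUrlInfo
    | where Timestamp > ago(window) and NetworkMessageId == seed_message
    | distinct UrlDomain;
let campaign_messages = EmailUrlInfo
    | where Timestamp > ago(window)
    | where UrlDomain in (campaign_domains)
    | distinct NetworkMessageId;
// Clicks are keyed by message AND recipient, so a click by one recipient is not
// attributed to everyone who received a copy of the same message.
let clicks = UrlClickEvents
    | where Timestamp > ago(window) and Workload == "Email"
    | where NetworkMessageId in (campaign_messages)
    | summarize FirstClick = min(Timestamp), ClickActions = make_set(ActionType)
        by NetworkMessageId, RecipientEmailAddress = tolower(AccountUpn);
EmailEvents
| where Timestamp > ago(window) and EmailDirection == "Inbound"
| where NetworkMessageId in (campaign_messages)
| extend RecipientEmailAddress = tolower(RecipientEmailAddress)
| join kind=leftouter clicks on NetworkMessageId, RecipientEmailAddress
| extend Clicked = isnotempty(FirstClick),
         // ZAP or an analyst purge moves the copy out of the mailbox; anything else is still exposed
         StillInMailbox = LatestDeliveryLocation !in ("Quarantine", "Deleted items", "Failed", "Dropped")
| project Timestamp, RecipientEmailAddress, SenderFromAddress, Subject,
          DeliveryAction, LatestDeliveryLocation, StillInMailbox,
          Clicked, FirstClick, ClickActions
| order by Clicked desc, StillInMailbox desc, Timestamp asc
```

Recipients with Clicked = true and ClickActions containing "ClickAllowed" are the ones whose credentials or devices need follow-up; rows with StillInMailbox = true are copies ZAP has not yet removed and are candidates for a manual purge. Pivoting on UrlDomain rather than the exact Url catches campaign variants that rotate the path but keep the phishing domain.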
🌐 Elena Evaluates Automation Levels
Elena Vasquez is rolling out Defender XDR across Meridian Global Industries. She’s debating automation levels with Li Wei, her IT Operations lead.
“I want full automation for our standard employee workstations,” Elena says. “If Defender detects confirmed malware, I want it quarantined immediately — not sitting there while we wait for analyst approval.”
Li Wei looks uncomfortable. “What about our manufacturing floor systems? Those run custom SCADA software. If AIR automatically quarantines a file that the SCADA system needs…”
“Great point,” Elena nods. “Manufacturing systems get semi-automation. AIR investigates and recommends, but an analyst approves before any remediation action. We can’t afford to accidentally shut down a production line.”
“And the executive devices?” Li Wei asks.
“Full automation there too,” Elena says. “Executives are the highest-value targets. If their device gets compromised, every minute counts. I’d rather have a false positive disruption than let an attacker sit on the CFO’s laptop while we debate approval.”
Attack Disruption
Attack disruption is Defender XDR’s most aggressive automated capability. When XDR detects a high-confidence in-progress attack (ransomware, business email compromise, adversary-in-the-middle), it can automatically contain the threat within minutes — faster than any human analyst could respond.
How attack disruption works:
- XDR detects high-confidence attack signals across multiple products
- The system identifies the compromised assets (user accounts, devices)
- Automatic containment actions execute: Disable user (in on-premises Active Directory through Defender for Identity and in Microsoft Entra ID), Contain device (block all communication to and from the device, which also works for devices not onboarded to Defender for Endpoint), and Contain user (prevent the account from signing on to onboarded devices)
- The analyst is notified with full context to investigate further
Attack types that trigger disruption:
- Human-operated ransomware (lateral movement + encryption indicators)
- Business email compromise (attacker in mailbox)
- Adversary-in-the-middle (AiTM) phishing attacks
- Financial fraud attacks
Architect’s critical insight: Attack disruption requires high confidence to avoid business impact. The system only triggers when multiple corroborating signals from different products confirm the attack is real. This is why XDR’s cross-domain correlation is foundational — a single suspicious event won’t trigger disruption, but the combination of compromised identity + lateral movement + encryption prep will.
The Unified SecOps Portal
The Defender portal (security.microsoft.com) is where it all comes together. As a security architect, you design how the SOC interacts with this portal.
Key portal capabilities:
- Incident queue: Unified view of all incidents, prioritized by severity and entity count
- Incident management: Assign incidents to analysts, set status, add tags, link related incidents
- Investigation graph: Visual map showing all entities and relationships in an incident
- Advanced hunting: KQL-based cross-product hunting across all Defender data
- Threat analytics: Curated reports on active threat campaigns with exposure assessment
- Secure Score: Posture improvement recommendations across all Defender products
Integration with Sentinel: When Sentinel is connected, the unified portal shows both Defender XDR incidents and Sentinel incidents in a single queue. Analysts don’t need to switch between portals.
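As an added example of cross-product hunting (not from the page or from Microsoft), the query below rebuilds the attack chain from the correlation section for one account directly from the raw per-product tables: URL clicks from Defender for Office 365, cloud activity from Defender for Cloud Apps, and process launches from Defender for Endpoint, all tied together by the user entity. The UPN and the seven-day range are assumptions, and the process-name lists are a starting point for triage, not a detection rule.

```kql
// Added example: one user's cross-product timeline, stitched by the shared identity entity.
let suspect = "jdoe@contoso.example";   // assumed UPN of the compromised user
let start   = ago(7d);                  // assumed search range
// CloudAppEvents keys activity by object ID rather than UPN, so resolve it through IdentityInfo.
let suspect_oid = toscalar(
    IdentityInfo
    | where AccountUpn =~ suspect
    | summarize take_any(AccountObjectId));
// MDO: did the user click, and was the click allowed or blocked by Safe Links?
let clicks = UrlClickEvents
    | where Timestamp > start and AccountUpn =~ suspect
    | project Timestamp, Source = "MDO",
              Event = strcat("Url click: ", ActionType),
              Detail = Url, IPAddress;
// MDCA: sign-ins, downloads, sharing changes and inbox rules, with geo of the source IP
let cloud = CloudAppEvents
    | where Timestamp > start and AccountObjectId == suspect_oid
    | where ActionType in ("UserLoggedIn", "FileDownloaded", "FileSyncDownloadedFull", "SharingSet", "New-InboxRule")
    | project Timestamp, Source = "MDCA",
              Event = ActionType,
              Detail = strcat(Application, " | ", ObjectName, " | ", CountryCode, " ", City), IPAddress;
// MDE: an Office or browser parent spawning a script host is the classic payload-launch shape
let endpoint = DeviceProcessEvents
    | where Timestamp > start and AccountUpn =~ suspect
    | where InitiatingProcessFileName in~ ("outlook.exe", "winword.exe", "excel.exe", "msedge.exe", "chrome.exe")
    | where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe")
    | project Timestamp, Source = "MDE",
              Event = strcat("Process: ", FileName),
              Detail = strcat(DeviceName, " | ", ProcessCommandLine), IPAddress = "";
union clicks, cloud, endpoint
| order by Timestamp asc
| project Timestamp, Source, Event, Detail, IPAddress
```

Read top to bottom, the result is the same story the incident graph tells: a click, then a sign-in and downloads from a country the user is never in, then a script host launched under the user’s session on their device. Comparing the IPAddress column across the MDO and MDCA rows is a quick way to confirm the attacker replayed the harvested credentials from their own infrastructure rather than from the victim’s network.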
SC-100 Exam Strategy: Defender XDR
A phishing email delivers a malicious link to an employee. The employee clicks the link, which steals their credentials. The attacker uses those credentials to log in from a foreign country and begins downloading files from SharePoint. Which Defender XDR products generate signals in this attack chain?
Elena is configuring AIR automation levels for Meridian Global Industries. She has three device groups: standard employee workstations (10,000 devices), manufacturing floor SCADA systems (200 devices), and executive laptops (50 devices). Which automation configuration best balances security and operational risk?
Next up: Microsoft Sentinel and SOAR Automation — We’ll explore how to design Sentinel workspace architectures, build SOAR playbooks, and manage the cost of cloud-native SIEM at enterprise scale.