Defender XDR: The Unified Threat Platform
How Microsoft Defender XDR correlates signals across endpoints, email, identity, and cloud apps β and how the Defender portal unifies it all in one place.
What is XDR?
Imagine a team of detectives who each cover a different part of the city β but they all share one case board.
One detective watches email. Another watches laptops and phones. A third monitors cloud apps. A fourth watches identity systems (whoβs logging in where).
Individually, each detective sees only their piece of the puzzle. But when they share findings on the same case board, patterns emerge: βThe phishing email landed on Sarahβs laptop, which then connected to a suspicious cloud app, which tried to steal her credentials.β
That case board is XDR (Extended Detection and Response) β it correlates signals from multiple security products into a single, connected story. Defender XDR is Microsoftβs XDR platform, and the Defender portal is the case board.
How XDR differs from SIEM
This is an important exam concept β XDR and SIEM serve different but complementary roles:
| Feature | XDR (Defender XDR) | SIEM (Microsoft Sentinel) |
|---|---|---|
| Data sources | Microsoft Defender products (tightly integrated) | Everything β Microsoft, third-party, on-prem, custom |
| Correlation | Automatic β built-in cross-product intelligence | Rules-based β analytics rules and Fusion engine |
| Primary strength | Deep, integrated detection within Microsoft ecosystem | Broad visibility across the entire environment |
| Investigation | Unified incidents with automatic entity mapping | Investigation graph with manual and automated hunting |
| Response | Built-in automated investigation and response (AIR) | Playbooks via Logic Apps |
| Best analogy | A specialist team of detectives who share one case board | A citywide surveillance system that feeds one operations center |
Key exam point: XDR is an integrated product suite that correlates its own signals. SIEM is a data aggregation platform that collects from any source. Microsoft offers both β and they work together in the unified Defender portal.
The Defender XDR product suite
Defender XDR brings together several Defender products. Each product focuses on a specific attack surface:
Defender for Office 365
Protects email and collaboration tools (Outlook, Teams, SharePoint, OneDrive) from threats like:
- Phishing emails with malicious links or attachments
- Business email compromise (BEC)
- Malware delivered via email
Uses Safe Links (scans URLs at time of click) and Safe Attachments (detonates attachments in a sandbox before delivery).
Defender for Endpoint
Protects devices β laptops, desktops, servers, and mobile devices β from threats like:
- Malware and ransomware
- Fileless attacks (malicious scripts running in memory)
- Credential theft tools
Provides endpoint detection and response (EDR), attack surface reduction rules, and automated investigation capabilities.
Defender for Cloud Apps
Protects cloud applications β both Microsoft and third-party SaaS apps β by providing:
- Shadow IT discovery (which unsanctioned cloud apps are employees using?)
- Threat detection for cloud app sessions
- App governance and policy enforcement (for example, block file downloads from unmanaged devices)
This is Microsoftβs Cloud Access Security Broker (CASB).
Defender for Identity
Protects identity infrastructure β specifically on-premises Active Directory β from threats like:
- Lateral movement (pass-the-hash, pass-the-ticket)
- Reconnaissance (attackers mapping the AD environment)
- Compromised credentials
It monitors domain controller traffic to detect identity-based attacks that start on-premises and move to the cloud.
Defender Vulnerability Management
Provides continuous vulnerability assessment across your environment:
- Discovers software vulnerabilities across all devices
- Prioritises remediation based on threat intelligence and business impact
- Integrates with Defender for Endpoint for device-level visibility
Defender Threat Intelligence (Defender TI)
Provides threat intelligence β information about known attackers, their methods, and indicators of compromise (IOCs). Security teams use this to understand who is attacking them and what techniques they use.
Scenario: Defender XDR correlates a multi-stage attack on SecureBank
Hereβs how Defender XDR connects signals from multiple products into one incident:
- Defender for Office 365 detects a phishing email sent to a SecureBank employee β Sarah in the finance team. The email contains a link to a credential-harvesting page.
- Defender for Endpoint sees that Sarah clicked the link on her laptop and entered her password on the fake page.
- Defender for Identity detects that Sarahβs stolen credentials are used to perform LDAP queries against Active Directory β the attacker is mapping the environment (reconnaissance).
- Defender for Cloud Apps detects that the compromised account accesses a sanctioned SaaS app and begins downloading financial reports.
Without XDR: Each product generates a separate alert. The SOC sees four unrelated alerts across different dashboards. It takes hours to connect them manually.
With XDR: Defender XDR automatically correlates all four signals into a single incident: βPhishing-driven credential theft leading to data exfiltration.β Alex sees the full story in one view, and automated investigation has already isolated Sarahβs device and blocked the compromised account.
The Microsoft Defender portal
The Microsoft Defender portal (security.microsoft.com) is the unified interface for managing security across all Defender XDR products. Key areas:
| Portal section | What it shows |
|---|---|
| Incidents | Correlated groups of alerts from multiple Defender products β one incident tells the full attack story |
| Alerts | Individual detections from each Defender product |
| Hunting | Advanced hunting using KQL to search raw security data across all connected products |
| Secure Score | A single score showing the security posture across identity, devices, apps, and data |
| Threat Analytics | Reports on active threat campaigns with guidance on whether your environment is exposed |
| Action Center | Pending and completed remediation actions (automated and manual) |
Unified incident view
The most important feature of the Defender portal is the unified incident view. A single incident can contain:
- An email alert from Defender for Office 365
- A device alert from Defender for Endpoint
- An identity alert from Defender for Identity
- A cloud app alert from Defender for Cloud Apps
All correlated into one timeline showing the full attack chain. This saves analysts hours of manual correlation work.
Exam tip: Defender portal questions
When the exam asks about a βunified portal for managing incidents across endpoints, email, identity, and cloud appsβ β the answer is the Microsoft Defender portal at security.microsoft.com.
When it asks about βcorrelated incidents from multiple Defender productsβ β the answer is the unified incident view in the Defender portal.
When it asks about βproactive threat searching using KQL across Defender dataβ β the answer is Advanced Hunting in the Defender portal.
π¬ Video walkthrough
Flashcards
Knowledge check
SecureBank receives a phishing email targeting the finance team. One employee clicks the link and enters their password. The attacker then uses the stolen credentials to access a cloud file-sharing app and download financial data. Which Defender XDR capability ensures Alex sees the full attack chain β from phishing email to data exfiltration β in a single view?
Director Reyes asks: 'We already use Sentinel for our SIEM. Why do we also need Defender XDR?' Which response best explains the difference?
James notices that employees at SecureBank are using several cloud applications that the IT department never approved β file sharing tools, project management apps, and AI assistants. Which Defender XDR product should Alex use to discover and govern these unsanctioned applications?