Module Summary

10-14 hours · Module 1 · Free

What you learned in this module

Module 1 taught you how Defender XDR operates as a unified threat protection platform and how you use it to detect, investigate, and respond to threats that span email, identity, endpoints, and cloud applications.

The unified platform replaced four separate consoles (Section 1.1). Defender XDR brings Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps into a single portal at security.microsoft.com. Each product protects a specific domain and has specific blind spots. The correlation engine connects alerts from different products into unified incidents by matching shared entities. Automatic attack disruption can contain compromised accounts and isolate devices before an analyst opens the incident, cutting mean-time-to-contain from hours to minutes.

The incident queue is the starting point for every investigation (Section 1.2). Defender XDR correlates individual alerts into incidents based on shared entities. The 5-minute triage framework classifies every incident as True Positive, False Positive, Benign True Positive, or Unknown. The four-level investigation workflow (automated triage, analyst triage, deep investigation, advanced hunting) scales analyst effort to incident complexity. The containment sequence follows a strict order: collect evidence before you isolate, because isolation cuts off remote forensic access to volatile data.

The email protection stack works in layers (Section 1.3). Exchange Online Protection handles bulk filtering, Defender for Office 365 adds Safe Links and Safe Attachments, and ZAP retroactively removes threats discovered after delivery. Threat Explorer provides campaign-level visibility into phishing delivery, URL clicks, and attachment execution. AIR for email behaves differently under Plan 1 and Plan 2 licensing: Plan 2 enables automated remediation, while Plan 1 stops at recommendations.

Endpoint investigation follows process trees and response action sequences (Section 1.4). The device page aggregates alerts, timeline events, software inventory, and vulnerabilities for a single endpoint. Process trees show parent-child execution chains that reveal how malicious code ran. Response actions follow a specific order: collect investigation package, then isolate, then restrict app execution if needed. Entity investigation across files, IPs, URLs, and users determines the blast radius of an endpoint compromise.

Identity detection monitors on-premises AD and cloud authentication (Section 1.5). Defender for Identity sensors on domain controllers detect reconnaissance (LDAP enumeration), credential theft (Kerberoasting, DCSync), lateral movement (pass-the-hash, pass-the-ticket), and domain dominance (golden ticket, skeleton key). Lateral Movement Paths visualize how an attacker can traverse credential-sharing relationships between devices and accounts. Hybrid environments produce identity telemetry from both on-premises AD and Entra ID, with different detection capabilities in each.

Cloud app security covers discovery, governance, and session control (Section 1.6). Cloud Discovery identifies shadow IT through log analysis. App connectors provide deep SaaS visibility. Anomaly detection policies use behavioral baselines. OAuth app governance detects consent phishing by monitoring permission requests. Conditional Access App Control enforces real-time session policies. Post-compromise investigation focuses on CloudAppEvents for inbox rules, file downloads, and OAuth consent grants.

The daily SOC workflow is a structured routine, not reactive queue-watching (Section 1.7). The five-step shift start routine (queue scan, handover review, pipeline health check, threat analytics, Action Center) takes 15 minutes and provides situational awareness before you work the queue. ML-based incident prioritization surfaces rare signals over common noise. Documentation standards enable investigation continuity across shifts. The shift handover covers open incidents, pending actions, and environmental issues. Alert fatigue management through systematic false positive reduction directly improves detection effectiveness.

Cross-product correlation connects what the automation missed (Section 1.8). The Advanced Hunting schema maps specific tables to specific Defender products. Entity pivoting (user, IP, device, file hash) connects events across products that the correlation engine did not link. Cross-product union queries normalize different field names into consistent timelines. Four correlation patterns cover the most common multi-stage attacks. Automated correlation fails when attackers use different accounts at different stages, pause for days between actions, or when third-party data sources are involved.
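The cross-product union described above, as an added example that is not part of the course material: a KQL query for Advanced Hunting that pivots on one user across four Defender products and normalizes their differing field names (RecipientEmailAddress, AccountUpn, AccountName, AccountId) into a single timeline. The UPN, the 7-day window, and the assumption that CloudAppEvents.AccountId carries the UPN are placeholders and assumptions, not values from the course.

```kql
// Added example (not course material): one user, four products, one timeline.
let TargetUser = "user@contoso.example";                      // placeholder UPN
let TargetAccount = tostring(split(TargetUser, "@")[0]);     // sAMAccountName-style name used by device logon telemetry
let Start = ago(7d);                                          // assumed lookback window
let End = now();
union
(
    // Defender for Office 365: mail delivered to the user
    EmailEvents
    | where Timestamp between (Start .. End)
    | where RecipientEmailAddress =~ TargetUser
    | project Timestamp, Source = "Office365", Account = RecipientEmailAddress,
              Location = SenderFromAddress, Action = DeliveryAction,
              Detail = strcat(Subject, " | threats=", ThreatTypes), Ref = NetworkMessageId
),
(
    // Defender for Identity / Entra ID: authentication events
    IdentityLogonEvents
    | where Timestamp between (Start .. End)
    | where AccountUpn =~ TargetUser
    | project Timestamp, Source = "Identity", Account = AccountUpn,
              Location = IPAddress, Action = ActionType,
              Detail = strcat(Application, " via ", Protocol, " from ", DeviceName), Ref = tostring(ReportId)
),
(
    // Defender for Endpoint: local and remote logons on managed devices
    DeviceLogonEvents
    | where Timestamp between (Start .. End)
    | where AccountName =~ TargetAccount
    | project Timestamp, Source = "Endpoint", Account = strcat(AccountDomain, "\\", AccountName),
              Location = RemoteIP, Action = strcat(ActionType, " (", LogonType, ")"),
              Detail = DeviceName, Ref = tostring(ReportId)
),
(
    // Defender for Cloud Apps: SaaS activity such as inbox rules, downloads, consent grants
    CloudAppEvents
    | where Timestamp between (Start .. End)
    | where AccountId =~ TargetUser                           // assumption: AccountId holds the UPN for M365 workloads
    | project Timestamp, Source = "CloudApps", Account = AccountId,
              Location = IPAddress, Action = ActionType,
              Detail = strcat(Application, " ", ObjectName), Ref = tostring(ReportId)
)
| sort by Timestamp asc
```

Gaps of days between rows, or a switch from one Account value to another mid-sequence, are exactly the cases where the automated correlation engine stops linking alerts and the analyst has to carry the pivot manually.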

What's next

Module 2 expands on Section 1.4. Where this module taught you to investigate endpoint alerts in the XDR context, Module 2 teaches you to deploy, configure, and operationally manage Defender for Endpoint: onboarding, sensor configuration, ASR rules, EDR in block mode, device groups, and Threat and Vulnerability Management. The investigation skills from Module 1 become the operational context for every configuration decision in Module 2.
