This chapter covers Microsoft Defender XDR, Microsoft's unified extended detection and response platform that integrates signals across endpoints, email, identities, cloud apps, and data. For the SC-900 exam, this topic appears in roughly 10-15% of questions under objective 3.3, focusing on understanding the core capabilities, the integrated incident response workflow, and how Defender XDR differs from individual Defender products. You will need to identify which signals feed into the portal and how automated investigation and response (AIR) works.
Imagine a large corporate campus with multiple security teams: one watches the front gate (email), another patrols the parking lot (endpoints), a third monitors the lobby cameras (cloud apps), and a fourth checks badges at internal doors (identities). Each team has its own logbook and radio channel, but they rarely talk to each other. An intruder might tailgate through the front gate, steal a laptop from the parking lot, and use that laptop to access a secure server room. Each team sees only a fragment of the incident — the gate log shows an unauthorized entry, the parking lot log shows a missing laptop, and the server room log shows an unknown user. Individually, none of these events trigger an alarm. Microsoft Defender XDR is like a central command center with a unified radio system and a shared digital whiteboard. All security signals from every team flow into this center in real time. A correlation engine automatically links the gate breach, the laptop theft, and the server access into a single incident, determines the attacker's identity, and triggers a coordinated response — locking the stolen laptop's access, revoking the user's credentials, and alerting all teams. The command center also provides a single pane of glass for the security director to see the full attack story, investigate root cause, and orchestrate remediation. Without this unification, each team operates in a silo, missing the big picture and delaying response by hours or days.
What is Microsoft Defender XDR?
Microsoft Defender XDR (Extended Detection and Response) is a unified security operations platform that correlates alerts and signals from multiple Microsoft Defender products into a single incident view. It was formerly known as Microsoft 365 Defender and was rebranded in late 2023. The platform ingests data from:
Microsoft Defender for Endpoint (endpoint detection and response)
Microsoft Defender for Office 365 (email and collaboration security)
Microsoft Defender for Identity (on-premises Active Directory signals)
Microsoft Defender for Cloud Apps (SaaS application security)
Microsoft Defender for Cloud (cloud workload protection)
Defender XDR is not a replacement for these individual products but rather a layer above them that provides cross-domain correlation, automated investigation, and unified response actions.
Why It Exists
Traditional security operations rely on separate tools for endpoints, email, identities, and cloud apps. This creates alert fatigue, blind spots, and slow response times because analysts must manually correlate events across consoles. Defender XDR addresses this by:
Automatically linking related alerts from different domains into a single incident.
Providing a unified queue for triage and investigation.
Enabling cross-domain response actions (e.g., isolating an endpoint AND blocking the attacker's identity).
Using AI and machine learning to automate investigation and suggest remediation.
How It Works Internally
Defender XDR operates on a data fusion model. Each Defender product sends its alerts and raw signals to a common backend in Microsoft 365. The correlation engine uses a graph-based approach to connect entities (users, devices, IPs, mailboxes) and alerts based on shared attributes like:
User account names (UPN)
Device IDs
IP addresses
File hashes
Email message IDs
Tenant IDs
When a user clicks a malicious link in an email, Defender for Office 365 generates an alert. Simultaneously, Defender for Endpoint may detect the same file being downloaded on the user's device. The correlation engine sees that the email recipient and the device user share the same UPN, and the file hash matches. It then merges both alerts into a single incident with a severity score determined by the highest individual alert severity plus any additional correlation factors.
Key Components, Values, Defaults, and Timers
Incident Queue: The primary view in the Defender XDR portal (https://security.microsoft.com). Incidents are sorted by severity (Informational, Low, Medium, High, Critical). Each incident has a unique ID, a title auto-generated from the top alert, and a list of associated alerts and assets.
Alert Correlation: Alerts are correlated based on entities within a time window of up to 48 hours. The system uses machine learning to determine if alerts are part of the same attack chain.
Automated Investigation: When an incident is created, Defender XDR may automatically trigger an investigation. The default timeout for an automated investigation is 2 hours, but can be extended. Each investigation has a status (Pending, Running, Terminated, No Threats Found, Remediated, Partially Remediated, Failed).
AIR (Automated Investigation and Response): This feature runs playbooks that include actions like:
Quarantining a file
Isolating a device
Disabling a user account
Blocking a URL or IP
Soft-deleting an email
Each action is either taken automatically (if the confidence level is high) or left pending approval.
Incident Triage: Incidents can be assigned to analysts, classified (True positive, False positive, Informational), and given a determination (e.g., Malware, Phishing, Unwanted software).
Advanced Hunting: A Kusto Query Language (KQL)-based query interface that allows searching across all raw data from all Defender products. Data retention is 30 days by default, extendable to 1 year with additional licensing.
Microsoft Graph Security API: Enables integration with third-party SIEMs like Sentinel or Splunk. The API exposes incidents and alerts.
Configuration and Verification Commands
While SC-900 does not require hands-on configuration, you should be familiar with the portal navigation. Key settings are found under:
Settings > Microsoft 365 Defender > General: Toggle AIR on/off, set approval modes.
Settings > Microsoft 365 Defender > Email & collaboration: Configure Defender for Office 365 policies.
Settings > Endpoints: Manage Defender for Endpoint onboarding.
To verify the integration status of each Defender product, navigate to Settings > Microsoft 365 Defender > General > Connected services. Here you can see whether Defender for Identity, Cloud Apps, etc., are connected.
How It Interacts with Related Technologies
Microsoft Sentinel: Sentinel is a SIEM that can ingest alerts from Defender XDR via the Graph API. While Defender XDR provides unified incident management for Microsoft security products, Sentinel aggregates data from any source (including third-party). In many enterprises, Sentinel is the single pane of glass, and Defender XDR feeds into it.
Microsoft Intune: Defender for Endpoint can share device risk scores with Intune for Conditional Access. Defender XDR incidents may trigger device compliance policies.
Azure AD Identity Protection: Identity Protection provides risk scores for users and sign-ins. Defender XDR can use these signals to correlate identity-based attacks.
Microsoft Purview Compliance Portal: While Purview focuses on data governance and compliance, Defender XDR can surface alerts related to data exfiltration (e.g., via Defender for Cloud Apps).
Exam-Relevant Details
Defender XDR is licensed per user (Microsoft 365 E5, Microsoft 365 E5 Security, or standalone Defender XDR license).
The portal URL is https://security.microsoft.com.
Incidents are the primary entity; alerts are grouped into incidents.
Automated investigation can be set to run automatically or require approval for remediation actions.
Advanced Hunting uses KQL.
Defender XDR does NOT replace Microsoft Sentinel; it complements it.
The integration between Defender products is seamless because they all share the same backend and entity schema.
Step-by-Step Incident Flow
Signal Ingestion: Individual Defender products generate alerts based on their detection rules. Example: Defender for Office 365 detects a phishing email with a malicious URL.
Correlation: The Defender XDR backend analyzes the alert and links it to other alerts from the same user, device, or IP within the past 48 hours. If a device also downloaded a file from that URL, Defender for Endpoint's alert is merged.
Incident Creation: A new incident is created with a severity based on the highest alert severity. The incident includes a timeline of all related events.
Automated Investigation: If enabled, an investigation begins. The investigation runs playbooks that check for other affected entities and may take automatic remediation actions.
Triage and Response: Analysts review the incident in the queue, classify it, assign it, and either approve pending actions or take additional manual steps.
Post-Incident: The incident is resolved with a determination and classification. Data remains available for advanced hunting for 30 days.
Bullet Points for Key Facts
Defender XDR correlates alerts from: Endpoint, Office 365, Identity, Cloud Apps, and Defender for Cloud.
The correlation window is up to 48 hours.
Automated investigation timeout default: 2 hours.
Advanced Hunting data retention: 30 days default.
Portal: security.microsoft.com.
Licensing: M365 E5, M365 E5 Security, or standalone.
Incidents group multiple alerts; severity is inherited from the highest alert.
AIR can be fully automatic or require approval.
KQL is used for advanced hunting.
Defender XDR feeds into Microsoft Sentinel via Graph API.
Signal Ingestion from Defender Products
Each Microsoft Defender product (Endpoint, Office 365, Identity, Cloud Apps, Cloud) continuously monitors its domain and generates alerts when suspicious activity is detected. For example, Defender for Office 365 scans email attachments and URLs in real time. When a user clicks a malicious link, it triggers an alert containing the user's UPN, device IP, and the URL. Defender for Endpoint on the same device may detect a file download from that URL and generate a separate alert with the device ID and file hash. Both alerts are sent to the Defender XDR backend via secure API calls within seconds.
Correlation and Incident Creation
The Defender XDR correlation engine receives all alerts and uses entity matching to group related alerts. It compares fields like user UPN, device ID, IP address, file hash, and email message ID. If two alerts share the same UPN and occur within 48 hours, they are considered part of the same attack. The engine then creates an incident with a unique ID and sets its severity to the highest severity among the correlated alerts. The incident title is auto-generated from the most significant alert. For example, 'Investigation initiated by automated investigation' or 'Malware detected on endpoint and email.'
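As an added example (not Microsoft's code or this page's own), the following Python models the entity-matching rule described under "How It Works Internally" and in this section: each alert carries its entities, alerts that share one within the 48-hour window are merged into an incident, and the incident's severity and title are inherited from the top alert. The alert field names, timestamps, IPs, hash, message ID and UPN are all constructed.

```python
"""Toy model of the alert correlation the chapter describes (added example, not
Microsoft code): alerts sharing an entity within 48 hours are merged into one
incident whose severity is the highest alert severity. Sample data is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
CORRELATION_WINDOW = timedelta(hours=48)
ENTITY_FIELDS = ("upn", "device_id", "ip", "file_hash", "message_id")

@dataclass
class Alert:
    alert_id: str
    product: str    # Defender product that raised the alert
    title: str
    severity: str
    time: datetime
    entities: dict = field(default_factory=dict)  # subset of ENTITY_FIELDS

@dataclass
class Incident:
    incident_id: int
    alerts: list

    @property
    def severity(self) -> str:  # inherited from the most severe alert
        return max((a.severity for a in self.alerts), key=SEVERITY_RANK.__getitem__)

    @property
    def title(self) -> str:  # auto-generated from the top alert (earliest on ties)
        return min(self.alerts, key=lambda a: (-SEVERITY_RANK[a.severity], a.time)).title

def shares_entity(a: Alert, b: Alert) -> bool:  # same value in any entity field
    return any(f in a.entities and a.entities[f] == b.entities.get(f) for f in ENTITY_FIELDS)

def correlate(alerts: list[Alert]) -> list[Incident]:
    """Union-find over time-sorted alerts: an edge joins two alerts that share an
    entity and lie within the window; each connected component is one incident."""
    alerts = sorted(alerts, key=lambda a: a.time)
    parent = list(range(len(alerts)))
    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, a in enumerate(alerts):
        for j in range(i + 1, len(alerts)):
            if alerts[j].time - a.time > CORRELATION_WINDOW:
                break  # sorted by time, so no later alert is within the window either
            if shares_entity(a, alerts[j]):
                parent[find(i)] = find(j)
    groups: dict[int, list[Alert]] = {}
    for i, a in enumerate(alerts):
        groups.setdefault(find(i), []).append(a)
    return [Incident(n, g) for n, g in enumerate(groups.values(), start=1)]

# Constructed alerts following Enterprise Scenario 1, plus a same-user alert 4 days later.
T0 = datetime(2024, 3, 4, 9, 0)
UPN = "fin.manager@contoso.example"
SAMPLE_ALERTS = [
    Alert("a1", "Defender for Office 365", "Malicious URL click", "Medium", T0,
          {"upn": UPN, "message_id": "msg-0001", "ip": "203.0.113.7"}),
    Alert("a2", "Defender for Identity", "Anomalous sign-in", "Medium",
          T0 + timedelta(hours=2), {"upn": UPN, "ip": "203.0.113.7"}),
    Alert("a3", "Defender for Endpoint", "Malware detected on endpoint", "High",
          T0 + timedelta(hours=5),
          {"upn": UPN, "device_id": "dev-7f3a", "file_hash": "<constructed-sha256>"}),
    Alert("a4", "Defender for Cloud Apps", "Mass download by user", "Low",
          T0 + timedelta(days=4), {"upn": UPN}),  # outside the 48-hour window
]
if __name__ == "__main__":  # one line per incident
    for inc in correlate(SAMPLE_ALERTS):
        print(f"Incident {inc.incident_id} [{inc.severity}] {inc.title}: {len(inc.alerts)} alerts")
```

Running it yields two incidents: the three scenario alerts merge into one High-severity incident titled from the endpoint alert, while the Cloud Apps alert four days later stays separate despite the shared UPN.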
Automated Investigation and Response
If automated investigation is enabled, the incident triggers a playbook. The investigation runs actions such as collecting additional data (e.g., file reputation, user sign-in logs) and determining if the threat is confirmed. Based on the confidence level, the system may automatically take remediation actions like isolating the device, quarantining the file, or disabling the user account. The default timeout for an investigation is 2 hours. If the investigation cannot complete within that time, it is terminated and the incident is escalated for manual review. Each action taken is logged in the incident timeline.
Triage and Classification in Incident Queue
Security analysts monitor the incident queue in the Defender XDR portal. Incidents are displayed with severity, status, and number of alerts. Analysts can assign incidents to themselves or others, add comments, and change the status (Active, In Progress, Resolved). They must classify each incident as True positive, False positive, or Informational, and provide a determination (e.g., Malware, Phishing, Unwanted software). This classification helps improve future correlation and reporting. Analysts can also manually add or remove alerts from an incident if the correlation was incorrect.
Remediation and Resolution
After analysis, the analyst takes any remaining remediation actions. This may include approving pending automated actions, running additional manual actions (e.g., deleting emails from all inboxes, resetting user passwords), or using advanced hunting to find other affected entities. Once all actions are complete, the incident is set to Resolved. The incident remains in the queue for 30 days for reference. The entire incident lifecycle is recorded for audit and reporting purposes.
Enterprise Scenario 1: Phishing Attack Leading to Endpoint Compromise
A large enterprise with 10,000 employees uses Microsoft 365 E5, including Defender for Office 365 and Defender for Endpoint. An attacker sends a spear-phishing email with a malicious macro-enabled document to a finance manager. Defender for Office 365's safe attachments feature detonates the document in a sandbox and blocks it for all users. However, the finance manager clicks a link in the email body that leads to a credential harvesting site. Defender for Office 365 generates an alert for 'Malicious URL click.' The attacker then uses the stolen credentials to log into the corporate VPN from a suspicious IP. Defender for Identity detects the anomalous sign-in and generates an alert. The attacker then downloads a payload to the finance manager's laptop, which Defender for Endpoint detects as 'TrojanDownloader:MSIL/Adload.' All three alerts are correlated by Defender XDR into a single incident. The automated investigation isolates the laptop, resets the user's password, and blocks the IP. The SOC analyst reviews the incident, classifies it as true positive (Phishing), and resolves it. Without Defender XDR, these alerts would be scattered across three consoles, and the SOC might take hours to connect them.
Enterprise Scenario 2: Insider Data Exfiltration via Cloud App
A disgruntled employee uses their corporate credentials to access a sensitive SharePoint site and downloads hundreds of files to a personal OneDrive account. Defender for Cloud Apps detects the unusual download volume and generates an alert for 'Mass download by user.' Simultaneously, Defender for Identity detects that the user's sign-in occurred from an unfamiliar location (their home IP after hours). Defender XDR correlates these alerts into an incident. The automated investigation flags the user as high risk and suggests disabling the account. The SOC analyst approves the action, and the user's access is revoked. The incident is classified as true positive (Data exfiltration). This scenario highlights how cross-domain correlation catches insider threats that would be missed by endpoint-only detection.
Common Misconfigurations and Pitfalls
Licensing Gaps: If only some users have E5 licenses, Defender XDR will only correlate alerts for those licensed users. Partial deployment leads to blind spots.
Disconnected Products: If Defender for Identity or Cloud Apps is not fully configured, their alerts won't feed into Defender XDR, breaking correlation.
Over-reliance on Automation: Some organizations enable full automatic remediation without testing, leading to false positives causing business disruption (e.g., isolating a CEO's laptop due to a false positive). Best practice is to start with approval mode.
Ignoring Advanced Hunting: Many SOCs rely only on the incident queue and miss the deeper investigative power of KQL queries. Advanced hunting can uncover dormant threats and IOCs that didn't trigger alerts.
What SC-900 Tests on Defender XDR (Objective 3.3)
The SC-900 exam focuses on conceptual understanding and feature recognition. You will NOT be asked to write KQL queries or configure policies. Instead, expect questions that:
Identify the primary purpose of Defender XDR (unified incident management across domains).
Differentiate Defender XDR from individual Defender products.
Recognize which signals feed into Defender XDR (Endpoint, Office 365, Identity, Cloud Apps, Cloud).
Understand the incident lifecycle: alert correlation -> incident -> automated investigation -> remediation.
Know the portal URL (security.microsoft.com).
Know that Advanced Hunting uses KQL.
Know that automated investigation can be automatic or require approval.
Common Wrong Answers and Why Candidates Choose Them
1. Wrong answer: 'Microsoft Defender XDR replaces Microsoft Sentinel.' Why chosen: Both are security platforms, and candidates confuse correlation with SIEM. Reality: Defender XDR is a unified incident management tool for Microsoft security products, while Sentinel is a cloud-native SIEM that ingests data from many sources. They complement each other.
2. Wrong answer: 'Defender XDR only works with Defender for Endpoint.' Why chosen: Candidates focus on endpoint security and forget the other products. Reality: Defender XDR integrates five Defender products.
3. Wrong answer: 'Automated investigation always takes remediation actions without human approval.' Why chosen: The term 'automated' implies full automation. Reality: Automation can be configured to require approval for actions.
4. Wrong answer: 'Defender XDR is a SIEM tool.' Why chosen: Candidates see 'detection and response' and assume SIEM functionality. Reality: It is an XDR tool, not a SIEM. It does not ingest third-party logs natively.
Specific Numbers and Terms on the Exam
Correlation window: 48 hours.
Investigation timeout: 2 hours.
Advanced Hunting data retention: 30 days.
Portal: security.microsoft.com.
Licensing: Microsoft 365 E5, Microsoft 365 E5 Security, or standalone.
Incident severity levels: Informational, Low, Medium, High, Critical.
Edge Cases and Exceptions
If a user is not licensed for Defender XDR, their alerts will still appear in their respective Defender product consoles but will NOT be correlated into Defender XDR incidents.
Automated investigation can be paused or stopped manually.
Some alerts may be 'informational' and not trigger an incident unless they correlate with other alerts.
Defender for Cloud (workload protection) integration is newer and may not be fully covered in older exam versions, but it is in the current blueprint.
How to Eliminate Wrong Answers
If an answer mentions correlation of signals from different domains, it is likely about Defender XDR.
If an answer mentions a single domain (e.g., only endpoints), it is likely about a specific Defender product.
If an answer mentions 'SIEM' or 'third-party log ingestion,' it is likely about Sentinel, not Defender XDR.
If an answer mentions 'automated investigation without approval,' check if the question specifies 'by default' — the default is approval mode, but it can be changed.
Microsoft Defender XDR correlates alerts from Defender for Endpoint, Office 365, Identity, Cloud Apps, and Cloud into unified incidents.
The correlation window for linking alerts is 48 hours.
Automated investigation and response (AIR) can be set to automatic or require approval for remediation actions.
The Defender XDR portal is located at https://security.microsoft.com.
Advanced Hunting uses Kusto Query Language (KQL) and retains data for 30 days by default.
Defender XDR requires Microsoft 365 E5, Microsoft 365 E5 Security, or a standalone license.
Incidents are the primary entity; alerts are grouped into incidents.
Defender XDR complements Microsoft Sentinel; it does not replace it.
The default timeout for an automated investigation is 2 hours.
Incident severity levels range from Informational to Critical.
Defender XDR does not ingest third-party logs natively; that is Sentinel's role.
Analysts classify incidents as True positive, False positive, or Informational with a determination.
These come up on the exam all the time. Here's how to tell them apart.
Microsoft Defender XDR
Unified incident management for Microsoft security products only.
No native third-party log ingestion.
Data retention: 30 days for Advanced Hunting.
Built-in automated investigation and response (AIR) with playbooks.
Licensed per user (E5 or standalone).
Microsoft Sentinel
Cloud-native SIEM that ingests logs from any source (including third-party).
Supports custom log sources via API or connectors.
Data retention: configurable up to 2 years (or more with hot/cold tiers).
Automation via Logic Apps playbooks (more customizable).
Licensed per GB of data ingested (pay-as-you-go).
Defender XDR Incident Correlation
Automatic correlation based on entity matching (UPN, device ID, IP, etc.).
Correlation window: up to 48 hours.
Reduces alert fatigue by grouping related alerts.
Faster detection of multi-stage attacks.
Requires proper licensing and product configuration.
Manual Correlation by SOC Analysts
Analysts manually correlate alerts across consoles.
No time window limit but slow and error-prone.
High risk of missing connections between alerts.
Delayed response (hours to days).
No additional licensing cost but high operational overhead.
Mistake
Defender XDR is a SIEM tool that replaces Microsoft Sentinel.
Correct
Defender XDR is an XDR (extended detection and response) platform that correlates alerts from Microsoft security products. It is not a SIEM; it does not ingest third-party logs or provide long-term retention. Sentinel is the SIEM that can ingest data from Defender XDR and other sources.
Mistake
Defender XDR automatically remediates all threats without human intervention.
Correct
Automated investigation and response (AIR) can be configured to require approval for remediation actions. By default, suspicious actions are pending approval. Full automation is possible but must be explicitly enabled.
Mistake
Defender XDR only works with Defender for Endpoint.
Correct
Defender XDR integrates with five Defender products: Endpoint, Office 365, Identity, Cloud Apps, and Cloud. It correlates alerts across all of them.
Mistake
All Microsoft 365 subscribers have access to Defender XDR.
Correct
Defender XDR requires Microsoft 365 E5, Microsoft 365 E5 Security, or a standalone license. Basic E3 or E1 licenses do not include it.
Mistake
Advanced Hunting in Defender XDR uses SQL.
Correct
Advanced Hunting uses Kusto Query Language (KQL), not SQL. KQL is optimized for large-scale data exploration and is distinct from SQL syntax.
Microsoft Defender XDR is the new name for Microsoft 365 Defender, rebranded in late 2023. They are the same product. The exam may still use the old name in older question banks, but the current official name is Microsoft Defender XDR.
Yes, Defender XDR requires either Microsoft 365 E5, Microsoft 365 E5 Security, or a standalone Defender XDR license. Individual Defender products like Defender for Endpoint Plan 1 or 2 may be licensed separately, but to use the unified portal and correlation, you need the XDR license.
No, Defender XDR does not natively ingest third-party logs. It only correlates alerts from Microsoft Defender products. To bring in third-party data, you would use Microsoft Sentinel, which can ingest from many sources and then integrate with Defender XDR via the Graph API.
Alerts typically appear within minutes of detection. The correlation engine runs continuously, so incidents are created shortly after related alerts are generated. The exact time depends on the product and the complexity of the event.
By default, automated investigation runs automatically when an incident is created, but remediation actions (like isolating a device) require approval from a security analyst. You can change this setting to fully automatic or disable automated investigation entirely.
Yes, Defender XDR is a standalone product. Many organizations use it as their primary incident management tool for Microsoft security products. Sentinel is optional and typically added when there is a need to aggregate data from non-Microsoft sources.
Advanced Hunting is a query-based tool that allows you to search raw data from all Defender products using KQL. It is used for deep investigations, threat hunting, and creating custom detections. The incident queue shows only correlated alerts that triggered incidents, while Advanced Hunting gives access to all telemetry, including events that didn't trigger alerts.