Unify Threat Detection with Microsoft Defender XDR
Unified XDR across endpoints, email, identity, and cloud apps with Microsoft Defender.
About This Course
Microsoft Defender XDR unifies threat detection and response across endpoints, email, identity, and cloud applications into a single incident queue. This course covers the full platform — from understanding how alerts correlate into incidents, to investigating attack chains that span multiple workloads, to configuring automated response actions that contain threats before analysts even see them.
You will work in the unified security portal, investigating real attack scenarios that touch multiple Defender products. An identity compromise that leads to email exfiltration, a phishing attack that delivers malware to an endpoint, a cloud app credential theft that triggers impossible travel detection — these are the multi-stage attacks that XDR is designed to catch, and this course teaches you to investigate and respond to them.
Advanced hunting with KQL is a major focus. You will write cross-workload queries that join endpoint telemetry with identity events and email metadata. This is where XDR delivers value that individual products cannot — the ability to see an entire attack chain from initial access to data exfiltration in a single query.
What You'll Learn
Investigate incidents across Defender for Endpoint, Identity, Office 365, and Cloud Apps
Use advanced hunting with KQL to correlate threats across the entire XDR stack
Configure automatic attack disruption and response actions
Manage the unified security portal for multi-workload incident management
Prerequisites
- Experience with at least one Microsoft Defender product is recommended
- A Microsoft 365 tenant with Defender licensing for hands-on practice — a trial works
Who Is This Course For
This course is for security analysts and SOC professionals who use Microsoft Defender products and want to work with the unified XDR platform. If your organization runs Defender for Endpoint alongside Defender for Identity or Office 365, this course teaches you to investigate threats that span those products. Experience with at least one Defender product is recommended.
What's Inside
Defender XDR Architecture
- Unified incident queue and alert correlation
- Defender product integration and data flow
- Portal navigation and workspace configuration
- Licensing and deployment prerequisites
Incident Investigation
- Multi-workload incident analysis
- Attack chain reconstruction across endpoints, email, and identity
- Evidence collection and entity investigation
- Incident classification and response actions
Advanced Hunting
- KQL queries across Defender tables
- Cross-workload threat hunting scenarios
- Custom detection rules from hunting queries
- Threat intelligence integration
Automated Response
- Automatic attack disruption configuration
- Automated investigation and remediation
- Custom response actions and playbooks
- Alert tuning and false positive management