Microsoft Defender XDR
Intermediate

Unify Threat Detection with Microsoft Defender XDR

Unified XDR across endpoints, email, identity, and cloud apps with Microsoft Defender.

Ready to Start?

Take your Microsoft Defender XDR skills to the next level with hands-on training.

Start Learning

What You Will Learn

Investigate incidents across Defender for Endpoint, Identity, Office 365, and Cloud Apps
Use advanced hunting with KQL to correlate threats across the entire XDR stack
Configure automatic attack disruption and response actions
Manage the unified security portal for multi-workload incident management

Microsoft Defender XDR unifies threat detection and response across endpoints, email, identity, and cloud applications into a single incident queue. This course covers the full platform — from understanding how alerts correlate into incidents, to investigating attack chains that span multiple workloads, to configuring automated response actions that contain threats before analysts even see them.

You will work in the unified security portal, investigating real attack scenarios that touch multiple Defender products. An identity compromise that leads to email exfiltration, a phishing attack that delivers malware to an endpoint, a cloud app credential theft that triggers impossible travel detection — these are the multi-stage attacks that XDR is designed to catch, and this course teaches you to investigate and respond to them.

Advanced hunting with KQL is a major focus. You will write cross-workload queries that join endpoint telemetry with identity events and email metadata. This is where XDR delivers value that individual products cannot — the ability to see an entire attack chain from initial access to data exfiltration in a single query.
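The following query is an added example written for this page, not course material or Microsoft sample code. It shows the kind of cross-workload hunt described above: a phishing attachment that Defender for Office 365 delivered to a mailbox, the same file hash later written to disk on a Defender for Endpoint device, and a process that ran from it. The table and column names are from the Defender advanced hunting schema; the seven-day lookback, the one-hour execution window and the list of Office host processes are assumptions to tune for your tenant.

```kql
// Added example (not from the course): trace a delivered phishing attachment
// from Defender for Office 365 to execution on a Defender for Endpoint device.
// lookback, the 1h window and officeHosts are assumptions; tune per tenant.
let lookback = 7d;
let officeHosts = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
// 1. Attachments on messages that actually reached a mailbox. EmailEvents has
//    one row per recipient, EmailAttachmentInfo one row per attachment, so the
//    join uses both the message id and the recipient to avoid a fan-out.
let DeliveredAttachments =
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where isnotempty(SHA256)
    | join kind=inner (
        EmailEvents
        | where Timestamp > ago(lookback)
        | where DeliveryAction == "Delivered"
        | project NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Subject,
                  EmailTime = Timestamp
    ) on NetworkMessageId, RecipientEmailAddress
    | project NetworkMessageId, AttachmentSHA256 = SHA256, AttachmentName = FileName,
              RecipientEmailAddress, SenderFromAddress, Subject, EmailTime;
// 2. The same hash appearing as a newly created file on any onboarded device.
let AttachmentOnDisk =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated"
    | project AttachmentSHA256 = SHA256, DeviceId, DeviceName, FolderPath,
              FileWriteTime = Timestamp;
// 3. A process on that device within an hour of the write that is either the
//    attachment itself (dropped executable/script) or a child of an Office
//    host (macro or exploit pattern).
DeliveredAttachments
| join kind=inner AttachmentOnDisk on AttachmentSHA256
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | project DeviceId, ProcessTime = Timestamp, ReportId, AccountUpn,
              ProcessSHA256 = SHA256, ProcessName = FileName, ProcessCommandLine,
              InitiatingProcessFileName
) on DeviceId
| where ProcessTime between (FileWriteTime .. (FileWriteTime + 1h))
| where ProcessSHA256 == AttachmentSHA256 or InitiatingProcessFileName in~ (officeHosts)
// Timestamp, ReportId and DeviceId are kept so the query can be saved as a
// custom detection rule that acts on the device.
| project Timestamp = ProcessTime, ReportId, DeviceId, DeviceName, AccountUpn,
          SenderFromAddress, RecipientEmailAddress, Subject, AttachmentName,
          AttachmentSHA256, FolderPath, ProcessName, ProcessCommandLine,
          InitiatingProcessFileName
| order by Timestamp desc
```

Two practitioner notes. First, each stage filters by time before joining; joining unfiltered tables across workloads is the most common reason a cross-workload hunt times out or hits the result cap. Second, if you turn a hunt like this into a custom detection rule, the final projection must include Timestamp, ReportId and at least one entity column (DeviceId here), and those should come from the table whose entity the rule's response action targets; taking ReportId from the wrong side of a join produces a rule that fires but cannot isolate the device or quarantine the file.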

Curriculum

Defender XDR Architecture

  • Unified incident queue and alert correlation
  • Defender product integration and data flow
  • Portal navigation and workspace configuration
  • Licensing and deployment prerequisites

Incident Investigation

  • Multi-workload incident analysis
  • Attack chain reconstruction across endpoints, email, and identity
  • Evidence collection and entity investigation
  • Incident classification and response actions

Advanced Hunting

  • KQL queries across Defender tables
  • Cross-workload threat hunting scenarios
  • Custom detection rules from hunting queries
  • Threat intelligence integration

Automated Response

  • Automatic attack disruption configuration
  • Automated investigation and remediation
  • Custom response actions and playbooks
  • Alert tuning and false positive management

Who Is This For

This course is for security analysts and SOC professionals who use Microsoft Defender products and want to work with the unified XDR platform. If your organization runs Defender for Endpoint alongside Defender for Identity or Office 365, this course teaches you to investigate threats that span those products. Experience with at least one Defender product is recommended.

Christopher Nett

Security Architect at Microsoft

CISSP, CCSP, CISM, M.Sc. IT Security, MBA

20+ courses, 100,000+ students. I build and teach Microsoft Security, Azure, and AI courses based on what I deploy and operate daily.
