Defender XDR and attack-surface management

How Microsoft Defender XDR unifies Defender for Office, Endpoint, Identity, and Cloud Apps into a single SOC workflow.

Microsoft Defender XDR (Extended Detection and Response) is the unified portal and correlation engine that ties Microsoft's Defender products together: Defender for Office 365 (email and collaboration), Defender for Endpoint (devices), Defender for Identity (on-premises Active Directory, with Entra ID signals through Entra ID Protection), Defender for Cloud Apps (SaaS), and — through integration — Defender for Cloud (Azure and multi-cloud workloads) and Microsoft Sentinel (SIEM).

Why XDR matters

A modern attack rarely touches only one workload. A phishing email leads to credential theft, which leads to a sign-in from a new device, which leads to lateral movement on AD, which leads to data exfiltration via a sanctioned SaaS app. Each of those events is detected by a different product, but to a human analyst they're one incident.

XDR's core trick is correlation: it groups related alerts from different products into a single incident, on the basis of shared entities (users, devices, mailboxes, files, IP addresses) and proximity in time, with the full timeline, the affected entities, and recommended response actions.
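The following advanced hunting query is an added example, not code from the page or from Microsoft: it does by hand, over the AlertInfo and AlertEvidence tables, roughly what incident correlation does automatically, listing accounts that two or more Defender products alerted on inside one 24-hour window. It assumes the alerts carry a User entity with AccountUpn populated; the 7-day lookback and 24-hour window are illustrative choices.

```kql
// Added example, not part of the original page or of Microsoft's product code.
// Accounts that several Defender products alerted on within one 24-hour window:
// the raw material that Defender XDR folds into a single incident.
// Assumption: alerts carry a User entity with AccountUpn filled in.
let lookback = 7d;
let window   = 24h;
AlertInfo
| where Timestamp > ago(lookback)
// rank severity so max() is meaningful (max() on the string would be alphabetical)
| extend SevRank = case(Severity == "High", 3, Severity == "Medium", 2, Severity == "Low", 1, 0)
| project AlertId, Title, ServiceSource, SevRank, AlertTime = Timestamp
| join kind=inner (
    AlertEvidence
    | where Timestamp > ago(lookback)
    | where EntityType == "User" and isnotempty(AccountUpn)
    | project AlertId, AccountUpn
  ) on AlertId
| summarize
    Products    = make_set(ServiceSource),   // e.g. Defender for Office 365 + Defender for Identity
    AlertTitles = make_set(Title),
    FirstAlert  = min(AlertTime),
    LastAlert   = max(AlertTime),
    MaxSevRank  = max(SevRank)
    by AccountUpn
// two or more products, close together in time: one story, not several
| where array_length(Products) >= 2 and LastAlert - FirstAlert <= window
| extend MaxSeverity = case(MaxSevRank == 3, "High", MaxSevRank == 2, "Medium", MaxSevRank == 1, "Low", "Informational")
| project-away MaxSevRank
| order by array_length(Products) desc, LastAlert desc
```

Alerts whose evidence is only a device (no user entity) are not returned by this query; the same shape works with EntityType == "Machine" and DeviceName as the join key.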

The XDR portal

The Defender XDR portal at security.microsoft.com is one place for:

  • Incidents and alerts — correlated, prioritised, with full attack timelines.
  • Advanced hunting — Kusto Query Language (KQL) across all Defender telemetry.
  • Automated investigation and response (AIR) — playbooks that triage and remediate automatically.
  • Threat analytics — Microsoft Threat Intelligence reports with tenant-specific exposure.
  • Attack surface management — discovery of internet-facing assets and weaknesses.
  • Email and collaboration — quarantine, submissions, message trace.
  • Endpoints — device inventory, vulnerability management, response actions.
  • Identities — account-centric view of risk and detections.
  • Cloud apps — connected app inventory and SaaS security posture management (SSPM) findings.
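As an added example of advanced hunting across product boundaries (not code from the page or from Microsoft), the query below traces the chain described earlier in raw telemetry: a phishing URL the user actually reached (UrlClickEvents, from Defender for Office 365), followed within 24 hours by a successful Entra sign-in from an IP address the account had not used in the previous 30 days (AADSignInEventsBeta), followed within 24 hours by a lateral-movement tool running under that account on a device (DeviceProcessEvents, from Defender for Endpoint). It assumes AADSignInEventsBeta is populated in the tenant, that 30 days is a usable baseline of normal sign-in IPs, and that the short tool list is a starting point rather than a complete signature; the time windows are illustrative.

```kql
// Added example, not part of the original page or of Microsoft's product code.
// Assumptions: AADSignInEventsBeta is populated; 30 days is enough baseline of
// "normal" sign-in IPs; lateralTools is an illustrative list, not a full signature.
let lookback    = 7d;
let baseline    = 30d;
let chainWindow = 24h;
let lateralTools = dynamic(["psexec.exe", "psexesvc.exe", "wmic.exe", "winrs.exe"]);
// 1. Phishing URLs a user actually reached (allowed, or clicked through the warning page)
let clicks =
    UrlClickEvents
    | where Timestamp > ago(lookback)
    | where ThreatTypes has "Phish"
    | where ActionType == "ClickAllowed" or IsClickedThrough == true
    | project AccountUpn, ClickTime = Timestamp, Url, NetworkMessageId;
// 2. Per-account baseline of IPs used for successful sign-ins before the hunt window
let knownIps =
    AADSignInEventsBeta
    | where Timestamp between (ago(baseline + lookback) .. ago(lookback))
    | where ErrorCode == 0
    | summarize KnownIps = make_set(IPAddress) by AccountUpn;
// 3. Successful sign-ins in the hunt window from an IP outside that baseline.
//    Accounts with no baseline at all must still be kept, hence the empty-array default.
let newIpSignins =
    AADSignInEventsBeta
    | where Timestamp > ago(lookback)
    | where ErrorCode == 0
    | join kind=leftouter knownIps on AccountUpn
    | extend KnownIps = iff(isnull(KnownIps), dynamic([]), KnownIps)
    | where not(set_has_element(KnownIps, IPAddress))
    | project AccountUpn, SigninTime = Timestamp, SigninIp = IPAddress, SigninDevice = DeviceName, Country;
// 4. Lateral-movement tooling run under the same account on any onboarded device
let lateral =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ (lateralTools)
    | project AccountUpn, ProcTime = Timestamp, DeviceName, FileName, ProcessCommandLine;
// Stitch the stages together per account, enforcing their order in time
clicks
| join kind=inner newIpSignins on AccountUpn
| project-away AccountUpn1
| where SigninTime between (ClickTime .. (ClickTime + chainWindow))
| join kind=inner lateral on AccountUpn
| project-away AccountUpn1
| where ProcTime between (SigninTime .. (SigninTime + chainWindow))
| project AccountUpn, ClickTime, Url, SigninTime, SigninIp, Country, SigninDevice,
          ProcTime, DeviceName, FileName, ProcessCommandLine
| order by AccountUpn asc, ClickTime asc
```

Each stage is a separate `let` so it can be run and tuned on its own before being joined; the last stage can be swapped for CloudAppEvents (for example, bulk download or external sharing actions) to hunt the exfiltration step of the same chain instead.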

Microsoft Sentinel integration

Sentinel is Microsoft's full SIEM/SOAR. A Sentinel workspace can now be onboarded into the Defender XDR portal as a unified surface: Defender XDR supplies the first-party signals, Sentinel the broader log ingestion (third-party firewalls, network gear, custom applications) and longer retention. The same KQL hunts then run across both sets of tables from the one advanced hunting page.

Microsoft Security Copilot

Microsoft Security Copilot is a paid AI assistant for SOC analysts, embedded in Defender XDR. It can summarise an incident in plain English, suggest hunting queries, write KQL from natural-language descriptions, and draft incident reports. It's an add-on to Defender XDR, billed per Security Compute Unit (SCU) per hour.

Operational model

XDR works best when the SOC organises around it:

  • A small team of analysts triage incidents in the portal, working them in severity order and escalating the ones that need deeper investigation.
  • AIR playbooks handle the routine cases (clear phishing, common malware).
  • Advanced hunting and threat-intel-driven proactive hunts catch what detections miss.
  • Lessons feed back into Conditional Access policies, attack surface reduction (ASR) rules on endpoints, and Purview data-protection policies — closing the loop.

For Microsoft 365 customers on E5, XDR is the centrepiece of the security stack. It's where the investment pays off.