Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.2.3. Microsoft Defender XDR

💡 First Principle: Microsoft Defender XDR (Extended Detection and Response) is a unified threat protection platform that correlates signals across endpoints, email, identity, and cloud apps to detect and respond to attacks that individual point solutions would miss. It's the difference between having five separate smoke detectors and having a fire alarm system that knows which rooms are connected.

A single security product watching only email might catch a phishing email. But if the same attacker also compromises a device, moves laterally, and exfiltrates data through a cloud app — and those are three separate products with no visibility into each other — the attack succeeds. XDR correlates those signals into one incident.

Microsoft Defender XDR is made up of several integrated products:

| Defender Product | What It Protects | Key Capability |
| --- | --- | --- |
| Defender for Endpoint | Windows, Mac, Linux, iOS, Android devices | Threat detection, EDR, vulnerability management |
| Defender for Office 365 | Email (Exchange Online), Teams, SharePoint links | Safe Links, Safe Attachments, anti-phishing |
| Defender for Identity | On-premises Active Directory + Entra ID | Detects identity-based attacks (pass-the-hash, lateral movement) |
| Defender for Cloud Apps | SaaS applications (Salesforce, Box, etc.) | Shadow IT discovery, session control, anomaly detection |
| Defender Vulnerability Management | Devices and software | Identifies and prioritizes security weaknesses |

All of these feed into the unified Microsoft Defender portal at security.microsoft.com, where security teams investigate incidents, run threat hunting queries, and manage automated response actions.
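To make the correlation idea concrete, here is a small added example (written for this page, not Microsoft code and not how Defender XDR is implemented internally). It takes alerts raised by different Defender products and stitches them into incidents whenever two alerts share an entity (a user or a device) and fire within a time window, with linkage applied transitively. All alert IDs, user names, device names and timestamps are constructed; the product names come from the table above.

```python
"""Toy XDR-style alert correlation: constructed example, not Defender XDR code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations


@dataclass(frozen=True)
class Alert:
    alert_id: str
    product: str            # which Defender product raised the alert
    title: str
    time: datetime
    entities: frozenset     # (entity_type, value) pairs that can link alerts together


# Constructed sample alerts (hypothetical users, devices and times).
T0 = datetime(2026, 1, 15, 9, 0)
SAMPLE_ALERTS = [
    Alert("A1", "Defender for Office 365", "Malicious URL clicked in email",
          T0, frozenset({("user", "alice")})),
    Alert("A2", "Defender for Endpoint", "Suspicious process launched from browser download",
          T0 + timedelta(minutes=3), frozenset({("user", "alice"), ("device", "LAPTOP-01")})),
    Alert("A3", "Defender for Identity", "Suspected pass-the-hash from LAPTOP-01",
          T0 + timedelta(minutes=40), frozenset({("device", "LAPTOP-01"), ("user", "svc-backup")})),
    Alert("A4", "Defender for Cloud Apps", "Impossible travel sign-in to SaaS app",
          T0 + timedelta(hours=5), frozenset({("user", "bob")})),
    # Same device as A2/A3, but three days later: outside the default window.
    Alert("A5", "Defender for Endpoint", "Unsigned driver loaded",
          T0 + timedelta(days=3), frozenset({("device", "LAPTOP-01")})),
]


def correlate(alerts, window=timedelta(hours=24)):
    """Group alerts into incidents.

    Two alerts are linked when they share at least one entity and fire within
    `window` of each other; links are transitive (union-find), so an email
    alert can end up in the same incident as an identity alert it never
    shares an entity with directly, via an endpoint alert that bridges them.
    """
    ordered = sorted(alerts, key=lambda a: a.time)
    parent = {a.alert_id: a.alert_id for a in ordered}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(x, y):
        parent[find(x)] = find(y)

    # `ordered` is time-sorted, so b.time >= a.time for every pair below.
    for a, b in combinations(ordered, 2):
        if a.entities & b.entities and b.time - a.time <= window:
            union(a.alert_id, b.alert_id)

    groups = {}
    for a in ordered:
        groups.setdefault(find(a.alert_id), []).append(a)

    incidents = []
    for members in groups.values():
        incidents.append({
            "alert_ids": [m.alert_id for m in members],
            "products": sorted({m.product for m in members}),
            "entities": sorted(set().union(*(m.entities for m in members))),
            "first_seen": members[0].time,
        })
    incidents.sort(key=lambda i: i["first_seen"])
    return incidents


if __name__ == "__main__":
    for n, inc in enumerate(correlate(SAMPLE_ALERTS), start=1):
        print(f"Incident {n}: alerts={inc['alert_ids']} products={inc['products']}")
```

Run on the sample data, the email, endpoint and identity alerts collapse into one incident spanning three products, while the Cloud Apps alert and the much later endpoint alert stay separate. Shrinking the window to ten minutes breaks the chain between A2 and A3, which is the trade-off a real correlation engine has to tune: a wider window joins more of the attack chain but also risks merging unrelated activity on a busy device.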

💡 Key Point: For AB-900, you don't need deep technical knowledge of each Defender product. You need to know what each one protects — matching a threat scenario to the right Defender product is the typical question format.

āš ļø Exam Trap: Defender for Office 365 protects email content and links — it is not the same as Exchange Online. Exchange manages mailbox objects; Defender for Office 365 scans the content flowing through those mailboxes for threats.

Reflection Question: A user clicks a malicious link in an email that downloads malware to their laptop, which then tries to log into your on-premises Active Directory with stolen credentials. Which two Defender products are most relevant to detecting and responding to this attack?

Written by Alvin Varughese, Founder • 15 professional certifications