Manage security and threats using Microsoft Defender XDR
The integrated extended detection & response suite. Know which Defender product covers which attack surface, how incidents correlate alerts, and the day-to-day policies for email, endpoint and cloud-app protection.
Diagram (Defender XDR portal, security.microsoft.com): XDR fans out to Defender for Office 365 (email & collaboration), Defender for Endpoint (devices), Defender for Identity (on-prem AD signals) and Defender for Cloud Apps (SaaS / shadow IT); all four feed Unified Incidents.
| Defender product | Protects | Key signals / sensors |
|---|---|---|
| Defender for Office 365 | Email, Teams, SharePoint, OneDrive | Mail flow, URLs, attachments, impersonation |
| Defender for Endpoint | Workstations & servers (EDR) | Process/file/network events, vulnerabilities |
| Defender for Identity | On-prem AD DS / AD FS | Domain-controller sensors, lateral movement, recon |
| Defender for Cloud Apps | SaaS & cloud apps (CASB) | App activity, shadow IT, OAuth apps |
One portal, one correlated incident queue
All four products surface in security.microsoft.com and feed a single incident queue — Defender XDR automatically correlates alerts across email, endpoint, identity and cloud apps into one attack story. Permissions can be managed by Defender XDR Unified RBAC (custom roles built from granular data sources & permission levels) which can supersede the individual product role models.
Caveat — Defender XDR vs Defender for Cloud
Microsoft Defender XDR (security.microsoft.com) protects M365 workloads / endpoints / identities. Microsoft Defender for Cloud (Azure portal) is a separate CSPM/CWPP product for Azure/AWS/GCP resources. The exam offers both as options — choose XDR for Microsoft 365 scenarios.
3.1 Review & respond to security reports and alerts
Exposure Management & Microsoft Secure Score
Microsoft Secure Score measures security posture as a percentage = points achieved ÷ points achievable. Improvement actions are grouped by product: Identity (Entra), Devices (Defender for Endpoint), Apps (O365 / Cloud Apps), and Data. A higher score means stronger posture.
| Action status | Points awarded? | Meaning |
|---|---|---|
| To address | ❌ No | Not yet actioned (default state) |
| Planned | ❌ No | On the roadmap but not yet done |
| Risk accepted | ❌ No | You knowingly accept the risk — sacrifices the points |
| Resolved through third party | ✅ Yes | Mitigated by a non-Microsoft product |
| Resolved through alternate mitigation | ✅ Yes | Mitigated by another internal control |
- Actions can award partial points proportional to coverage (e.g. MFA registered for 60% of users = 60% of that action's points).
- Each action lists user impact and implementation effort; score data refreshes roughly every 24 hours.
- Metrics & trends shows score history and benchmarks against organisations of similar size, your industry, and globally.
- Security Exposure Management extends Secure Score with attack-surface mapping, attack paths to critical assets, critical asset management, and security initiatives that bundle recommendations by program (e.g. ransomware protection).
Caveat — Secure Score ≠ Compliance / Identity Secure Score
Microsoft Secure Score (security posture) is different from Compliance Manager / Compliance score (Purview) and from the legacy "Identity Secure Score". Remember: Risk accepted = no points, but Resolved through third party / alternate mitigation = full points.
Incidents & alerts
An alert is a single detection; an incident is the aggregation of all related alerts + affected assets (devices, users, mailboxes, apps) into one attack story. Defender XDR correlates automatically across products, so one click shows the full kill chain. Manage in security.microsoft.com → Incidents & alerts.
Diagram: an alert from Defender for O365, an "Alert: malicious file run" from Defender for Endpoint, an "Alert: suspicious sign-in" from Entra / Identity and an "Alert: mass download" from Defender for Cloud Apps all correlate into one Incident, which links to Assets (user · device · mailbox), the Attack story & graph, and Respond actions (assign · classify · remediate).
Incident management workflow:
- Triage by severity (High / Medium / Low / Informational), assign ownership, set status (Active → In progress → Resolved), add tags and comments.
- Classify when resolving: True positive (with a threat determination — malware, phishing, compromised account, etc.), False positive, or Benign positive (real but expected, e.g. a pen-test).
- Merge related incidents and link alerts; you can tune an alert / create a suppression rule to reduce noise from known-good activity.
Automated Investigation & Response (AIR) & the Action center
- AIR automatically investigates alerts, gathers evidence (files, processes, emails), determines verdicts, and proposes or takes remediation actions.
- Automation level (Defender for Endpoint device groups): Full = remediate automatically; Semi = require approval (several variants by folder/location); No automated response.
- Action center has two tabs — Pending (awaiting approval — approve/reject) and History (completed actions, with undo for reversible ones).
Advanced hunting (KQL)
Advanced hunting proactively queries up to 30 days of raw event data using KQL (Kusto Query Language). Two modes: Guided (visual query builder, no KQL needed) and Advanced (write KQL directly).
| Schema table | Contains |
|---|---|
| DeviceEvents, DeviceProcessEvents, DeviceNetworkEvents | Endpoint process, file & network telemetry |
| EmailEvents, EmailAttachmentInfo, EmailUrlInfo | Defender for Office 365 mail flow & payloads |
| IdentityLogonEvents, IdentityInfo | Sign-ins & identity (Entra + Defender for Identity) |
| CloudAppEvents | Defender for Cloud Apps activity |
| AlertInfo, AlertEvidence | Alerts & their linked entities |
```kql
// KQL: emails that delivered a malicious attachment in last 7 days
EmailAttachmentInfo
| where Timestamp > ago(7d)
// ThreatTypes replaced the older MalwareFilterVerdict column in this table
| where ThreatTypes has "Malware"
| join EmailEvents on NetworkMessageId
| project Timestamp, SenderFromAddress, RecipientEmailAddress, FileName, Subject
```

```kql
// KQL: devices that ran a specific suspicious process
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "cmd.exe")
| where ProcessCommandLine has "-enc"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| order by Timestamp desc
```
Custom detection rules
Save a hunting query as a custom detection rule to generate alerts automatically. You set the frequency (every 24h / 12h / 6h / 3h / continuous (NRT)), the impacted entities columns, severity, and response actions (isolate device, run AV scan, block file, etc.). The query must return Timestamp and a device/user/mailbox ID column.
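As an added example (not from the page), a query written to be saved as a custom detection rule: it joins Defender for Office 365 attachment telemetry to Defender for Endpoint process telemetry on the file hash, so it fires when a file that arrived as an email attachment is later executed on an onboarded device. Column names follow the Defender XDR advanced hunting schema; the 7-day lookback is an assumed value.

```kql
// Added example: custom-detection-ready cross-product query. A custom detection
// rule also needs ReportId alongside Timestamp and at least one entity column
// (here DeviceId, DeviceName and AccountUpn) so alerts get impacted entities.
let lookback = 7d;   // assumed window; a rule with 24h frequency can use a shorter one
// Every attachment with a hash that Defender for Office 365 saw in the window.
let mailedFiles =
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where isnotempty(SHA256)
    | project MailTime = Timestamp, NetworkMessageId, SenderFromAddress,
              RecipientEmailAddress, AttachmentName = FileName, SHA256;
// Process launches on onboarded devices whose image hash matches an attachment.
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where isnotempty(SHA256)
| join kind=inner mailedFiles on SHA256
| where Timestamp > MailTime            // execution must come after delivery
| project Timestamp, ReportId, DeviceId, DeviceName, AccountUpn,
          FileName, FolderPath, ProcessCommandLine, SHA256,
          MailTime, NetworkMessageId, SenderFromAddress,
          RecipientEmailAddress, AttachmentName
| order by Timestamp desc
```

When saving it as a rule, choose DeviceId and AccountUpn as the impacted entities so that response actions such as isolate device or run AV scan can be attached.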
Defender XDR reports
Know which report answers which question:
| Report | Shows |
|---|---|
| Threat protection status | Malware/phish detections, ZAP actions, detection technology trends |
| Mailflow status / Top senders & recipients | Mail volume, blocked vs delivered, spoof |
| URL protection | Safe Links click verdicts (allowed / blocked) |
| Device health / Vulnerable devices | Sensor health, OS & AV status, exposure |
| Compromised users | Accounts flagged suspicious or restricted |
Threat analytics & Defender Threat Intelligence
Threat analytics is the in-product threat-intelligence dashboard written by Microsoft security researchers. Each threat analytics report covers an active campaign, technique or actor and ties it to your tenant:
- Overview / Analyst report — narrative, TTPs and detection details.
- Related incidents — incidents in your tenant attributed to this threat.
- Impacted assets — your devices/mailboxes affected.
- Exposure & mitigations — which recommended configurations you're missing and secure-score-style actions to close the gap.
Microsoft Defender Threat Intelligence (MDTI) goes deeper: searchable threat-actor profiles, IOCs (indicators of compromise — IPs, domains, hashes), and intelligence articles you can pivot from into hunting.
Caveat — Threat analytics vs Secure Score
Both surface "recommendations," but Threat analytics mitigations are threat-specific (close gaps for an active campaign), whereas Secure Score actions improve overall posture. For "respond to a specific named threat," choose Threat analytics.
3.2 Email & collaboration protection — Defender for Office 365
Builds on Exchange Online Protection (EOP) — the always-on anti-malware/anti-spam baseline for all Exchange Online mailboxes. Defender for Office 365 adds advanced protection in two plans:
| Layer | Provides |
|---|---|
| EOP (all EXO) | Anti-malware, anti-spam, anti-phishing (spoof), connection & mail-flow filtering |
| Defender for O365 Plan 1 | Safe Attachments, Safe Links, advanced anti-phishing (impersonation), real-time detections |
| Defender for O365 Plan 2 | Plan 1 + Threat Explorer, Attack Simulation Training, Automated Investigation & Response (AIR), proactive threat hunting |
Diagram (inbound mail pipeline): IP allow/block → Anti-malware + Safe Attachments → Anti-spoof / anti-phishing → Anti-spam content filter → Mail flow (transport) rules → Verdict, which routes the message to Inbox, Junk or Quarantine.
Threat policies & rules
| Policy | What it does | Caveat |
|---|---|---|
| Safe Attachments | Detonates attachments in a sandbox before delivery | Actions: Off / Monitor / Block / Replace / Dynamic Delivery (body delivered, attachment scanned) |
| Safe Links | Time-of-click URL rewriting & scanning in mail, Teams, Office apps | Protects against URLs that go bad after delivery |
| Anti-phishing | Impersonation & spoof intelligence, mailbox intelligence | P1+ adds user/domain impersonation protection |
| Anti-malware | Malware filter + Common Attachments Filter | Zero-hour Auto Purge (ZAP) removes mail post-delivery |
| Anti-spam | Inbound/outbound spam & bulk thresholds | Outbound spam policy can restrict compromised senders |
Preset security policies & Configuration Analyzer
Standard and Strict preset policies apply Microsoft's recommended settings automatically. The Configuration Analyzer compares your custom policies to Standard/Strict and recommends improvements. Policy precedence: Strict > Standard > custom (by priority) > Built-in protection.
Caveat — Tenant Allow/Block List vs transport rules
Use the Tenant Allow/Block List (Defender portal) to allow/block specific senders, domains, URLs and files. Override precedence matters: an explicit block in the allow/block list takes effect before the policy verdicts. Don't confuse it with Exchange mail flow (transport) rules, which are broader mail-routing logic.
Safe Attachments — actions
| Action | Behaviour |
|---|---|
| Off | No scanning |
| Monitor | Deliver, but track detonation verdict |
| Block | Block the message and attachment, for current and future messages carrying that malware; recommended |
| Dynamic Delivery | Deliver the body immediately, attach the file once scanning clears (no delay to the email) |
- Safe Attachments for SharePoint, OneDrive & Teams is a separate global toggle that detonates files already stored in those services.
- Global settings include "Turn on Safe Attachments for SharePoint/OneDrive/Teams" and the Safe Documents (Office) option (E5).
Safe Links — key settings
- Rewrites URLs and checks them at time of click (not just delivery) for email, Teams, and Office apps — protects against URLs weaponised after delivery.
- Settings: apply to email / Teams / Office apps, scan/wait for URL verdict before delivery, do not track / do not rewrite lists, block specific URLs, and don't let users click through to the original URL.
- The Tenant Allow/Block List URL entries override Safe Links verdicts.
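As an added example (not from the page), a hunting query over Safe Links time-of-click verdicts: it lists blocked clicks and, more importantly, clicks where the user proceeded past the warning page, which is exactly what the "don't let users click through" setting prevents. Column names follow the Defender XDR UrlClickEvents and EmailEvents schema; the 30-day window is an assumed value.

```kql
// Added example: Safe Links click verdicts with the originating message.
// ActionType values include ClickAllowed, ClickBlocked, ClickBlockedByTenantPolicy,
// UrlScanInProgress and UrlErrorPage. IsClickedThrough is true when the user
// continued to the original URL after the block/warning page.
UrlClickEvents
| where Timestamp > ago(30d)                       // assumed lookback
| where Workload in ("Email", "Teams", "Office")   // where Safe Links is applied
| where ActionType startswith "ClickBlocked" or IsClickedThrough == true
// Attach sender and subject; distinct collapses the one-row-per-recipient
// shape of EmailEvents so each click is not multiplied by recipient count.
| join kind=leftouter (
      EmailEvents
      | where Timestamp > ago(30d)
      | distinct NetworkMessageId, SenderFromAddress, Subject
  ) on NetworkMessageId
| summarize Clicks = count(),
            ClickThroughs = countif(IsClickedThrough == true),
            Users = make_set(AccountUpn, 20),
            LastClick = max(Timestamp)
          by Url, ActionType, Workload, ThreatTypes, SenderFromAddress, Subject
| order by ClickThroughs desc, Clicks desc
```

Rows with a non-zero ClickThroughs count are the users to prioritise for training or for tightening the Safe Links policy.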
Anti-phishing detail
- Spoof intelligence — detects forged senders of your own / external domains; review in the spoof intelligence insight and allow legitimate spoofers.
- Impersonation protection (P1+) — protect specific users (e.g. CEO), domains (your own + custom), and mailbox intelligence (learns each user's normal contacts).
- Advanced phishing thresholds: 1 Standard → 2 Aggressive → 3 More aggressive → 4 Most aggressive (higher = more mail treated as phish).
- Actions on detection: move to Junk, Quarantine, redirect, add safety tips / first-contact safety tip, and show the unauthenticated-sender indicator (the "?" in the sender photo).
Anti-spam & anti-malware internals
| Concept | Meaning |
|---|---|
| SCL (Spam Confidence Level) | −1 (allow) to 9; higher = more likely spam |
| BCL (Bulk Complaint Level) | 1–9 rating of bulk/grey mail; threshold configurable |
| ASF (Advanced Spam Filter) | Optional aggressive content rules (mostly legacy) |
| Common Attachments Filter | Anti-malware blocks risky file types by extension (e.g. .exe, .js) |
| ZAP | Zero-hour Auto Purge retro-removes delivered spam/phish/malware when verdicts change |
| Outbound spam policy | Limits/automatically restricts senders that exceed sending thresholds (compromise signal) |
Alert policies
Alert policies (Defender/Purview portal) trigger alerts on activities — e.g. malware campaign detected, unusual external file sharing, a user exceeding sending limits. Many default alert policies ship enabled. Each has a severity and can email recipients.
Investigate & respond to email/collab threats
- Threat Explorer (P2) / Real-time detections (P1): hunt across email by sender, URL, file, campaign; view detection technology and delivery location; take action — soft/hard delete, move to junk/inbox/deleted items, submit to Microsoft, trigger investigation.
- Email entity page: full detail on one message — headers, detonation results, URLs, all delivery/post-delivery events.
- Submissions portal: report false positives/negatives to Microsoft; admin submissions can auto-create Tenant Allow/Block List entries.
- Zero-hour Auto Purge (ZAP) retroactively moves already-delivered mail to junk/quarantine once a verdict changes.
- Campaign views (P2): group coordinated phishing/malware attacks and see the full message set + targeted users.
Quarantine & quarantine policies
Quarantine holds blocked messages. Quarantine policies control what end-users can do with their own quarantined items and whether they get notified:
| End-user capability | Typical use |
|---|---|
| No access | High-risk verdicts (malware, high-confidence phish) — admin only |
| Limited access (request release) | User can preview & request release; admin approves |
| Full access (release) | User can release themselves (e.g. bulk/spam) |
Caveat — what users can release
By default, malware and high-confidence phishing are quarantined with admin-only release — end-users cannot release them even with a permissive policy. Quarantine notifications (formerly end-user spam notifications) are enabled per quarantine policy.
Attack simulation training
Attack Simulation Training (Defender for O365 Plan 2) runs benign phishing campaigns to train users. Technique types: Credential Harvest, Malware Attachment, Link in Attachment, Link to Malware, Drive-by URL, OAuth Consent Grant.
- Assign training automatically to users who fall for the simulation; track a repeat-offender and predicted compromise rate.
- Review the simulation report — click rates, credential submission, training completion.
Restricted entities & blocked users
When a user is detected sending too much spam (likely compromised), they are added to Restricted entities and blocked from sending email. The admin investigates, secures the account (reset password, revoke sessions), then removes them from the restricted list to restore sending.
3.3 Endpoint protection — Defender for Endpoint
Onboarding devices
Microsoft Defender for Endpoint (MDE) is the EDR for devices. Onboarding methods depend on OS/management:
| Scenario | Onboarding method |
|---|---|
| Intune-managed devices | Intune connector (Endpoint security) — recommended for cloud |
| Windows (manual / small scale) | Local onboarding script from the portal |
| On-prem / domain-joined at scale | Group Policy or Configuration Manager (SCCM/MECM) |
| Servers | MDE plan / Defender for Servers (Azure Arc / Defender for Cloud) |
| macOS / Linux / mobile | Platform-specific packages / MDM |
Onboarding & offboarding details
Devices appear in the Device inventory. Use Run a detection test to confirm onboarding. Set data retention, RBAC / device groups and device tags in Settings → Endpoints. Offboarding uses a separate script whose package expires after ~30 days — don't reuse old packages, and never deploy the offboarding script as your onboarding policy.
Caveat — onboarding method by management state
Cloud/Intune-managed → Intune EDR connector (Endpoint security → EDR). Domain-joined at scale → Group Policy or Configuration Manager. Standalone/small → local script. Down-level servers may need the MMA/unified agent or Defender for Cloud (Azure Arc).
Configure endpoint settings & reduce attack surface
- Advanced features (Settings → Endpoints): toggles for Defender for Cloud Apps integration, Intune connection, automated investigation, "allow or block file", web content filtering, Tamper Protection, and Live Response.
- Attack Surface Reduction (ASR) rules — block common malware techniques (e.g. block Office apps creating child processes, block credential stealing from LSASS, block executable content from email/USB). Deploy via Intune/GPO and run in Audit before Block.
- Network protection (blocks malicious domains/IPs), Controlled folder access (anti-ransomware folder guard), Web content filtering, and EDR in block mode (remediates even when a third-party AV is primary).
- Device groups set RBAC scope + automation level + analyst visibility; tamper protection stops attackers/local admins disabling Defender.
Respond to threats on a device
From a device entity page (or via Live Response / custom detection), available response actions:
| Action | Effect |
|---|---|
| Isolate device | Cut network connectivity (Defender still reports in); full or selective isolation |
| Restrict app execution | Only Microsoft-signed apps may run |
| Run antivirus scan | Trigger quick/full Defender AV scan remotely |
| Collect investigation package | Gather forensic artefacts for analysis |
| Live Response | Remote shell to investigate/remediate (run scripts, pull files) |
| Indicators | Add file hash / IP / URL / certificate as allow, audit, or block across the org |
Defender Vulnerability Management (MDVM)
Microsoft Defender Vulnerability Management surfaces a device Exposure score and prioritised security recommendations, mapping software weaknesses (CVEs) to your devices in real time.
- Create a remediation request → flows to Intune as a task for the endpoint team (closes the loop between security and IT ops).
- Apply exceptions with justification & expiry when a recommendation can't be actioned.
- Inventories: software, browser extensions, certificates, firmware/hardware; plus security baselines assessment against CIS/STIG benchmarks.
Caveat — Exposure score vs Secure Score for Devices
In MDVM, a lower Exposure score is better (less exposed to vulnerabilities). The Secure Score for Devices (configuration posture) is the opposite — higher is better. Don't mix the directions up.
3.4 Microsoft Defender for Cloud Apps
The CASB (Cloud Access Security Broker) — visibility & control over SaaS apps, shadow IT, and data in the cloud. It works across four stages:
Diagram, four stages: stage 1 (find shadow IT) → 2 · Sanction / Govern (tag & connect apps) → 3 · Protect (file policies · DLP · session control) → 4 · Control & respond (alerts · governance actions).
| Connection method | Gives you |
|---|---|
| App connector (vendor API) | Deep visibility + governance over sanctioned apps (activities, files, OAuth) — acts after the event |
| Cloud Discovery (traffic logs / MDE) | Find shadow IT & risk-score discovered apps |
| Conditional Access App Control (reverse proxy) | Real-time, in-session enforcement during access |
App connector for Microsoft 365
App connectors use vendor APIs to connect sanctioned apps for deep visibility & governance. Connect the Microsoft 365 connector (one click, uses the same identity platform) to scan activity, files and apply governance to M365 data. App connectors give richer, ongoing control than Cloud Discovery — but they act after activity occurs (not in real time).
Conditional Access App Control (session & access policies)
Integrates with Entra Conditional Access to route sessions through Defender for Cloud Apps as a reverse proxy, enabling real-time controls:
- Session policies — monitor or limit within a live session: block download, block copy/paste/print, apply a sensitivity label, block upload of sensitive files (e.g. on an unmanaged device).
- Access policies — allow or block the sign-in to the app entirely based on device/user/location signals.
Caveat — real-time control needs CAAC
To block a download on an unmanaged device in real time, you need a session policy via Conditional Access App Control — an app connector alone can only act after the fact, and Cloud Discovery only gives visibility.
Policies & triggering alerts
| Policy type | Detects / does |
|---|---|
| Activity policy | Single-activity rules (e.g. admin from risky IP) → alert/suspend |
| Anomaly detection | Impossible travel, unusual activity, mass download (UEBA-based) |
| File policy | Scan stored files for sensitive data / sharing; quarantine |
| Cloud Discovery policy | Alert on new/risky discovered apps or data volumes |
| App discovery / OAuth app policy | Flag risky third-party OAuth apps with broad permissions |
| Session policy | Real-time controls via Conditional Access App Control (block download, etc.) |
Interpret the activity log
The activity log records every action (sign-ins, file ops, admin changes) ingested from connected apps. Filter by user, app, IP, location; pivot to investigate; promote a recurring pattern into an activity policy.
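As an added example (not from the page), the "mass download" pattern pulled out of the activity log with advanced hunting, the kind of recurring pattern you would then promote into an activity policy. Column names follow the Defender XDR CloudAppEvents schema; the one-hour window and the threshold of 100 downloads are assumed values to tune per tenant.

```kql
// Added example: per-user, per-hour file downloads from connected apps.
// arg_max keeps Timestamp and ReportId from the latest event in each bucket,
// so the same query also meets the custom detection rule column requirements.
let window = 1h;       // assumed bucket size
let threshold = 100;   // assumed download count; tune to the tenant's baseline
CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType == "FileDownloaded"      // SharePoint / OneDrive download events
| summarize Downloads = count(),
            DistinctFiles = dcount(ObjectName),
            Apps = make_set(Application),
            SourceIPs = make_set(IPAddress, 10),
            AnonymousProxyEvents = countif(IsAnonymousProxy == true),
            arg_max(Timestamp, ReportId)
          by AccountObjectId, AccountDisplayName, Hour = bin(Timestamp, window)
| where Downloads >= threshold
| project Timestamp, ReportId, AccountObjectId, AccountDisplayName, Hour,
          Downloads, DistinctFiles, Apps, SourceIPs, AnonymousProxyEvents
| order by Downloads desc
```

A high AnonymousProxyEvents count or a spread of SourceIPs in one bucket strengthens the case that the account, not just its usage, needs investigating.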
Cloud App Discovery & responding to findings
- Cloud Discovery analyses traffic logs (from firewalls/proxies, or continuously via Defender for Endpoint integration) to reveal shadow IT — apps employees use without IT approval.
- Each discovered app gets a risk score (0–10) based on ~90 risk factors (compliance, security, legal).
- Respond by tagging apps Sanctioned / Unsanctioned; unsanctioning (with MDE integration) can block the app on endpoints.
Caveat — Discovery vs Connector vs Session control
Cloud Discovery = find shadow IT from logs (visibility). App connector = API-level governance of sanctioned apps (after-the-fact). Conditional Access App Control / session policies = real-time, in-session enforcement (e.g. block download on unmanaged device). Match the requirement to the right mechanism.