What is Microsoft Defender XDR?


Viewing a threat within the boundaries of a single security product can cause attack information to be missed. If you use multiple products, you have to move between the different products, tools, and reports, which slows your ability to respond to an attack, and you might not discover the full scope of an attack until it's too late. Microsoft Defender XDR is a unified enterprise defense solution that automatically aggregates and analyzes signal data from multiple sources, for example, anomalous behavior reported by Microsoft Defender for Endpoint or a suspicious sign-in reported by Microsoft Defender for Identity. It then correlates the data into an incident that represents an attack and provides investigation and response across endpoints, identities, email, and applications.

To fully understand the capabilities of Microsoft Defender XDR for your organization, you'll need to check your organization's current licenses or subscriptions. See this article for more information. To maximize the scope of signal data available to Microsoft Defender XDR, you'll need to deploy the other Defender security products.

Microsoft Defender XDR features

Microsoft Defender XDR helps your organization to better identify, assess, and remediate attacks not only against your security perimeter but also your organization's assets, data, apps, and users.

Some of the key features are:

  • Unified cross-product view - Central view of all information for detections, affected assets, automated actions taken, and related evidence in a single queue and a single portal.
  • Combined incidents queue - A central list of incidents helps your security team focus on critical items by ensuring the full attack scope, affected assets, and automated remediation actions are grouped together and surfaced promptly.
  • Self-healing for compromised devices, user identities, and mailboxes - Automatic remediation capabilities of the full Microsoft Defender XDR product suite ensure that affected assets related to an incident are automatically remediated where possible.
  • Cross-product threat hunting - Security teams can use their unique organizational knowledge to hunt for signs of compromise by creating custom queries against the raw data collected by the Defender security products.
  • Threat Analytics - Microsoft security research articles describe the latest cyber security threats and how these campaigns might affect your organization.

The Microsoft Defender portal

The Microsoft Defender portal lets you monitor and manage security across your on-premises identities, data, devices, apps, and infrastructure. Here you can view your organization's security health, configure devices, users, and apps, and get alerts for suspicious activity. The home page shows a customizable set of cards that provide summary information for a quick assessment of ongoing security threats. The set of cards displayed depends on the roles assigned to the signed-in user account.

[Screenshot: the welcome page in the Microsoft 365 Defender portal.]

The Microsoft Defender portal provides access to:

  • Incidents: See the broader story of an attack through the aggregation and analysis of alerts and other threat signals.
  • Alerts: See the list of specific alerts across your Microsoft 365 environment and dive into the details for your users, emails, or devices.
  • Advanced hunting: Search for malware, suspicious files, and activities across your Microsoft 365 organization as part of an incident analysis or proactively for ongoing scanning of cyber threats.
  • Threat Analytics: Get a summary view and details on active threats in the cybersecurity community.
  • Secure score: Get an all-up summary and calculated score of the different security features and capabilities you've enabled, including recommendations for areas to improve your score.
  • Learning hub: Browse through Microsoft 365 security learning paths to quickly ramp up on Microsoft Defender XDR security products.
  • Reports: View the information needed to better protect your organization, identities, devices, apps, and infrastructure.
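The cross-product threat hunting feature and the Advanced hunting entry above both refer to custom queries over the raw data that the Defender products collect. The following advanced hunting query is an added example, not part of this module, that illustrates the cross-product idea from the opening paragraph: it correlates failed sign-ins reported by Defender for Identity (IdentityLogonEvents) with process activity on the same account reported by Defender for Endpoint (DeviceProcessEvents). The 7-day lookback, the failure threshold of 10, and the 1-hour follow-on window are assumptions to tune for your environment.

```kql
// Added example (not from the module). Hunt for accounts that had a burst of
// failed sign-ins (Defender for Identity) followed within one hour by process
// creation under the same account on a managed device (Defender for Endpoint).
let lookback = 7d;               // assumption: how far back to search
let failureThreshold = 10;       // assumption: tune to your environment
let followOnWindow = 1h;         // assumption: time after the last failure
let failedLogons =
    IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonFailed"
    // Normalize case so the join key matches across the two products.
    | extend AccountName = tolower(AccountName), AccountDomain = tolower(AccountDomain)
    | summarize FailedCount = count(),
                FirstFailure = min(Timestamp),
                LastFailure = max(Timestamp)
        by AccountName, AccountDomain
    | where FailedCount >= failureThreshold;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| extend AccountName = tolower(AccountName), AccountDomain = tolower(AccountDomain)
| join kind=inner failedLogons on AccountName, AccountDomain
// Keep only process activity that started after the failed sign-in burst.
| where Timestamp between (LastFailure .. (LastFailure + followOnWindow))
| project Timestamp, DeviceName, AccountDomain, AccountName,
          FileName, ProcessCommandLine, InitiatingProcessFileName,
          FailedCount, FirstFailure, LastFailure
| order by Timestamp desc
```

Each row pairs an identity signal with an endpoint signal for the same account, which is the kind of correlation Defender XDR performs automatically when it builds an incident; the query lets you hunt for it explicitly with your own thresholds.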

Note

You must be assigned an appropriate role, such as Global Administrator, Security Administrator, Security Operator, or Security Reader in Microsoft Entra ID to access Microsoft Defender XDR.