1. Microsoft Defender XDR Signal Correlation Architecture

Microsoft Defender XDR acts as a unified “brain” that correlates raw signals from individual workloads into a cohesive security narrative.

  • The Signal Sources: Isolated alerts and telemetry are gathered from Defender for Endpoint (MDE), Defender for Office 365 (MDO), Defender for Identity (MDI), and Defender for Cloud Apps (MDA).
  • The Correlation Engine: These signals are fed into a central engine that uses AI and machine learning to group related alerts into a single Incident.
  • Incident Storytelling: This process transforms hundreds of individual alerts into a chronological “story” of an attack, such as a phishing email (MDO) leading to a compromised user (MDI) who then performs lateral movement (MDE) and data exfiltration (MDA).
  • Signal Sharing: Enabling XDR integration allows different products to share risk levels; for instance, a “High Risk” device identified by MDE can automatically trigger a block in Entra ID via Conditional Access.
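The grouping step described above, reduced to its core idea, as an added illustration (this is not Microsoft's engine or any Defender API): alerts from different workloads are merged into one incident whenever they share an entity such as a user, device or mail message id, transitively, and the incident is then ordered in time to yield the "story". The alerts, users, devices and message ids below are constructed sample data.

```python
"""Illustrative alert-to-incident correlation (added example, not Defender's code)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Tuple

Entity = Tuple[str, str]  # (entity type, value), e.g. ("user", "alice@contoso.example")


@dataclass(frozen=True)
class Alert:
    alert_id: str
    source: str                  # workload that raised it: MDO, MDI, MDE or MDA
    timestamp: datetime
    title: str
    entities: FrozenSet[Entity]  # entities the alert involves


def correlate(alerts: List[Alert]) -> List[List[Alert]]:
    """Group alerts into incidents by shared entities (connected components).

    Union-find over alert ids: two alerts land in the same incident when they share
    at least one entity, and grouping is transitive (A~B and B~C puts A, B, C together).
    Returns incidents ordered by their earliest alert, each sorted chronologically.
    """
    parent: Dict[str, str] = {a.alert_id: a.alert_id for a in alerts}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps the chain short
            x = parent[x]
        return x

    def union(x: str, y: str) -> None:
        rx, ry = find(x), find(y)
        if rx != ry:
            parent[ry] = rx

    # First alert seen per entity; every later alert carrying that entity is unioned to it.
    owner: Dict[Entity, str] = {}
    for a in alerts:
        for e in a.entities:
            if e in owner:
                union(owner[e], a.alert_id)
            else:
                owner[e] = a.alert_id

    groups: Dict[str, List[Alert]] = {}
    for a in alerts:
        groups.setdefault(find(a.alert_id), []).append(a)

    incidents = [sorted(g, key=lambda x: x.timestamp) for g in groups.values()]
    incidents.sort(key=lambda inc: inc[0].timestamp)
    return incidents


def incident_story(incident: List[Alert]) -> List[str]:
    """Render one incident as a chronological narrative, one line per alert."""
    return [f"{a.timestamp:%H:%M} [{a.source}] {a.title}" for a in incident]


def at(hour: int, minute: int) -> datetime:
    return datetime(2024, 1, 15, hour, minute)


# Constructed sample alerts (hypothetical users/devices, not real telemetry) modelling
# the phishing -> identity compromise -> lateral movement -> exfiltration chain.
SAMPLE_ALERTS = [
    Alert("a1", "MDO", at(9, 5), "Phishing email delivered",
          frozenset({("user", "alice@contoso.example"), ("mail", "msg-1001")})),
    Alert("a2", "MDI", at(9, 40), "Suspected identity theft (pass-the-ticket)",
          frozenset({("user", "alice@contoso.example"), ("device", "WS01")})),
    Alert("a3", "MDE", at(10, 2), "Lateral movement via remote service creation",
          frozenset({("device", "WS01"), ("device", "SRV01")})),
    Alert("a4", "MDA", at(10, 30), "Mass download to personal cloud storage",
          frozenset({("user", "alice@contoso.example")})),
    # Unrelated noise on a different device: should form its own incident.
    Alert("a5", "MDE", at(9, 50), "Suspicious PowerShell on unrelated host",
          frozenset({("device", "WS99")})),
]


if __name__ == "__main__":
    for n, inc in enumerate(correlate(SAMPLE_ALERTS), start=1):
        print(f"Incident {n}:")
        for line in incident_story(inc):
            print("  " + line)
```

Note that a3 shares no entity with a1 directly; it joins the incident only through the device WS01 that a2 also names, which is the transitive behaviour that turns four separate alerts into one narrative while the WS99 alert stays apart.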

2. Defender for Identity (MDI) & On-Premises Security

  • The Sensor: Installed directly on Domain Controllers and AD FS servers to parse network traffic (RPC, LDAP, Kerberos) and Windows Events.
  • Detection Categories:
    • Reconnaissance: Enumeration of users/groups and DNS or SMB sessions.
    • Lateral Movement: Pass-the-Ticket, Pass-the-Hash, and malicious service creation.
    • Domain Dominance: Skeleton Key, Golden Ticket, and Malicious Data Protection API (DPAPI) requests.
  • Identity Security Posture (ISPM): Integrated into Microsoft Secure Score to identify vulnerabilities like NTLMv1, unsecure account attributes, and clear-text password exposures.

3. Automated Investigation and Response (AIR)

  • Cross-Product Playbooks: When an incident triggers, AIR executes playbooks that can simultaneously quarantine an email, isolate a device, and disable a compromised user.
  • Evidence & Entity Center: Provides a unified list of files, processes, URLs, and accounts involved, allowing for “one-click” remediation across the environment.
  • Action Center: The single pane of glass used to approve or audit all automated remediation actions.

4. Advanced Hunting (KQL)

  • The Schema: Use Kusto Query Language (KQL) to query raw data across all workloads.
    • IdentityLogonEvents: Tracks all authentication attempts across on-prem and cloud.
    • IdentityDirectoryEvents: Tracks changes to AD objects like group memberships or password resets.
  • Proactive Hunting: Used to search for “Indicators of Attack” (IoA) that have not yet triggered a formal alert.

5. Microsoft Sentinel Integration

  • SIEM/SOAR Connection: Sentinel provides the broad view across the entire enterprise, including firewalls and multi-vendor logs.
  • Defender XDR Connector: A bi-directional sync ensuring that closing an incident in Sentinel also closes it in the Defender portal, and vice versa.

6. Essential PowerShell & Diagnostic Tools

  • MDI Sensor Management: Test-MdiSensorApiConnection.ps1 (bundled with the sensor) validates connectivity from the DC to the MDI cloud service.
  • KQL Query Example:
    // Find users who had a failed logon followed (within an hour) by a successful one from a different IP
    IdentityLogonEvents
    | where ActionType == "LogonFailed"
    | project AccountObjectId, AccountUpn, FailedTime = Timestamp, FailedIP = IPAddress
    | join kind=inner (IdentityLogonEvents | where ActionType == "LogonSuccess"
        | project AccountObjectId, SuccessTime = Timestamp, SuccessIP = IPAddress) on AccountObjectId
    | where SuccessTime > FailedTime and SuccessTime - FailedTime <= 1h and SuccessIP != FailedIP
    | project AccountUpn, FailedTime, FailedIP, SuccessTime, SuccessIP
  • Health Monitoring: Monitor the portal for “Packet fragmentation” or “Dropped events” health alerts, which indicate that a DC is overloaded or that the sensor is misconfigured.