02
Detection architecture
Defender XDR Integration Model
Four Defender workloads feed into a single unified investigation model. Incidents are correlated across endpoint, email, identity, and cloud app signals — eliminating the fragmented alert view that comes from each product operating independently.
MDE — endpoint detection, ASR rules, attack surface coverage
MDO Plan 2 — email threat protection, attack simulation training
MDI — identity threat detection, lateral movement visibility
MDCA — cloud app governance, OAuth control, session monitoring
Sentinel integration — centralised SIEM with XDR bidirectional sync
Minimum: E3 + Defender add-ons, or E5
Defender XDR service →