Microsoft Defender for Endpoint in Microsoft Defender XDR


Want to experience Microsoft Defender XDR? Learn more about how you can evaluate and pilot Microsoft Defender XDR.

Applies to:

Quick reference

The image and the table below lists the changes in navigation between the Microsoft Defender Security Center and Microsoft Defender XDR.

Microsoft Defender Security Center Microsoft Defender XDR
  • Security Operations
  • Threat Analytics
  • Threat analytics
Incidents Incidents & alerts
Device inventory Device inventory
Alerts queue Incidents & alerts
Automated investigations Action center
Advanced hunting Hunting
Reports Reports
Partners & APIs Partners & APIs
Microsoft Defender Vulnerability Management Vulnerability management
Evaluation and tutorials Evaluation & tutorials
Configuration management Configuration management
Settings Settings

The improved Microsoft Defender XDR at combines security capabilities that protect, detect, investigate, and respond to email, collaboration, identity, and device threats. This brings together functionality from existing Microsoft security portals, including Microsoft Defender Security Center and the Office 365 Security & Compliance center.

If you're familiar with the Microsoft Defender Security Center, this article helps describe some of the changes and improvements in Microsoft Defender XDR. However there are some new and updated elements to be aware of.

Historically, the Microsoft Defender Security Center has been the home for Microsoft Defender for Endpoint. Enterprise security teams have used it to monitor and help responding to alerts of potential advanced persistent threat activity or data breaches. To help reduce the number of portals, Microsoft Defender XDR will be the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure.

Microsoft Defender for Endpoint in Microsoft Defender XDR supports granting access to managed security service providers (MSSPs) in the same way access is granted in the Microsoft Defender Security Center.


What you see in Microsoft Defender XDR depends on your current subscriptions. For example, if you don't have a license for Microsoft Defender for Office 365, then the Email & Collaboration section will not be shown.


Microsoft Defender XDR is not fully available for:

Take a look in Microsoft Defender XDR at

Learn more about the benefits: Overview of Microsoft Defender XDR

What's changed

This table is a quick reference of the changes between the Microsoft Defender Security Center and Microsoft Defender XDR.

Alerts and actions

Area Description of change
Incidents & alerts In Microsoft Defender XDR, you can manage incidents and alerts across all of your endpoints, email, and identities. We've converged the experience to help you find related events more easily. For more information, see Incidents Overview.
Hunting Modifying custom detection rules created in Microsoft Defender for Endpoint to include identity and email tables automatically moves them to Microsoft Defender XDR. Their corresponding alerts will also appear in Microsoft Defender XDR. For more details about these changes, read Migrate custom detection rules.

The DeviceAlertEvents table for advanced hunting isn't available in Microsoft Defender XDR. To query device-specific alert information in Microsoft Defender XDR, you can use the AlertInfo and AlertEvidence tables to accommodate even more information from a diverse set of sources. Craft your next device-related query by following Write queries without DeviceAlertEvents.
Action center Lists pending and completed actions that were taken following automated investigations and remediation actions. Formerly, the Action center in the Microsoft Defender Security Center listed pending and completed actions for remediation actions taken on devices only, while Automated investigations listed alerts and status. In the improved Microsoft Defender XDR, the Action center brings together remediation actions and investigations across email, devices, and users—all in one location.
Threat analytics Moved to the top of the navigation bar for easier discovery and use. Now includes threat information for both endpoints and email and collaboration.


Area Description of change
Search The search bar is located at the top of the page. Suggestions are provided as you type. You can search across the following entities in Defender for Endpoint and Defender for Identity:

- Devices - supported for both Defender for Endpoint and Defender for Identity. You can even use search operators, for example, you can use "contains" to search for part of a host name.

- Users - supported for both Defender for Endpoint and Defender for Identity.

- Files, IPs, and URLs - same capabilities as in Defender for Endpoint.
NOTE: *IP and URL searches are exact match and don't appear in the search results page – they lead directly to the entity page.

- MDVM - same capabilities as in Defender for Endpoint (vulnerabilities, software, and recommendations).

The enhanced search results page centralizes the results from all entities.
Dashboard This is your security operations dashboard. See an overview of how many active alerts were triggered, which devices are at risk, which users are at risk, and severity level for alerts, devices, and users. You can also see if any devices have sensor issues, your overall service health, and how any unresolved alerts were detected.
Device inventory No changes.
Vulnerability management Name was shortened to fit in the navigation pane. It's the same as the Microsoft Defender Vulnerability Management section, with all the pages underneath.
Partners and APIs No changes.
Evaluations & tutorials New testing and learning capabilities.
Configuration management No changes.


Automatic investigation and remediation is now a part of incidents. You can see Automated investigation and remediation events in the Incident > Investigation tab.


Device search is done from Endpoints > Search.

Access and reporting

Area Description of change
Reports See reports for endpoints and email & collaboration, including Threat protection, Device health and compliance, and Vulnerable devices.
Health Currently links out to the "Service health" page in the Microsoft 365 admin center.
Settings Manage your settings for Microsoft Defender XDR, Endpoints, Email & collaboration, Identities, and Device discovery.

Microsoft 365 security navigation and capabilities

The left navigation, or quick launch bar, will look familiar. However, there are some new and updated elements in Microsoft Defender portal.

Incidents and alerts

Brings together incident and alert management across your email, devices, and identities. The alert page provides full context to the alert by combining attack signals to construct a detailed story. A new, unified experience now brings together a consistent view of alerts across workloads. You can quickly triage, investigate, and take effective action.

The Alerts and Actions quick launch bar in the Microsoft Defender portal


Proactively search for threats, malware, and malicious activity across your endpoints, Office 365 mailboxes, and more by using advanced hunting queries. These powerful queries can be used to locate and review threat indicators and entities for both known and potential threats.

Custom detection rules can be built from advanced hunting queries to help you proactively watch for events that might be indicative of breach activity and misconfigured devices.

Action center

Action center shows you the investigations created by automated investigation and response capabilities. This automated, self-healing in Microsoft Defender XDR can help security teams by automatically responding to specific events.

Learn more about the Action center.

Threat Analytics

Get threat intelligence from expert Microsoft security researchers. Threat Analytics helps security teams be more efficient when facing emerging threats. Threat Analytics includes:

  • Email-related detections and mitigations from Microsoft Defender for Office 365. This is in addition to the endpoint data already available from Microsoft Defender for Endpoint.
  • Incidents view related to the threats.
  • Enhanced experience for quickly identifying and using actionable information in the reports.

You can access threat analytics either from the upper left navigation bar in Microsoft Defender XDR, or from a dedicated dashboard card that shows the top threats for your organization.

Learn more about how to track and respond to emerging threats with threat analytics.

Endpoints section

View and manage the security of endpoints in your organization. If you've used the Microsoft Defender Security Center, it will look familiar.

The Endpoints quick launch bar in the Microsoft Defender portal

Access and reports

View reports, change your settings, and modify user roles.

The Access and Reporting quicklaunch bar in the Microsoft Defender portal

SIEM API connections

If you use the Defender for Endpoint SIEM API, you can continue to do so. We've added new links on the API payload that point to the alert page or the incident page in the Microsoft 365 security portal. New API fields include LinkToMTP and IncidentLinkToMTP. For more information, see Redirecting accounts from Microsoft Defender for Endpoint to Microsoft Defender XDR.

Email alerts

You can continue to use email alerts for Defender for Endpoint. We've added new links in the emails that point to the alert page or the incident page in Microsoft Defender XDR. For more information, see Redirecting accounts from Microsoft Defender for Endpoint to Microsoft Defender XDR.

Managed Security Service Providers (MSSP)

Logging in to multiple tenants simultaneously in the same browsing session is currently not supported in the unified portal. You can opt out of the automatic redirection by reverting to the former Microsoft Defender for Endpoint portal, to maintain this functionality until the issue is resolved.


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.