Start using Defender Experts for XDR preview service

Applies to:


Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Run initial Defender readiness checks

Apart from onboarding service delivery, our expertise on the Microsoft 365 Defender product suite enables Defender Experts for XDR to run an initial readiness engagement to help you get the most out of your Microsoft security products. This engagement will be based on your Microsoft Secure Score and Defender Experts' policy recommendations. Our experts will help prioritizing and customizing our recommendations to fit your environment. They'll request your engagement to get those configurations implemented.

Managed detection and response

Through a combination of automation and human expertise, our service triages Microsoft 365 Defender incidents, prioritizes them on your behalf, filters out the noise, carries out detailed investigations, and provides detailed guided response to your security operations center (SOC) teams. Alternatively, our analysts can take a response step on your behalf.

You'll receive detailed response playbooks via emails. You'll also be able to filter the Microsoft 365 Defender portal incident view using the Defender Experts tag to see the current state of the incidents Defender Experts are actively investigating, or the incidents that require your action. Our analysts will also add relevant comments in Microsoft 365 Defender portal's Comments & history section so you and your SOC analysts can track the investigation progress.

Response recommendations include, but aren't limited to:

  • Collect investigation package
  • Run antivirus scan
  • Trigger and prioritize action in an automatic investigation
  • Stop and quarantine file
  • Delete email
  • Block designated OAuth cloud apps

These recommendations also appear in the Comments & history section of each related incident in the Microsoft 365 Defender portal so you can view them at your convenience.

Get real-time visibility with Defender Experts for XDR reports

Defender Experts for XDR will include an interactive, on-demand report that provides a clear summary of the work our expert analysts are doing on your behalf, aggregate information about your incident landscape, and granular details about specific incidents. Your service delivery manager (SDM) will also use the report to provide you with more context regarding your XDR Experts service during a monthly business review.

Collaborate with a trusted advisor

The service delivery manager (SDM) is responsible for managing the overall relationship for your organization with the Defender Experts for XDR service. They are your trusted advisor working along with XDR experts' team to help you protect your organization.

The SDM provides the following services:

  • Service readiness support

    • Educate customers about the end-to-end service experience, from signup to regular operations and escalation process.
    • Help establish a service-ready security posture, including guidance on required controls and policy updates.
  • Service operations support

    • Provide unique service delivery content and reporting, including periodic business reviews.
    • Serve as a single point of contact for feedback and escalations related to Defender Experts Service.

Proactive managed hunting

Defender Experts for XDR also includes proactive threat hunting offered by Microsoft Defender Experts for Hunting. Defender Experts for Hunting was created for customers who have a robust security operations center but want Microsoft to help them proactively hunt threats using Microsoft Defender data. This proactive threat hunting service goes beyond the endpoint to hunt across endpoints, Office 365, cloud applications, and identity. Our experts investigate anything they find, then hand off the contextual alert information along with remediation instructions, so you can quickly respond.

Request advanced threat expertise on demand

Select Ask Defender Experts directly inside the Microsoft 365 security portal to get swift and accurate responses to all your threat questions. Experts can provide insights to better understand the complex threats your organization may face. Consult an expert to:

  • Gather additional information on alerts and incidents, including root causes and scope
  • Gain clarity into suspicious devices, alerts, or incidents and get the next steps if faced with an advanced attacker
  • Determine risks and available protections related to threat actors, campaigns, or emerging attacker techniques


Ask Defender Experts is not a security incident response service. It's intended to provide a better understanding of complex threats affecting your organization. Engage with your own security incident response team to address urgent security incident response issues. If you don't have your own security incident response team and would like Microsoft's help, create a support request in the Premier Services Hub.

The option to Ask Defender Experts is available in the incidents and alerts pages for you to ask contextual questions about a specific incident or alert:

  • Alerts page flyout menu:

    Screenshot of the Ask Defender Experts menu option in the Alerts page flyout menu in the Microsoft 365 Defender portal.

  • Incidents page actions menu:

    Screenshot of the Ask Defender Experts menu option in the Incidents page actions menu in the Microsoft 365 Defender portal.

Opt out of preview

Consult your service delivery manager (SDM) to opt out of the preview.

See also

Read through frequently asked questions and answers