EDR, XDR, SIEM — what each one is for
EDR watches the endpoint. SIEM watches everything, but only the sources you have configured it to ingest, and only through the correlation rules you write. XDR is the middle ground — a vendor-stitched platform that correlates signals across endpoint, identity, email and cloud apps automatically. Microsoft Defender XDR pulls signals from Defender for Endpoint, Defender for Identity, Defender for Office 365 and Defender for Cloud Apps into one investigation graph. The pitch is speed: XDR shows the full attack chain across surfaces without an analyst writing the correlation themselves.
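To make the "one investigation graph" claim concrete, here is an added Advanced Hunting query (it is not from the original article and is not Microsoft's own code). It assumes a Defender XDR tenant with Advanced Hunting enabled and uses the AlertInfo and AlertEvidence tables of the unified schema: AlertInfo carries the alert's Title and ServiceSource (the Defender product that raised it), AlertEvidence carries the entities attached to each alert. The query joins the two and lists every account that has alerts from more than one Defender product in the last seven days, which is exactly the cross-surface view an analyst would otherwise have to stitch together by hand in a SIEM.

```kql
// Added example: find accounts touched by alerts from two or more Defender products
// (Endpoint, Identity, Office 365, Cloud Apps) in the last 7 days.
AlertInfo
| where Timestamp > ago(7d)
| join kind=inner (
    AlertEvidence
    // keep only evidence rows that name an account, so we can pivot on it
    | where isnotempty(AccountName)
    | project AlertId, AccountName, DeviceName
  ) on AlertId
| summarize
    Sources    = make_set(ServiceSource),   // which Defender products contributed
    Alerts     = make_set(Title),           // alert titles in the chain
    Devices    = make_set(DeviceName),      // endpoints involved, if any
    FirstAlert = min(Timestamp),
    LastAlert  = max(Timestamp)
  by AccountName
// a single-product hit is ordinary alert triage; two or more is the XDR correlation case
| where array_length(Sources) > 1
| order by LastAlert desc
```

Run it from the Advanced Hunting page of the Microsoft Defender portal. Rows with three or four entries in Sources are the ones where the vendor-side correlation is doing the work the text describes; the same join against a SIEM would require each product's connector to be in place and a correlation rule keyed on the account to be written and maintained.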
Where Defender XDR sits in the Australian market
Defender XDR is included with Microsoft 365 E5 (or as separate Defender SKUs on top of E3). For Australian mid-market tenants standardising on Microsoft 365, Defender XDR is typically a stronger fit than third-party XDR (SentinelOne Singularity XDR, Palo Alto Cortex, CrowdStrike Falcon XDR) because the signals are native — no third-party connector latency, no extra licensing on top of the M365 stack. The cost lever is the E3-to-E5 upgrade, which usually pays back inside 18 months once standalone Defender, MCAS (now Defender for Cloud Apps), Sentinel-connector and identity-protection costs are netted out.