Why Should I Upgrade to Windows 10?
Device Health Attestation (DHA)
Advanced Threat Protection (ATP)
Similar to an airline flight recorder, every action that happens on a workstation, and every relationship between those actions, is completely mapped out so you can see in real time and in detail what is happening on that workstation. That data is sent up to the cloud, which consumes the data in your tenant, and machine learning then uses all sorts of heuristics to detect malicious, anomalous behaviour.
This machine learning is improved every day with new indicators of compromise that get baked into the engine.
The Microsoft Security team analyses adversary groups, tracking their behaviour and tactics to build indicator models that trigger alerts if your organisation has experienced a very sophisticated, targeted breach, probably using a zero-day vulnerability, assuming you're patching your environment regularly.