Agenda

• Introduction to Microsoft 365 threat protection
• Explore Extended Detection & Response (XDR) response use cases
• Understand Microsoft 365 Defender in a Security Operations Center (SOC)
• Explore Microsoft Security Graph
• Investigate security incident in Microsoft 365 Defender
• Mitigate incidents using Microsoft 365 Defender
• Use the Microsoft 365 Defender portal
• Manage incidents
• Investigate incidents
• Manage and investigate alerts
• Manage automated investigations
• Use the action center
• Explore advanced hunting
• Investigate Azure AD sign-in logs
• Understand Microsoft Secure Score
• Analyze threat analytics
• Analyze reports
• Configure the Microsoft 365 Defender portal
• Protect your identities with Azure AD Identity Protection
• Azure AD Identity Protection overview
• Detect risks with Azure AD Identity Protection policies
• Investigate and remediate risks detected by Azure AD Identity Protection
• Remediate risks with Microsoft Defender for Office 365
• Introduction to Microsoft Defender for Office 365
• Automate, investigate, and remediate
• Configure, protect, and detect
• Simulate attacks
• Safeguard your environment with Microsoft Defender for Identity
• Introduction to Microsoft Defender for Identity
• Configure Microsoft Defender for Identity sensors
• Review compromised accounts or data
• Integrate with other Microsoft tools
• Secure your cloud apps and services with Microsoft Defender for Cloud Apps
• Understand the Defender for Cloud Apps Framework
• Explore your cloud apps with Cloud Discovery
• Protect your data and apps with Conditional Access App Control
• Walk through discovery and access control with Microsoft Defender for Cloud Apps
• Classify and protect sensitive information
• Detect Threats
• Respond to data loss prevention alerts using Microsoft 365
• Describe data loss prevention alerts
• Investigate data loss prevention alerts in Microsoft Purview
• Investigate data loss prevention alerts in Microsoft Defender for Cloud Apps
• Manage insider risk in Microsoft Purview
• Insider risk management overview
• Introduction to managing insider risk policies
• Create and manage insider risk policies
• Knowledge check
• Investigate insider risk alerts
• Take action on insider risk alerts through cases
• Manage insider risk management forensic evidence
• Create insider risk management notice templates
• Investigate threats by using audit features in Microsoft 365 Defender and Microsoft Purview Standard
• Introduction to threat investigation with the Unified Audit Log (UAL)
• Explore Microsoft Purview Audit solutions
• Implement Microsoft Purview Audit (Standard)
• Start recording activity in the Unified Audit Log
• Search the Unified Audit Log (UAL)
• Export, configure, and view audit log records
• Use audit log searching to investigate common support issues
• Investigate threats using audit in Microsoft 365 Defender and Microsoft Purview (Premium)
• Introduction to threat investigation with Microsoft Purview Audit (Premium)
• Explore Microsoft Purview Audit (Premium)
• Implement Microsoft Purview Audit (Premium)
• Manage audit log retention policies
• Investigate compromised email accounts using Purview Audit (Premium)
• Investigate threats with Content search in Microsoft Purview
• Explore Microsoft Purview eDiscovery solutions
• Create a content search
• View the search results and statistics
• Export the search results and search report
• Configure search permissions filtering
• Search for and delete email messages
• Protect against threats with Microsoft Defender for Endpoint
• Introduction to Microsoft Defender for Endpoint
• Practice security administration
• Hunt threats within your network
• Deploy the Microsoft Defender for Endpoint environment
• Create your environment
• Understand operating systems compatibility and features
• Onboard devices
• Manage access
• Create and manage roles for role-based access control
• Configure device groups
• Configure environment advanced features
• Implement Windows security enhancements with Microsoft Defender for Endpoint
• Understand attack surface reduction
• Enable attack surface reduction rules
• Perform device investigations in Microsoft Defender for Endpoint
• Use the device inventory list
• Investigate the device
• Use behavioral blocking
• Detect devices with device discovery
• Perform actions on a device using Microsoft Defender for Endpoint
• Explain device actions
• Run Microsoft Defender antivirus scan on devices
• Collect investigation package from devices
• Initiate live response session
• Perform evidence and entities investigations using Microsoft Defender for Endpoint
• Investigate a file
• Investigate a user account
• Investigate an IP address
• Investigate a domain
• Configure and manage automation using Microsoft Defender for Endpoint
• Configure advanced features
• Manage automation upload and folder settings
• Configure automated investigation and remediation capabilities
• Block at risk devices
• Configure for alerts and detections in Microsoft Defender for Endpoint
• Configure advanced features
• Configure alert notifications
• Manage alert suppression
• Manage indicators
• Utilize Vulnerability Management in Microsoft Defender for Endpoint
• Understand vulnerability management
• Explore vulnerabilities on your devices
• Manage remediation
• Plan for cloud workload protections using Microsoft Defender for Cloud
• Explain Microsoft Defender for Cloud
• Describe Microsoft Defender for Cloud workload protections
• Exercise – Microsoft Defender for Cloud interactive guide
• Enable Microsoft Defender for Cloud
• Connect Azure assets to Microsoft Defender for Cloud
• Explore and manage your resources with asset inventory
• Configure auto provisioning
• Manual log analytics agent provisioning
• Connect non-Azure resources to Microsoft Defender for Cloud
• Protect non-Azure resources
• Connect non-Azure machines
• Connect your AWS accounts
• Connect your GCP accounts
• Manage your cloud security posture management
• Explore Secure Score
• Explore Recommendations
• Measure and enforce regulatory compliance
• Understand Workbooks
• Explain cloud workload protections in Microsoft Defender for Cloud
• Understand Microsoft Defender for servers
• Understand Microsoft Defender for App Service
• Understand Microsoft Defender for Storage
• Understand Microsoft Defender for SQL
• Understand Microsoft Defender for open-source databases
• Understand Microsoft Defender for Key Vault
• Understand Microsoft Defender for Resource Manager
• Understand Microsoft Defender for DNS
• Understand Microsoft Defender for Containers
• Understand Microsoft Defender additional protections
• Remediate security alerts using Microsoft Defender for Cloud
• Understand security alerts
• Remediate alerts and automate responses
• Suppress alerts from Defender for Cloud
• Generate threat intelligence reports
• Respond to alerts from Azure resources
• Construct KQL statements for Microsoft Sentinel
• Understand the Kusto Query Language statement structure
• Use the search operator
• Use the where operator
• Use the let statement
• Use the extend operator
• Use the order by operator
• Use the project operators
• Analyze query results using KQL
• Use the summarize operator
• Use the summarize operator to filter results
• Use the summarize operator to prepare data
• Use the render operator to create visualizations
• Build multi-table statements using KQL
• Use the union operator
• Use the join operator
• Work with data in Microsoft Sentinel using Kusto Query Language
• Introduction
• Extract data from unstructured string fields
• Extract data from structured string data
• Integrate external data
• Create parsers with functions
• Introduction to Microsoft Sentinel
• What is Microsoft Sentinel?
• How Microsoft Sentinel works
• When to use Microsoft Sentinel
• Create and manage Microsoft Sentinel workspaces
• Plan for the Microsoft Sentinel workspace
• Create a Microsoft Sentinel workspace
• Manage workspaces across tenants using Azure Lighthouse
• Understand Microsoft Sentinel permissions and roles
• Manage Microsoft Sentinel settings
• Configure logs
• Query logs in Microsoft Sentinel
• Query logs in the logs page
• Understand Microsoft Sentinel tables
• Understand common tables
• Understand Microsoft 365 Defender tables
• Use watchlists in Microsoft Sentinel
• Plan for watchlists
• Create a watchlist
• Manage watchlists
• Utilize threat intelligence in Microsoft Sentinel
• Define threat intelligence
• Manage your threat indicators
• View your threat indicators with KQL
• Connect data to Microsoft Sentinel using data connectors
• Ingest log data with data connectors
• Understand data connector providers
• View connected hosts
• Connect Microsoft services to Microsoft Sentinel
• Plan for Microsoft services connectors
• Connect the Microsoft Office 365 connector
• Connect the Azure Active Directory connector
• Connect the Azure Active Directory identity protection connector
• Connect the Azure Activity connector
• Connect Microsoft 365 Defender to Microsoft Sentinel
• Plan for Microsoft 365 Defender connectors
• Connect the Microsoft 365 Defender connector
• Connect Microsoft Defender for Cloud connector
• Connect Microsoft Defender for IoT
• Connect Microsoft Defender legacy connectors
• Connect Windows hosts to Microsoft Sentinel
• Plan for Windows hosts security events connector
• Connect using the Windows Security Events via AMA Connector
• Connect using the Security Events via Legacy Agent Connector
• Collect Sysmon event logs
• Connect Common Event Format logs to Microsoft Sentinel
• Plan for Common Event Format connector
• Connect your external solution using the Common Event Format connector
• Connect syslog data sources to Microsoft Sentinel
• Plan for syslog data collection
• Collect data from Linux-based sources using syslog
• Configure the Data Collection Rule for Syslog Data Sources
• Parse syslog data with KQL
• Connect threat indicators to Microsoft Sentinel
• Plan for threat intelligence connectors
• Connect the threat intelligence TAXII connector
• Connect the threat intelligence platforms connector
• View your threat indicators with KQL
• Threat detection with Microsoft Sentinel analytics
• What is Microsoft Sentinel Analytics?
• Types of analytics rules
• Create an analytics rule from templates
• Create an analytics rule from wizard
• Manage analytics rules
• Automation in Microsoft Sentinel
• Understand automation options
• Create automation rules
• Security incident management in Microsoft Sentinel
• Exercise - Set up the Azure environment
• Understand incidents
• Incident evidence and entities
• Incident management
• Identify threats with Behavioral Analytics
• Understand behavioral analytics
• Explore entities
• Display entity behavior information
• Use Anomaly detection analytical rule templates
• Data normalization in Microsoft Sentinel
• Understand data normalization
• Use ASIM Parsers
• Understand parameterized KQL functions
• Create an ASIM Parser
• Configure Azure Monitor Data Collection Rules
• Query, visualize, and monitor data in Microsoft Sentinel
• Exercise - Query and visualize data with Microsoft Sentinel Workbooks
• Monitor and visualize data
• Query data using Kusto Query Language
• Use default Microsoft Sentinel Workbooks
• Create a new Microsoft Sentinel Workbook
• Manage content in Microsoft Sentinel
• Use solutions from the content hub
• Use repositories for deployment
• Explain threat hunting concepts in Microsoft Sentinel
• Understand cybersecurity threat hunts
• Develop a hypothesis
• Explore MITRE ATT&CK
• Threat hunting with Microsoft Sentinel
• Exercise setup
• Explore creation and management of threat-hunting queries
• Save key findings with bookmarks
• Observe threats over time with livestream
• Use Search jobs in Microsoft Sentinel
• Hunt with a Search Job
• Restore historical data
• Hunt for threats using notebooks in Microsoft Sentinel
• Access Azure Sentinel data with external tools
• Hunt with notebooks
• Create a notebook
• Explore notebook code