Thanks for gathering these resources together. I completed the training and this is useful in getting started with Microsoft 365 Defender. Just a few remarks below. HeikeRitter
I noticed the link for "Module 6. Self-healing" / "Report a false positive/negative to Microsoft for analysis" is pointing to the same page as the item just above it in the list ("Approve or reject pending actions"). It is currently pointing to the page https://docs.microsoft.com/en-us/microsoft-365/security/mtp/mtp-autoir-actions?view=o365-worldwide, whereas I suspect the link was supposed to be this one: https://learn.microsoft.com/en-us/microsoft-365/security/defender/m365d-autoir-report-false-positives-negatives?view=o365-worldwide
In the Expert knowledge check, there's a question "Which of the following attributes do you need to include in a query to create a custom detection rule from it?" and we are given a multiple choice with the following possible answers:
- Timestamp, DeviceId
- ReportId, DeviceId
- Timestamp, ReportId
Could it be that these possible answers are not 100% correct? (In other words, that none of these answers is accurate.) In the resources, I found the information below, which is related to that question and seems to indicate that at least 3 attributes need to be included. The third option might match best, but given the fact that there also needs to be a third attribute, I found the question to be somewhat ambiguous.
https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide
Required columns in the query results
To create a custom detection rule, the query must return the following columns:
- Timestamp—used to set the timestamp for generated alerts
- ReportId—enables lookups for the original records
- One of the following columns that identify specific devices, users, or mailboxes:
  - DeviceId
  - DeviceName
  - RemoteDeviceName
  - RecipientEmailAddress
  - SenderFromAddress (envelope sender or Return-Path address)
  - SenderMailFromAddress (sender address displayed by email client)
  - RecipientObjectId
  - AccountObjectId
  - AccountSid
  - AccountUpn
  - InitiatingProcessAccountSid
  - InitiatingProcessAccountUpn
  - InitiatingProcessAccountObjectId
Kind regards.
Joeri
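As an added illustration of the required-columns rule quoted above (this query is not part of the training, the post, or the Microsoft documentation), here is an advanced hunting query shaped so that it can be saved as a custom detection rule: it keeps Timestamp and ReportId and uses DeviceId as the entity column. The detection logic (PowerShell started with an encoded command line) is only a placeholder to give the query something to return.

```kql
// Added example: a query that satisfies the custom detection rule column requirements.
// Required: Timestamp (alert time), ReportId (lookup of the original record),
// and at least one entity column such as DeviceId.
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
// Placeholder detection logic: encoded PowerShell command lines (contains is case-insensitive).
| where ProcessCommandLine contains "-enc"
// Keep the three mandatory columns; the remaining columns are context for the analyst.
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName, FileName, ProcessCommandLine
```

If the query aggregates with summarize, Timestamp and ReportId still have to survive the aggregation (for example via arg_max(Timestamp, *) by DeviceId), otherwise the custom detection rule cannot be created.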