Microsoft Tech Community
Become a Microsoft 365 Defender Ninja
Published Oct 19 2020 08:53 AM 223K Views
Microsoft

Last updated: August 2022

 

Microsoft 365 Defender, part of Microsoft’s XDR solution, leverages the Microsoft 365 security portfolio to automatically analyze threat data across domains, building a complete picture of each attack in a single dashboard. This Ninja blog covers the features and functions of Microsoft 365 Defender – everything that goes across the workloads, but not the individual workloads themselves. The content is structured into three different knowledge levels, with multiple modules: Fundamentals, Intermediate, and Expert.

 

In addition, after each level we offer you a knowledge check based on the training material you have just finished. Since there is a lot of content, the goal of the knowledge checks is to help ensure understanding of the key concepts that were covered. Lastly, a fun certificate will be issued at the end of the training. Disclaimer: This is not an official Microsoft certification and only acts as a way of recognizing your participation in this training content.

 

We will keep updating this training on a regular basis and highlight new resources.

 

Table of Contents

Security Operations Fundamentals

Module 1. Technical overview

Module 2. Getting started

Module 3. Investigation – Incident

Module 4. Threat analytics

Module 5. Advanced hunting

Module 6. Self-healing

Module 7. Community (blogs, webinars, GitHub)

Module 8. Partners

 

Security Operations Intermediate

Module 1. Architecture

Module 2. Investigation

Module 3. Advanced hunting

Module 4. Automated investigation and remediation

Module 5. Build your own lab

Module 6. Self-healing

Module 7. Reporting

Module 8. Microsoft Threat Experts

 

Security Operations Expert

Module 1. Incidents

Module 2. Advanced hunting

Module 3. APIs, custom reports, SIEM & other integrations

 

Legend (resource types linked from each module):

Product videos

Webcast recordings

Tech Community

Docs on Microsoft

Blogs on Microsoft

GitHub

⤴ External

Interactive guides

 

 

Security Operations Fundamentals

Module 1. Technical overview

Module 2. Getting started

Module 3. Investigation – Incident

Module 4. Threat analytics

Module 5. Advanced hunting

Module 6. Self-healing

Module 7. Community (blogs, webinars, GitHub)

Module 8. Partners

 

> Ready for the Fundamentals Knowledge Check

 

Security Operations Intermediate

Module 1. Architecture

Module 2. Investigation

Module 3. Advanced hunting

Module 4. Automated investigation and remediation

Module 5. Build your own lab

Module 6. Self-healing

Module 7. Reporting

Module 8. Microsoft Threat Experts

 

> Ready for the Intermediate Knowledge Check

 

Security Operations Expert

Module 1. Incidents

Module 2. Advanced hunting

Module 3. APIs, custom reports, SIEM & other integrations

 

> Ready for the Expert Knowledge Check

 

Once you’ve finished the training and the knowledge checks, please click here to request your certificate (you'll see it in your inbox within 3-5 business days).

37 Comments
Bronze Contributor

Thank you for sharing. For the top part, where the Modules are listed, clicking on a link opens a new tab. If possible, please make it navigate inside this page (instead of opening a new tab), while for other links opening a new tab is fine because it is a new website.

Microsoft

@Reza_Ameri-Archived weird, it should open in the same page. Thanks for the info, I will check again.

Silver Contributor

Thanks! And @Reza_Ameri-Archived it opens in the same page for me.

Microsoft

@Kam & @Reza_Ameri-Archived  I just fixed it quickly :) Thanks again!! 

Bronze Contributor

@Heike Ritter 

Please consider adding this content to the Microsoft Learn platform too.

Microsoft

Great work @Heike Ritter !

Brass Contributor

I cannot wait to go through the security modules. Awesome job!

Microsoft

Hi Heike,
great Learning Stuff for my customers and an excellent detailed overview!!
thanks

Awesome post. Put it on my to-do learning list.

Iron Contributor

Thanks for this great post @Heike Ritter !

Copper Contributor

Great resource!  Thanks for sharing.

Thanks @Heike Ritter for sharing your knowledge with us. Great stuff and well-detailed.:smile:

Great blog post, lots of useful information, bookmarking this page for future reference :)

Copper Contributor

Great resource!  Thanks for sharing too.:clapping_hands:

Iron Contributor

awesome resources @Heike Ritter 

Microsoft

I am a new starter and this is great! 

Steel Contributor

Very interesting and useful.
Thank you @Heike Ritter

Copper Contributor

Thanks for the training, I have successfully passed the evaluation, I share my certificate: DM365 Defender.PNG

Microsoft

Very good . Thank you

Completed, I'm a Ninja in Microsoft 365 Defender.

Copper Contributor

Hi,

Do we have an estimation of the time requested to complete this training?

Thanks in advance

Copper Contributor

I found this wonderful learning content on MS Learn SC-200 Microsoft Defender for Endpoint. I understood the features of Microsoft Defender. I'll recommend this Ninja content to my colleagues. Thanks,

Brass Contributor

Thanks for providing this great ninja training resource @Heike Ritter 

 

The last section "Security Operations Expert" provides links to the same documentation for "Prioritize incidents", "Manage incidents" and "Report false positives/negatives" that is already covered in the "Security Operations Intermediate" section (see screenshot below).

I am not sure if this was intentional but I guess it doesn't hurt to read about it twice :D

 

ms-defender-ninja.jpg

Copper Contributor

There are some overlapping materials along the learning journey.

Microsoft

Thank you @Heike Ritter for such great content in 1 place! I'm just prepping up diving into each of these, and out of curiosity, was wondering why Module 6 is listed before Module 5 in the Security Operations Fundamentals?

Microsoft

@AvaniPatel oupsy, no - this is a mistake, and with the next update I will fix it :) Thank you!

Copper Contributor

I think the first question in the Intermediate Knowledge check needs updating?

 

https://docs.microsoft.com/en-us/microsoft-365/security/defender/incident-queue?view=o365-worldwide#...

 

"The default list of incidents is for those that occurred in the last six months"

Iron Contributor

awesome and educational 

Copper Contributor

Thank you, this has taken longer than expected but enjoyed the journey.

Copper Contributor

Thanks for the training. It does not only include the training materials, it also has a technical session that shows how to work.
Amazing @Heike Ritter  

Copper Contributor

Peace be upon you, you are brilliant.

Copper Contributor

Thank you, this has taken longer than expected but enjoyed the journey

 

Copper Contributor

1) How can I find the percentage of devices patched for a specific region in the Defender portal?

2) How can I check the operating system end-of-support date for all devices in a specific region in the Defender portal?

 

 

Thank you @Heike Ritter for the great learning resource

Copper Contributor

Hello everyone,

 

Are these topics still current in terms of content?

 

Kind regards

Giuseppe

Brass Contributor

Great learning resources, thank you @Heike Ritter! It would be even nicer if we could turn the certificate of completion into a Credly cert.

Copper Contributor

Thanks for gathering these resources together. I completed the training and this is useful in getting started with Microsoft 365 Defender. Just a few remarks below. @Heike Ritter 

I noticed the link for "Module 6. Self-healing" / "Report a false positive/negative to Microsoft for analysis" is pointing to the same page as the item just above it in the list ("Approve or reject pending actions"). It is currently pointing to the page https://docs.microsoft.com/en-us/microsoft-365/security/mtp/mtp-autoir-actions?view=o365-worldwide whereas I suspect the link it was supposed to be is this one: https://learn.microsoft.com/en-us/microsoft-365/security/defender/m365d-autoir-report-false-positive...

 

In the Expert knowledge check, there's a question "Which of the following attributes do you need to include in a query to create a custom detection rule from it?" and we are given a multiple choice with the following possible answers:

  • Timestamp, DeviceId
  • ReportId, DeviceId
  • Timestamp, ReportId

Could it be these possible answers are not 100% correct? (In other words, that none of these answers is accurate). In the resources, I found the below information which is related to that question and seems to indicate that at least 3 attributes need to be included. The third option might match best but given the fact that there also needs to be a third attribute, I found the question to be somewhat ambiguous.

 

https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-w...

 

Required columns in the query results
To create a custom detection rule, the query must return the following columns:

  • Timestamp—used to set the timestamp for generated alerts
  • ReportId—enables lookups for the original records
  • One of the following columns that identify specific devices, users, or mailboxes:
    ◦ DeviceId
    ◦ DeviceName
    ◦ RemoteDeviceName
    ◦ RecipientEmailAddress
    ◦ SenderFromAddress (envelope sender or Return-Path address)
    ◦ SenderMailFromAddress (sender address displayed by email client)
    ◦ RecipientObjectId
    ◦ AccountObjectId
    ◦ AccountSid
    ◦ AccountUpn
    ◦ InitiatingProcessAccountSid
    ◦ InitiatingProcessAccountUpn
    ◦ InitiatingProcessAccountObjectId

Kind regards.

 

Joeri
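As an added illustration of the column requirement quoted in the comment above (example code added here; it is not part of the original post, the comments, or Microsoft's documentation), the following advanced hunting query is shaped so that it is eligible to be saved as a custom detection rule: its results keep Timestamp, ReportId and one entity column, DeviceId. The table and column names (DeviceProcessEvents, Timestamp, ReportId, DeviceId, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName) are real advanced hunting schema names; the detection logic itself (PowerShell launched with an encoded command line) and the one-day look-back window are illustrative assumptions chosen for the example, not something the page prescribes.

```kusto
// Added example, not from the original page: an advanced hunting query that
// satisfies the "required columns" rule for custom detection rules.
//
// A query of the following shape would NOT be accepted as a custom detection,
// because summarize discards Timestamp and ReportId from the results:
//   DeviceProcessEvents
//   | where FileName =~ "powershell.exe"
//   | summarize count() by DeviceId
//
// The eligible shape below keeps Timestamp, ReportId and an entity column
// (DeviceId); any further columns are optional context for the analyst.
DeviceProcessEvents
| where Timestamp > ago(1d)                                   // look-back window (assumption)
| where FileName in~ ("powershell.exe", "pwsh.exe")           // PowerShell hosts
| where ProcessCommandLine has_any ("-enc", "-encodedcommand") // illustrative filter (assumption)
| project Timestamp, ReportId, DeviceId,                      // required by custom detection rules
          DeviceName, AccountName,                            // optional: who and where
          InitiatingProcessFileName,                          // optional: parent process
          FileName, ProcessCommandLine                        // optional: what ran
```

The project operator is what makes the difference: as long as Timestamp, ReportId and at least one of the entity columns survive to the final result set, you may add as much extra context as you like, whereas any operator that drops those columns (summarize without them, a project that omits them) makes the query ineligible for a detection rule even though it still runs fine as an ad-hoc hunt.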

Last update: Aug 01 2022 05:02 PM