Become a Microsoft Defender for Endpoint Ninja

Published 07-13-2020 09:59 AM
Microsoft

Do you want to become a ninja for Microsoft Defender for Endpoint? We can help you get there! We have collected content for two roles: “Security Operations (SecOps)” and “Security Administrator (SecAdmin)”. The content is structured into three knowledge levels, each with multiple modules: Fundamentals, Intermediate, and Expert. Some topics are relevant to both SecOps and SecAdmins and are listed for both roles. We will keep updating this training on a regular basis and highlight new resources.

In addition, after each level we offer a knowledge check based on the training material you have just finished. Since there is a lot of content, the knowledge checks are there to help ensure understanding of the key concepts that were covered. Lastly, a fun certificate is issued at the end of the training. Disclaimer: this is not an official Microsoft certification; it only recognizes your participation in this training content.

I want to give kudos to my colleagues: @Sarahzin for letting me copy from her MCAS Ninja training, @DanEdwards for helping me automate the certificate distribution, and Brian and my CxE colleagues for helping with the questions! Thank you!

If you have already done the training, you can focus on the latest updates (February 2021 update).

 

Table of Contents

Security Operations Fundamentals

Module 1. Technical overview

Module 2. Getting started

Module 3. Threat and vulnerability management

Module 4. Attack surface reduction

Module 5. Next generation protection

Module 6. Investigation – Incident

Module 7. Alert handling

Module 8. Automated investigation and remediation

Module 9. Microsoft Threat Experts

Module 10. Reporting

Module 11. Evaluation Lab

Security Operations Intermediate

Module 1. Architecture

Module 2. Threat and vulnerability management

Module 3. Next generation protection

Module 4. Advanced hunting

Module 5. Automated investigation and remediation

Module 6. Threat analytics

Module 7. Unified indicators of compromise (IOCs)

Module 8. Evaluation lab

Module 9. Community (blogs, webinars, GitHub)

Security Operations Expert

Module 1. Responding to threats

Module 2. Alert handling

Module 3. Deep file analysis

Module 4. Advanced hunting

Module 5. Unified indicators of compromise (IOCs)

Module 6. Custom reporting

Module 7. Community (blogs, webinars, GitHub)

Security Administrator Fundamentals

Module 1. Architecture

Module 2. Onboarding

Module 3. Grant and control access

Module 4. Security configuration

Module 5. Reporting

Module 6. SIEM Integration

Security Administrator Intermediate

Module 1. Threat and vulnerability management (TVM)

Module 2. Attack surface reduction

Module 3. Next generation protection

Module 4. Advanced hunting

Module 5. Conditional access

Module 6. Microsoft Cloud App Security (MCAS)

Module 7. Community (blogs, webinars, GitHub)

Module 8. Migration

Security Administrator Expert

Module 1. Custom reporting (PowerBI)

Module 2. Advanced hunting

Module 3. Custom Integrations, APIs

Learn about our partner integrations

Legend:

Product videos

Webcast recordings

Tech Community

Docs on Microsoft

Blogs on Microsoft

GitHub

⤴ External

Interactive guides

Security Operations Fundamentals

Module 1. Technical overview

Module 2. Getting started

Module 3. Threat and vulnerability management

Module 4. Attack surface reduction

Module 5. Next generation protection

Module 6. Investigation – Incident

Module 7. Alert handling

Module 8. Automated investigation and remediation

Module 9. Microsoft Threat Experts

Module 10. Reporting

Module 11. Evaluation Lab

> Ready for the Fundamentals Knowledge Check?

Security Operations Intermediate

Module 1. Architecture

Module 2. Threat and vulnerability management

Module 3. Next generation protection

Module 4. Advanced hunting

Module 5. Automated investigation and remediation

Module 6. Threat analytics

Module 7. Unified indicators of compromise (IOCs)

Module 8. Evaluation lab

Module 9. Community (blogs, webinars, GitHub)

> Ready for the Intermediate Knowledge Check?

Security Operations Expert

Module 1. Responding to threats

Module 2. Alert handling

Module 3. Deep file analysis

Module 4. Advanced hunting

Module 5. Unified indicators of compromise (IOCs)

Module 6. Custom reporting

Module 7. Community (blogs, webinars, GitHub)

> Ready for the Expert Knowledge Check?

Security Administrator Fundamentals

Module 1. Architecture

Module 2. Onboarding

Module 3. Grant and control access

Module 4. Security configuration

Module 5. Reporting

Module 6. SIEM Integration

> Ready for the Fundamentals Knowledge Check?

Security Administrator Intermediate

Module 1. Threat and vulnerability management (TVM)

Module 2. Attack surface reduction

Module 3. Next generation protection

Module 4. Advanced hunting

Module 5. Conditional access

Module 6. Microsoft Cloud App Security (MCAS)

Module 7. Community (blogs, webinars, GitHub)

Module 8. Migration

> Ready for the Intermediate Knowledge Check?

Security Administrator Expert

Module 1. Custom reporting (PowerBI)

Module 2. Advanced hunting

Module 3. Custom Integrations, APIs

Learn about our partner integrations

> Ready for the Expert Knowledge Check?

Once you have finished the training and the knowledge checks, please click here to request your certificate (you will see it in your inbox within 3-5 business days).

45 Comments
Visitor

This is an amazing resource. Where can we find other NINJA guides?


Microsoft

@samcool80 - I am only aware of this other one, which is for Azure Sentinel

Occasional Visitor

This is fabulous work, putting all the content together. This is exactly what I was looking for. Big thank you. Is there any MS exam for these two roles (SecOps & SecAdmin)?

Microsoft

@Rvchandraa there isn't (yet). Would you like to see a SecOps & SecAdmin exam for MDATP only, or a general one for these roles that includes other security products too?

Senior Member

Well done on putting this together. Learning is core to the team! thx

Occasional Contributor

@Heike Ritter @Rvchandraa

Well, there is the MS-500 exam: Microsoft 365 Security Administration (https://docs.microsoft.com/en-us/learn/certifications/exams/ms-500).

But more in-depth and specialized exams/roles on security would be nice.

Maybe pull it through to the Azure stack as well. (The AZ-500 exam covers most options there currently.)


Occasional Visitor

Thanks @ShellBlazer. I'm currently preparing for the AZ-500 exam; I haven't reached that section yet. Yes, it does cover Security Center, Sentinel intro & Defender.

Thanks @Heike Ritter. Actually, I'd like to see a general one for these roles. Hoping MS comes up with an L-400 Sentinel exam, as it's getting popular.

Senior Member

This guide is very useful, Thanks.
It would be interesting to include Web content filtering.

Microsoft

Wow. Great job, Heike and team, this is an invaluable resource, thank you so much! 

Microsoft

@Jonathan Santos valid point! Will add this to the next update (August update)

Occasional Visitor

How can I get certificate of completion on this?

Occasional Contributor

I've signed up for the Defender ATP trial license...how long does it usually take to get approved?

Microsoft

@Steve Ens it usually takes a couple of business days. Make sure you use your company email address, as others are not being approved. 

Occasional Contributor

@Heike Ritter Odd. I must've signed up a few times over the last two months... still waiting. (I don't want to renew my Trend Micro.)

Microsoft

@Steve Ens please send me a private message with the email address you used during the sign up and I will follow up internally. 

Respected Contributor

How do MDATP roles interact with Azure AD PIM?

Microsoft

@Dean Gross If I read this documentation right, you can use PIM - I never tried. Give it a shot and let us know :)

Respected Contributor

@Heike Ritter as a Privileged Role Admin, I cannot find any way to assign MD ATP roles to an account.

In the Defender Security Center, I see the MD ATP Administrator role; this does not show up in PIM. I have the ability to create new custom roles and they don't show up in PIM either. It would be good if they did.

Microsoft

@Dean Gross great feedback, I will pass it to the team. Thank you Dean

Frequent Contributor

Great collection. Will use it to build up a security response team.

Would be great if there were an instructor-led training some day.


Respected Contributor

The link to Custom Reports in GitHub is broken; this points to a similar location: https://github.com/microsoft/MicrosoftDefenderATP-PowerBI

Microsoft

Thanks @Dean Gross, I don't know why they have to move these all the time :unamused:

Respected Contributor

Many of the PowerBI templates were created using an old schema and they no longer work. What is the best way to get them updated? https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/b...

Microsoft

@Dean Gross do you mean the templates on our GitHub are using an old schema?

Respected Contributor

@Heike Ritter yes, that is correct, I have added an issue to the repo. 

New Contributor

Link broken or bad.

Thank you for this awesome list of resources. Unfortunately, at least one link is broken or incorrect.

Security Operations Fundamentals -> Module 8. Automated investigation and remediation -> How automation works has this link: https:// microsofteur-my.sharepoint.com/personal/barakkl_microsoft_com/Documents/Documents/How%20Automation%20works

After clicking the link I have to log in, and after that I get the error "user not found in microsofteur-my.sharepoint.com". Can you please repair the link?

Microsoft

Thanks @_Richardk for reporting the broken link, I immediately fixed it! Sorry about that.

Microsoft

@Dean Gross thanks for reporting, I'll forward it to the folks who uploaded their reports there and see if they can modify them. 

Occasional Contributor

Fantastic material, thanks a lot for the effort. I really enjoy the short but informative videos; they are great.

Feedback: SecOps Intermediate has some empty repositories, it seems? I guess they aren't populated with content yet but will be in the future?

Various repositories

Microsoft

@Simon Håkansson Yes, looks like only Live Response has some content as of today. I am checking with the team what the plan is. Thanks!

Occasional Contributor

Great Job, Thanks

Frequent Contributor

Can you exchange the link for "Bringing IT & security together: How Microsoft is reinventing threat and vulnerability management" with the link https://myignite.techcommunity.microsoft.com/sessions/79812

For the SANS link you will need to register to view the webcast.

--

Edit: It's another video... but I am curious why SANS needs to know my shoe size to show it to me ;)

Occasional Visitor

Awesome collection!

Microsoft

A list of other Ninja Training resources that I have accumulated.

A huge thank you to those who worked so hard to put this Ninja resource together. It is super awesome! I noticed some asks above regarding what else is out there:

Ninja Resources:

All the best,
Scotty

Regular Visitor

Might I suggest a section for Defender for Servers?

There's a lot of confusion around this topic, e.g.:
- How does installing MMA get you Defender for Servers? i.e. what's the difference between MMA and Defender for Servers?

- How important is ASR on servers?

- Do I need to also install Microsoft Defender for Identity on my domain controllers? (yes!)

- Since Endpoint Manager can't manage servers, what's the best way to create a baseline policy for servers?


Microsoft

Hi @Heike Ritter, forecast Knowledge Check?

Microsoft

@Heike Ritter Do we have a certification for MDE Ninja as well?

Microsoft

@EltonSancho  and @Nitish_Anand - working on it, stay tuned :)

Occasional Visitor

Thanks so much, this has been so helpful.

Can you only manage device policies using Intune?

Wow, what an amazing resource. Would it be possible to add the length of videos and recordings to the overview?

Would be nice to be able to pick one you can finish if you have some time to spare.

Hello, how can I get a certificate of completion for this?

Senior Member

Thanks a lot!!! @mahajanajay92.

Microsoft

@kim oppalfens Great suggestion! Will add this to my next list of updates!

Microsoft

@Heike Ritter thanks for the amazing content!
The Module 9. Community (blogs, webinars, GitHub) link seems to be broken, as it leads nowhere :)

Last update: Mar 30 2021 08:34 PM