If you've already completed the training, you can focus on the latest updates (June 2022 update).
Do you want to become a Microsoft Defender for Office 365 ninja? We can help you get there! We collected content for two roles: “Security Operations (SecOps)” and “Email Security” teams. The content is structured into three different knowledge levels (Fundamentals, Intermediate, and Advanced) with multiple modules per level. Some of the topics are relevant for SecOps as well as for Email Security teams. This training will be updated on a regular basis to ensure you have access to the most current information available.
- Microsoft 365 Defender (previously Microsoft Threat Protection)
- Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection)
- Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection)
- Microsoft Defender for Identity (previously Azure Advanced Threat Protection)
- Microsoft Defender for Cloud Apps (previously Microsoft Cloud Apps Security)
Please let us know what you think about this training here: https://aka.ms/MDONinjasurvey
P.S. I wanted to give my colleague, HeikeRitter a big thank you for laying the groundwork for Ninja Training and for all of her help, along with Giulian Garruba & Bruno Nowak! Thank you!
_____________________________________________________________________________________
Table of Contents
Email Security - Fundamentals
(Deployment / Migration)
Module 1. Technical overview
Module 2. Getting started
(Prevention & Detection)
Module 3. Configuration (Part I)
Module 4. Protection Feature
(Awareness)
Module 5. General Awareness
Email Security - Intermediate
(Prevention & Detection)
Module 1. Configuration (Part II)
Module 2. Alert Management
Module 3. Mail flow
Module 4. Zero Hour Auto-Purge (ZAP)
(Investigation & Hunting)
Module 5. Investigating Alerts
Module 6. Advanced hunting (overview)
Module 7. Automated Investigation and Remediation (AIR)
Module 8. Threat Insights
(Response & Remediation)
Module 9. Alert Handling
Module 10. Manage Quarantined Messages
(Reporting)
Module 11. Reporting
Security Operations - Advanced
(SOC Flows)
Module 1. SIEM Integration & APIs
Module 2. False Positive/False Negative Management Flows
Module 3. Automation
Module 4. Migration
(Investigation & Hunting)
Module 5. Advanced hunting (Kusto training)
(Training)
Module 6. Attack Simulation Training
(Awareness)
Module 7. Security Operations
Module 8. Other Advanced Topics
(Supplemental)
Supplemental Content (Tech Community links)
Legend:
DOCS: Docs on Microsoft
BLOG: Blogs on Microsoft
VIDEO: Product videos
WEBC: Webcast recordings
MTC: Microsoft Tech Community
IG: Interactive guides
EXT: External
GIT: GitHub
Email Security - Fundamentals
(Deployment / Migration)
Module 1. Technical overview
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-365-security-center-mdo?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/defender-for-office-365?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/secure-by-default?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/mtp/overview-security-center?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- IG https://aka.ms/SafeguardwithMSDO.InteractiveGuide
- BLOG Get the most out of Office 365 ATP (Microsoft Defender for Office 365) in the shift to remote work
Module 2. Getting started
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-evaluation?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- GIT https://www.powershellgallery.com/packages/ORCA/
- EXT https://www.linkedin.com/pulse/reviewing-your-office-atp-configuration-cam-murray/?trackingId=NS%2FVe18RUBaJ90zW3LdCvA%3D%3D
- BLOG Enhanced Filtering for Connectors: Supporting hybrid mail routing configurations in Office 365
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- BLOG Evaluate Defender for Office 365 in your environment! [New!]
- EXT https://go.microsoft.com/fwlink/?linkid=2189652 (licensed partners access only) [New]
(Prevention & Detection)
Module 3. Configuration (Part I)
- VIDEO https://youtu.be/vivvTmWJ_3c
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365-atp?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/protect-against-threats?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/report-junk-email-messages-to-microsoft?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/user-submission?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/admin-submission?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- BLOG Configurable impersonation protection and scope for Preset Security policies [New!]
Module 4. Protection Feature
- VIDEO https://www.youtube.com/watch?v=vhIJ1Veq36Y
- BLOG Introducing differentiated protection for priority accounts in Microsoft Defender for Office 365 [New!]
(Awareness)
Module 5. General Awareness
- BLOG https://www.microsoft.com/security/blog/2020/03/20/protecting-against-coronavirus-themed-phishing-attacks/?wt.mc_id=SecNinja_mdoninja
- BLOG New Threat analytics report shares the latest intelligence on recent nation-state cyber attacks
>Ready for the https://forms.office.com/r/bF7TRGNYHw
____________________________________________________________________________________________
Email Security - Intermediate
(Prevention & Detection)
Module 1. Configuration (Part II)
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/email-validation-and-authentication?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-the-outbound-spam-policy?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365?wt.mc_id=SecNinja_mdoninja
- BLOG Improving “Defense in Depth” with Trusted ARC Sealers for Microsoft Defender for Office 365 [New!]
Module 2. Alert Management
- DOCS https://docs.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- VIDEO https://youtu.be/evicp4UrITo
- BLOG Announcing Priority Account Protection in Defender for Office 365
- VIDEO https://youtu.be/tqnj0TlzQcI
Module 3. Mail flow
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/outbound-spam-controls?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/mail-flow-insights-v2?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/mail-flow-rules-transport-rules-0?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/message-trace-scc?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
Module 4. Zero-Hour Auto Purge
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge?view=o365-worldwide#how-zap-works
- VIDEO https://youtu.be/kOefhx5vB1s
(Investigation & Hunting)
Module 5. Investigating Alerts
- VIDEO https://youtu.be/Tdz6KfruDGo
- BLOG Investigating alerts
- VIDEO https://www.youtube.com/watch?v=sZiM7CBgTKs
- BLOG Microsoft Defender for Office 365 investigation improvements coming soon
- BLOG https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
Module 6. Advanced Hunting (overview)
- VIDEO https://youtu.be/UoVzN0lYbfY
Module 7. Automated Investigation and Remediation
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-air?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/automated-investigation-response-office?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/air-view-investigation-results?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
Module 8. Threat Insights
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/walkthrough-spoof-intelligence-insight?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- VIDEO https://youtu.be/8Kn31h9HwIQ
(Response & Remediation)
Module 9. Alert handling
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/air-remediation-actions?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/air-review-approve-pending-completed-actions?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- VIDEO https://youtu.be/DvqzzYKu7cQ
- BLOG Announcing Campaign Views and Compromised User Detection and Response
- VIDEO https://youtu.be/Pc7y3a-wdR0
- BLOG Email remediation actions now available in unified Action Center [New!]
Module 10. Manage quarantined messages
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/manage-quarantined-messages-and-files?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- VIDEO https://youtu.be/s-vozLO43rI
- VIDEO https://youtu.be/vnar4HowfpY
- BLOG Simplifying the Quarantine Experience - Part One [New!]
- BLOG Simplifying the Quarantine Experience - Part Two [New!]
(Reporting)
Module 11. Reports / Custom Reporting
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/reports-and-insights-in-security-and-compliance?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/view-reports-for-atp?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- BLOG Reporting an email in Microsoft Defender for Office 365 [New!]
>Ready for the https://forms.office.com/r/4niXNvujJB
____________________________________________________________________________________________
Security Operations - Advanced
(SOC Flows)
Module 1. SIEM Integration & APIs
- BLOG Best practices for leveraging Microsoft 365 Defender API's - Episode One
- BLOG Best practices for leveraging Microsoft 365 Defender API's - Episode Two
- BLOG Improve the Effectiveness of your SOC with Office 365 ATP and the O365 Management API
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/air-custom-reporting?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
Module 2. False Positive / False Negative Management Flows
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/report-junk-email-messages-to-microsoft?view=o365-worldwide&viewFallbackFrom=o365-worldwide%3Fwt.mc_id%3DSecNinja_mdoninja
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/air-report-false-positives-negatives?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
Module 3. Automation
- VIDEO https://medius.studios.ms/video/asset/HIGHMP4/IG19-BRK3153
Module 4. Migration
- BLOG Introducing the Microsoft Defender for Office 365 Migration Guide
- VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWRwfH?wt.mc_id=SecNinja_mdoninja
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365?view=o365-worldwide&viewFallbackFrom=o365-worldwide%3Fwt.mc_id%3DSecNinja_mdoninja
(Investigation & Hunting)
Module 5. Advanced Hunting (Kusto training)
- VIDEO https://youtu.be/EDCBLULjtCM?t=360
- VIDEO https://youtu.be/YKD_OFLMpf8?t=334
- VIDEO https://youtu.be/jN1Cz0JcLYU?t=472
- EXT https://www.pluralsight.com/courses/kusto-query-language-kql-from-scratch
(Training)
Module 6. Attack Simulation Training
- BLOG Attack simulation training in Microsoft Defender for Office 365 now Generally Available
- VIDEO https://www.youtube.com/watch?v=zB_O-6bwZbc&list=PL3ZTgFEc7LystRja2GnDeUFqk44k7-KXf&index=16
- DOCS https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started?view=o365-worldwide?wt.mc_id=SecNinja_mdoninja
- BLOG Announcing Attack Simulation Training Read APIs - Now in Beta! [New!]
- BLOG End user email notifications are now customizable [New!]
- BLOG Attack Simulation Training: User tags based targeting in simulations - now live [New!]
- BLOG End user email notifications are now customizable - Part 2 [New!]
- BLOG Introducing Additional Dynamic Tags in Attack Simulation [New!]
- BLOG Customize login pages in Attack Simulation Training [New!]
(Awareness)
Module 7. Security Operations
- VIDEO https://www.youtube.com/watch?v=LQwsn1AcDPY&list=PL3ZTgFEc7LystRja2GnDeUFqk44k7-KXf&index=18
- VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWRwfx?wt.mc_id=SecNinja_mdoninja
- DOCS https://docs.microsoft.com/en-gb/microsoft-365/security/office-365-security/mdo-sec-ops-guide?view=o365-worldwide
- DOCS https://docs.microsoft.com/en-gb/microsoft-365/security/office-365-security/mdo-sec-ops-manage-incidents-and-alerts?view=o365-worldwide
Module 8. Other Advanced Topics
- DOCS https://review.docs.microsoft.com/en-us/microsoft-365/security/office-365-security/step-by-step-guides/connect-microsoft-defender-for-office-365-to-microsoft-sentinel?view=o365-21vianet&branch=tracy_tempGuides [New!]
>Ready for the https://forms.office.com/r/LaMNhvYrCs
____________________________________________________________________________________________
Supplemental Content
- MTC Microsoft Defender for Office 365 - Microsoft Tech Community
- MTC Microsoft Security and Compliance - Microsoft Tech Community
- MTC https://www.microsoft.com/en-us/microsoft-365/security/office-365-defender?wt.mc_id=SecNinja_mdoninja
Once you’ve finished the training and the knowledge checks, please https://forms.office.com/r/9vy4TnNAMh to request your certificate. You'll see it in your inbox within 3-5 business days.
Please let us know what you think about this training here: https://aka.ms/MDONinjasurvey
Interested in other ninja trainings? There are also ninja trainings for:
Microsoft Defender for Endpoint (MDE) - http://aka.ms/mdeninja
Microsoft Defender for Cloud Apps (MDCA) - http://aka.ms/MCASNinja
Microsoft Defender for Identity (MDI) - https://aka.ms/MDINinja
Follow us on LinkedIn as #DefenderForOffice365. Bookmark the https://www.microsoft.com/security/blog/ to keep up with expert coverage on security matters. Also, follow https://twitter.com/@MSFTSecurity on Twitter and https://www.linkedin.com/showcase/microsoft-security/ on LinkedIn for the latest news and updates on cybersecurity.