Become a Microsoft 365 Defender Ninja

Last updated: August 2022

Microsoft 365 Defender, part of Microsoft’s XDR solution, leverages the Microsoft 365 security portfolio to automatically analyze threat data across domains, building a complete picture of each attack in a single dashboard. This Ninja blog covers the features and functions of Microsoft 365 Defender – everything that goes across the workloads, but not the individual workloads themselves. The content is structured into three different knowledge levels, with multiple modules: Fundamentals, Intermediate, and Expert.

In addition, after each level, we offer you a knowledge check based on the training material you have just finished! Since there’s a lot of content, the goal of the knowledge checks is to help ensure understanding of the key concepts that were covered. Lastly, there’ll be a fun certificate issued at the end of the training: Disclaimer: This is not an official Microsoft certification and only acts as a way of recognizing your participation in this training content.

We will keep updating this training on a regular basis and highlight new resources.

Table of Contents

Security Operations Fundamentals

Module 1. Technical overview

Module 2. Getting started

Module 3. Investigation – Incident

Module 4. Threat analytics

Module 5. Advanced hunting

Module 6. Self-healing

Module 7. Community (blogs, webinars, GitHub)

Module 8. Partners

Security Operations Intermediate

Module 1. Architecture

Module 2. Investigation

Module 3. Advanced hunting

Module 4. Automated investigation and remediation

Module 6. Self-healing

Module 5. Build your own lab

Module 7. Reporting

Module 8. Microsoft Threat Experts

Security Operations Expert

Module 1. Incidents

Module 2. Advanced hunting

Module 3. APIs, custom reports, SIEM & other integrations

Legend:

Security Operations Fundamentals

Module 1. Technical overview

•  Short overview “What is Microsoft 365 Defender"
•  Unified experiences across endpoint and email
•  Defender for Cloud Apps experiences as part of Microsoft 365 Defender 
•  New value for ​Defender for Identity
•  New value for Defender for Office 365
•  Protect printers, cameras and the rest of your IoT devices
•  XDR announcement blog

Module 2. Getting started

•  Quick tutorial to get you started
•  Starting the service
•  Prepare your Azure Active Directory
•  Manage access
•  Provide your feedback

Module 3. Investigation – Incident

•  Work with incidents
•  Get email notifications on new incidents
•  Improved incident queue
•  Classification of incidents & alerts
•  See how consolidated incidents improve SOC efficiency
•  Protect your organization with Microsoft 365 Defender
•  Incidents trend graph view

•  Responding to my first incident, a tutorial and walkthrough for new-to-role analysts

•  Alert page for incident detections  

•  Email Entity page

Module 4. Threat Analytics

•  Threat analytics
•  Overview of Threat Analytics

Module 5. Advanced hunting

•  Quick overview & a short tutorial that will get you started fast
•  Learn the query language
•  Understand the schema

Module 6. Self-healing

•  How automation works
•  Learn about the various AIR capabilities
•  The action center

Module 7. Community (blogs, webinars, GitHub)

•  Microsoft 365 Defender Blog
•  Tech Community
•  Unified Microsoft SIEM & XDR GitHub repository

Module 8. Partner

•  Professional security services catalog 

> Ready for the Fundamentals Knowledge Check? 

Security Operations Intermediate

Module 1.  Architecture

•  Microsoft Threat Protection data security and privacy

Module 2. Investigation

•  Correlating and consolidating attacks into incidents
•  Investigate incidents
•  Incident graph view
•  Useful incident queue features
•  Mapping attack chains from cloud to endpoint
•  Prioritize incidents
•  Manage incidents
•  Assign incidents and alerts to someone else
•  Investigation improvements for Microsoft Defender for Office 365
•  Report false positives/negatives
• Investigate URLs and domains 

Module 3. Advanced hunting

•  Advanced hunting cheat sheet
•  Limitless Advanced Hunting with Azure Data Explorer (ADX)
•  Take action on advanced hunting query results
•  Advanced Hunting in portal Schema Reference 
• DeviceFromIP() function in advanced hunting
• Webinar series, episode 1: KQL fundamentals (MP4, YouTube)
•  Advanced hunting query best practices
•  Hunt across cloud app activities
•  Hunt for cloud app activities in non-Microsoft apps
•  Use additional email data in your hunting queries
•  Use Azure Active Directory audit log data in advanced hunting
•  Hunt for Azure Active Directory sign-in events
•  Advanced hunting queries on GitHub

Module 4. Automated investigation and remediation

• Remediation actions following automated investigations
• Approve or reject pending actions

Module 6. Self-healing

•  Learn about the various AIR capabilities
•  Self-healing explained based on an example 
•  Configure automated investigation and response capabilities
•  Approve or reject pending actions
•  Report a false positive/negative to Microsoft for analysis
•  The action center

Module 5. Build your own lab

• Create a lab environment

Module 7. Reporting

•  Out of the box reports

Module 8. Microsoft Threat Experts

•  Microsoft Threat Experts

> Ready for the Intermediate Knowledge Check? 

Security Operations Expert

Module 1. Incidents

•  Prioritize incidents
•  Manage incidents
•  Classify alerts or incidents
•  Report false positives/negatives
•  Deep-dive attack playbooks from the DART team for seasoned analysts
•  Incident response overview

Module 2. Advanced hunting

•   Webinar series, episode 2: Joins (MP4, YouTube)
•   Webinar series, episode 3: Summarizing, pivoting, and visualizing Data (MP4, YouTube)
•   Webinar series, episode 4: Let’s hunt! Applying KQL to incident tracking (MP4, YouTube)
• ⤴ Plural sight KQL training

Module 3. APIs, custom reports, SIEM & other integrations

•  Microsoft 365 Defender APIs
•  Best practices for leveraging API's - Episode Two
•  Streaming API Announcement blog
•  Overview of the Streaming API
•  Stream Microsoft 365 Defender events
•  Azure Sentinel and Microsoft 365 Defender incident integration
•  Overview Microsoft Sentinel integration
•  Microsoft Sentinel integration
•  Splunk Add-on for Microsoft Security

> Ready for the Expert Knowledge Check? 

Once you’ve finished the training and the knowledge checks, please click here to request your certificate (you'll see it in your inbox within 3-5 business days.