This training is currently being updated

Do you want to become a ninja for Microsoft Defender for Endpoint? We can help you get there! We collected content for two roles: “Security Operations (SecOps)” and “Security Administrator (SecAdmin)”. The content is structured into three different knowledge levels, with multiple modules: Fundamentals, Intermediate, and Expert. Some topics can be relevant for SecOps as well as for SecAdmins and are listed for both roles. We will keep updating this training on a regular basis. 

 

In addition, after each level, we offer you a knowledge check based on the training material you have just finished! Since there’s a lot of content, the goal of the knowledge checks is to help ensure understanding of the key concepts that were covered. Lastly, there’ll be a fun certificate issued at the end of the training: Disclaimer: This is not an official Microsoft certification and only acts as a way of recognizing your participation in this training content.

 

Please also check out the Ninja Show, which is based on this Ninja blog and brings you up to speed quickly on Microsoft Defender for Endpoint. In every episode, our experts guide you through the powerful features and functions of Microsoft Defender for Endpoint that help you keep your environment secure. We start with the fundamentals and dive deeper as the show continues.  > https://aka.ms/NinjaShow

 

Table of Contents

Security Operations Fundamentals

Module 1. Technical overview

Module 2. Getting started

Module 3. Microsoft Defender Vulnerability Management

Module 4. Attack surface reduction

Module 5. Next generation protection

Module 6. Investigation – Incident

Module 7. Alert handling

Module 8. Automated investigation and remediation

Module 9. Microsoft Defender Experts for Hunting

Module 10. Reporting

Module 11. Evaluation Lab

 

Security Operations Intermediate

Module 1. Architecture

Module 2. Microsoft Defender Vulnerability Management

Module 3. Next generation protection.

Module 4. Advanced hunting

Module 5. Automated investigation and remediation

Module 6. Threat analytics

Module 7. Unified indicators of compromise (IOCs)

Module 8. Evaluation lab

Module 9. Community (blogs, webinars, GitHub)

 

Security Operations Expert

Module 1. Responding to threats

Module 2. Alert handling

Module 3. File analysis

Module 4. Advanced hunting

Module 5. Unified indicators of compromise IOCs

Module 6. Custom reporting

Module 7. Community (blogs, webinars, GitHub)

 

Security Administrator Fundamentals

Module 1. Architecture

Module 2. Onboarding

Module 3. Grant and control access

Module 4. Security configuration

Module 5. Reporting

Module 6. SIEM Integration

 

Security Administrator Intermediate

Module 1. Microsoft Defender Vulnerability Management

Module 2. Attack surface reduction

Module 3. Next generation protection

Module 4. Advanced hunting

Module 5. Conditional access

Module 6. Microsoft Cloud App Security (MCAS)

Module 7. Community (blogs, webinars, GitHub)

Module 8. Migration

 

Security Administrator Expert

Module 1. Custom reporting (PowerBI)

Module 2.  Advanced hunting

Module 3. Custom Integrations, APIs

 

Learn about our partner integrations

 

Legend:

Product videos	Webcast recordings	Tech Community
Docs on Microsoft	Blogs on Microsoft	GitHub
⤴ External	Interactive guides

Security Operations Fundamentals

Module 1. Technical overview

• Short overview “What is Microsoft Defender for Endpoint"

Module 2. Getting started

• Portal overview
• Use basic permissions to access the portal
• Unified RBAC (Role based access control)
•  Device Inventory

Module 3. Microsoft Defender Vulnerability Management

• What is Microsoft Defender Vulnerability Management

Module 4. Attack surface reduction

• Learn about all the features to help you reduce the attack surface  
•  Understand attack surface reduction rules
•  Track and regulate access to websites with web content filtering

Module 5. Next generation protection

• Microsoft Defender Antivirus: Your next generation protection

Module 6. Investigation – Incident

• The attack story view
• Work with incidents
•  MITRE ATT&CK Techniques available in the device timeline

Module 7. Alert handling

•  The alert queue
•  View and organize alerts
•  Alert classification playbooks

Module 8. Automated investigation and remediation

• How automation works
• Defining metrics for successful security operations

Module 9. Microsoft Defender Experts for Hunting

•  What is Microsoft Defender Experts for Hunting
• Getting started with Microsoft Defender Experts for Hunting

Module 10. Reporting

• Out of the box reports

Module 11. Evaluation Lab

•  Get started with the evaluation lab
• Short walk-through the evaluation lab
  
  

> Ready for the Fundamentals Knowledge Check? 

 

Security Operations Intermediate

Module 1.Architecture

• Understand the architecture of the service

Module 2. Microsoft Defender Vulnerability Management

•  Device discovery
•  Hardware and firmware assessment
•  Securing IoT devices
•  Tag your high value assets for better prioritization 

Module 3. Next generation protection

• Learn about our approach to fileless threats
•  Stopping attacks in their tracks through behavioral blocking and containment
•  Feedback-loop blocking
•  Manage exclusions
•  Manage Tamper protection 

Module 4. Advanced hunting

• Quick overview & a short tutorial that will get you started fast
•  Guided hunting - use advanced hunting without KQL knowledge

Module 5. Automated investigation and remediation

• Configure automated investigation and remediation capabilities
•  Automation levels in automated investigation and remediation capabilities
• Manage automation file uploads
• Manage automation folder exclusions

Module 6. Threat analytics

• Get familiar with threat analytics
•  Understand the analyst report section in threat analytics
•  Track and respond to emerging threats

Module 7. Unified indicators of compromise (IOCs)

• Working with IOCs

Module 8. Evaluation lab

• Short walk-through the evaluation lab
•  Breach & attack simulators for the evaluation lab
•  Request more devices 

Module 9. Community (blogs, webinars, GitHub)

•  Various repositories

 

> Ready for the Intermediate Knowledge Check?

 

Security Operations Expert

Module 1. Responding to threats

•  Investigate entities on devices using live response
• Response actions on machines
• Response actions on a file

Module 2. Alert handling

• Manage alert suppression rules

Module 3. File analysis

•  Submit items to Microsoft for review

Module 4. Advanced hunting

• Learn the query language
• Advanced hunting schema reference
• The following webinar series shows the old portal and refers to old product names, but it is too good to remove:
•  Webinar series, episode 1: KQL fundamentals (MP4, YouTube)
•  Webinar series, episode 2: Joins (MP4, YouTube)
•  Webinar series, episode 3: Summarizing, pivoting, and visualizing Data (MP4, YouTube)
•  Webinar series, episode 4: Let’s hunt! Applying KQL to incident tracking (MP4, YouTube)
• ⤴ Plural sight KQL training

Module 5. Unified indicators of compromise IOCs

• Create custom IOCs
•  Manage indicators

Module 6. Custom reporting

• Create custom reports using Power BI

Module 7. Community (blogs, webinars, GitHub)

• Microsoft Defender for Endpoint Blog
• Tech Community

> Ready for the Expert Knowledge Check? 

 

Security Administrator Fundamentals

Module 1. Architecture

• Understand the architecture of the service

Module 2. Onboarding

•  Device Inventory
•  Onboard to the Microsoft Defender for Endpoint service
•  Deploy Microsoft Defender for Endpoint in rings
•  Onboarding and servicing non-persistent VDI machines
•  Configuring Microsoft Defender Antivirus for non-persistent VDI machines

Module 3. Grant and control access

• Use basic permissions to access the portal
• Unified RBAC (Role based access control)
•  Create and manage device tags
•  Multi-tenant access for Managed Security Service Providers 
•  Step-by-step: Multi-tenant access for Managed Security Service Providers 

   

Module 4. Security configuration

• Use Microsoft Endpoint Manager to manage security configuration
•  Security Settings Management in Microsoft Defender for Endpoint
•  Tamper protection
•  Troubleshooting mode for Microsoft Defender for Endpoint
•  Microsoft Secure Score for Devices

Module 5. Reporting

• Out of the box reports
•  Vulnerable devices report

Module 6. SIEM Integration

• Management APIs

 

> Ready for the Fundamentals Knowledge Check? 

 

Security Administrator Intermediate

Module 1. Microsoft Defender Vulnerability Management

•  Device discovery
•  Supported operating systems, platforms and capabilities
•  Software Usage Insights, Application Blocking and Firmware Vulnerability Assessment
•  Export Hardware and firmware assessment inventory per device
•  Premium capabilities
•  Compare plans and capabilities 
•  Use APIs to create reports, automate, integrate
  

Module 2. Attack surface reduction

• Learn about all the features to help you reduce the attack surface  
•  Learn about attack surface reduction rules
•  Track and regulate access to websites with web content filtering
•  Understand attack surface reduction rules
•  Test attack surface reduction rules
•  Add exclusions
•  How to report and troubleshoot Microsoft Defender for Endpoint ASR Rules
•  Device control for MacOS
•  Migrate from a 3rd party HIPS solution into ASR rules

Module 3. Next generation protection

•  Microsoft Defender Antivirus compatibility
•  Configuring Microsoft Defender Antivirus for non-persistent VDI machines
• Learn about our approach to fileless threats
•  Enhanced antimalware engine capabilities for Linux and macOS
• Enhanced Antimalware Protection for Android 
•  Personal profile support for Android Enterprise

Module 4. Advanced hunting

• Quick overview & a short tutorial that will get you started fast
•  Guided hunting - use advanced hunting without KQL knowledge

Module 5. Conditional access

•  Enable Conditional Access to better protect users, devices, and data

Module 6. Microsoft Defender for Cloud Apps

•  Learn about the integration with Defender for Cloud Apps
•  Investigate apps discovered by Microsoft Defender for Endpoint

Module 7. Community (blogs, webinars, GitHub)

•  Advanced hunting queries on GitHub

Module 8. Migration

•  Migrate to Microsoft Defender for Endpoint from non-Microsoft endpoint protection

 

> Ready for the Intermediate Knowledge Check? 

 

Security Administrator Expert

Module 1. Custom reporting (PowerBI)

• Create custom reports using Power BI

Module 2. Advanced hunting

• Learn the query language
• Advanced hunting schema reference

• ⤴ Plural sight KQL training

Module 3. Custom Integrations, APIs

• API integration in Microsoft 365 Defender
• Available APIs
•  API Explorer
• Use the Power Automate Connector
•  Raw Data Streaming API
• Streaming API
•  Vulnerability management API collection Export Assessment API
•  Vulnerability management API collection Remediation Activity

Learn about our partner integrations

•  Blog posts about various partner integrations
•  List of our partner integrations

 

> Ready for the Expert Knowledge Check? 

 

Once you’ve finished the training and the knowledge checks, please click here to request your certificate (you'll see it in your inbox within 3-5 business days.)