Microsoft Tech Community
Become a Microsoft Defender for Endpoint Ninja
Published Jul 13 2020 09:59 AM 609K Views
Microsoft

This training is currently being updated

Do you want to become a ninja for Microsoft Defender for Endpoint? We can help you get there! We collected content for two roles: “Security Operations (SecOps)” and “Security Administrator (SecAdmin)”. The content is structured into three different knowledge levels, with multiple modules: Fundamentals, Intermediate, and Expert. Some topics can be relevant for SecOps as well as for SecAdmins and are listed for both roles. We will keep updating this training on a regular basis. 

 

In addition, after each level, we offer you a knowledge check based on the training material you have just finished! Since there’s a lot of content, the goal of the knowledge checks is to help ensure understanding of the key concepts that were covered. Lastly, there’ll be a fun certificate issued at the end of the training.

Disclaimer: This is not an official Microsoft certification and only acts as a way of recognizing your participation in this training content.

 

Please also check out the Ninja Show, which is based on this Ninja blog and brings you up to speed quickly on Microsoft Defender for Endpoint. In every episode, our experts guide you through the powerful features and functions of Microsoft Defender for Endpoint that help you keep your environment secure. We start with the fundamentals and dive deeper as the show continues. 

https://aka.ms/NinjaShow 


 

Table of Contents

Security Operations Fundamentals

Module 1. Technical overview

Module 2. Getting started

Module 3. Microsoft Defender Vulnerability Management

Module 4. Attack surface reduction

Module 5. Next generation protection

Module 6. Investigation – Incident

Module 7. Automated investigation and remediation

Module 8. Microsoft Defender Experts for Hunting

Module 9. Reporting

 

Security Operations Intermediate

Module 1. Architecture

Module 2. Deception & automated attack disruption

Module 3. Next generation protection

Module 4. Advanced hunting

Module 5. Automated investigation and remediation

Module 6. Threat analytics

Module 7. Unified indicators of compromise (IOCs)

Module 8. Community (blogs, webinars, GitHub)

 

Security Operations Expert

Module 1. Responding to threats

Module 2. Alert handling

Module 3. File analysis

Module 4. Advanced hunting

Module 5. Unified indicators of compromise IOCs

Module 6. Custom reporting

Module 7. Community (blogs, webinars, GitHub)

 

Security Administrator Fundamentals

Module 1. Architecture

Module 2. Onboarding

Module 3. Grant and control access

Module 4. Security configuration

Module 5. Reporting

Module 6. SIEM Integration

 

Security Administrator Intermediate

Module 1. Microsoft Defender Vulnerability Management

Module 2. Attack surface reduction

Module 3. Next generation protection

Module 4. Advanced hunting

Module 5. Conditional access

Module 6. Microsoft Cloud App Security (MCAS)

Module 7. Community (blogs, webinars, GitHub)

Module 8. Migration

 

Security Administrator Expert

Module 1. Custom reporting (PowerBI)

Module 2. Advanced hunting

Module 3. Custom Integrations, APIs

 

Learn about our partner integrations

 

Legend:

Product videos

Webcast recordings

Tech Community

Docs on Microsoft

Blogs on Microsoft

GitHub

⤴ External

Interactive guides

 

Security Operations Fundamentals

Module 1. Overview

Module 2. Getting started

Module 3. Microsoft Defender Vulnerability Management

Module 4. Attack surface reduction

Module 5. Next generation protection

Module 6. Investigation

Module 7. Automated investigation and remediation

Module 8. Microsoft Defender Experts for Hunting

Module 9. Reporting

> Ready for the Fundamentals Knowledge Check?

 

Security Operations Intermediate

Module 1. Architecture

Module 2. Deception & automated attack disruption

Module 3. Next generation protection

Module 4. Advanced hunting

Module 5. Automated investigation and remediation

Module 6. Threat analytics

Module 7. Unified indicators of compromise (IOCs)

Module 8. Community (blogs, webinars, GitHub)

 

> Ready for the Intermediate Knowledge Check?

 

Security Operations Expert

Module 1. Responding to threats

Module 2. Alert handling

Module 3. File analysis

Module 4. Advanced hunting

Module 5. Unified indicators of compromise IOCs

Module 6. Custom reporting

Module 7. Community (blogs, webinars, GitHub)

> Ready for the Expert Knowledge Check? 

 

Security Administrator Fundamentals

Module 1. Architecture

Module 2. Onboarding

Module 3. Grant and control access

Module 4. Security configuration

Module 5. Reporting

Module 6. SIEM Integration

 

> Ready for the Fundamentals Knowledge Check?

 

Security Administrator Intermediate

Module 1. Microsoft Defender Vulnerability Management

Module 2. Attack surface reduction

Module 3. Next generation protection

Module 4. Advanced hunting

Module 5. Conditional access

Module 6. Microsoft Defender for Cloud Apps

Module 7. Community (blogs, webinars, GitHub)

Module 8. Migration

 

> Ready for the Intermediate Knowledge Check?

 

Security Administrator Expert

Module 1. Custom reporting (PowerBI)

Module 2. Advanced hunting

Module 3. Custom Integrations, APIs

Learn about our partner integrations

 

> Ready for the Expert Knowledge Check? 

 

Once you’ve finished the training and the knowledge checks, please click here to request your certificate (you'll see it in your inbox within 3-5 business days.)

 
80 Comments
Copper Contributor

This is an amazing resource. Where or how can we find other NINJA guides?

 

Microsoft

@samcool80 - I am only aware of this other one, which is for Azure Sentinel

Copper Contributor

This is fabulous work, putting all the content together. This is exactly what I was looking for. Big thank you. Is there any MS exam for these 2 roles (SecOps & SecAdmin)?

Microsoft

@Rvchandraa there isn't (yet). Would you like to see a SecOps & SecAdmin exam for MDATP only, or general for these roles and include other security products too? 

Copper Contributor

Well done on putting this together. Learning is core to the team! thx

Brass Contributor

@Heike Ritter @Rvchandraa 

 

Well, there is the MS-500 Exam: Microsoft 365 Security Administration (https://docs.microsoft.com/en-us/learn/certifications/exams/ms-500)

 

But more in depth and specialized exams/roles on security would be nice. 

 

Maybe pull it through to the Azure stack as well. (AZ-500 exam covers most options there currently) 

 

Copper Contributor

Thanks @ShellBlazer, I'm currently preparing for the AZ-500 exam; I haven't reached the section. Yes, it does cover Security Center, Sentinel Intro & Defender.

Thanks @Heike Ritter. Actually, I'd like to see a general one for these roles. Hoping MS comes up with an L-400 Sentinel exam, as it's getting popular.

Brass Contributor

This guide is very useful, Thanks.
It would be interesting to include Web content filtering.

Microsoft

Wow. Great job, Heike and team, this is an invaluable resource, thank you so much! 

Microsoft

@Jonathan valid point! Will add this to the next update (August update)

Copper Contributor

How can I get certificate of completion on this?

Brass Contributor

I've signed up for the Defender ATP trial license...how long does it usually take to get approved?

Microsoft

@Steve Ens it usually takes a couple of business days. Make sure you use your company email address, as others are not being approved. 

Brass Contributor

@Heike Ritter  Odd..I must've signed up a few times over the last two months...still waiting.   (I don't want to renew my Trend Micro).

Microsoft

@Steve Ens please send me a private message with the email address you used during the sign up and I will follow up internally. 

Silver Contributor

How do MDATP roles interact with Azure AD PIM?

Microsoft

@Dean Gross If I read this documentation right, you can use PIM - I never tried. Give it a shot and let us know :)

Silver Contributor

@Heike Ritter as a Privileged Role Admin, I cannot find any way to assign MD ATP roles to an account.

 

In the Defender Security Center, I see the MD ATP Administrator role, this does not show up in PIM.  I have the ability to create new custom roles and they don't show up in PIM either. It would be good if they did.

Microsoft

@Dean Gross great feedback, I will pass it to the team. Thank you Dean

Steel Contributor

Great collection. Will use it to build up a security response team.

Would be great if there would be an instructor led training some day.

 

Silver Contributor

The link to Custom Reports in GitHub is broken, this points to a similar location https://github.com/microsoft/MicrosoftDefenderATP-PowerBI

Microsoft

Thanks @Dean Gross I don't know why they have to move these all the time :unamused:

Silver Contributor

Many of the PowerBI templates were created using an old schema and they no longer work. What is the best way to get them updated ? https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/b...

Microsoft

@Dean Gross do you mean the templates on our GitHub are using an old schema?

Silver Contributor

@Heike Ritter yes, that is correct, I have added an issue to the repo. 

Copper Contributor

Link broken or bad.

 

Thank you for this awesome list of resources. Unfortunately, at least one link is broken or incorrect.

 

Security Operations Fundamentals -> Module 8. Automated investigation and remediation ->  How automation works has this link:  https:// microsofteur-my.sharepoint.com/personal/barakkl_microsoft_com/Documents/Documents/How%20Automation%20works

 

After clicking the link I have to login and after that I get the error '"user not found in microsofteur-my.sharepoint.com"'. Can you please repair the link?

Microsoft

Thanks @_Richardk for reporting the broken link, I immediately fixed it! Sorry about that

Microsoft

@Dean Gross thanks for reporting, I'll forward it to the folks who uploaded their reports there and see if they can modify them. 

Brass Contributor

Fantastic material, thanks a lot for the effort. Really enjoy the short but informative videos, they are great.

Feedback: SecOps Intermediate has some empty repositories it seems? I guess they aren't populated with content yet but they will in the future?

 Various repositories

Microsoft

@Simon Håkansson Yes, looks like only Live Response has some content as of today. I am checking with the team what the plan is. Thanks!

Brass Contributor

Great Job, Thanks

Steel Contributor

Can  you exchange the link for  "Bringing IT & security together: How Microsoft is reinventing threat and vulnerability management" with the link https://myignite.techcommunity.microsoft.com/sessions/79812

For the Sans link you will need to register to view the webcast.

--

Edit: Is another video .. but i am curious why SANS needs to know my shoe size to show it to me ;)

Copper Contributor

Awesome collection!

Microsoft

A list of other Ninja Training resources that I have accumulated.

A huge thank you to those who worked so hard to put this Ninja resource together. It is super awesome! I noticed some asks above regarding what else is out there:

Ninja Resources:

All the best,
Scotty

Copper Contributor

Might I suggest a section for Defender for Servers?

There's a lot of confusion around this topic eg:
- How does installing MMA get you Defender for Server? i.e. what's the difference between MMA and Defender for Server?

- How important is ASR on servers?

- Do I need to also install Microsoft Defender for Identity on my domain controllers (yes!)

- Since Endpoint Manager can't manage servers, what's the best way to create a baseline policy for servers?

 

Microsoft

Hi @Heike Ritter, forecast Knowledge Check?

Microsoft

@Heike Ritter Do we have certification as well for MDE Ninja ? 

Microsoft

@EltonSancho  and @Nitish_Anand - working on it, stay tuned :)

Copper Contributor

Thanks so much, this has been so helpful. 

 

Can you only manage device policies using Intune?

Wow, what an amazing resource. Would it be possible to add the length of videos and recordings to the overview?

Would be nice to be able to pick one you can finish if you have some time to spare.

Hello, how can I get certificate of completion on this?

Copper Contributor

Thanks a lot!!! @mahajanajay92.

Microsoft

@kim oppalfens Great suggestion! Will add this to my next list of updates!

Microsoft

@Heike Ritter thanks for the amazing content!
The Module 9. Community (blogs, webinars, GitHub) link seems to be broken, as it leads nowhere :)

Copper Contributor

Hi,

Do we have an estimation of the time requested to complete this training ?

Thanks in advance

Brass Contributor

In the Expert Knowledge Check, there is an issue when entering a product name with the Microsoft prefix. The answer doesn't have this prefix and therefore it shows as incorrect.

 

Silver Contributor

@FrancoisV500 it will really depend on how many of the videos you watch, they can add a lot of time. It will also depend on if you do the Operations or Administration track, or both. There is a lot of content, I would guess that I spent well over 20 hours and I did not watch all of the videos, because I had seen some of them before. 

Copper Contributor

@Heike Ritter Do we need to complete both SecOps and SecAdmin trainings for certification?

Microsoft

@Vkare1 no, please pick the "job role" that suits you best :)

Last update: Jan 19 2024 05:23 AM