Table of Contents
Introduction
Lesson 1: Configure Settings in Microsoft Defender XDR
1.1 Configure a connection from Defender XDR to a Sentinel workspace
1.2 Configure alert and vulnerability notification rules
1.3 Configure Microsoft Defender for Endpoint Advanced Features
1.4 Configure endpoint rules settings, including indicators and web content filtering
1.5 Manage automated investigation and response capabilities in Microsoft Defender XDR
1.6 Configure automatic attack disruption in Microsoft Defender XDR
Lesson 2: Manage Assets and Environments
2.1 Configure and manage device groups, permissions, and automation levels in Microsoft Defender for Endpoint
2.2 Identify and remediate unmanaged devices in Microsoft Defender for Endpoint
2.3 Manage resources by using Azure Arc
2.4 Connect environments to Microsoft Defender for Cloud (by using multi-cloud account management)
2.5 Discover and remediate unprotected resources by using Defender for Cloud
2.6 Identify and remediate devices at risk by using Microsoft Defender Vulnerability Management
Lesson 3: Design and Configure a Microsoft Sentinel Workspace
3.1 Plan a Microsoft Sentinel workspace
3.2 Configure Microsoft Sentinel roles
3.3 Specify Azure RBAC roles for Microsoft Sentinel configuration
3.4 Design and configure Microsoft Sentinel data storage, including log types and log retention
3.5 Manage multiple workspaces by using Workspace Manager and Azure Lighthouse
Lesson 4: Ingest Data Sources in Microsoft Sentinel
4.1 Identify data sources to be ingested for Microsoft Sentinel
4.2 Configure and use Microsoft connectors for Azure resources, including Azure Policy and diagnostic settings
4.3 Configure bidirectional synchronization between Microsoft Sentinel and Microsoft Defender XDR
4.4 Configure bidirectional synchronization between Microsoft Sentinel to Microsoft Defender for Cloud
4.5 Plan and configure Syslog and Common Event Format (CEF) event collections
4.6 Plan and configure collection of Windows Security events by using data collection rules, including Windows Event Forwarding (WEF)
4.7 Configure threat intelligence connectors, including platform, TAXII, upload indicators API, and MISP
4.8 Create custom log tables in the workspace to store ingested data
Lesson 5: Configure Protections in Microsoft Defender Security Technologies
5.1 Configure policies for Microsoft Defender for Cloud Apps
5.2 Configure policies for Microsoft Defender for Office
5.3 Configure security policies for Microsoft Defender for Endpoints, including attack surface reduction (ASR) rules
5.4 Configure cloud workload protections in Microsoft Defender for Cloud
Lesson 6: Configure Detection in Microsoft Defender XDR
6.1 Configure and manage custom detections
6.2 Configure alert tuning
6.3 Configure deception rules in Microsoft Defender XDR
Lesson 7: Configure Detections in Microsoft Sentinel
7.1 Classify and analyze data by using entities
7.2 Configure scheduled query rules, including KQL
7.3 Configure near-real-time (NRT) query rules, including KQL
7.4 Manage analytics rules from Content hub
7.5 Configure anomaly detection analytics rules
7.6 Configure the Fusion rule
7.7 Query Microsoft Sentinel data by using ASIM parsers
7.8 Manage and use threat indicators
Lesson 8: Respond to Alerts and Incidents in Microsoft Defender XDR
8.1 Investigate and remediate threats to Microsoft Teams, SharePoint Online, and OneDrive
8.2 Investigate and remediate threats in email by using Microsoft Defender for Office
8.3 Investigate and remediate ransomware and business email compromise incidents identified by automatic attack disruption
8.4 Investigate and remediate compromised entities identified by Microsoft Purview data loss prevention (DLP) policies
8.5 Investigate and remediate threats identified by Microsoft Purview insider risk policies
8.6 Investigate and remediate alerts and incidents identified by Microsoft Defender for Cloud
8.7 Investigate and remediate security risks identified by Microsoft Defender for Cloud Apps
8.8 Investigate and remediate compromised identities in Microsoft Entra ID
8.9 Investigate and remediate security alerts from Microsoft Defender for Identity
8.10 Manage actions and submissions in the Microsoft Defender portal
Lesson 9: Respond to Alerts and Incidents Identified by Microsoft Defender for Endpoint
9.1 Investigate timeline of compromised devices
9.2 Perform actions on the device, including live response and collecting investigation packages
9.3 Perform evidence and entity investigation
Lesson 10: Enrich Investigations by Using Other Microsoft Tools
10.1 Investigate threats by using unified audit log
10.2 Investigate threats by using Content Search
10.3 Perform threat hunting by using Microsoft Graph activity logs
Lesson 11: Manage Incidents in Microsoft Sentinel
11.1 Triage incidents in Microsoft Sentinel
11.2 Investigate incidents in Microsoft Sentinel
11.3 Respond to incidents in Microsoft Sentinel
Lesson 12: Configure Security Orchestration, Automation, and Response (SOAR) in Microsoft Sentinel
12.1 Create and configure automation rules
12.2 Create and configure Microsoft Sentinel playbooks
12.3 Configure analytic rules to trigger automation
12.4 Trigger playbooks manually from alerts and incidents
12.5 Run playbooks on On-premises resources
Lesson 13: Hunt for Threats by Using KQL
13.1 Identify threats by using Kusto Query Language (KQL)
13.2 Interpret threat analytics in the Microsoft Defender portal
13.3 Create custom hunting queries by using KQL
Lesson 14: Hunt for Threats by Using Microsoft Sentinel
14.1 Analyze attack vector coverage by using the MITRE ATT&CK in Microsoft Sentinel
14.2 Customize content gallery hunting queries
14.3 Use hunting bookmarks for data investigations
14.4 Monitor hunting queries by using Livestream
14.5 Retrieve and manage archived log data
14.6 Create and manage search jobs
Lesson 15: Analyze and Interpret Data by Using Workbooks
15.1 Activate and customize Microsoft Sentinel workbook templates
15.2 Create custom workbooks that include KQL
15.3 Configure visualizations
Summary