This article is contributed. See the original author and article here.

Microsoft 365 Defender, part of Microsoft’s XDR solution, leverages the Microsoft 365 security portfolio to automatically analyze threat data across domains, building a complete picture of each attack in a single dashboard. This Ninja blog covers the features and functions of Microsoft 365 Defender – everything that goes across the workloads, but not the individual workloads themselves. The content is structured into three different knowledge levels, with multiple modules: Fundamentals, Intermediate, and Expert.

We will keep updating this training on a regular basis and highlight new resources.

 

Table of Contents

Security Operations Fundamentals

Module 1. Technical overview

Module 2. Getting started

Module 3. Investigation – Incident

Module 4. Advanced hunting

Module 5. Self-healing

Module 6. Community (blogs, webinars, GitHub)

 

Security Operations Intermediate

Module 1. Architecture

Module 2. Investigation

Module 3. Advanced hunting

Module 4. Automated investigation and remediation

Module 6. Self-healing

Module 5. Build your own lab

Module 7. Reporting

 

Security Operations Expert

Module 1. Incidents

Module 2. Advanced hunting

Module 3. APIs, custom reports, SIEM & other integrations

 

Legend:

Product videos	Webcast recordings	Tech Community
Docs on Microsoft	Blogs on Microsoft	GitHub
⤴ External	Interactive guides

 

Security Operations Fundamentals

Module 1. Technical overview

•  Short overview “What is Microsoft 365 Defender”


•  XDR announcement blog

Module 2. Getting started

•  Quick tutorial to get you started


•  Starting the service


•  Prepare your Azure Active Directory


•  Manage access

Module 3. Investigation – Incident

•  Work with incidents


•  See how consolidated incidents improve SOC efficiency


•  Protect your organization with Microsoft 365 Defender

Module 4. Advanced hunting

•  Quick overview & a short tutorial that will get you started fast


•  Learn the query language


•  Understand the schema

Module 5. Self-healing

•  How automation works


•  Learn about the various AIR capabilities


•  The action center

Module 6. Community (blogs, webinars, GitHub)

•  Microsoft Threat Protection Blog


•  Tech Community

Security Operations Intermediate

Module 1.  Architecture

•  Microsoft Threat Protection data security and privacy

Module 2. Investigation

•  Correlating and consolidating attacks into incidents


•  Investigate incidents


•  Mapping attack chains from cloud to endpoint


•  Prioritize incidents


•  Manage incidents


•  Report false positives/negatives

Module 3. Advanced hunting

•  Advanced hunting cheat sheet


• Webinar series, episode 1: KQL fundamentals (MP4, YouTube)


•  Advanced hunting query best practices


•  Advanced hunting queries on GitHub

Module 4. Automated investigation and remediation

• Remediation actions following automated investigations


• Approve or reject pending actions

Module 6. Self-healing

•  Learn about the various AIR capabilities


•  Self-healing explained based on an example 


•  Configure automated investigation and response capabilities


•  Approve or reject pending actions


•  Report a false positive/negative to Microsoft for analysis


•  The action center

Module 5. Build your own lab

• Create a lab environment

Module 7. Reporting

•  Out of the box reports

 

Security Operations Expert

Module 1. Incidents

•  Prioritize incidents


•  Manage incidents


•  Report false positives/negatives

Module 2. Advanced hunting

•   Webinar series, episode 2: Joins (MP4, YouTube)


•   Webinar series, episode 3: Summarizing, pivoting, and visualizing Data (MP4, YouTube)


•   Webinar series, episode 4: Let’s hunt! Applying KQL to incident tracking (MP4, YouTube)


• ⤴ Plural sight KQL training

Module 3. APIs, custom reports, SIEM & other integrations

•  Microsoft 365 Defender APIs


•  Integrate ServiceNow tickets

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.