This article is contributed. See the original author and article here.

Do you want to become a ninja for Microsoft Defender ATP? We can help you get there! We collected content for two roles: “Security Operations (SecOps)” and “Security Administrator (SecAdmin)”. The content is structured into three different knowledge levels, with multiple modules: Fundamentals, Intermediate, and Expert. Some topics can be relevant for SecOps as well as for SecAdmins and are listed for both roles. We will keep updating this training on a regular basis and highlight new resources. 

 

Table of Contents

Security Operations Fundamentals

Module 1. Technical overview

Module 2. Getting started

Module 3. Threat and vulnerability management

Module 4. Attack surface reduction

Module 5. Next generation protection

Module 6. Investigation – Incident

Module 7. Alert handling

Module 8. Automated investigation and remediation

Module 9. Microsoft Threat Experts

Module 10. Reporting

Module 11. Evaluation Lab

 

Security Operations Intermediate

Module 1. Architecture

Module 2. Threat and vulnerability management

Module 3. Next generation protection.

Module 4. Advanced hunting

Module 5. Automated investigation and remediation

Module 6. Threat analytics

Module 7. Unified indicators of compromise (IOCs)

Module 8. Evaluation lab

Module 9. Community (blogs, webinars, GitHub)

 

Security Operations Expert

Module 1. Responding to threats

Module 2. Alert handling

Module 3. Deep file analysis

Module 4. Advanced hunting

Module 5. Unified indicators of compromise IOCs

Module 6. Custom reporting

Module 7. Community (blogs, webinars, GitHub)

 

Security Administrator Fundamentals

Module 1. Architecture

Module 2. Onboarding

Module 3. Grant and control access

Module 4. Security configuration

Module 5. Reporting

Module 6. SIEM Integration

 

Security Administrator Intermediate

Module 1. Threat and vulnerability management (TVM)

Module 2. Attack surface reduction

Module 3. Next generation protection

Module 4. Advanced hunting

Module 5. Conditional access

Module 6. Microsoft Cloud App Security (MCAS)

Module 7. Community (blogs, webinars, GitHub)

 

Security Administrator Expert

Module 1. Custom reporting (PowerBI)

Module 2.  Advanced hunting

Module 3. Custom Integrations, APIs

 

Learn about our partner integrations

 

Legend:

Product videos	Webcast recordings	Tech Community
Docs on Microsoft	Blogs on Microsoft	GitHub
⤴ External	Interactive guides

Security Operations Fundamentals

Module 1. Technical overview

• Short overview “What is Microsoft Defender ATP”
• End-to-end security for your endpoints

Module 2. Getting started

• Portal overview
• Use basic permissions to access the portal
• How to use RBAC

Module 3. Threat and vulnerability management

• What is threat and vulnerability management
• “Bringing IT & security together: How Microsoft is reinventing threat and vulnerability management”
•  Reduce organizational risk with threat and vulnerability management

Module 4. Attack surface reduction

• Learn about all the features to help you reduce the attack surface  
•  Understand attack surface reduction rules

Module 5. Next generation protection

• Microsoft Defender Antivirus: Your next generation protection

Module 6. Investigation – Incident

• Learn about the rich investigation experience
• Work with incidents

•  Investigate and remediate threats with Microsoft Defender ATP

Module 7. Alert handling

• Get the most out of an alert page
• Working with alerts
• Alert categories aligned with MITRE ATT&CK
• How alerts are enhanced to include MITRE ATT&CK technique information

Module 8. Automated investigation and remediation

• How automation works
• Defining metrics for successful security operations

Module 9. Microsoft Threat Experts

• What is Microsoft Threat Experts
• Getting started with Microsoft Threat Experts

Module 10. Reporting

• Out of the box reports

Module 11. Evaluation Lab

•  Get started with the evaluation lab
• Short walk-through the evaluation lab

 

Security Operations Intermediate

Module 1.Architecture

• Understand the architecture of the service

Module 2. Threat and vulnerability management

• Discovery and remediation
•  Reduce organizational risk with threat and vulnerability management

Module 3. Next generation protection

• Learn about our approach to fileless threats
• Stopping attacks in their tracks through behavioral blocking and containment
• Firmware level protection with a new Unified Extensible Firmware Interface (UEFI) scanner

Module 4. Advanced hunting

• Quick overview & a short tutorial that will get you started fast

Module 5. Automated investigation and remediation

• Automate the boring for your SOC with automatic investigation and remediation!
• Configure automated investigation and remediation capabilities
• Manage automation file uploads
• Manage automation folder exclusions

Module 6. Threat analytics

• Get familiar with threat analytics

Module 7. Unified indicators of compromise (IOCs)

• Working with IOCs

Module 8. Evaluation lab

• Short walk-through the evaluation lab
• Breach & attack simulators for the evaluation lab

Module 9. Community (blogs, webinars, GitHub)

•  Various repositories

 

Security Operations Expert

Module 1. Responding to threats

•  Overview of live response
• Response actions on machines
• Response actions on a file

Module 2. Alert handling

• Manage alert suppression rules

Module 3. Deep file analysis

• Use the built-in sandbox to detonate files

Module 4. Advanced hunting

• Learn the query language
• Advanced hunting schema reference
• Hunting for reconnaissance activities using LDAP search filters

• ⤴ Plural sight KQL training

Module 5. Unified indicators of compromise IOCs

• Custom IOCs for URLs, IP addresses, and domains
•  Manage indicators

Module 6. Custom reporting

• Create custom reports using Power BI

•  Custom reports on GitHub

Module 7. Community (blogs, webinars, GitHub)

• Microsoft Defender ATP Blog
• Tech Community

•  Custom PowerBI reports on GitHub

 

 

Security Administrator Fundamentals

Module 1. Architecture

• Understand the architecture of the service

Module 2. Onboarding

• Onboarding machines  
• Deploy Microsoft Defender ATP for Mac in just a few clicks
• Onboarding and servicing non-persistent VDI machines
•  Configuring Microsoft Defender Antivirus for non-persistent VDI machines

Module 3. Grant and control access

• Use basic permissions to access the portal
• How to use RBAC

Module 4. Security configuration

• Use Microsoft Endpoint Manager to manage security configuration
• Manage Microsoft Defender Firewall with Microsoft Defender ATP and Microsoft Intune
• Turn on tamper protection

Module 5. Reporting

• Out of the box reports
• Visibility into web threats

Module 6. SIEM Integration

• Management APIs

 

Security Administrator Intermediate

Module 1. Threat and vulnerability management (TVM)

• Discovery and remediation

•  Custom TVM reports on GitHub

• Customized views with APIs

Module 2. Attack surface reduction

• Learn about all the features to help you reduce the attack surface  
• Learn more about Application control
• Get a better understanding of Network protection
•  Understand attack surface reduction rules
•  How to configure attack surface reduction rules and how to use exclusions
•  How to report and troubleshoot Microsoft Defender ATP ASR Rules
•  Migrate from a 3rd party HIPS solution into ASR rules
• Reputation analysis – Microsoft Defender SmartScreen

Module 3. Next generation protection

•  Configuring Microsoft Defender Antivirus for non-persistent VDI machines
• Learn about our approach to fileless threats
• Firmware level protection with a new Unified Extensible Firmware Interface (UEFI) scanner

Module 4. Advanced hunting

• Quick overview & a short tutorial that will get you started fast

Module 5. Conditional access

• How to configure conditional access

Module 6. Microsoft Cloud App Security (MCAS)

• Learn about the integration with MCAS
•  Block access to unsanctioned apps using Microsoft Defender ATP & Microsoft Cloud App Security

Module 7. Community (blogs, webinars, GitHub)

•  Advanced hunting queries on GitHub

 

Security Administrator Expert

Module 1. Custom reporting (PowerBI)

• Create custom reports using APIs and Power BI
• Create custom reports using Power BI
• Connect the dots using a device network overview Power BI report

•  Custom reports on GitHub

Module 2. Advanced hunting

• Learn the query language
• Advanced hunting schema reference

• ⤴ Plural sight KQL training

Module 3. Custom Integrations, APIs

• Use Microsoft Defender ATP APIs
• Available APIs
• API Explorer and Connected applications
• Microsoft Defender ATP API Explorer
• Customized views with APIs
• Use the official Flow Connector
• Raw data export
• Streaming API

 

Learn about our partner integrations

•  Links to our various partner integrations

 

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.