Topics
Skill: Manage a Security Operations Environment
Part 1: Configure Settings in Microsoft Defender XDR
Session 1: Alert and Vulnerability Notifications
- Configure alert and vulnerability notification rules
- Manage automated investigation and response capabilities
Session 2: Advanced Features and Attack Disruption
- Configure Microsoft Defender for Endpoint advanced features
- Configure endpoint rules and automatic attack disruption
Part 2: Manage Assets and Environments
Session 3: Device and Resource Management
- Configure and manage device groups, permissions, and automation levels in Microsoft Defender for Endpoint
- Identify unmanaged devices in Microsoft Defender for Endpoint
- Discover unprotected resources using Defender for Cloud
Session 4: Risk Mitigation and Exposure Management
- Identify and remediate devices at risk using Microsoft Defender Vulnerability Management
- Mitigate risk using Exposure Management in Microsoft Defender XDR
Skill: Configure Protections and Detections
Part 1: Protections in Microsoft Defender
Session 5: Policy Configuration
- Configure policies for Microsoft Defender for Cloud Apps
- Configure policies for Microsoft Defender for Office 365
- Configure security policies for Microsoft Defender for Endpoint, including attack surface reduction (ASR) rules
- Configure cloud workload protections in Microsoft Defender for Cloud
Part 2: Detections in Defender XDR and Sentinel
Session 6: Detection Rules and Alerts
- Configure and manage custom detection rules in Microsoft Defender XDR
- Manage alerts, including tuning, suppression, and correlation
- Configure deception rules in Microsoft Defender XDR
Session 7: Analytics and Behavioral Detection
- Classify and analyze data using entities in Microsoft Sentinel
- Configure and manage analytics rules
- Query Microsoft Sentinel data using ASIM parsers
- Implement behavioral analytics
Skill: Manage Incident Response
Part 1: Incident Management in Microsoft Defender
Session 8: Responding to Alerts
- Investigate and remediate threats using Microsoft Defender portals
- Investigate and remediate ransomware and business email compromise incidents identified by automatic attack disruption
- Investigate compromised entities identified by Microsoft Purview DLP and insider risk policies
Session 9: Investigating Devices and Activities
- Investigate device timelines in Microsoft Defender for Endpoint
- Perform actions on devices, including live response and collecting investigation packages
- Investigate Microsoft 365 activities using unified audit logs, Content Search, and Graph activity logs
Part 2: Incident Management in Microsoft Sentinel
Session 10: Sentinel Incident Management
- Investigate and remediate incidents in Microsoft Sentinel
- Create and configure automation rules and playbooks
- Run playbooks on on-premises resources
Part 3: Implement and Use Copilot for Security
Session 11: Configuring and Managing Copilot
- Create and manage promptbooks
- Manage sources for Copilot for Security, including plugins and files
- Integrate Copilot for Security by implementing connectors
- Monitor Copilot for Security capacity and cost
Session 12: Incident Management with Copilot
- Identify threats and risks using Copilot for Security
- Investigate incidents and manage permissions using Copilot
Skill: Manage Security Threats
Part 1: Threat Hunting with Microsoft Defender XDR
Session 13: Threat Hunting
- Hunt for threats using KQL and threat analytics
- Create custom hunting queries in KQL
Part 2: Threat Hunting with Microsoft Sentinel
Session 14: Sentinel Threat Management
- Analyze attack vector coverage using the MITRE ATT&CK matrix
- Manage and use threat indicators
- Create and manage hunts and hunting queries
- Use hunting bookmarks and retrieve archived log data
Part 3: Sentinel Workbooks
Session 15: Workbook Configuration
- Activate and customize workbook templates
- Create custom workbooks that include KQL
- Configure visualizations for insights and investigations