This Ninja blog covers the features and functions of Microsoft Defender XDR – everything that goes across the workloads, but not the individual workloads themselves. The content is structured into three different knowledge levels, with multiple modules: Fundamentals, Intermediate, and Expert.
Our unified security operations platform combines the full power of Microsoft Sentinel with Microsoft Defender XDR in a single portal, enhanced with more comprehensive features, AI, automation, guided experiences, and curated threat intelligence. This Ninja training also includes learning resources for the unified security operations platform.
In addition, after each level we offer you a knowledge check based on the training material you have just finished. Since there is a lot of content, the goal of the knowledge checks is to help ensure understanding of the key concepts that were covered. Lastly, a fun certificate is issued at the end of the training. Disclaimer: This is not an official Microsoft certification and only acts as a way of recognizing your participation in this training content.
As the product keeps evolving, please check out our "Monthly Defender News" to keep up to date.
Table of Contents
Security Operations Fundamentals
Module 3. Investigation – Incident
Module 6. Automated investigation and response
Module 7. Automated attack disruption
Module 8. Community (blogs, webinars, GitHub)
Security Operations Intermediate
Module 4. Automated investigation and remediation
Module 5. Automated attack disruption
Module 6. Defender Experts for XDR
Module 3. APIs, custom reports, SIEM & other integrations
Security Operations Fundamentals
Module 1. Technical overview
- Short overview “What is Microsoft Defender XDR" (4:08 mins)
- Microsoft’s unified security operations platform announcement blog
- Unifying SIEM & XDR: a new era in SecOps (18:22 mins)
- Defender XDR, Copilot for Security & Microsoft Sentinel now in one portal (10:11 mins)
- Learn: What is Microsoft Defender XDR
- Unified Security Operations Platform - Technical FAQ
- What's new
Module 2. Getting started
- Turn on Microsoft Defender XDR
- Connect Microsoft Sentinel to Microsoft Defender XDR
- Microsoft Defender portal
- Explore Microsoft Sentinel features in the Defender portal
- Manage access
- Unified RBAC (role-based access control) (33:10 mins)
- Defender XDR preview features
Module 3. Investigation – Incident
- Work with incidents
- Manage alerts
- Classification of incidents & alerts
- Attack story view
- Responding to your first incident, a tutorial and walkthrough for new-to-role analysts
- Automatic attack disruption
- Get email notifications on new incidents
- Investigate and respond with Copilot for Security
Module 4. Threat Intelligence
- Threat analytics
- Overview of Threat Analytics (4:25 mins)
- Defender Threat Intelligence in Defender XDR
Module 5. Advanced hunting
- Quick overview & a short tutorial that will get you started fast
- Guided hunting
- Learn the query language
- Understand the schema
Module 6. Automated investigation and response
- How automation works
- Automated investigation and response
- The action center
- Automation with the unified security operations platform
Module 7. Automated attack disruption
- Overview
- Prerequisites for automatic attack disruption
- Details and results of an automatic attack disruption action
Module 8. Community (blogs, webinars, GitHub)
- Microsoft Defender XDR Blog
- Tech Community Discussion space
- Unified Microsoft SIEM & XDR GitHub repository
Module 9. Partner
> Ready for the Fundamentals Knowledge Check?
Security Operations Intermediate
Module 1. Architecture
Module 2. Investigation
- Investigate incidents
- Manage the deception capability
- Prioritize incidents
- Manage incidents
- Report false positives/negatives
- Investigate URLs and domains
- Investigating a Ransomware Incident Pt 1 (33:20 mins)
- Investigating a Ransomware Incident Pt 2 (31:24 mins)
- Copilot for Security for SOC analysts (38:37 mins)
Module 3. Advanced hunting
- Quickly hunt for entity or event information with go hunt
- Take action on advanced hunting query results
- Advanced Hunting in portal Schema Reference
- Built-in functions in advanced hunting
- Webinar series, episode 1: KQL fundamentals (MP4, YouTube)
- Advanced hunting query best practices
Module 4. Automated investigation and remediation
- Remediation actions
- Configure automated investigation and response capabilities
- Report a false positive/negative to Microsoft for analysis
Module 5. Attack disruption
- Attack disruption walkthrough (21:08 mins)
- Answering Your Questions: Attack Disruption Explained (16:14 mins)
- The next evolution of automatic attack disruption (24 mins)
Module 6. Defender Experts for XDR
> Ready for the Intermediate Knowledge Check?
Security Operations Expert
Module 1. Incidents
- Prioritize incidents
- Manage incidents
- Classify alerts or incidents
- Report false positives/negatives
- Deep-dive attack playbooks from the DART team for seasoned analysts
- Incident response overview
Module 2. Advanced hunting
- Webinar series, episode 2: Joins (MP4, YouTube)
- Webinar series, episode 3: Summarizing, pivoting, and visualizing Data (MP4, YouTube)
- Webinar series, episode 4: Let’s hunt! Applying KQL to incident tracking (MP4, YouTube)
- Pluralsight KQL training
Module 3. APIs, custom reports, SIEM & other integrations
- Access the Defender XDR APIs
- Streaming API
- Overview of the Streaming API
- Incidents API
- Configure Event hub
- Integrate your SIEM with Defender XDR
- Create custom Defender XDR reports
> Ready for the Expert Knowledge Check?
Once you have finished the training and the knowledge checks, please click here to request your certificate (you will see it in your inbox within 3-5 business days).