SC 200t00a Enu Powerpoint 03


SC-200T00A

Microsoft Security
Operations Analyst

© Copyright Microsoft Corporation. All rights reserved.


Learning Path 3:
Mitigate threats using
Microsoft Defender for
Endpoint



Agenda

• Protect against threats with Microsoft Defender for Endpoint
• Deploy the Microsoft Defender for Endpoint environment
• Implement Windows security enhancements
• Perform device investigations
• Perform actions on a device
• Perform evidence and entities investigations
• Configure and manage automation
• Configure for alerts and detections
• Utilize Threat and Vulnerability Management


Protect against threats with Microsoft Defender for Endpoint


Introduction
After completing this module, you will be able to:

1 Define the capabilities of Microsoft Defender for Endpoint.

2 Describe how to hunt threats within your network.

3 Explain how Microsoft Defender for Endpoint can remediate risks in your environment.


Microsoft Defender for Endpoint explained*
Microsoft Defender for Endpoint is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats on their endpoints.


Microsoft Defender for Endpoint detects a malicious payload


Explain security operations in Microsoft Defender for Endpoint
• Defender for Endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable.
• When a threat is detected, alerts are created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called an incident. Aggregating alerts in this manner makes it easy for analysts to investigate and respond to threats collectively.
• Inspired by the “assume breach” mindset, Defender for Endpoint continuously collects behavioral cyber telemetry. This includes process information, network activities, deep optics into the kernel and memory manager, user sign-in activities, registry and file system changes, and others.


Deploy the Microsoft Defender for Endpoint environment


Introduction
After completing this module, you will be able to:

1 Create a Microsoft Defender for Endpoint environment

2 Onboard devices to be monitored by Microsoft Defender for Endpoint

3 Configure Microsoft Defender for Endpoint environment settings



Create your environment*
Microsoft Defender XDR portal: https://security.microsoft.com

Data storage location: Determined by the geo-location of the tenant during provisioning. You cannot change the location after this set up.

Data retention***: Data from Microsoft Defender for Endpoint is retained for 180 days. However, in an advanced hunting investigation it's accessible via a query for a period of 30 days.

Enable preview features: The default is on, can be changed later.

From the Microsoft Defender XDR portal navigation menu, selecting any item from the Endpoints section, or any feature, will start onboarding.


Onboard devices

You’ll need to go to the onboarding section of the Defender for Endpoint portal to onboard any of the supported devices. Depending on the device, you’ll be guided with appropriate steps and provided management and deployment tool options suitable for the device.


Understand compatible operating systems***

Microsoft Defender for Endpoint is available on the following operating systems:

1 Windows | Windows 7 SP1 Enterprise (Requires ESU for support.) Windows Server 2008 R2 SP1 (Requires ESU for support) and above
2 macOS
3 Linux | support recent versions of the six most common Linux Server distributions: RHEL 7.2+, CentOS Linux 7.2+, Ubuntu 16 LTS or higher LTS, SLES 12+, Debian 9+, and Oracle Linux 7.2.
4 Android | Android 6.0 and higher
5 iOS | iOS 11.0 and higher.

Manage access

Defender for Endpoint uses the Microsoft Defender XDR Unified role-based access control (RBAC) model and is designed to give you granular control over what roles can see, devices they can access, and actions they can take.

Control who can take specific actions: Create custom roles and control what Defender for Endpoint capabilities they can access with granularity.

Control who can see information on a specific device group or groups: Create device groups by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Entra ID (Security) user group.


Role-based access control
Create and manage roles for role-based access control

Permission options:
• View data
• Active remediation actions
• Alerts investigation
• Manage portal system settings
• Manage security settings in Security Center
• Live response capabilities


Configure device groups

Create device groups and use them to:
• Limit access to related alerts and data to specific Entra ID user groups with assigned RBAC roles.
• Configure different auto-remediation settings for different sets of devices.
• Assign specific remediation levels to apply during automated investigations.
• In an investigation, filter the Devices list to just specific device groups by using the Group filter.

As part of the process of creating a device group, you’ll:
• Set the automated remediation level for that group.
• Specify the matching rule that determines which devices belong to the group, based on the device name, domain, tags, and OS platform.
• Select the Entra ID user group that should have access to the device group.
• Rank the device group relative to other groups after it is created.


Implement Windows security enhancements


Introduction
After completing this module, you will be able to:

1 Understand attack surface reduction in Windows

2 Enable attack surface reduction rules on Windows devices

3 Configure attack surface reduction rules on Windows devices



Understand attack surface reduction (ASR) capabilities

1 Attack surface reduction rules
2 Hardware-based isolation
3 Application control
4 Exploit protection
5 Network protection
6 Windows Defender Firewall
7 Web protection
8 Controlled folder access
9 Removable storage protection


Enable attack surface reduction rules***

Sample ASR Rules:
• Block executable content from email client and webmail
• Block all Office applications from creating child processes
• Block Office applications from creating executable content
• Block Office applications from injecting code into other processes
• Block execution of potentially obfuscated scripts
• Use advanced protection against ransomware

Rule modes:
• Off / Not configured or Disable = 0
• Block (enable ASR rule) = 1
• Audit = 2
• Warn = 6

Deployment options:
• Microsoft Endpoint Configuration Manager
• Group Policy
• PowerShell cmdlets
• Microsoft Intune
• Mobile Device Management (MDM)
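Rolling the sample rules out through the PowerShell cmdlets deployment option, as an added example that is not part of the course deck: it stages rules in Audit (2), reads back the effective state using the mode values from the slide, and only then promotes them to Block (1). The rule GUIDs are assumed from Microsoft's published ASR rule reference (they are not on the slide) and the Set-AsrRuleMode / Get-AsrRuleState helpers are this example's own.

```powershell
# Added example, not from the course deck. Run in an elevated PowerShell on a
# Windows device running Microsoft Defender Antivirus. Staging in Audit first
# lets you review Event ID 1122 (ASR audit) in the
# Microsoft-Windows-Windows Defender/Operational log before enforcing.
# Rule GUIDs are Microsoft's published ASR rule IDs (assumed here, not from
# the slide); verify them against the current ASR rules reference.
$AsrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}

# Mode values as listed on the slide; Get-MpPreference reports them numerically.
$ModeName = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)][string[]]$RuleId,
        [Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')][string]$Mode
    )
    # Add-MpPreference adds or updates only the listed rule IDs;
    # Set-MpPreference would replace the whole configured rule list.
    foreach ($id in $RuleId) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrRuleState {
    # Pair each configured rule ID with its numeric action and translate both
    # back into the names used on the slide.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $mode = [int]$actions[$i]
        [pscustomobject]@{
            RuleId = $ids[$i]
            Name   = if ($AsrRules.ContainsKey($ids[$i])) { $AsrRules[$ids[$i]] } else { '(not in sample list)' }
            Mode   = if ($ModeName.ContainsKey($mode)) { $ModeName[$mode] } else { "Unknown ($mode)" }
        }
    }
}

# Phase 1: audit only, then confirm every sample rule reports Mode = Audit.
Set-AsrRuleMode -RuleId @($AsrRules.Keys) -Mode AuditMode
Get-AsrRuleState | Format-Table -AutoSize

# Phase 2: enforce once the audit events show no business-critical hits.
# Set-AsrRuleMode -RuleId @($AsrRules.Keys) -Mode Enabled
```

A rule that is already in Block from Group Policy or Intune will be reported as such by Get-AsrRuleState, so run it before Phase 1 to see what the device inherits from other deployment options.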


Perform device investigations


Introduction
After completing this module, you will be able to:

1 Use the device page in Microsoft Defender for Endpoint

2 Describe device forensics information collected by Microsoft Defender for Endpoint

3 Describe behavioral blocking by Microsoft Defender for Endpoint



Use the device inventory list
The Device inventory page shows a list of the devices in your network where alerts were
generated. By default, the queue displays devices with alerts seen in the last 30 days.



Investigate the device


Use behavioral blocking
Behavioral blocking and containment capabilities:


Demonstration – Detect devices with device discovery

Scenario: You are a Security Operations Analyst working at a company that is implementing Microsoft Defender XDR solutions. You need to discover devices in your on-premise network.

Task 1 Discover devices
Task 2 Assess and Onboard Unmanaged Devices


Perform actions on a device


Introduction
After completing this module, you will be able to:

1 Perform actions on a device using Microsoft Defender for Endpoint

2 Conduct forensics data collection using Microsoft Defender for Endpoint

3 Access devices remotely using Microsoft Defender for Endpoint



Collect investigation package from devices
As part of the investigation or response process, you can collect an investigation package from
a device that contains:
• Autoruns
• Installed programs
• Network connections
• Prefetch files
• Processes
• Scheduled tasks
• Security event log
• Services
• Windows Server Message Block (SMB) sessions
• System information
• Temp directories
• Users and groups
• WdSupportLogs



Initiate live response session
Live response gives security operations teams instantaneous access to a device (also referred to as a machine) using a remote shell connection.

Live response commands (examples)

Basic commands:
• connections
• fileinfo
• persistence
• processes
• registry
• scheduledtasks
• services

Advanced commands:
• analyze
• getfile
• run
• library
• putfile
• remediate


Perform evidence and entities investigations


Introduction
After completing this module, you will be able to:

1 Investigate files in Microsoft Defender for Endpoint

2 Investigate domains and IP addresses in Microsoft Defender for Endpoint

3 Investigate user accounts in Microsoft Defender for Endpoint



Investigate a file

Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.


Investigate a user account

Identify user accounts with the most active alerts (displayed on the dashboard as “Users at risk”) and investigate cases of potentially compromised credentials, or pivot on the associated user account when investigating an alert or device to identify possible lateral movement between devices with that user account.


Investigate an IP address

1 IP worldwide

2 Reverse DNS names

3 Alerts related to this IP

4 IP in organization

5 Prevalence



Investigate domains and URLs

You can see information from the following sections in the URL and domain view:
• Domain details, registrant contact information
• Microsoft verdict
• Incidents related to this URL or domain
• Prevalence of the URL or domain in the organization
• Most recent observed devices with URL or domain


Configure and manage automation


Introduction
After completing this module, you will be able to:

1 Configure advanced features of Microsoft Defender for Endpoint

2 Manage automation settings in Microsoft Defender for Endpoint



Configure advanced features (Part I)

The Advanced features area provides an on/off switch for many features within the product. The following are settings that are automation focused.


Manage automation upload and folder settings

File Content Analysis: Enable the File Content Analysis capability so that certain files and email attachments can automatically be uploaded to the cloud for additional inspection in Automated investigation.

Memory Content Analysis: Enable the Memory Content Analysis capability if you would like Microsoft Defender for Endpoint to automatically investigate memory content of processes. When enabled, memory content might be uploaded to Microsoft Defender for Endpoint during an Automated investigation.

Automation folder exclusions: Automation folder exclusions allow you to specify folders that the Automated investigation will skip. You can control the following attributes about the folder that you’d like to be skipped:
• Folders
• Extensions of the files
• File names


Configure automated investigation and remediation*** capabilities

1 Full – remediate threats automatically

2 Semi – require approval for any remediation

3 Semi – require approval for core folders remediation

4 Semi – require approval for non-temp folders remediation

5 No automated response


Block at risk devices with Microsoft Endpoint Manager

1 Turn on the Microsoft Intune connection from Microsoft Defender XDR portal

2 Turn on the Defender for Endpoint integration in Endpoint Manager

3 Create the compliance policy in Endpoint Manager

4 Assign the policy

5 Create an Entra ID Conditional Access policy



Configure for alerts and detections


Introduction
After completing this module, you will be able to:

1 Configure alert settings in Microsoft Defender for Endpoint

2 Manage indicators in Microsoft Defender for Endpoint



Configure advanced features (Part II)

The Advanced features area provides an on/off switch for many features within the product. The following are settings that are alert and detection focused.


Configure advanced features (continued)

1 Microsoft Defender for Identity integration

2 Office 365 Threat Intelligence connection

3 Microsoft Defender for Cloud Apps

4 Microsoft Intune connection

5 Microsoft Secure Score



Configure Email notifications


Manage alert tuning

You can create tuning rules for specific alerts known to be innocuous, such as known tools or processes in your organization. You can use the examples in the following table to help you choose the context for a suppression rule:

Context: Choose scope to suppress alerts for a User, Device or Device group
Definition: Alerts with the same alert title and within a specific scope only will be suppressed. All other alerts in that scope will not be suppressed.
Example scenarios:
• A security researcher is investigating a malicious script that has been used to attack other devices in your organization.
• A developer regularly creates PowerShell scripts for their team.

Context: Suppress alert for all organization devices (admin role required)
Definition: Alerts with the same alert title on any device will be suppressed.
Example scenarios:
• A benign administrative tool is used by everyone in your organization.

Manage indicators

Indicator of compromise (IoC) matching is an essential feature in every endpoint protection solution. This capability gives SecOps the ability to set a list of detection indicators and for blocking (prevention and response).

IoC type | Available actions
Files | Allow, Audit, Block and remediate
IP addresses | Allow, Audit, Block execution
URLs and domains | Allow, Audit, Block execution
Certificates | Allow, Block and remediate


Utilize Microsoft Defender Vulnerability Management


Introduction
After completing this module, you will be able to:

1 Describe Vulnerability Management in Microsoft Defender for Endpoint

2 Identify vulnerabilities on your devices with Microsoft Defender for Endpoint

3 Track emerging threats in Microsoft Defender for Endpoint



Explain Threat and Vulnerability Management
Defender Vulnerability Management uses built-in and agentless scanners to
continuously monitor and detect risk in your organization even when devices aren’t
connected to the corporate network.



Explore vulnerabilities on your devices
Vulnerability Management navigation pane

Area | Description
Dashboard | Get a high-level view of the organization exposure score, threat awareness, Microsoft Secure Score for Devices, top security recommendations, top remediation activities, and top exposed device data.
Recommendations | See the list of security recommendations and related threat information. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Entra ID and you’ve enabled your Intune connections in Defender for Endpoint.
Remediation | See remediation activities you’ve created and recommendation exceptions.
Inventories | Discover and assess all your organization’s assets in a single view.
Weaknesses | See the list of common vulnerabilities and exposures (CVEs) in your organization.
Event timeline | View events that may impact your organization’s risk.
Baselines assessment | Monitor security baseline compliance and identify changes in real-time.


Remediation steps

1 Select recommendation
2 Submit request
3 Review requests


Module 3, Lab 01 – Mitigate threats using Microsoft Defender for Endpoint


Lab Exercises for Learning Path 3

• Deploy Microsoft Defender for Endpoint

• Mitigate Attacks using Defender for Endpoint

Learning Path Recap
In this learning path, we covered the following topics:

• Defender for Endpoint: Microsoft Defender for Endpoint is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats on their endpoints.
• Threat Management: Defender for Endpoint provides advanced attack detections that are near real-time and actionable.
• Device Onboarding: Devices can be onboarded to be monitored by Microsoft Defender for Endpoint through the Defender for Endpoint portal.
• Attack Surface Reduction: Attack surface reduction rules can be enabled on Windows devices to reduce the attack surface.
• Vulnerability Management: Defender Vulnerability Management uses built-in and agentless scanners to continuously monitor and detect risk in your organization.