Course Syllabus
-
Module 1: Mitigate threats using Microsoft Defender for Endpoint

Learn to implement Microsoft Defender for Endpoint to detect, investigate, and respond to sophisticated threats. You will explore how to deploy and configure the environment, onboard devices, enhance security on Windows 10, conduct investigations, automate responses, and leverage Threat and Vulnerability Management for proactive defense.


Lessons

  • Protect against threats with Microsoft Defender for Endpoint

  • Deploy the Defender for Endpoint environment

  • Implement Windows 10 security enhancements (e.g., Attack Surface Reduction rules)

  • Manage alerts and incidents in Defender for Endpoint

  • Perform device investigations and actions using remote capabilities

  • Conduct evidence and entities investigations to assess impact

  • Configure alerts, detections, and automation workflows

  • Utilize Threat and Vulnerability Management to identify and prioritize risks

Lab : Mitigate threats using Microsoft Defender for Endpoint

  • Deploy Microsoft Defender for Endpoint

  • Mitigate attacks using Defender for Endpoint

After completing this module, students will be able to:

  • Define the core capabilities of Microsoft Defender for Endpoint

  • Configure the Defender for Endpoint environment, including security settings and onboarding devices

  • Implement Attack Surface Reduction (ASR) rules to reduce exposure on Windows 10 devices

  • Investigate alerts, user accounts, domains/IPs, and devices

  • Manage automation settings and threat indicators effectively

  • Understand and use device forensics data collected by Defender for Endpoint

  • Apply Threat and Vulnerability Management to identify environment weaknesses and prioritize remediation efforts

-
Module 2: Mitigate threats using Microsoft 365 Defender

Gain the skills to leverage Microsoft 365 Defender for comprehensive, multi-domain threat protection. In this module, you'll explore how to detect and remediate threats using orchestration and automation, safeguard identities, secure cloud applications, and manage insider risk—all within the integrated Defender ecosystem.

Lessons

  • Introduction to threat protection with Microsoft 365 Defender

  • Mitigate incidents using Microsoft 365 Defender

  • Protect your identities with Azure AD Identity Protection

  • Remediate risks using Microsoft Defender for Office 365

  • Safeguard your environment with Microsoft Defender for Identity

  • Secure your cloud apps and services with Microsoft Cloud App Security

  • Respond to data loss prevention (DLP) alerts

  • Manage insider risk in Microsoft 365

Lab : Mitigate threats using Microsoft 365 Defender

  • Practical exercise focused on detecting and remediating attacks using the Defender suite

After completing this module, students will be able to:

  • Explain how the threat landscape is rapidly evolving and its implications for organizational security

  • Detect, investigate, and manage security incidents across Microsoft 365 Defender

  • Conduct advanced threat hunting using Microsoft 365 Defender tools and queries

  • Understand and apply the investigative and remediation capabilities of Azure AD Identity Protection

  • Define the capabilities of Microsoft Defender for Endpoint and explain how it helps remediate environmental risks

  • Describe the Cloud App Security framework and how Cloud Discovery enhances visibility into organizational cloud usage

-
Module 3: Mitigate threats using Azure Defender

In this module, you will learn to implement Microsoft Defender for Cloud, the service that combines the former Azure Security Center (security posture management) and Azure Defender (cloud workload protection), to protect workloads across Azure, hybrid cloud, and on-premises environments. You'll learn how to enable the solution, explore its protection and detection capabilities, and extend its reach into hybrid infrastructures for comprehensive security posture management.


Lessons

  • Plan for cloud workload protections using Microsoft Defender for Cloud

  • Explain cloud workload protections by service and workload type

  • Connect Azure assets to Defender for Cloud

  • Connect non-Azure resources (including on-premises and other cloud services)

  • Remediate security alerts and recommendations using Defender for Cloud

Lab : Mitigate threats using Microsoft Defender for Cloud

  • Deploy Microsoft Defender for Cloud

  • Mitigate attacks with Defender for Cloud

After completing this module, students will be able to:

  • Describe the features and value proposition of Microsoft Defender for Cloud and how it succeeds Azure Security Center and Azure Defender

  • Identify which workload types (e.g., servers, storage, databases, containers, Key Vault) are supported and secured by Defender for Cloud

  • Enable protection via both auto-provisioning and manual deployment of Defender across Azure workloads

  • Connect and apply Defender protections to hybrid and non-Azure environments

  • Interpret and respond to alerts generated by Defender for Cloud and configure automated response actions where applicable

-
Module 4: Create queries for Azure Sentinel using Kusto Query Language (KQL)

Develop the ability to write and use KQL statements to query log data for threat detection, analysis, and reporting within Azure Sentinel. Learn foundational KQL operators and query structure that support building complex analytics, workbooks, and hunting queries. This module also covers summarizing and visualizing security data, and manipulating string data for more effective threat insights.

Lessons

  • Construct KQL statements for Azure Sentinel

  • Analyze query results using KQL

  • Build multi-table statements using KQL

  • Work with string data in Azure Sentinel using KQL

Lab : Create queries for Azure Sentinel using KQL

  • Construct basic KQL statements

  • Analyze query results

  • Build multi-table statements

  • Work with string data in queries

After completing this module, students will be able to:

  • Construct, refine, and apply KQL statements tailored for security event analysis

  • Search log files for security events using filters like event time, severity, and domain

  • Summarize and visualize data through KQL statements, and use these to build detections

  • Extract data from both structured and unstructured string fields

  • Create reusable KQL functions to improve query efficiency and clarity
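The four lesson topics above (filtering and projecting, summarizing, multi-table joins, and string parsing, plus a reusable function) combined in one query, as an added example that is not part of the course material. It assumes the workspace receives Windows security events in the SecurityEvent table and Linux sshd messages in the Syslog table (the standard tables for the Windows and Syslog connectors); the 20-failure threshold and the one-day window are arbitrary choices.

```kusto
// Added example (not course material). Assumed: SecurityEvent and Syslog are populated;
// the threshold and window values are arbitrary.
let window = 1d;
let threshold = 20;
// Reusable function: failed Windows logons (EventID 4625) within a lookback period
let WindowsFailures = (lookback:timespan) {
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625
    | project TimeGenerated, Computer, TargetUser = TargetUserName, SourceIp = IpAddress
};
// Unstructured string data: pull the user and source IP out of sshd "Failed password" lines.
// Handles both "Failed password for root from 10.0.0.5 port 51234 ssh2"
// and          "Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2".
let LinuxFailures = (lookback:timespan) {
    Syslog
    | where TimeGenerated > ago(lookback)
    | where ProcessName == "sshd" and SyslogMessage has "Failed password"
    | parse SyslogMessage with * "Failed password for " UserPart " from " SourceIp:string " port " Port:int *
    | extend TargetUser = trim_start(@"invalid user ", UserPart)
    | project TimeGenerated, Computer, TargetUser, SourceIp
};
// Combine both sources, then summarize per source address
union WindowsFailures(window), LinuxFailures(window)
| summarize Failures = count(),
            DistinctUsers = dcount(TargetUser),
            Hosts = make_set(Computer, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by SourceIp
| where Failures >= threshold
// Multi-table: did the same address also log on successfully over the network (4624, LogonType 3 or 10)?
| join kind=leftouter (
    SecurityEvent
    | where TimeGenerated > ago(window)
    | where EventID == 4624 and LogonType in (3, 10)
    | summarize Successes = count(), SuccessAccounts = make_set(TargetUserName, 10) by SourceIp = IpAddress
  ) on SourceIp
| extend Successes = coalesce(Successes, 0)
| project-away SourceIp1
| order by Successes desc, Failures desd
```

Run it in the Logs blade of the Sentinel workspace. Sources with a non-zero Successes value are the ones to investigate first: a spray that ended in a successful network logon is a compromised account, not just noise. The two let functions are the reusable pieces; saving them as workspace functions lets later detections and hunts call them by name.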

-
Module 5: Configure your Azure Sentinel environment

In this module, you’ll master the foundational setup of Azure Sentinel. You’ll learn how to architect, deploy, and manage Sentinel workspaces so they effectively meet your organization’s security operations needs. You’ll also discover how to query data, leverage watchlists, and integrate threat intelligence for a comprehensive analytics and alerting capability.


Lessons

  • Introduction to Azure Sentinel

  • Create and manage Azure Sentinel workspaces

  • Query logs in Azure Sentinel

  • Use watchlists in Azure Sentinel

  • Utilize threat intelligence in Azure Sentinel

Lab : Configure your Azure Sentinel environment

  • Create an Azure Sentinel workspace

  • Create a Watchlist

  • Create a Threat Indicator

After completing this module, students will be able to:

  • Identify the key components and functionality of Azure Sentinel and understand its use cases

  • Describe Azure Sentinel workspace architecture and deploy a workspace effectively

  • Manage and configure Sentinel workspaces to align with security operation requirements

  • Create and query watchlists using KQL to enhance threat detection capabilities

  • Manage threat indicators and integrate threat intelligence into Sentinel to enrich investigation and alerting contexts
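The watchlist and threat-intelligence outcomes above applied together, as an added example that is not part of the course material: flag connections from high-value hosts to addresses that appear in active threat indicators. It assumes a watchlist named HighValueAssets with columns IpAddress and Owner (both the name and the columns are assumptions), a firewall feeding the CommonSecurityLog table through the CEF connector, and indicators in the ThreatIntelligenceIndicator table.

```kusto
// Added example (not course material). Assumed: watchlist 'HighValueAssets' with columns IpAddress and Owner,
// a CEF firewall feed in CommonSecurityLog, and indicators in ThreatIntelligenceIndicator.
let lookback = 1d;
// Watchlist rows come back as the columns of the uploaded CSV (plus SearchKey); cast to be explicit about types
let HighValueIPs = _GetWatchlist('HighValueAssets')
    | project AssetIp = tostring(IpAddress), Owner = tostring(Owner);
// Indicators are versioned: keep only the newest copy of each, then only active, unexpired IP indicators
let ActiveIpIndicators = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(30d)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkIP)
    | project IndicatorIp = NetworkIP, ThreatType, ConfidenceScore, Description, SourceSystem;
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where isnotempty(SourceIP) and isnotempty(DestinationIP)
// Only traffic originating from the assets on the watchlist
| join kind=inner HighValueIPs on $left.SourceIP == $right.AssetIp
// Only destinations that match a live indicator
| join kind=inner ActiveIpIndicators on $left.DestinationIP == $right.IndicatorIp
| summarize Connections = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Ports = make_set(DestinationPort, 20),
            Devices = make_set(DeviceName, 5)
    by SourceIP, Owner, DestinationIP, ThreatType, ConfidenceScore, Description, SourceSystem
| order by ConfidenceScore desc, Connections desc
```

Two practical notes. Deduplicating on IndicatorId before filtering on Active matters: an indicator that was later deactivated still has an older row with Active == true. And Sentinel's built-in "TI map" analytics rule templates perform this indicator-to-log join for you; a hand-written query like this one is for the cases where you need the watchlist context (Owner) or a table the templates do not cover.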

-
Module 6: Connect logs to Azure Sentinel

In this module, you'll learn how to ingest log data at scale into Azure Sentinel from diverse environments—cloud, on-premises, and hybrid. You'll explore Azure Sentinel's data connectors for Microsoft services, operating systems, and threat intelligence feeds. The focus is on configuring connectors to ensure comprehensive telemetry coverage and enabling Sentinel to generate automated insights and alerts.


Lessons

  • Connect data to Azure Sentinel using data connectors

  • Connect Microsoft services (e.g., Office 365, Azure Active Directory, Azure Activity) to Azure Sentinel

  • Connect Microsoft 365 Defender specifically to Azure Sentinel

  • Connect Windows hosts to Azure Sentinel

  • Connect Common Event Format (CEF) logs to Azure Sentinel

  • Connect Syslog data sources (Linux and network devices) to Azure Sentinel

  • Connect threat intelligence indicators to Azure Sentinel

Lab : Connect logs to Azure Sentinel

  • Configure and enable data connector for Microsoft services

  • Connect Windows hosts to Sentinel using Windows Event or Sysmon logs via Log Analytics agent

  • Connect Linux or other Syslog sources to Sentinel

  • Connect threat intelligence feeds into Azure Sentinel for enrichment

After completing this module, students will be able to:

  • Explain the purpose and benefits of data connectors in Azure Sentinel

  • Differentiate between Common Event Format (CEF) and Syslog connectors

  • Connect Microsoft services and automatically generate incidents from incoming data

  • Enable the Microsoft 365 Defender data connector to integrate alerts and signals

  • Onboard Azure Windows VMs and non-Azure Windows hosts via Log Analytics agents (e.g., collecting Sysmon events)

  • Configure deployment options for CEF connectors across your environment

  • Set up and use the TAXII connector for ingesting threat intelligence

  • View and manage threat indicators in Azure Sentinel for enriched detection capabilities
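Two queries a practitioner runs after enabling the connectors above to confirm data is actually arriving, as an added example that is not part of the course material. The table list is an assumption and should be trimmed to the connectors you enabled; Heartbeat is the table the agents (Log Analytics agent or Azure Monitor Agent) write to, so it is the check for Windows hosts and for the Syslog/CEF forwarder.

```kusto
// Added example (not course material). Table list is an assumption: adjust to the connectors you enabled.
// isfuzzy=true lets the query run even when a listed table does not yet exist in the workspace.
union withsource = SourceTable isfuzzy = true
    SecurityEvent, Event, Syslog, CommonSecurityLog, OfficeActivity, SigninLogs, AzureActivity, ThreatIntelligenceIndicator
| where TimeGenerated > ago(7d)
| summarize Records7d = count(),
            Records24h = countif(TimeGenerated > ago(24h)),
            LastRecord = max(TimeGenerated)
    by SourceTable
| extend Staleness = now() - LastRecord
| order by Staleness desc

// Agent-based sources (Windows hosts, the Syslog/CEF forwarder): machines whose agent has gone quiet for an hour
Heartbeat
| where TimeGenerated > ago(7d)
| summarize LastHeartbeat = max(TimeGenerated), AgentVersion = take_any(Version) by Computer, OSType, Category
| where LastHeartbeat < ago(1h)
| order by LastHeartbeat asc
```

A table that shows up with Records7d > 0 but Records24h == 0 is the usual signature of a connector that was enabled during the lab and then broke (expired credentials, a forwarder that stopped, a diagnostic setting removed). For CEF specifically, a forwarder that heartbeats but produces no CommonSecurityLog rows points at the rsyslog/syslog-ng forwarding configuration rather than at the agent.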

-
Module 7: Create detections and perform investigations using Azure Sentinel

This module teaches you how to leverage Azure Sentinel’s analytics and automation capabilities to detect and investigate security threats. You’ll explore how to build detection rules, create automated response playbooks, manage incidents, apply behavioral analytics, and visualize security insights using workbooks.


Lessons

  • Threat detection with Azure Sentinel analytics

  • Automation in Azure Sentinel

  • Threat response with Sentinel playbooks (SOAR)

  • Security incident management in Sentinel

  • Identify threats with behavioral analytics

  • Query, visualize, and monitor data in Sentinel

  • Manage content in Sentinel

Lab : Create detections and perform investigations using Azure Sentinel

  • Modify a security rule

  • Create a playbook for automated response

  • Create a scheduled query using the analytics wizard

  • Explore entity behavior analytics (behavioral insights)

  • Simulate attacks to test detections

  • Create detections and investigate resulting incidents

  • Create and customize workbooks for data visualization

  • Use content repositories to manage Sentinel configurations

After completing this module, students will be able to:

  • Explain the role and significance of Azure Sentinel analytics in identifying threats

  • Develop detection rules using templates and the analytics rule wizard

  • Understand and apply Sentinel’s automation features, including SOAR capabilities via playbooks

  • Investigate and manage security incidents, including evidence and entity analysis

  • Leverage behavioral analytics to discover anomalous behaviors and threats

  • Use Kusto Query Language (KQL) to query, visualize, and monitor security data using workbooks

  • Manage and deploy security content via content repositories for efficient configuration and sharing across Sentinel instances

-
Module 8: Perform threat hunting in Azure Sentinel

This module focuses on proactive threat hunting techniques in Azure Sentinel (now Microsoft Sentinel). You will learn how to formulate hypothesis-driven queries, use livestream to monitor a query's results in near real time, use bookmarks to preserve findings, and conduct advanced hunting using notebooks for deeper data exploration.


Lessons

  • Explain threat hunting concepts in Azure Sentinel

  • Threat hunting with Azure Sentinel

  • Hunt for threats using notebooks in Azure Sentinel

Lab : Threat hunting in Azure Sentinel

  • Perform threat hunting using Sentinel queries

  • Execute advanced hunting scenarios using notebooks

After completing this module, students will be able to:

  • Describe the fundamentals of threat hunting and its relevance in security operations

  • Define and test threat-hunting hypotheses to guide investigative searches

  • Use KQL queries to proactively hunt for threats across your data

  • Observe threat behaviors over time using livestream monitoring features

  • Leverage Sentinel’s API libraries and notebooks for advanced, in-depth threat hunting
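A hypothesis-driven hunt of the kind Module 8 describes, written so that it can also become a scheduled analytics rule under Module 7; this is an added example, not part of the course material. Hypothesis: a child process that an Office application or scripting host has never spawned on a given machine during a 30-day baseline is unusual enough to review. It assumes process-creation auditing (EventID 4688) with command-line logging is enabled on the onboarded Windows hosts; the parent list and both windows are arbitrary choices.

```kusto
// Added example (not course material). Assumed: EventID 4688 with command-line auditing is enabled;
// the watched-parent list, baseline window and hunt window are arbitrary choices.
let baselineWindow = 30d;
let huntWindow = 1d;
let WatchedParents = dynamic(["winword.exe", "excel.exe", "outlook.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
let ProcessStarts = SecurityEvent
    | where TimeGenerated > ago(baselineWindow)
    | where EventID == 4688
    // keep only the file name from the full image paths
    | extend Parent = tolower(extract(@"([^\\]+)$", 1, ParentProcessName)),
             Child  = tolower(extract(@"([^\\]+)$", 1, NewProcessName))
    | where Parent in (WatchedParents)
    | project TimeGenerated, Computer, Account, Parent, Child, CommandLine;
// Baseline: every parent/child pair each host produced before the hunt window
let Baseline = ProcessStarts
    | where TimeGenerated < ago(huntWindow)
    | summarize by Computer, Parent, Child;
// Hunt window: pairs with no baseline match on that host (leftanti keeps only the unmatched rows)
ProcessStarts
| where TimeGenerated > ago(huntWindow)
| join kind=leftanti Baseline on Computer, Parent, Child
| summarize Starts = count(),
            FirstSeen = min(TimeGenerated),
            Accounts = make_set(Account, 5),
            SampleCommandLines = make_set(CommandLine, 3)
    by Computer, Parent, Child
| order by Starts asc, FirstSeen asc
```

Rare pairs sort to the top; winword.exe spawning cmd.exe or powershell.exe once on one host is exactly the shape of a macro dropper. Bookmark the rows worth keeping, run the query as a livestream while you simulate the behaviour in the lab, and if the hit rate is low enough, paste it into the analytics rule wizard as a scheduled query with Computer mapped to the Host entity and Account to the Account entity so incidents carry the right entities for investigation.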