LU1 Mitigate threats using Microsoft Defender XDR
Topic 1 Introduction to Microsoft 365 threat protection
Explore Extended Detection & Response (XDR) response use cases
Understand Microsoft Defender XDR in a Security Operations Center (SOC)
Explore Microsoft Security Graph
Investigate security incidents in Microsoft Defender XDR
Topic 2 Mitigate incidents using Microsoft 365 Defender
Use the Microsoft Defender portal
Manage incidents
Investigate incidents
Manage and investigate alerts
Manage automated investigations
Use the action center1
Explore advanced hunting
Investigate Microsoft Entra sign-in logs
Understand Microsoft Secure Score
Topic 3 Protect your identities with Microsoft Entra ID Protection
Microsoft Entra ID Protection overview
Detect risks with Microsoft Entra ID Protection policies
Investigate and remediate risks detected by Microsoft Entra ID Protection
Topic 4 Remediate risks with Microsoft Defender for Office 365
Introduction to Microsoft Defender for Office 365
Automate, investigate, and remediate
Configure, protect, and detect
Simulate attacks
Topic 5 Safeguard your environment with Microsoft Defender for Identity
Introduction to Microsoft Defender for Identity
Configure Microsoft Defender for Identity sensors
Review compromised accounts or data
Integrate with other Microsoft tools
Topic 6 Secure your cloud apps and services with Microsoft Defender for Cloud Apps
Understand the Defender for Cloud Apps Framework
Explore your cloud apps with Cloud Discovery
Protect your data and apps with Conditional Access App Control
Walk through discovery and access control with Microsoft Defender for Cloud Apps
Classify and protect sensitive information
Detect Threats
LU2 Mitigate threats using Microsoft Purview
Topic 7 Respond to data loss prevention alerts using Microsoft 365
1. Describe data loss prevention alerts7
2. Investigate data loss prevention alerts in Microsoft Purview
3. Investigate data loss prevention alerts in Microsoft Defender for Cloud Apps
Topic 8 Manage insider risk in Microsoft Purview
Insider risk management overview
Introduction to managing insider risk policies
Create and manage insider risk policies
Knowledge check
Investigate insider risk alerts
Take action on insider risk alerts through cases
Manage insider risk management forensic evidence
Create insider risk management notice templates
Topic 9 Investigate threats by using audit features in Microsoft Defender XDR and Microsoft Purview Standard
Introduction to threat investigation with the Unified Audit Log (UAL)
Explore Microsoft Purview Audit solutions
Implement Microsoft Purview Audit (Standard)
Start recording activity in the Unified Audit Log
Search the Unified Audit Log (UAL)
Export, configure, and view audit log records
Use audit log searching to investigate common support issues
Topic 10 Investigate threats with Content search in Microsoft Purview
Explore Microsoft Purview eDiscovery solutions
Create a content search
View the search results and statistics
Export the search results and search report
Configure search permissions filtering
Search for and delete email messages
LU3 Mitigate threats using Microsoft Defender for Endpoint
Topic 11 Protect against threats with Microsoft Defender for Endpoint
Introduction to Microsoft Defender for Endpoint
Practice security administration
Hunt threats within your network
Topic 12 Deploy the Microsoft Defender for Endpoint environment
Create your environment
Understand operating systems compatibility and features
Onboard devices
Manage access
Create and manage roles for role-based access control
Configure device groups
Configure environment advanced features
Topic 13 Implement Windows security enhancements with Microsoft Defender for Endpoint
Understand attack surface reduction
Enable attack surface reduction rules
Topic 14 Perform device investigations in Microsoft Defender for Endpoint
Use the device inventory list
Investigate the device
Use behavioral blocking
Detect devices with device discovery
Topic 15 Perform actions on a device using Microsoft Defender for Endpoint
Explain device actions
Run Microsoft Defender antivirus scan on devices
Collect investigation package from devices
Initiate live response session
Topic 16 Perform evidence and entities investigations using Microsoft Defender for Endpoint
Investigate a file
Investigate a user account
Investigate an IP address
Investigate a domain
Topic 17 Configure and manage automation using Microsoft Defender for Endpoint
Configure advanced features
Manage automation upload and folder settings
Configure automated investigation and remediation capabilities
Block at risk devices
Topic 18 Configure for alerts and detections in Microsoft Defender for Endpoint
Configure advanced features
Configure alert notifications
Manage alert suppression
Manage indicators
Topic 19 Utilize Vulnerability Management in Microsoft Defender for Endpoint
Understand vulnerability management
Explore vulnerabilities on your devices
Manage remediation
LU4 Mitigate threats using Microsoft Defender for Cloud
Topic 20 Plan for cloud workload protections using Microsoft Defender for Cloud
Explain Microsoft Defender for Cloud
Describe Microsoft Defender for Cloud workload protections
Exercise – Microsoft Defender for Cloud interactive guide
Enable Microsoft Defender for Cloud
Topic 21 Connect Azure assets to Microsoft Defender for Cloud
Explore and manage your resources with asset inventory
Configure auto provisioning
Manual log analytics agent provisioning
Topic 22 Connect non-Azure resources to Microsoft Defender for Cloud
Protect non-Azure resources
Connect non-Azure machines
Connect your AWS accounts
Connect your GCP accounts
Topic 23 Manage your cloud security posture management
Explore Secure Score
Explore Recommendations
Measure and enforce regulatory compliance
Understand Workbooks
Topic 24 Explain cloud workload protections in Microsoft Defender for Cloud
Understand Microsoft Defender for servers
Understand Microsoft Defender for App Service
Understand Microsoft Defender for Storage
Understand Microsoft Defender for SQL
Understand Microsoft Defender for open-source databases
Understand Microsoft Defender for Key Vault
Understand Microsoft Defender for Resource Manager
Understand Microsoft Defender for DNS
Understand Microsoft Defender for Containers
Understand Microsoft Defender additional protections
Topic 25 Remediate security alerts using Microsoft Defender for Cloud
Understand security alerts
Remediate alerts and automate responses
Suppress alerts from Defender for Cloud
Generate threat intelligence reports
Respond to alerts from Azure resources
LU5 Create queries for Microsoft Sentinel using Kusto Query Language (KQL)
Topic 26 Construct KQL statements for Microsoft Sentinel
Understand the Kusto Query Language statement structure
Use the search operator
Use the where operator
Use the let statement
Use the extend operator
Use the order by operator
Use the project operators
Topic 27 Analyze query results using KQL
Use the summarize operator
Use the summarize operator to filter results
Use the summarize operator to prepare data
Use the render operator to create visualizations
Topic 28 Build multi-table statements using KQL
Use the union operator
Use the join operator
Topic 29 Work with data in Microsoft Sentinel using Kusto Query Language
Extract data from unstructured string fields
Extract data from structured string data
Integrate external data
Create parsers with functions
LU6 Configure your Microsoft Sentinel environment
Topic 30 Introduction to Microsoft Sentinel
What is Microsoft Sentinel?
How Microsoft Sentinel works
When to use Microsoft Sentinel
Topic 31 Create and manage Microsoft Sentinel workspaces
Plan for the Microsoft Sentinel workspace
Create a Microsoft Sentinel workspace
Manage workspaces across tenants using Azure Lighthouse
Understand Microsoft Sentinel permissions and roles
Manage Microsoft Sentinel settings
Configure logs
Topic 32 Query logs in Microsoft Sentinel
Query logs in the logs page
Understand Microsoft Sentinel tables
Understand common tables
Understand Microsoft Defender XDR tables
Topic 33 Use watchlists in Microsoft Sentinel
Plan for watchlists
Create a watchlist
Manage watchlists
Topic 34 Utilize threat intelligence in Microsoft Sentinel
Define threat intelligence
Manage your threat indicators
View your threat indicators with KQL
LU7 Connect logs to Microsoft Sentinel
Topic 35 Connect data to Microsoft Sentinel using data connectors
Ingest log data with data connectors
Understand data connector providers
View connected hosts
Topic 36 Connect Microsoft services to Microsoft Sentinel
Plan for Microsoft services connectors
Connect the Microsoft Office 365 connector
Connect the Microsoft Entra connector
Connect the Microsoft Entra ID Protection connector
Connect the Azure Activity connector
Topic 37 Connect Microsoft Defender XDR to Microsoft Sentinel
Plan for Microsoft Defender XDR connectors
Connect the Microsoft Defender XDR connector
Connect Microsoft Defender for Cloud connector
Connect Microsoft Defender for IoT
Connect Microsoft Defender legacy connectors
Topic 38 Connect Windows hosts to Microsoft Sentinel
Plan for Windows hosts security events connector
Connect using the Windows Security Events via AMA Connector
Connect using the Security Events via Legacy Agent Connector
Collect Sysmon event logs
Topic 39 Connect Common Event Format logs to Microsoft Sentinel
Plan for Common Event Format connector6
Connect your external solution using the Common Event Format connector
Topic 40 Connect syslog data sources to Microsoft Sentinel
Plan for syslog data collection
Collect data from Linux-based sources using syslog
Configure the Data Collection Rule for Syslog Data Sources
Parse syslog data with KQL
Topic 41 Connect threat indicators to Microsoft Sentinel
Plan for threat intelligence connectors
Connect the threat intelligence TAXII connector
Connect the threat intelligence platforms connector
View your threat indicators with KQL
LU8 Create detections and perform investigations using Microsoft Sentinel
Topic 42 Threat detection with Microsoft Sentinel analytics
Exercise - Detect threats with Microsoft Sentinel analytics
What is Microsoft Sentinel Analytics?
Types of analytics rules
Create an analytics rule from templates
Create an analytics rule from wizard
Manage analytics rules
Exercise - Detect threats with Microsoft Sentinel analytics
Topic 43 Automation in Microsoft Sentinel
Understand automation options
Create automation rules
Topic 44 Threat response with Microsoft Sentinel playbooks
Exercise - Create a Microsoft Sentinel playbook
What are Microsoft Sentinel playbooks?
Trigger a playbook in real-time
Run playbooks on demand
Exercise - Create a Microsoft Sentinel playbook
Topic 45 Security incident management in Microsoft Sentinel
Exercise - Set up the Azure environment
Understand incidents
Incident evidence and entities
Incident management
Exercise - Investigate an incident
Topic 46 Identify threats with Behavioral Analytics
Understand behavioral analytics
Explore entities
Display entity behavior information
Use Anomaly detection analytical rule templates
Topic 47 Data normalization in Microsoft Sentinel
Understand data normalization
Use ASIM Parsers
Understand parameterized KQL functions
Create an ASIM Parser
Configure Azure Monitor Data Collection Rules
Topic 48 Query, visualize, and monitor data in Microsoft Sentinel
Exercise - Query and visualize data with Microsoft Sentinel Workbooks
Monitor and visualize data
Query data using Kusto Query Language
Use default Microsoft Sentinel Workbooks
Create a new Microsoft Sentinel Workbook
Exercise - Visualize data using Microsoft Sentinel Workbooks
Topic 49 Manage content in Microsoft Sentinel
Use solutions from the content hub
Use repositories for deployment
LU9 Perform threat hunting in Microsoft Sentinel
Topic 50 Explain threat hunting concepts in Microsoft Sentinel
Understand cybersecurity threat hunts
Develop a hypothesis
Explore MITRE ATT&CK
Topic 51 Threat hunting with Microsoft Sentinel
Explore creation and management of threat-hunting queries
Save key findings with bookmarks
Observe threats over time with livestream
Exercise - Hunt for threats by using Microsoft Sentinel
Topic 52 Use Search jobs in Microsoft Sentinel
Hunt with a Search Job
Restore historical data
Topic 53 Hunt for threats using notebooks in Microsoft Sentinel
Access Azure Sentinel data with external tools
Hunt with notebooks
Create a notebook
Explore notebook code
Topic 54 Who Hacked cloud game
Play Who Hacked?
Keep playing to find the culprit!
