Pass Microsoft Security SC-200 Exam in First Attempt Easily

Introduction

1. Configuring the Lab Environment

Hello everyone and welcome back to my course, Microsoft Security Operations Analyst SC 200. Because we are still in the introductory section, we will discuss configuring the necessary prerequisites in order to do and complete the hands-on lab because we do need to install some software as well as a Microsoft 365 trial subscription and an Asia trial subscription. In addition to the trial subscriptions, we will need a virtualization software to be able to run the lab VMs locally on your machine because this is a requirement. For example, during the lab, you may need to onboard machines in Microsoft Defender for Endpoint, Microsoft Defender for Cloud, or stream security logs from a virtual machine to Microsoft Sentinel. And in order to do that, you will need some virtual machines to be able to do all these tasks. Now, don't worry, the virtual machines are already set up. They're in my OneDrive link, which you'll have in the downloadable resources for this lesson.

You only need to download them and import them into your virtualization software—my choice here was Oracle VirtualBox. And this is for ease of use and ease of installation. In this lesson, I am going to show you how to install Oracle VirtualBox, how to import, download, and import the virtual machines, and then a few guides on how to create the Microsoft 365 trial subscription and the Asia trial subscription as well. So that being said, let's get into our machine over here, our virtual machine, and let me show you how to actually install, first of all, Virtual Box, our virtualization software. So you will have a link in the downloadable resource file for this lesson. It's a TXT file with several links in it, which you need to be able to download and install this.So going to the link here, we need to click on VirtualBox for Windows hosts.

Now, clicking on this will start downloading our installer file. Once this is downloaded, we just click on it, and the wizard will start up in just a moment here. Here we go. Click on yes, and this will prepare to install. Now, I won't actually install the software because I already have it installed, but this is just a plain, simple Next Finish wizard. So you don't have to configure anything here; just click on Next, Next, let it install, and then Finish. So I will back out of this for the moment. Then the next thing we need to do is download the virtual machines. The virtual machines are already preconfigured for every task that you need to do in the lab, and I have them available in a OneDrive link, which of course you have in the downloadable resource for this lesson.

So I'm going to open a new tab, paste the OneDrive link into it, and go download the virtual machines. Here we go. Now it automatically logged me in, as you can see. But just to note here, you will need a Microsoft account enabled to log into OneDrive and access this folder here, which contains, as you can see, 12345 virtual machines right now onceyou are logged into OneDrive and you are here in thisfolder, all you need to do is on each file you just right click and click Download. This will start downloading the virtual machine to the location of your choice on your local computer. You repeat the step for every virtual machine here until you download all the virtual machines. Now, I've already got these virtual machine OVA files on my computer, so I will not proceed with downloading them. Now let's open up our virtualization software. So if I just type here "VirtualBox," this will open up my Virtual Box. Now I already have a virtual machine here. Don't mind it because it's an old virtual machine that I've used for other labs. Now what we need to do, once we have those virtual machines and those OVA files downloaded, is import those OVAs into our Virtual Box environment.

So for that, we can either click on File and click here on Import Appliance, or if we go to Tools overhere, we will have the Import button available here. So let's click on Import. Let me select the location where I have those files downloaded. So I have them here. As you can see, this is how they all look like they're OV files. So I'm going to start with this one. For example, this is a Linux machine. I am going to click on Next, and we'll just leave the defaults as they are. And of course, you can change the location where you want to store these virtual machines. For example, you can select Other, and you can select this folder or whatever folder you want, wherever you want to put your virtual machines. I recommend that you create a folder in which you will put all of these virtual machines. So I'll select the folder here, and I am going to click on Import.

Now this process will take a little bit of time, and I will leave it here to import. And in the meantime, I will show you how to create the trial subscriptions for Microsoft 365 and the Azure subscription. So I'm going to go back to the browser here, and you have yet another link available in your downloadable resource. For this lesson, I'm going to open up a new tab and paste this link over here. And this is actually a step-by-step guide or step-by-step tutorial on how to create a Microsoft 365 or Five subscription. Because first of all, if I just scroll down a little bit here, you will need to create an Office 365 Five Trial Tenant. And once you complete this process, basically what you need to do is go to this page over here.

Just scroll up a little bit; we'll go to this link over here, and I'll open it in a new tab to show you how it looks. Here we go. This is it. You just need to click on "Free Trial" over here and you'll be taken to set up a wizard page, right? And of course it already sees that I'm signed in with my current account, so this won't work for me. But again, if I just close this and this as well, This will take you to this process right here, right? To sign up for Office three, six, five, trial tenant. Again, you need to set up a Microsoft Account if you don't already have one. This is free to do, and it will take only about two minutes to complete. Then information about yourself, whatever information you want to include, such as a test company name and fixture information, for example.

Then you will need a phone number to basically go through a verification step where you receive a text message and have to enter the code here to continue to the next step. Then, of course, you can set up the custom domain. You can skip all these steps because the cost of a domain means that you need to specify an alias here. For example, mine is called My Custom Domain, and my trial tenant is called SC 200 Training. And let me just log in here to adminMicrosoft.com just to show you because I have something else to show you here in the portal, okay? And as you can see here, my custom domain name is SC Two Hundred Training Lab, right? So you can specify whichever name you want to put here on Microsoft.com.

Now then, you will be asked to set up an account—one that makes sense for you. This is the account that you will use throughout the labs. This is the account that you will use to sign into your Microsoft subscription and your Azure subscription: the admin account. Then of course, you can complete all the other prerequisites here. You can skip the steps where youwant to select a custom domain. This is basically valid if you have your own domain. You own a domain, and you wanted to add it there as a custom domain in your Microsoft subscription. On the next step, you will be able to add new users. Skip this step as well, because I will show you in a moment how to bulk import the users that you will need in the lab because you have a CSV file with all the necessary users already available to you in the downloadable resources, and I will show you how to import those users. So skip the step. Then again, there are several other things that you need to do. Exactly as it is written here. So you want Exchange, so check the box next to Exchange and click Next. This is again about the custom domain and adding DNS records and MX records. This is not necessary. And you arrive here, say, at the end of your wizarding career. Your Microsoft subscription has been created. Now, before actually using this, you will also need to enable Microsoft ThreeSixFiveEight, or Microsoft 365. Not the Office 365 trial subscription, but the MarkSoft 365 trial subscription. So you can do that by going to the Admin Center, to the billing section, and searching for purchase services" for Microsoft 365 e five. And then you just click on "Start a Free Trial." Again, you will have to verify this via SMS on the phone number that you registered earlier. And that's about it.

You will have 25 Microsoft Three Sixty-Five-Eight licences available after this. Okay? Now, once you do this from the Microsoft 365 Admin Center, and if I just go here to actually show you, let me click on "Show All." This is where you want to go for billing and purchasing services, and simply search for Microsoft 365 E5. But again, I already have this enabled. Simply type something into the search bar over here. or you can view by category. And if you select Microsoft 365 again, you will find it in the list here. It's called Microsoft 3 6 5 E 5. just like it's mentioned here in the step-by-step tutorial. Now, going further, once you are set up with the Microsoft 365 subscription, you will also need to create an Asia subscription because you have access at this moment to the Azure AD tenant, but you don't have an Asia subscription.

And we need this to be able to work with Microsoft Defender for the cloud, to create virtual machines, and to create and configure our Microsoft Sentinel Workspace, of course. Now, to create an Azure subscription, you just need to go to the following link: portal.azure.com. Of course, I already have a subscription created, so as you can see, it brings me directly here. However, if you do this as the next step after creating the Microsoft 365 E5 trial, you will see a message here in the centre indicating that you do not have a subscription and the option to create a new subscription. Okay? Now, when you click on that button to create a new subscription, or you can also use this, and you'll also have this link in the downloadable resources, this tutorial over here, you will be actually taken with your Microsoft account to this page, where it's yet another wizard to create your Azure trial subscription. By creating an Azure trial subscription, you will get access for 30 days to all of the Asia services, and you will also get $200 in credit ($170 depending on your currency) depending on the zone that you are in.

Now, one key note here is that you will need a card, a credit card, to be able to create this free trial subscription. Now, don't worry if you don't have a credit card you can use. For example, as I have done for my trial subscription, I have used a Revolut virtual card. It is very simple to open a Revolute account. You have the option to create a virtual card, and you can use that virtual card here to create this as your trial subscription. Again, you don't need any kind of money on your card. You won't be billed a single cent. It's just for verification purposes. And that's it. Once you create the Azure subscription, you will have all the necessary prerequisites in terms of Asia and Microsoft 365 to get going and complete the lapse.

Now, let's see if our virtual machine has been imported successfully over here. And again, you will need to do the same steps for all five virtual machines. So, return to Tools, click Import, and select the location where you downloaded the OVA files. You will need to repeat the Importing step for each of these five virtual machines. Now, after you import the virtual machine, just as a test, you can click on Start to actually start the virtual machine to be sure that it's working and running properly. And once that is complete, you can just shut it down because you will have step-by-step instructions in the lab—instructions when you need to turn on a virtual machine and when you need to turn it off. Because you will not need to run all of these virtual machines at once, right? So you will need, depending on the lab that you're redoing, one or a maximum of two virtual machines to run concurrently, let's say, right? So the virtual machine is loading up. It's running until this virtual machine loads up. I just want to show you a different thing, and that is the instructions for the files. So let me just bring up the instructions over here because you will have these files available as, again, assignment tasks and downloadable resources for the hands-on lab.

You will find them in PDF format, and they will look like this. So for example, for the first lab, you will have these instructions. So it gives you a scenario. And then you will have step-by-step instructions on how to complete the lab. The first task is to sign in to your admin account in your Microsoft Admin Center and create two groups that will be necessary further on in the labs. Then you will have to do some configuration here in the Microsoft 365 Defender portal. And of course, you scroll down and complete all the steps here, step by step. Again, it is very easy to complete the labs. Now, one thing I want to emphasise is that you must complete every exercise and task in every lab, because the labs are built one on top of the other. So in this lab, you will configure, for example, the Microsoft 365 portal; in the next lab, You will onboard Windows machines in Defender for Endpoint in the next lab. But eventually you will get to a lab where you will need to have all of those tasks completed in order to be able to complete the lab that you're doing, right?

So you'll need to have that machine from the previous lab onboarded in order to finish the lab you're working on right now. I hope that makes sense. So this is what every lab looks like. These are step-by-step instructions. Now, one last thing I'd like to show you before we go. Our virtual machine has loaded up successfully. You have the credentials to log into each virtual machine in the downloadable resource for this lesson. So for now, I'm going to stop this virtual machine and I am going to just minimise the VirtualBox software because I want to show you another important step that you need to do before actually starting to do the labs, and that is to import users in your Microsoft 365 Admin Center. Because there are some users, of course, there are fixtures that you will need to use throughout the labs. So here, let me go to my Admin Center again.

Once this pop-up bar disappears from here, And in the Admin Center, if we go to Users and Active Users over here, you see that you have an option to add multiple users. So these are the users you will eventually have. They are fixtures users, of course. But click on Multiple Users over here, and then you have the option to upload the users from a CSV file. You already have the CSV file available as a downloadable resource for this particular lesson. So all you need to do is click on "Browse." I have mine over here. It's called Import User Sample CSV. This is what it will be called for you as well. So you need to download this CSV file, place it somewhere on your computer, and go to "Add multiple users" and upload the CSV file. Of course, for me, it will probably return errors because these users are already present in my trial talent here.

And if we click on "View errors here," of course, as you can see, the same email address is used for two different users. All of the errors are the same because I already have these users in my trial tenant. However, you will not encounter any errors. Then you will need to click on "Next," "Follow the Wizard," and after that, you will end up with "Let me cancel out of this." All of these users will be imported and available in your tenant. Now, of course, you don't have any licenced users, but throughout the labs you will be able to assign licences to some users, you will need to assign some privileged roles to other users, and so on. So this is why this step is necessary to import these users into your trial. Tenant, in a nutshell, this is everything you need to do in order to start and finish the lapse successfully. And of course, this brings our discussion for this lesson to an end. And now we are actually going to start the course. We are going to go into the second section. Of course, I hope I see everyone in the next section. Until then, again, hopefully this has been informative for you.

Hide

Mitigate threats using Microsoft 365 Defender

1. Threat Protection with Microsoft 365 Defender

Everyone, and welcome to my course, Microsoft Security Operations Analyst SC 200. This is Section Two of the course, and in this one we will discuss mitigating threats using Microsoft 365 Defender. This is a big section because we have lots and lots of things to cover in all the Microsoft security tools within the Microsoft 365 Defender suite. And these are the lessons that will come through. As a result, Microsoft 365 provides threat protection. We'll talk about incidents in Microsoft 365 Defender. Then we'll discuss another tool within the suite called Microsoft Defender for Office 365. We'll talk about Microsoft Defender for asia Microsoft Defender Ad Identity Protection for Cloud Apps We'll talk about data loss prevention. And we'll close the section with a discussion in regard to insider risk management in Microsoft 365. Now, let's get into the first lesson where we'll discuss threat protection with Microsoft 365. First and foremost, what exactly are threats? So, threats are potential weaknesses that attackers can use to infiltrate an organization.

Keep in mind that attackers will move across domains. And by domains, I mean things like email, identity endpoints, or applications to find a point of list resistance. Now, in today's defense, we as a security operations team must figure out solutions to protect, detect, and block these threats for each domain separately. So, let's talk about some common threats and some common introductions to thread protection, as you can see here on the slide. First of all, let me tell you that in today's cyber threat environment, security teams are up against a constant flood of incoming threats and risks, of course. But with advanced security analytics, machine learning, and their own intuition, of course, security experts are trying to fight back with agile, adaptable defence systems. Now, just to give you an idea, the average large organisation has to switch about 17,000 malware earnings each week.

So you get around 17,000 malware alerts each week. Nine to nine days are the average amount of time for an organisation to discover a security breach. And bear in mind that it takes less than 48 hours for attackers to have complete control of a network. And it's regardless of what to say about the financial losses because, given the studies, it has been decided that around $4 million is the average cost of a data breach to a company. Again, as you can see in the slides, intelligence matters. Microsoft data comes from lots and lots of sources, and they do ingest lots of logs and signals. So what is "Microsoft 365 Defender"? Well, it is an integrated cross-domain threat protection and response solution. So basically, it provides organisations with the ability to prevent, detect, investigate, and remediate sophisticated cross-domain attacks within their Microsoft 365 environments. And as you can see here from the slide, the Microsoft Physics Five Defender leverages raw signal data from individual service domains like User Identity endpoints, applications, emails, and collaboration tools, normalising the data at the ingestion point. The data is analyzed, and low-level signals, again, that may be otherwise missed, are produced into individual alerts or are correlated into incidents.

This basically gives a complete view of an attack that can be responded to in its entirety. Let's say, of course, it leverages powerful workflows and artificial intelligence to perform auto-healing functions on the affected assets. Assets can be, again, user accounts, mailboxes, endpoints, and so on. Let's now talk about some common threats. So users face multiple threats today, from credential theft to malware to phishing to infrastructure attacks. Examples of credential theft are things like mini cat attacks, password spray attacks, or breach harvesting. Examples of malware are viruses, ransomware, and the likes of that right.Phishing means that, basically, you gain access to a user's computer and credentials, while infrastructure attacks include improperly secured virtual machines and resources in Asia or on premises. Now, the typical attack targets the following and has the following workflow. First of all, the first step would be to do research on a company.

And this can be done using social media, open source intelligence tools, data from previous attacks, and preparing for the attack. Now the second phase, and as you can see, this takes 24 to 48 hours, is the elevation of privilege attacks. And this typically uses not only credential theft but also abuse of administrative or management tools and configuration weaknesses. Finally, attackers will typically be extracting data for illicit purposes and will go undetected for 200 days or more. This is a general observation based on the Microsoft Incident Response Team's experience, which again is similar to what is reported by other organisations in the industry. Precise numbers are difficult to produce, of course, because evidence of the initial attack of the initial patient, let's call him or her patient zero, is frequently lost after such a long period of time.

Now, let's get into our Microsoft three, six, and five and discuss the Microsoft 365 architecture. Basically, Microsoft 365 Defender is made up of these security technologies operating in tandem. So you don't need all of these components to benefit from the capabilities of XDR in Microsoft 365 Defender, but you will realise the gains and the efficiencies through using one or all of these capabilities. So now let's talk about these Microsoft 365 Defender components. So first of all, let me bring up the pen here to just put it on the slide. So first of all, we have Microsoft 365 Defender, which again combines signals from all of the Defender components to provide an extended detection and response (XDR) across all of the domains. This includes a unified incident queue, automated response to stop attacks, self-healing, cross-threat hunting, and threat analytics.

So this is what Microsoft Defender 365 does. Then we have the Microsoft Defender 365 for Office365, and this basically safeguards the organisation against malicious threats posed by email messages, links, URLs within email messages, and collaboration tools like Microsoft Teams. It shares signals resulting from these activities with the Microsoft 365 Defender ExchangeOnline Protection, which is integrated with them to provide basic end-to-end protection for incoming emails and attachments. That's a very important note. Then we have the Microsoft 365 Defender for Identity, and this basically gathers signals from servers running Active Directory Federated Services. So from ADFS servers and on premises (Active Directory, domain controllers, and domain services), Of course. So it uses the signals to protect your hybrid identity environment, including against hackers that use compromised accounts to move laterally across workstations in the on-premises environment. Again, one important note here is that Microsoft Defender for Identity is, let's say, applicable in hybrid environments where you have on-premises Active Directory or ADFS Services as well. Then we have the Microsoft Defender for Endpoint, right? and Microsoft Defender for endpoints. Basically, it gathers signals from all of the devices used by organisations and, of course, protects those devices. So you onboard all of the devices on the organization's workstation servers.

Now, it can also be done with networking devices, and they send signals to Microsoft Defender for Endpoint and get protected by its capabilities. And we'll discuss Microsoft Defender for Endpoint in a separate lesson because it is quite a big topic. Then we have the Microsoft Defender for Cloud Apps. and this one gathers signals from your organization's use of cloud apps and protects data flowing between your environment and these cloud apps, including both sanctioned and unsanctioned cloud apps in your organization. And lastly, we have Azure AD Identity Protection, which basically evaluates risk data from billions of sign-in attempts and uses this data to evaluate the risk of each sign-in in your environment. So this data is used by AJD to allow or prevent account access, depending on how conditional access policies are configured within your environment.

Asia Active Directory Premium P2 licence includes Asia Active Directory Identity Protection, which is licenced separately from Microsoft 365 Defender. So, this is an overview of Microsoft 365 Defender. And now I have provided you with a link to the downloadable resources for this particular lesson. And you will find several of these throughout the course, along with a guided demonstration of Microsoft 365 Defender. So, what is this guided demonstration? Basically, these are some prerecorded interactive clips provided by Microsoft, which give you an overview and, let's say, a virtual environment with Microsoft 365 deployed, but you cannot do actions other than those that are prerecorded within this guided demonstration. I think this is a very good way to familiarize yourself with the portal, with the environment, with the tools, with this guided demonstration, and I hope you enjoy them.

Just to give you a taste of what it looked like, you basically have a link in the downloadable resources, and when you click the link, you will be taken to this particular guided demonstration, which is hosted in Microsoft Crowd. and you click on this. Again, if it is interactive, I will disable the volume. Not to interfere with the recording, but as you can see, you have the portal and you have to click through. For example, it goes to incidents. Then you have to click through again. Click through, click through, and click through again. And you will be taken to basically take a look at an incident, what it looks like, what the alerts are, familiarize yourself with the portal, and so on. I'm not going to go through with this entire guided demonstration, but I strongly encourage you to do so. With that being said, this basically concludes our lesson, and I'm going to see everyone. In the next lesson we will discuss about incidents in Microsoft 365%. These are the steps you can take to investigate an incident. I hope this has been informative for you.

2. Incidents in Microsoft 365 Defender

And welcome back to my course, Microsoft Security Operations Analyst SC 200. Now, we are in the second lesson of the second section in which we are going to discuss incidents in Microsoft 365 Defender. First of all, Microsoft 365 Defender provides, let's say, a purpose-driven user interface to manage and investigate security incidents and alerts, of course, across your Microsoft 365 services. And we will start by talkingabout the Microsoft 365 Defender Portal. Microsoft 365 Defender, again, is a specialised workspace designed to meet the needs of a security team. Now these solutions are integrated across Microsoft 365 Services and provide actionable insights to help reduce risks and safeguard your digital estate. You can investigate alerts that affect your network, understand what they mean, and collate evidence associated with the incidents so that you can basically devise and effectively implement a remediation plan. Now, the home page shows many of the common cards that a security team needs. The composition of these cards and data is dependent on the user's role in the Microsoft 365 services because the Microsoft 365 Defender Portal uses role-based access control. So different roles will see different cards that are more meaningful to their, let's say, day-to-day jobs. Now, let's say, at a glance, this information helps you keep up with the latest activities in your organization.

The Microsoft 365 Defender Portal brings together signals from different sources to present a holistic view of your Microsoft 365 Defender environment. Now, this will include, as you can see here from the slides, the home blade, the incidents, and alerts. Action Center threat analytics; secure score policies and rules; and permissions and rules But it would be better off if we discussed this directly in the portal so I could show you what you can see on each of these tabs or blades, whatever you want to call them. So I am going to go into my Microsoft 365 Security Center. This is a trial tenant, of course, and if you have not created one yet, please go back to the introductory section and watch the videos there, in which I explain and show you step by step how to create a Microsoft 365 trial subscription and an Azure subscription. So we are on the Home tab here, and here we can, let's say, get a glass view of the overall security health of the organization.

Now, going forward on the Incidents and Alerts tab, we can see, let's say, the broader story of an attack by connecting the dots seen on the individual alerts on entities. So you'll know exactly where an attack started, what devices are impacted, and who was affected and where the threat has gone. So basically, if we go to the Alerts tab, we will see we have a lot of alerts here, of course, that were generated by me. So I can show you how to work with them and how to investigate them. And on the Incidents tab, over here we have an incident because I am only using one device that's enrolled. So, in essence, all of these alerts were compiled into an incident. But we'll talk about this a little bit later on. Now, going forward, we have the Action Center.

And here in the Action Center, we basically can reduce the volume of alerts the security team must address manually by allowing the security operations team to focus on more sophisticated threats and other, let's say, high-value initiatives. So here, basically, we will see what actions have been taken in response to alerts and incidents across the environment. So we have no action pending here, but again, we have a separate discussion in regards to the Action Center. Then we have the secured score. Basically, this shows you the overall SecureScore calculated by Microsoft across several domains. Now you can improve the overall security posture with the Security Score. And again, this page provides, let's say, an all-around summary of the different security features and capabilities you have enabled for the tenant. Now, as you can see, I only have apps here because this is a trial tenant. It was just created. There's not much, let's say, data to work with at the moment. So this is what we get for the Secure Score. But don't worry, when you start doing the labs, you will bring more and more data to your trial tenant, and then you will see basically how all other domains are represented here and the overall Secure Score. Then we have things like policies and rules under email and collaboration here. And here you can set up policies to manage devices and protect against threats.

You can receive alerts from these policies about various activities in the organization, like device activities, email and collaboration activities, and so on. And last but not least, we can also find here the Permissions and Rules blade, for example, in which you can basically manage who in your organisation has access to view content and perform tasks in the Microsoft 365 Defender Portal. You can also assign Microsoft 365 permissions in the Azure Ad Portal, and we will have a separate discussion on the Azure Ad Portal going forward. So now let's talk about managing incidents. So again, the cool thing about Microsoft365 Defender is that it provides across domain threat correlation and purpose driven,let's say, portal to investigate threats. Incidents are based on alerts generated when a malicious event or activity is detected in the network. Individual alerts provide valuable clues, let's say, about the ongoing attack. However, the attacks typically employ various vectors and techniques to carry out a breach. An incident is a collection of correlated alerts that make up the story of an attack.

Microsoft 365 Defender automatically aggregates malicious and suspicious events that are found in different devices, users, mailboxes, and other entities in the network. By grouping related alerts into an incident, a Security Defender gains a comprehensive view of an attack. For instance, security defenders can see where the attack started, what tactics were used, and how far the attack has gone into the network. They can also see the scope of the attack, like how many devices, users, or mailboxes were impacted or how severe the impact was, and other details, of course, about the affected entities. Now, if enabled, Microsoft 365 Defender can automatically investigate and resolve the individual alerts through automation and artificial intelligence, so that basically Security defenders can also perform more remediation steps to resolve the attack. From the incident view, Again, the incidents shown on the Incidents page are from the last 30 days in the incident queue.

And from here, security operations engineers or analysts can see which incidents should be prioritised based on risk level and other factors. Now, Microsoft 365 Defender applies correlation analytics and aggregates all the alerts, as I've mentioned, and investigations from the different products into one single incident. It also triggers unique alerts on activities that can only be identified as malicious. Given the end-to-end visibility, let's say, of Microsoft 365 Defender across the entire state and suite of products This view basically gives your security operations the broader attack story, which kind of helps them to better understand and deal with complex threats across the organization. The Incident Queue is shown as a collection of flagged incidents across devices, users, and mailboxes. These are all called entities, and they help you sort through incidents, prioritise them, and create an informed, let's say, cybersecurity decision.

Right? So let's get back to Portland and take a look at this by default, and let me go to the Incidents page because we have an incident here. So by default, the queue in the Microsoft 365 Defender portal displays the incidents from the last 30 days, with the most recent incident being on top of the list so that you can see it first. That can be changed from here, and you can go to one day, three days, one week, 30 days, or the incidents for the past six months. Now, the Incident Skew exposes customizable columns here like the incident name, text severity, and so on, that can give you visibility into different characteristics of an incident. This helps you make an informed decision regarding the prioritization of incidents to handle. Now, for more clarity, automatic incident naming generates incident names based on the alert attributes such as the number of endpoints affected and users affected. Like you see here, this is a multi-stage incident involving one single device and several data sources or categories. So this allows you to quickly understand the scope of the incident. Now we can filter the incident queue by the available filters, and if I just click on filters over here, you will see that we have the available filters as soon as they load up. So first of all, we can filter by the category.

So if I just scroll down a little bit, you will see that these categories basically mean that you can choose categories that you want to focus on specific tactics, techniques, or attack components such as execution, discovery, defense, evasion, and so on. Then you can also filter by the assigned to filter, filter here we go by the incident assignment and this way you can choose to show incidents that are assignedto you or those that are handled by automation, of course, and these would be the unassigned ones. Then you can filter by classification. And if I just scroll down a little bit again, here we find the classification filter, and here you can filter incidents based on the set of classifications of the related alerts. As you can see, the values include true alerts, false alerts, and alerts that were not set by, say, a security operations analyst. Again, you can filter by data sensitivity. You have all these filters here. I encourage you to go through them.

You can filter by vulnerability; you can filter bythe let me scroll up a little bit bythe device group the device is part of. You can filter by the investigation state. You have incidents that are under automated investigation, and you have incidents that are manually investigated. You can filter by categories, which I've already mentioned, by service sources, by data sources, as you can see here, by app governance, MicrosoftDefender, Microsoft Defender for endpoints, from wherever the, let's say, attack originated from, right? Then you can filter by operating system platform, by service sources, by severity, or by status. And again, please go through all of these sets of filters that you can apply to the instance queue on.Now let's talk about previewing incidents. So previewing incidents, when I hover the mouse over here, you see that I have a little circle over here, right? And then you have the "more" arrow and the incident name itself.

Now let's see what each of these does. So selecting the circle basically lets me close the filters. Selecting the circle basically brings up a blade on the right side of the page with, let's say, a preview of the line item of the incident that's been selected via the circle with an option here. If I just scroll down a little bit, you can see all of these overviews, let's say, and you have the option to open the full incident page. Now, if I close this and click on the greater symbol greater arrow here), you will see if there are related records that can be displayed as long as it loads up. Basically, this will display the aggregate arraignments that formed this particular incident. And as you can see here, the automated investigation is running for some of the alerts of the entities that were discovered, while others are not running just yet. Now, the link page will basically let me unexpand this. So the link page will navigate you to the full page of the line item of the incident that you are clicking on. And if I click on this, basically, here is the full page of the incident.

As you can see, we have 116 active alerts on this incident. So managing incidents is critical to ensuring that the threats are contained and addressed. In Microsoft 365 Defender, you have access to managing incidents on devices, users, and mailboxes. So you can manage incidents by selecting an incident from the incidents queue, and you will be taken to this page. You can edit the incident name by clicking here on Manage Incident. You can basically resolve an incident. You can obtain status, classification, or determination from this page over here. If I just scroll down and if I click on Manage Incident, as you can see, you can edit the name, you can assign tags, you can assign the incident to yourself, you can resolve it, and you can set the classification as being false. True or false? Sorry. Now, in cases where you would like to move alerts from one incident to another while investigating, you can also do so. But this is done from the Alerts page, which we'll discuss in a moment. Again, I showed you how to edit the incident name, how to assign the incident—you can basically assign it to yourself over here, and you can see that it's assigned to my admin account—and set the status and classification of the incident. You can also add comments to an incident in case you want to view historical events about the incident, or in case, let's say, multiple security operations engineer work on the same incident. It is clear who did what during that particular incident. And of course, you can also assign tags, as I mentioned, because you might want to implement, let's say, a tagging strategy for your instance in Microsoft Defender 365. Now let's talk about managing and investigating alerts. So alerts are basically the basis of all incidents and indicate the occurrence of a malicious or suspicious event in your environment. Alerts are typically part of a broader attack and provide clues about an incident. Here in Microsoft 365, related alerts are aggregated together to form incidents, and incidents will always provide the broader context of the attack if the alerts are, let's say, relevant to one another.

Now, the alerts queue will show you the current set of alerts. As you can see here, we have many alerts, and you get to the alerts queue by clicking here on Alerts under Incidents and Alerts. Now, alerts from different Microsoft security solutions, like Microsoft Defender for Endpoint and Microsoft Defender for Office 365, which we'll talk about in an upcoming lesson, appear here in the queue, all of them. By default. The alerts queue displays the new and inprogress alerts from the last 30 days. as you can see here. I have set mine to one week, but you can set it to 30 days, six months, and one day or three days exactly like you could on the incidents page. Now you can filter the alerts again, and you can filter the alerts according to several criteria, like the severity, the status of the alert, the category of the alert, the source of the alert, tags if you have tagged the alert by entities, or you can choose to filter by, say, the automated investigation state. You can also filter by the impacted assets. Now, if you return to the alert page and select one of the alerts, say, clicking on the circle displays an overview of the alert.

Then, essentially, if you click on the alert itself, this is the overview. You can open the alert page or you can do several things from here: manage the alert, go and see the alert in the timeline of the machine, and so on. You can do more stuff here. Now, once you selected an entity of interest, let's say an alert, the details page willchange to display information about the selected alert,historic information when it's available and you havethe options again to action this alert basically. Now you can also resolve the alert from here by clicking on the three dots. You can also create a suppression rule, link it to another incident, or consult a threat expert, which we'll talk about in an upcoming topic here in our lesson. Again, by clicking on Manage Alert, you can set the status, set the classification, and add a comment to the alert.

Now, let's talk about investigating the incidents. Investigating the Incident: Let me close this down. Simply returning to my incident and clicking on the title, the overview page provides you with a snapshot of the key insights to notice about the incident itself. Now, the attack categories listed here give you a visual and numerical view of how advanced the attack has progressed against the kill chain. As with other Microsoft security products, Microsoft 365 Defender is aligned with minor attack tactics. Over here you can see it and the scope section givesyou the let's say the scope section gives you a listof the top impacted assets that are part of the incident. If there is a specific information regarding the assetssuch as risk level, investigation priority or tagging, itwill also surface here on the investigation. So, as you can see in the scope part, we only have one impacted device and one impacted user because we only have one single device on board in Microsoft 365 Defender for endpoints in this trial tenant. Now, the alerts timeline, the alerts timeline here providesyou as you can see here below, this isthe alert timeline and this provides you with asneak peek into the chronological order in which thealerts occurred and the reason that this alerts arelinked to this incident. And lastly, the Evidence section provides a summary of how many different artefacts were included in the alert and their remediation status. So you can immediately identify if any action is needed on your end. So if I just go to the evidence over here, you can see that it has found Solar 281 entities. Now, first of all, if we go to the Alerts tab, we can view all of the alerts related to the incident and other information about them, such as the severity of the entities that were involved in the alert, the source of the alerts, and the reason that they were linked together. If we go to the user staff, we can see the users who have been identified to be part of the related incident.

Right-clicking on a username takes you directly to the user page, where further investigation can be conducted. And this page will open in Microsoft Defender for cloud apps, which we are going to talk about in a separate lesson. If we go to Mailboxes again, this basically lets you investigate mailboxes that have been identified as part of the related incident. So to do further investigative work here, you select a mailbox. Of course, there's no mailbox involved here, but you selected a mailbox. And this will open the Microsoft Defender for Office 365, where you can take remediation actions. Again, we'll talk about Microsoft Defender for Office 365 in an upcoming lesson. If we go to the Investigations tab here, we can find and select the investigations to see all the automated investigations triggered by the alerts in this incident. The investigations will perform remediation actions or wait for an analyst to approve these actions, depending on how you have configured or automated investigations to run within Microsoft Defender for Endpoint or Microsoft Defender for Office 365.

Based on the evidence and response here, Microsoft 365 Defender will automatically investigate the incidents, supported events, and suspicious entities in the alerts, providing you with an auto response and information about the important files, processes, services, emails, and more entities that are involved in the alert. As you can see here, we have user activities, files, processes, and one IP address involved. So, as you can imagine, this helps quickly detect and block potential threats in the incident. Each of the analysed entities will be marked with a verdict, being malicious, suspicious, or clean, and the remediation status. Of course. Now we can also use the UnifiedAction Center for Microsoft 365 Defender that basically lists the pending and completed remediation actions for your devices, for your email and collaboration content, and for your identity. And all of these are in one location, which is over here, called the Action Center.

Now, the Action Center consists of pending and historical items. So we are on the Pending tab at the moment, and this displays a list of ongoing investigations that require your attention. We have none. Of course, the suggested actions are basically things that your security operations team can approve, apologise for, or reject. The Pending tab appears only if there are pending investigations to be approved or rejected, of course. And as you can see, we don't have any here. On the other hand, on the History tab, we have an audit log of all the following items: remediation actions that were taken as a result of an automated investigation, remediation actions that were approved by your security operations team, commands that were run, and remediation actions that were applied in live response sessions—and we'll talk about that a little bit later. and remediation actions that were applied to Microsoft Defender Antivirus. So, as you can see here, we have lots and lots of actions. These ones were approved, and most of the remediation actions, as you can see here, were to quarantine the file involved in the alert. Now, when an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be malicious, suspicious, or not transformed, depending, of course, on the type of threat, the resulting verdict, or how your organization's device groups are configured. The remediation actions can occur automatically or only upon approval by your organisation's security operations team. Basically, you have to review the pending actions on the Pending tab, but we have none over here, again, as I've mentioned, and you can select any item on the Pending tab. You can approve it or reject it. Now, upon completing the remediation action, you can review that on the History tab, and you can select an item, of course.

And let me select one item over here. Let's say this file, for example, and this will bring us an overview here on the right side of what exactly happened. Now, if upon review of a file thathas been quarantined, for example, right, you canactually undo the action directly from here. So you click the undo button, and this file will be removed from the quarantine on the affected device. But again, that shouldn't be a recommended option if the file is indeed deemed to be malicious by Microsoft 365 Defender. So, that being said, let's now talk about performing advanced hunting. So, advanced hunting Advanced Hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. With Advanced Hunting, you can proactively inspect events in your network to locate threat indicators and entities with Advanced Hunting.

Now, flexible access to data enables unconstrained hunting for both known and potential threats. Advanced hunting data can be categorised into two distinct types, each consolidated differently. Let's see, right? So the first one, and let me bring up my pen, is event or activity data. Right? This basically populates tables about alerts, security events, system events, and routine assessments. Advanced Hunting receives data almost immediately after the sensors start to collect data from the machines that are onboarded within Microsoft Defender for Endpoint and successfully transmit the data to the Defender for Endpoint portal. The other type is entity data, and here entity data basically populates tables with consolidated information about users and devices.

This data comes from both relatively static data sources and dynamic data sources such as ActiveDirectory entries, event logs, or Asia ActiveDirectory entries and event logs. to provide fresh data. Tables are updated with any new information every 15 minutes, adding roles that might not be fully populated. So every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity. Now, let's talk about the data scheme. Now, this is the data schema from Microsoft Defender for Endpoint. So the following here refers to and lists all the tables in the Advanced Hunting schema. By the way, Advanced Hunting uses a query language called Crystal Query Language), which we kind of have a separate section just about, so we'll get into more details when we get to that section.

So here is the schema. Basically, these are the tables available for you to query in Advanced Hunting in Microsoft 365 Defender. So we have the device alerts first of all, and these are alerts on the Microsoft 365 Defender portal. We have Device info and this isdevice information, including operating system information andother info about the device. We have device network info, and here it stores data about the network properties of the device, including adapters, IP addresses, Mac addresses, as well as connected networks and domains. Then we have Device Process Events here, and this contains data about process creation and related events. Device Network Events, as the name implies, contain data about network connections and related events. File Creation:

This section includes file creation, modification, and other file system events. Then you have the creation and modification of device registries. Of course, this section contains device Log On Events, which essentially contain data about finances and other authentication events. Device Image Load Events this one dealswith DLL loading events for example. Then we have a more broader,let's say, table called Device Events. And here we can find multiple event types, including events triggered by security controls such as Microsoft Defender antivirus and Exploit Protection. We also have a table that deals with data about the certificates on the device certificate and information on signed files obtained from the certificate verification events on the end point. Then there's the Device TVM software. Inventory and Vulnerabilities Here we have an inventory of the software on the devices and any known vulnerabilities in these software products. Then we have the TVM software vulnerabilities. KB Knowledge Base, right? And this is essentially a repository of publicly disclosed vulnerabilities, including whether or not exploit code is publicly available. And the last two deal with threatened vulnerability management, assessment events, and a knowledge base of various security configurations used by threat and vulnerability management to assess devices, including of course the mapping of various standards and benchmarks.

Now, we also have another part of advanced hunting called custom detections. And for custom detections, basically, let me just quickly change up the slides. With Custom Detection, you can proactively monitor for and respond to various events and system states, including suspected breach activities, misconfigured devices, and such. You can do this with customizable detection rules that automatically trigger alerts and response actions. Custom deductions work with advanced hunting, which provides a powerful and flexible query language (KQL) that covers a broad set of event and system information from your network. You can set them to run at regular intervals. With these custom detection rules, you can generate alerts and also take response actions whenever there are any matches to your queries.

So the customer detection rules in a nutshell provide alerts for rule-based detections built from advanced hunting queries and automatic response actions that apply to files and devices. So now let's get into the portal and let's see what we were talking about. So here we go to advanced hunting. Basically we can find advanced hunting over here under the hunting blade in the portal and if we expand that we have advanced Hunting, the advanced hunting blade where we can create query and we have predefined queries that look for specific events within your network and we'll talk about that in the next topic. And we also have the custom detection rules. And here on the custom detection rules again, we can see that we have none at the moment. But we will create one just now we can see our custom detection rules. So let me get back to advanced hunting and basically show you the steps to creating a detection rule.

So first of all you need to prepare the query. So we go here to advanced hunting and when using new query we click the run query to identify any errors possible in our query and so on. So let me just copy and paste a query over here. Here we go. So what this does is basically look at device events, and we are performing a filter. As you can see we are performing a filter of time. So when the device looks into the device event table where the event is less than seven days ago and the action type is a block by the antivirus detection engine, right and I'll explain the other operators shortly in an upcoming topic. Now we run the query right first of all just to see that we don't have any errors. So we have identified a resolve for our query and now we are ready to create our detection rule, our custom detection rule. So we click on the button over here to create a new detection rule. Of course we are going to give this a name. We'll call this test detection rule. We are going to give it a frequency that we want this rule to run, this basically query that we've just run. So let's say we want to run it every 12 hours. We also need

to provide an alert title, right? Because this rule, if it finds any results, If it gets any matches like we just did with that single device, it will generate an alert. So let's also call this a test alert. We set the severity of the alert. We will set this to medium. We set the category of the alert based on the minor attack framework categories, and we will say that this will be an initial access. Let's say, right, you can choose whatever one you like. Then we give a description. So that description, of course, is whatever you want; it really doesn't matter because it's just a test rule. And you can also leave a set of recommended actions for the security operations team when they encounter this alert, so they know what to do. So let's click on "next," and then we'll identify the affected assets in the query results. And these will be devices because they will look like devices.

And then we need to specify the column that contains the device ID. And we have only one option here in our case, the device ID column. Then we go to Actions so we can choose an applicable action to take on entities found by this query whenever an alert fires up. So, as you can see, we have users, but we don't have any user results in our query. We have also got files that we could allow or block, quarantine the files, and in our case, we have our device over here, so we can set the following actions: isolate the device. This basically cuts off the internet connection on the device. We can collect an investigation package, run an antivirus scan, initiate an investigation, or restrict application execution across the device. So we will stick with initiating an investigation-hour case here and click on "next." We will be presented with a summary of our detection rule, of our custom detection rule.

And then we can just click on submit, and this will create the detection rule. And in a moment, we will go to the detection rules over here. And let me just look, and we should be able to see our rule. Again, you can create these rules on your own based on queries. There are lots and lots of query examples in Microsoft 365 Defender's GitHub repository, for which you will have a link in the downloadable resources for this lesson. So again, I encourage you to go get some queries from Microsoft Defender's 365GitHub repository and test them here. Create your own detection rules. Okay, now let's talk about the advanced hunt. So, advanced hunting, again, this was just detection rules. Advanced hunting within the 365 Defender again allows you to hunt for possible threats across your entire organization. To investigate the advanced hunting queries, we will essentially arrive at the portal's advanced hunting section. And again, we have our query here.

Let me just delete this. But first, let me try to explain the advanced hunting query operators, because there are some operators in the Cousteau query language that you should be aware of, even though we will go over them in more detail in a later section. And lesson because we have a separate, I believe two or three lessons just for crystal query language. Now the available operators in Advanced Hunting in Microsoft Defender 365 for the queries that we use in Advanced Hunting are the following: where this will basically filter a table to the subset of rows that satisfy the predicate. Then you have summed this up, which basically summarizes the results produced by the query and outputs them in a table. The join is used when you want to combine data from two tables. Then you have to count when you want to return only the number of results.

Then you have top, and this basically returns the first N records, as it says here, and N can be a number specified by you. Then you have the limit, and with this, you limit the number of results that are basically returned. You have projected that with this operator, you can select only specific columns that you want returned in your results. You have extended, and this basically extends the columns and looks into a result set because you might have columns that contain a result that contains itself another set of results. When you extend that column, you get into that set of results, and you can choose whatever you want from that to be returned. This returns the dynamic JSON, as it says here, an array of a set of distinct values, and you have the fine operator, which basically finds rows that match the keyword given by you across a set of tables or all the tables. I left the explanations here in the slideshow so you can have them at hand. So now let's get back to the portal, and let's take a look at an advanced hunting query. So, for example, let's take this query: we click here on Queries, and you can see that you have community queries suggested queries, as well as community queries you can run against your network. So let's take partial downloads as an example because I know for sure that there is such an event on my test device that's on board here in Microsoft Defender 365. So, by clicking on these three dots over here, we can choose Open the query in the editor.

Now first of all, let me just maximize this a little bit. So we have all the query here in the query editor, and first of all, let's see what we are doing exactly in this query. First of all, we filter the events to show only what's relevant to us. So we're filtering events from the previous seven days here. Then we are also filtering on the file name column to contain only instances of PowerShell XE, right? Because we are interested in what the query describes over here, it finds PowerShell execution events that could involve a download. So in the file name, we are interested only in PowerShell exe, right? Then we filter on the process command line, and if the file name is PowerShell, we filter on the process command line. The actual command that was run contains these expressions: net web client, download file, invoke web, request, invoke shellcode, because all of these basically involve a download, and then at the end we project. So we are interested in only these columns as results, right?

And, of course, we want the first 100 events to be ordered by timestamp and time of occurrence. So if I just run this query, you can see that we got our device over here, the device name, and exactly these columns that we wanted to project, right? So timestamp, device name, initiating process filename, and the actual command line that was used in the download process, right? So this is how you perform advanced hunting. You can create another type of detection rule, a custom detection rule. You can run any other queries or community queries from this advanced hunting query. As you can see, you have lots and lots of queries that you can run.

I encourage you to test several of these or all of these if you have the time and can see what results they produce. You can see what kind of queries you can run within your organization. And this, too, is a proactive task. So for these queries, you should select a set of queries that interest you, and you should perform advanced hunting queries regularly to possibly detect threats within your organization that you were not aware of. And now for the last topic over here in the lesson, let's talk about consulting a Microsoft Threat Expert. And let me get to the slide. Here we go. So Microsoft's threat experts Targeted attack notification is a managed threat hunting service, right? Once you apply and are accepted, you will receive targeted attack notifications from Microsoft Threat Experts, so you won't miss any critical threats within your environment.

Now these notifications will help you protect your organization's endpoints, email, and identities. Microsoft Threat Experts Basically, there's another service called Microsoft Threat Experts, experts on demand, that lets you get expert advice about threats in your organization that you are facing. You can reach out for help on threats in your organization, and it is available as a subscription service. Now let's talk about the targeted attack notification. So Microsoft Threat Experts provide proactive hunting, as I mentioned, for the most important threats in your network, including human adversary intrusions, hands-on and keyboard attacks, and advanced attacks like cyber espionage. And the managed hunting service also includes all of these bullet points that I've mentioned here. I'm not going to go through all of them. So threat monitoring and analysis, hunter-trained artificial intelligence, identifying the most important risks and the scope of compromise, and much more Now collaborate with Experts on Demand; that's another feature of Microsoft 365 Defender.

So customers can actually engage Microsoft security experts directly from within the Microsoft Defender Portal for a timely and accurate response. Now, experts, these experts provide insights needed to better understand the complex threats affecting your organization from alert inquiries, potentially compromised devices, root cause of a suspicious network connection, or stuff like threat intelligence regarding an ongoing advanced persistent threat. Now, with this capability, basically you can get more clarification on alerts, you can gain clarity into suspicious device behavior, you can determine risk and protection, and you can seamlessly transition to Microsoft Incident Response or other third party incident response services when necessary. Now again, in the portal you have the option to consult a threat expert.

And this is available in several places in the portal, so you can engage with the experts in the context of your investigation. Let me get back to the portal and show you what I'm talking about. But we already talked about this. For example, if I go to incidents, as you can see, an automated investigation has started. We also have our test alert that's fired up because the analytics rule fired up. And here, if we open the incident page, let's see, you have a button over here called Consult a Threat Expert. Now, as soon as you do that, you get access to help and support from threat expert from Microsoft, as I've mentioned before. Now, this concludes our discussion about Microsoft Defender 365 incidents. I will see you in the next lesson where we will discuss about remediating risks with Microsoft 365 Defender. It is three six for officers.

3. Remediate risks with Microsoft Defender for O365

And welcome back to my course, Microsoft Security Operations Analyst SC 200. Now, in this lesson, we are going to discuss remediating risks with Microsoft 365 Defender for Office 365. Of course. First of all, let's get into a little bit of an overview of what Microsoft Defender for Office 365 is. So, Microsoft Defender for Office 365 is Microsoft Defender, a cloud-based email filtering service that helps you protect the organization against unknown malware or viruses by providing zero-day protection. So it includes features to safeguard the organization from harmful links in real time. For example, it also has reach reporting and URL trace capabilities that give administrators insights into the kind of attacks happening within the organization itself.

So I just wanted to highlight the four main benefits of Microsoft Defender for Office 365. The first one would be industry-leading protection. So here you can think about what Microsoft Defender for Office 365 leverages, taking into consideration the fact that many organizations and many homeusers use Microsoft Office 365. And Microsoft Defender for Office 365 basically gathers signals across all of those users and organisations who are using the service. So, just some numbers to get you going: Let's say it has around 6.5 trillion signals daily from email alone. And of course, you can imagine that it quickly and accurately detects threats and protects users against sophisticated attacks such as zero-day malware. Other numbers would be that, according to a report dating back to 2018, Microsoft Defender for Office 365 was blocking around 5 billion spam emails and analysing over 300,000 phishing campaigns, again in 2018 alone, protecting 4 million unique users from advanced threats.

Another benefit would be actionable insights. And actionable insights are presented to security administrators by actually correlating signals from a broad range of data to help identify, prioritize, and provide recommendations on how to address those potential problems. Now, these recommendations include remediation actions, empowering, of course, security operations, MLS, or administrators to proactively secure their organization, and then you have a very important de-automated response. So investigation and remediation in post-breach scenarios can be sometimes difficult, sometimes expensive, sometimes time-consuming, or all of those at once, right? So most organisations lack the expertise or the resources that are needed for rapid investigation and effective remediation. Microsoft Defender for Office 365 basically provides advanced automated response options that security operators can leverage, saving significant time, money, and resources. And then there's the training and awareness piece. And here, basically, you can think of, for example, social engineering. The tax such as phishing often look very legitimate and arehard to spot for the day to day user, right? So it's kind of critical for an organisation to train the end users to make the right decisions in the event of an attack.

So in production, notifications will help your users understand the risks of performing an action such as clicking on a suspicious link. Features such as the Attack Simulator also help administrators to launch realistic threat simulations so they can train their users to be more aware, or, let's say, more vigilant. Now let's look into the automation, investigation, and response capabilities. When it comes to investigating a potential cyber attack, time is of the essence. The sooner you identify and mitigate threats, the better off the organisation will be. Of course, automated investigation and response, or AI, as it is often abbreviated, include a set of security playbooks that can be launched automatically, such as when an alert is triggered, or manually if you want, such as from the Explorer view in Microsoft Defender for Office 365. Again, automated investigation and response can save your security operations team time and effort while effectively and efficiently mitigating threats. So here's how our workflow looks for AI Air for automated investigation and response. Usually I'm not going to go through this too much, but usually, first of all, an alert gets sent, right? So an alert is triggered, and then automatically, depending on the type of alert or the settings in your organization, the security playbook triggers as well. And an automated investigation begins immediately, right? While the automated investigation, of course, runs and scopes the attack, it also brings in additional alerts if they are triggered. For example, if an email is received by several users, they start clicking on stuff over there. So initially, it starts investigating one alert for one email received by the user. But as soon as other alerts trigger and are related to the initial investigation, they will be added to the scope of the initial investigation. Then, of course, you get results, you get automatic actions that can be taken, and of course, the actions will be available for you, basically, as a security operations engineer, to review and approve the remediation action or deny the remediation action, right? So this is the usual, let's say, workflow for an automated investigation and response.

So now, just as an example, let's start here with a screenshot of an alert that, let's say, was generated by a Defender for Office 365. So these alerts are typically investigated manually, right? So this is where automated investigation response comes in. Because attackers frequently send URLs through emails to avoid detection by security solutions, they weaponize them after delivery to launch their attack. So if you notice here in the following screenshot that the alert identifies a URL that was recently weaponized and was detected by Microsoft Defender for Office Three, Six, and Five through the Safe Links feature, and you can see this in the details here over to the right of the preview pane, Right now, Microsoft Defender for Office365 automatically triggers an Air playbook based on this alert and resolves the alert once the automatic investigation is finished. and I will change the slide in a moment.

Here we go. So clicking on the investigation in the investigation diploma from the alert itself brings up the Office 365 Threat Intelligence Summary Investigation Graph. This is what it's called. So this graph shows all the different entities, emails, users, and their activities that were applicable, as well as devices that have been automatically investigated as part of the triggered alert. So specifically, we can note here on this investigation graph that again, several emails were identified as being relevant to this investigation. And we can see that over here, right? And of course, based on the sender, IP domain, URL, or other email attributes, a subset of them were identified as being maliciously sent from an internal user in the organization, which itself is a strong indicator of a compromised user. And as you can see here, six of these are deemed to be phishing emails. Now, when you pivot on this investigation, you can also identify that there were anomalies detected for one specific user. And, of course, again, there have been five users investigated, but one of them was found to have malicious or suspicious logins, as you can see over here. This investigation, of course, identifies user anomalies and compromised device threats with these compromised users (sorry, "users"). Of course, when Microsoft Defender Four detects a compromise, Office365 also takes some auto-remediation actions, such as blocking the URL, deleting any emails from the related mailboxes, and triggering Azure Active Directory workflows to reset the password for that particular compromised user or challenge that user for MSA. Now, automated Investigation and Response for Office 365 in Defender for Office 365 includes certain remediation actions.

So whenever an automated investigation is running or has completed, you will typically see one or more remediation actions that will require approval by your security operations team or the administrator that's dealing with this particular tool. and social remediation actions would include the following criteria: You can soft delete email messages or clusters, you can block URLs, you can turn off external mail forwarding, or you can turn off delegation. Right. So this action can be found here on the Action tab under the selected investigation, as you can see here in this particular screenshot. Now, to better understand and familiarise yourself with Microsoft Defender for Office 365 and how you would investigate a particular incident, you will have a link in the downloadable resources for this lesson that will take you to a guided demonstration for Defender for Office 365. Again, as I mentioned earlier in the section, this guided demonstration is actually an interactive demonstration, or should I say an interactive guide, that is available on Microsoft's TechNet community and that I believe is very, very good at helping you understand and become familiar with the product. It will take you through an investigation of an incident and an investigation graph. You will have to dismiss some alerts, of course, interactively because you just point and click, but you also have a narrative along the way that will basically explain all the actions that are taken in the portal. So I strongly recommend you do this. It takes about 2025 minutes to complete this interactive guide, but it's very beneficial for you to familiarise yourself with the product.

Now, after you've gone through the interactive guide, let's talk about the simulated attacks. So the simulated attacks include, let's say, best-of-class threat investigation and response tools that enable you as a security analyst to work with a security operations team to anticipate, understand, and prevent malicious attacks. Assume you currently have Threat Trackers. First of all, here we go. And these basically provide the latest intelligence on prevailing cybersecurity issues. For example, you can view information about the latest malware and take countermeasures before it poses an actual trap to your particular organization. Available trackers include noteworthy trackers, trending trackers, tracked queries, and saved queries. Then you have the threat explorer. And this is a very, very useful tool. You can also call it, as you can see here, "realtime detections." So Explorer is a real-time report that basically allows you to identify and analyse recent threats. You can configure Explorer to show data for, let's say, customer periods, or for any kind of particular period, or for periods of one month, the last 30 days, and so on.

You can customise it however you want. And I was going to show you the Explorer in the portal itself, but unfortunately, as you can imagine, we have absolutely no emails flowing through this trial talent, which I'm using for demonstration purposes. So if I go to explore over here, of course this is where you access it from. But, sorry, you will have no data available because we haven't basically flown any emails through this tenant. It only has one mailbox, and that is for the admin account that I've created. But you will find lots of information in the interactive guide. Let's get back to our slide over here. Then we have the attack simulator, right? and the attack simulator. Essentially, this allows you to run realistic attack scenarios in your organisation to identify vulnerabilities. So simulations of current types of attacks are available, including spear phishing, credential harvesting, attachment attacks, password spraying, and brute force password attacks. Getting back a little bit to the Explorer again, here we have a screenshot of an Explorer page that actually has some data on it. So basically, again, it enables you to begin delving into granular data for your organisation before you are first shown a variety of threat families impacting the organisation over time. And additionally, you are shown the top threats and top targeted users inside the organization. You can also change, of course, the category for the graph. In this case, the malware family is shown, but you can filter Threat Explorer from over here.

This is the category. Let me just circle it. Okay, you can click on this drop-down menu over here and you can change this to anything that you might want to see here, like a category would be "all email" and you would be able to filter for any kind of email on the subject, on the sender, on the date, and every other filter that you can think of. Now this option again includes sender, email, recipient email, and even the detection technology that was used to actually stop a threat. The Explorer also allows a deeper look into a threat, beginning with a thorough description of the Mauer family's behavior. It also provides a definition of the threat, the message, traces of the emails delivering that threat, technical details of the threat, global details of the threat, and advanced analysis. On the users tab once more. If you go to the user tab, you can see each instance where a user in the organisation received an attachment containing malware or any other type of threat. Now if a user had actually received and opened an email, that would also appear under the status, enabling you to basically reach out to the user and take the appropriate mediation actions, such as scanning their device. But you can also, of course, delete the email directly from the portal. Now that being said, this concludes our discussion about mitigating risks with Microsoft Defender for Office 365. I am going to see everyone in the next lesson, where we'll discuss yet another very cool and interesting tool in the security stack, Microsoft Defender for identity. Until then, I hope this has been informative for you, and thank you for watching.

3. Remediate risks with Microsoft Defender for O365

And welcome back to my course, Microsoft Security Operations Analyst SC 200. Now, in this lesson, we are going to discuss remediating risks with Microsoft 365 Defender for Office 365. Of course. First of all, let's get into a little bit of an overview of what Microsoft Defender for Office 365 is. So, Microsoft Defender for Office 365 is Microsoft Defender, a cloud-based email filtering service that helps you protect the organisation against unknown malware or viruses by providing zero-day protection. So it includes features to safeguard theorganization from harmful links in real time. For example, it also has reach reporting and URL trace capabilities that give administrators insights into the kind of attacks happening within the organisation itself. So I just wanted to highlight the four main benefits of Microsoft Defender for Office 365. The first one would be industry-leading protection. So here you can think about what Microsoft Defender for Office 365 leverages, taking into consideration the fact that many organisations and many homeusers use Microsoft Office 365.

And Microsoft Defender for Office 365 basically gathers signals across all of those users and organisations who are using the service. So, just some numbers to get you going: Let's say it has around 6.5 trillion signals daily from email alone. And of course, you can imagine that it quickly and accurately detects threats and protects users against sophisticated attacks such as zero-day malware. Other numbers would be that, according to a report dating back to 2018, Microsoft Defender for Office 365 was blocking around 5 billion spam emails and analysing over 300,000 phishing campaigns, again in 2018 alone, protecting 4 million unique users from advanced threats. Another benefit would be actionable insights. And actionable insights are presented to security administrators by actually correlating signals from a broad range of data to help identify, prioritize, and provide recommendations on how to address those potential problems.

Now, these recommendations include remediation actions, empowering, of course, security operations, MLS, or administrators to proactively secure their organization, and then you have a very important de-automated response. So investigation and remediation in post-breach scenarios can be sometimes difficult, sometimes expensive, sometimes time-consuming, or all of those at once, right? So most organisations lack the expertise or the resources that are needed for rapid investigation and effective remediation. Microsoft Defender for Office 365 basically provides advanced automated response options that security operators can leverage, saving significant time, money, and resources. And then there's the training and awareness piece. And here, basically, you can think of, for example, social engineering. The tax such as phishing often look very legitimate and arehard to spot for the day to day user, right? So it's kind of critical for an organisation to train the end users to make the right decisions in the event of an attack.

So in production, notifications will help your users understand the risks of performing an action such as clicking on a suspicious link. Features such as the Attack Simulator also help administrators to launch realistic threat simulations so they can train their users to be more aware, or, let's say, more vigilant. Now let's look into the automation, investigation, and response capabilities. When it comes to investigating a potential cyber attack, time is of the essence. The sooner you identify and mitigate threats, the better off the organisation will be. Of course, automated investigation and response, or AI, as it is often abbreviated, include a set of security playbooks that can be launched automatically, such as when an alert is triggered, or manually if you want, such as from the Explorer view in Microsoft Defender for Office 365.

Again, automated investigation and response can save your security operations team time and effort while effectively and efficiently mitigating threats. So here's how our workflow looks for AI Air for automated investigation and response. Usually I'm not going to go through this too much, but usually, first of all, an alert gets sent, right? So an alert is triggered, and then automatically, depending on the type of alert or the settings in your organization, the security playbook triggers as well. And an automated investigation begins immediately, right? While the automated investigation, of course, runs and scopes the attack, it also brings in additional alerts if they are triggered. For example, if an email is received by several users, they start clicking on stuff over there. So initially, it starts investigating one alert for one email received by the user. But as soon as other alerts trigger and are related to the initial investigation, they will be added to the scope of the initial investigation. Then, of course, you get results, you get automatic actions that can be taken, and of course, the actions will be available for you, basically, as a security operations engineer, to review and approve the remediation action or deny the remediation action, right?

So this is the usual, let's say, workflow for an automated investigation and response. So now, just as an example, let's start here with a screenshot of an alert that, let's say, was generated by a Defender for Office 365. So these alerts are typically investigated manually, right? So this is where automated investigation response comes in. Because attackers frequently send URLs through emails to avoid detection by security solutions, they weaponize them after delivery to launch their attack. So if you notice here in the following screenshot that the alert identifies a URL that was recently weaponized and was detected by Microsoft Defender for Office Three, Six, and Five through the Safe Links feature, and you can see this in the details here over to the right of the preview pane, Right now, Microsoft Defender for Office365 automatically triggers an Air playbook based on this alert and resolves the alert once the automatic investigation is finished. and I will change the slide in a moment. Here we go. So clicking on the investigation in the investigation diploma from the alert itself brings up the Office 365 Threat Intelligence Summary Investigation Graph.

This is what it's called. So this graph shows all the different entities, emails, users, and their activities that were applicable, as well as devices that have been automatically investigated as part of the triggered alert. So specifically, we can note here on this investigation graph that again, several emails were identified as being relevant to this investigation. And we can see that over here, right? And of course, based on the sender, IP domain, URL, or other email attributes, a subset of them were identified as being maliciously sent from an internal user in the organization, which itself is a strong indicator of a compromised user. And as you can see here, six of these are deemed to be phishing emails. Now, when you pivot on this investigation, you can also identify that there were anomalies detected for one specific user.

And, of course, again, there have been five users investigated, but one of them was found to have malicious or suspicious logins, as you can see over here. This investigation, of course, identifies user anomalies and compromised device threats with these compromised users (sorry, "users"). Of course, when Microsoft Defender Four detects a compromise, Office365 also takes some auto-remediation actions, such as blocking the URL, deleting any emails from the related mailboxes, and triggering Azure Active Directory workflows to reset the password for that particular compromised user or challenge that user for MSA. Now, automated Investigation and Response for Office 365 in Defender for Office 365 includes certain remediation actions. So whenever an automated investigation is running or has completed, you will typically see one or more remediation actions that will require approval by your security operations team or the administrator that's dealing with this particular tool. and social remediation actions would include the following criteria: You can soft delete email messages or clusters, you can block URLs, you can turn off external mail forwarding, or you can turn off delegation. Right. So this action can be found here on the Action tab under the selected investigation, as you can see here in this particular screenshot. Now, to better understand and familiarise yourself with Microsoft Defender for Office 365 and how you would investigate a particular incident, you will have a link in the downloadable resources for this lesson that will take you to a guided demonstration for Defender for Office 365. Again, as I mentioned earlier in the section, this guided demonstration is actually an interactive demonstration, or should I say an interactive guide, that is available on Microsoft's TechNet community and that I believe is very, very good at helping you understand and become familiar with the product. It will take you through an investigation of an incident and an investigation graph.

You will have to dismiss some alerts, of course, interactively because you just point and click, but you also have a narrative along the way that will basically explain all the actions that are taken in the portal. So I strongly recommend you do this. It takes about 2025 minutes to complete this interactive guide, but it's very beneficial for you to familiarise yourself with the product. Now, after you've gone through the interactive guide, let's talk about the simulated attacks. So the simulated attacks include, let's say, best-of-class threat investigation and response tools that enable you as a security analyst to work with a security operations team to anticipate, understand, and prevent malicious attacks. Assume you currently have Threat Trackers. First of all, here we go. And these basically provide the latest intelligence on prevailing cybersecurity issues.

For example, you can view information about the latest malware and take countermeasures before it poses an actual trap to your particular organization. Available trackers include noteworthy trackers, trending trackers, tracked queries, and saved queries. Then you have the threat explorer. And this is a very, very useful tool. You can also call it, as you can see here, "realtime detections." So Explorer is a real-time report that basically allows you to identify and analyse recent threats. You can configure Explorer to show data for, let's say, customer periods, or for any kind of particular period, or for periods of one month, the last 30 days, and so on. You can customise it however you want.

And I was going to show you the Explorer in the portal itself, but unfortunately, as you can imagine, we have absolutely no emails flowing through this trial talent, which I'm using for demonstration purposes. So if I go to explore over here, of course this is where you access it from. But, sorry, you will have no data available because we haven't basically flown any emails through this tenant. It only has one mailbox, and that is for the admin account that I've created. But you will find lots of information in the interactive guide. Let's get back to our slide over here. Then we have the attack simulator, right? and the attack simulator. Essentially, this allows you to run realistic attack scenarios in your organisation to identify vulnerabilities.

So simulations of current types of attacks are available, including spear phishing, credential harvesting, attachment attacks, password spraying, and brute force password attacks. Getting back a little bit to the Explorer again, here we have a screenshot of an Explorer page that actually has some data on it. So basically, again, it enables you to begin delving into granular data for your organisation before you are first shown a variety of threat families impacting the organisation over time. And additionally, you are shown the top threats and top targeted users inside the organization. You can also change, of course, the category for the graph. In this case, the malware family is shown, but you can filter Threat Explorer from over here. This is the category. Let me just circle it. Okay, you can click on this drop-down menu over here and you can change this to anything that you might want to see here, like a category would be "all email" and you would be able to filter for any kind of email on the subject, on the sender, on the date, and every other filter that you can think of. Now this option again includes sender, email, recipient email, and even the detection technology that was used to actually stop a threat. The Explorer also allows a deeper look into a threat, beginning with a thorough description of the Mauer family's behavior. It also provides a definition of the threat, the message, traces of the emails delivering that threat, technical details of the threat, global details of the threat, and advanced analysis. On the users tab once more.

If you go to the user tab, you can see each instance where a user in the organisation received an attachment containing malware or any other type of threat. Now if a user had actually received and opened an email, that would also appear under the status, enabling you to basically reach out to the user and take the appropriate mediation actions, such as scanning their device. But you can also, of course, delete the email directly from the portal. Now that being said, this concludes our discussion about mitigating risks with Microsoft Defender for Office 365. I am going to see everyone in the next lesson, where we'll discuss yet another very cool and interesting tool in the security stack, Microsoft Defender for identity. Until then, I hope this has been informative for you, and thank you for watching.

4. Microsoft Defender for Identity

And welcome back to my course, Microsoft Security Operations Analyst SC 200. Now, in this lesson, we are going to discuss remediating risks with Microsoft 365 Defender for Office 365. Of course. First of all, let's get into a little bit of an overview of what Microsoft Defender for Office 365 is. So, Microsoft Defender for Office 365 is Microsoft Defender, a cloud-based email filtering service that helps you protect the organisation against unknown malware or viruses by providing zero-day protection. So it includes features to safeguard the organisation from harmful links in real time. For example, it also has reach reporting and URL trace capabilities that give administrators insights into the kind of attacks happening within the organisation itself. So I just wanted to highlight the four main benefits of Microsoft Defender for Office 365. The first one would be industry-leading protection. So here you can think about what Microsoft Defender for Office 365 leverages, taking into consideration the fact that many organisations and many home users use Microsoft Office 365.

And Microsoft Defender for Office 365 basically gathers signals across all of those users and organisations who are using the service. So, just some numbers to get you going: Let's say it has around 6.5 trillion signals per day from email alone. And of course, you can imagine that it quickly and accurately detects threats and protects users against sophisticated attacks such as zero-day malware. Other numbers would be that, according to a report dating back to 2018, Microsoft Defender for Office 365 was blocking around 5 billion spam emails and analysing over 300,000 phishing campaigns, again in 2018 alone, protecting 4 million unique users from advanced threats. Another benefit would be actionable insights. And actionable insights are presented to security administrators by actually correlating signals from a broad range of data to help identify, prioritize, and provide recommendations on how to address those potential problems.

Now, these recommendations include remediation actions, empowering, of course, security operations, MLS, or administrators to proactively secure their organization, and then you have a very important de-automated response. So investigation and remediation in post-breach scenarios can be sometimes difficult, sometimes expensive, sometimes time-consuming, or all of those things at once, right? So most organisations lack the expertise or the resources that are needed for rapid investigation and effective remediation. Microsoft Defender for Office 365 basically provides advanced automated response options that security operators can leverage, saving significant time, money, and resources. And then there's the training and awareness piece. And here, basically, you can think of, for example, social engineering. The tax such as phishing often look very legitimate and arehard to spot for the day to day user, right? So it's kind of critical for an organisation to train the end users to make the right decisions in the event of an attack. So in production, notifications will help your users understand the risks of performing an action such as clicking on a suspicious link. Features such as the Attack Simulator also help administrators to launch realistic threat simulations so they can train their users to be more aware, or, let's say, more vigilant. Now let's look into the automation, investigation, and response capabilities. When it comes to investigating a potential cyber-attack, time is of the essence. The sooner you identify and mitigate threats, the better off the organisation will be. Of course, automated investigation and response, or AI, as it is often abbreviated, include a set of security playbooks that can be launched automatically, such as when an alert is triggered, or manually if you want, such as from the Explorer view in Microsoft Defender for Office 365.

Again, automated investigation and response can save your security operations team time and effort while effectively and efficiently mitigating threats. So here's how our workflow looks for AI Air for automated investigation and response. Usually I'm not going to go through this too much, but usually, first of all, an alert gets sent, right? So an alert is triggered, and then automatically, depending on the type of alert or the settings in your organization, the security playbook triggers as well. And an automated investigation begins immediately, right? While the automated investigation, of course, runs and scopes the attack, it also brings in additional alerts if they are triggered. For example, if an email is received by several users, they start clicking on stuff over there. So initially, it starts investigating one alert per email received by the user.

But as soon as other alerts trigger and are related to the initial investigation, they will be added to the scope of the initial investigation. Then, of course, you get results, you get automatic actions that can be taken, and of course, the actions will be available for you, basically, as a security operations engineer, to review and approve the remediation action or deny the remediation action, right? So this is the usual, let's say, workflow for an automated investigation and response. So now, just as an example, let's start here with a screenshot of an alert that, let's say, was generated by a Defender for Office 365. So these alerts are typically investigated manually, right? So this is where automated investigation response comes in. Because attackers frequently send URLs through emails to avoid detection by security solutions, they weaponize them after delivery to launch their attack.

So if you notice here in the following screenshot that the alert identifies a URL that was recently weaponized and was detected by Microsoft Defender for Office Three, Six, and Five through the Safe Links feature, and you can see this in the details here over to the right of the preview pane, right now, Microsoft Defender for Office365 automatically triggers an Air Playbook based on this alert and resolves the alert once the automatic investigation is finished. and I will change the slide in a moment. Here we go. So clicking on the investigation in the investigation diploma from the alert itself brings up the Office 365 Threat Intelligence Summary Investigation Graph. This is what it's called. So this graph shows all the different entities, emails, users, and their activities that were applicable, as well as devices that have been automatically investigated as part of the triggered alert.

So specifically, we can note here on this investigation graph that again, several emails were identified as being relevant to this investigation. And we can see that over here, right? And of course, based on the sender, IP domain, URL, or other email attributes, a subset of them were identified as being maliciously sent from an internal user in the organization, which itself is a strong indicator of a compromised user. And as you can see here, six of these are deemed to be phishing emails. Now, when you pivot on this investigation, you can also identify that there were anomalies detected for one specific user. And, of course, again, there have been five users investigated, but one of them was found to have malicious or suspicious logins, as you can see over here. This investigation, of course, identifies user anomalies and compromised device threats associated with these compromised users (sorry, "users"). Of course, when Microsoft Defender Four detects a compromise, Office365 also takes some auto-remediation actions, such as blocking the URL, deleting any emails from the related mailboxes, and triggering Azure Active Directory workflows to reset the password for that particular compromised user or challenge that user for MSA. Now, automated Investigation and Response for Office 365 in Defender for Office 365 includes certain remediation actions.

So whenever an automated investigation is running or has completed, you will typically see one or more remediation actions that will require approval by your security operations team or the administrator that's dealing with this particular tool. and social remediation actions would include the following criteria: You can soft delete email messages or clusters, you can block URLs, you can turn off external mail forwarding, or you can turn off delegation. Right. So this action can be found here on the Action tab under the selected investigation, as you can see here in this particular screenshot. Now, to better understand and familiarize yourself with Microsoft Defender for Office 365 and how you would investigate a particular incident, you will have a link in the downloadable resources for this lesson that will take you to a guided demonstration for Defender for Office 365. Again, as I mentioned earlier in the section, this guided demonstration is actually an interactive demonstration, or should I say an interactive guide, that is available on Microsoft's TechNet community and that I believe is very, very good at helping you understand and become familiar with the product. It will take you through an investigation of an incident and an investigation graph.

You will have to dismiss some alerts, of course, interactively because you just point and click, but you also have a narrative along the way that will basically explain all the actions that are taken in the portal. So I strongly recommend you do this. It takes about 2025 minutes to complete this interactive guide, but it's very beneficial for you to familiarise yourself with the product. Now, after you've gone through the interactive guide, let's talk about the simulated attacks. So the simulated attacks include, let's say, best-of-class threat investigation and response tools that enable you as a security analyst to work with a security operations team to anticipate, understand, and prevent malicious attacks. Assume you currently have threat trackers. First of all, here we go. And these basically provide the latest intelligence on prevailing cybersecurity issues.

For example, you can view information about the latest malware and take countermeasures before it poses an actual trap to your particular organization. Available trackers include noteworthy trackers, trending trackers, tracked queries, and saved queries. Then you have the threat explorer. And this is a very, very useful tool. You can also call it, as you can see here, "realtime detections." So Explorer is a real-time report that basically allows you to identify and analyse recent threats. You can configure Explorer to show data for, let's say, customer periods, or for any kind of particular period, or for periods of one month, the last 30 days, and so on. You can customise it however you want. And I was going to show you the Explorer in the portal itself, but unfortunately, as you can imagine, we have absolutely no emails flowing through this trial talent, which I'm using for demonstration purposes. So if I go to explore over here, of course this is where you access it from. But, sorry, you will have no data available because we haven't basically flown any emails through this tenant. It only has one mailbox, and that is for the admin account that I've created. But you will find lots of information in the interactive guide. Let's get back to our slide over here. Then we have the attack simulator, right? and the attack simulator. Essentially, this allows you to run realistic attack scenarios in your organisation to identify vulnerabilities. So simulations of current types of attacks are available, including spear phishing, credential harvesting, attachment attacks, password spraying, and brute force password attacks. Getting back a little bit to the Explorer again, here we have a screenshot of an Explorer page that actually has some data on it.

So basically, again, it enables you to begin delving into granular data for your organisation before you are first shown a variety of threat families impacting the organisation over time. And additionally, you are shown the top threats and top targeted users inside the organization. You can also change, of course, the category for the graph. In this case, the malware family is shown, but you can filter Threat Explorer from over here. This is the category. Let me just circle it. Okay, you can click on this drop-down menu over here and you can change this to anything that you might want to see here, like a category would be "all email" and you would be able to filter for any kind of email on the subject, on the sender, on the date, and every other filter that you can think of. Now this option again includes sender, email, recipient email, and even the detection technology that was used to actually stop a threat.

The Explorer also allows a deeper look into a threat, beginning with a thorough description of the Mauer family's behavior. It also provides a definition of the threat, the message, traces of the emails delivering that threat, technical details of the threat, global details of the threat, and advanced analysis. Return to the users tab. If you go to the user tab, you can see each instance where a user in the organisation received an attachment containing malware or any other type of threat. Now if a user had actually received and opened an email, that would also appear under the status, enabling you to basically reach out to the user and take the appropriate mediation actions, such as scanning their device. But you can also, of course, delete the email directly from the portal. Now that being said, this concludes our discussion about mitigating risks with Microsoft Defender for Office 365. I am going to see everyone in the next lesson, where we'll discuss yet another very cool and interesting tool in the security stack, Microsoft Defender for identity. Until then, I hope this has been informative for you, and thank you for watching.

Hide