GOC Defender Training on Eriks training corner

M01 · Threat Modeling and MITRE ATT&CK

Mon, 01 Jan 0001 00:00:00 +0000

Course: Microsoft Defender — Security Operations Fundamentals Module duration: 3.0 hours (including lab) Format: Instructor-led, hands-on

Currency note (as of June 2026): MITRE ATT&CK is versioned and updated roughly twice a year, and Microsoft renames portal surfaces frequently. Technique IDs are stable, but matrix contents, the current ATT&CK version number, and Microsoft portal paths change. Verify the live ATT&CK version at https://attack.mitre.org and product names against Microsoft Learn before relying on any specific detail below.

M02 · Azure Supporting Technologies

Mon, 01 Jan 0001 00:00:00 +0000

Course: Microsoft Defender — Security Operations Fundamentals Module duration: 3.5 hours (including lab) Format: Instructor-led, hands-on

Currency note (as of June 2026): Azure portal labels, blade names, and navigation paths change frequently. This handout describes goals and structure rather than exact click-paths where the portal is volatile. Verify current paths against Microsoft Learn before relying on a specific UI step.

Learning objectives

By the end of this module you will be able to:

M03 · Security Platform Overview

Mon, 01 Jan 0001 00:00:00 +0000

Course: Microsoft Defender — Security Operations Fundamentals Module duration: 2.5 hours (including lab) Format: Instructor-led, hands-on

Currency note (as of June 2026): Microsoft renames and reorganizes this product family frequently, and licensing bundles change regularly. Verify product names, portal paths, and which plan unlocks which capability against current Microsoft Learn before relying on specifics here.

Learning objectives

By the end of this module you will be able to:

Describe the Microsoft security ecosystem and how its major products relate to one another.
Explain Zero Trust principles and identify where each Microsoft product enforces them.
Name the core products — Defender XDR, Sentinel, Entra, Intune, Purview, Security Copilot — and their primary functions.
Identify which licensing plans unlock which capabilities.

1. The Microsoft security stack at a glance

Microsoft’s security portfolio spans several disciplines that together cover identity, devices, data, cloud, and operations. The acronyms map to familiar categories:

M04 · Microsoft Defender XDR

Mon, 01 Jan 0001 00:00:00 +0000

Course: Microsoft Defender — Security Operations Fundamentals Module duration: 3.5 hours (including lab) Format: Instructor-led, hands-on

Currency note (as of June 2026): Portal paths, schema table names, and feature labels in the unified Defender portal change frequently. Verify navigation and Advanced Hunting schema against current Microsoft Learn / in-portal schema reference before relying on specifics.

Learning objectives

By the end of this module you will be able to:

Explain the unified portal’s data sources and how signals from multiple workloads are correlated.
Navigate incidents, alerts, and the investigation graph.
Describe how automated attack disruption works and when it triggers.
Perform basic threat hunting using the Advanced Hunting interface and pre-built queries.

1. What “XDR” means here

Extended Detection and Response (XDR) unifies detections from multiple security workloads into a single, correlated investigation experience. Microsoft Defender XDR is the unified portal (https://security.microsoft.com) that brings together the workload Defenders so you investigate one incident instead of chasing separate alerts in separate consoles.

M05 · Defender for Endpoint

Mon, 01 Jan 0001 00:00:00 +0000

Course: Microsoft Defender — Security Operations Fundamentals Module duration: 3.5 hours (including lab) Format: Instructor-led, hands-on

Currency note (as of June 2026): MDE portal paths, ASR rule sets, and response-action labels change frequently. Verify rule IDs, default behaviors, and click-paths against current Microsoft Learn before relying on specifics.

Learning objectives

By the end of this module you will be able to:

Describe the core capabilities of Microsoft Defender for Endpoint (MDE): EPP, EDR, and vulnerability management.
Explain attack surface reduction (ASR) rules and identify common configurations.
Use the device page to review alerts, timeline, and recommendations.
Perform basic device response actions: isolate, collect investigation package, run antivirus scan.

1. MDE architecture

Microsoft Defender for Endpoint (MDE) is Microsoft’s endpoint security platform. Three pieces work together:

M06 · Defender for Office 365

Mon, 01 Jan 0001 00:00:00 +0000

Course: Microsoft Defender — Security Operations Fundamentals Module duration: 3.0 hours (including lab) Format: Instructor-led, hands-on

Currency note (as of June 2026): MDO policy names, Threat Explorer labels, and portal paths change frequently. Plan 1 vs. Plan 2 feature boundaries also shift. Verify against current Microsoft Learn before relying on specifics.

Learning objectives

By the end of this module you will be able to:

Describe how Defender for Office 365 (MDO) protects email and collaboration services.
Explain the function of Anti-phishing policies, Safe Links, and Safe Attachments.
Use Threat Explorer to investigate an email-based threat.
Describe automated investigation and response (AIR) and how to review AIR results.

1. MDO protection layers

Microsoft Defender for Office 365 (MDO) protects email and collaboration (Exchange Online, Teams, SharePoint, OneDrive) against phishing, malware, and business email compromise. It is layered:

M07 · Defender for Cloud Apps

Mon, 01 Jan 0001 00:00:00 +0000

Course: Microsoft Defender — Security Operations Fundamentals Module duration: 3.0 hours (including lab) Format: Instructor-led, hands-on

Currency note (as of June 2026): MDCA (Cloud App Security) portal location, policy templates, and app-governance labels change frequently; much of MDCA now surfaces inside the unified Defender portal. Verify paths against current Microsoft Learn before relying on specifics.

Learning objectives

By the end of this module you will be able to:

Explain how Defender for Cloud Apps (MDCA) discovers and assesses SaaS application usage.
Describe OAuth app governance and the risks of over-permissioned apps.
Explain session controls and conditional access app control (CAAC).
Create a simple app policy and review policy matches.

1. What MDCA is and how it sees cloud apps

Microsoft Defender for Cloud Apps (MDCA) is a Cloud Access Security Broker (CASB) — it gives visibility and control over the SaaS applications your organization uses. It gathers signal through three mechanisms:

M08 · Defender for Cloud

Mon, 01 Jan 0001 00:00:00 +0000

Course: Microsoft Defender — Security Operations Fundamentals Module duration: 3.5 hours (including lab) Format: Instructor-led, hands-on

Currency note (as of June 2026): Defender for Cloud plan names, Secure Score controls, and portal paths change frequently; compliance standards are updated by their authoring bodies. Verify plan coverage and navigation against current Microsoft Learn before relying on specifics.

Learning objectives

By the end of this module you will be able to:

Describe the difference between cloud security posture management (CSPM) and cloud workload protection (CWPP).
Navigate the Secure Score and explain how recommendations improve it.
Identify workload protection plans and what each covers (servers, containers, SQL, storage, Key Vault).
Use the regulatory compliance dashboard to review a compliance standard.

1. CSPM vs. CWPP — two jobs, one product

Microsoft Defender for Cloud does two complementary things:

M09 · Additional Defender Workloads

Mon, 01 Jan 0001 00:00:00 +0000

Course: Microsoft Defender — Security Operations Fundamentals Module duration: 2.5 hours (including light lab) Format: Instructor-led, hands-on

Currency note (as of June 2026): These workloads evolve quickly and some surfaces have been renamed or reorganized (e.g., “Defender for DevOps” capabilities under DevOps security posture management). Verify product names, plan availability, and portal paths against current Microsoft Learn before relying on specifics; mark anything in preview [PREVIEW].

Learning objectives

By the end of this module you will be able to:

M10 · Security Copilot

Mon, 01 Jan 0001 00:00:00 +0000

Course: Microsoft Defender — Security Operations Fundamentals Module duration: 3.5 hours (including lab) Format: Instructor-led, hands-on

Currency note (as of June 2026): Microsoft Security Copilot changes rapidly — embedded experiences, plugins/agents, and the standalone portal evolve on roughly a monthly cadence, and some features are [PREVIEW]. Verify capabilities, availability, and portal paths against current Microsoft Learn before relying on specifics; never present a preview feature as generally available.

Learning objectives

By the end of this module you will be able to: