
Mastering security analysis with Microsoft Defender XDR


Delivery format: Remote

Duration: 2 days

Price: 2279 €

This two-day instructor-led course provides delegates with the knowledge and skills to effectively use Microsoft Defender XDR and Security Copilot for responding to cyber-attacks. Delegates will learn how to manage and investigate security incidents within the Defender portal, leveraging automated investigations and threat intelligence.

The course also covers the use of Kusto Query Language (KQL) for advanced threat hunting and introduces Security Copilot as a tool to assist in incident response, script and file analysis, and report generation. Designed for security professionals, this course enables participants to enhance their organisation’s cyber resilience by efficiently detecting, analysing, and mitigating security threats.

By the end of this course, delegates will be able to:

  • Navigate the Microsoft Defender portal and explain integrations with Microsoft services such as Entra ID and Azure.
  • Use Defender XDR to investigate and respond to cybersecurity incidents, leveraging automated investigations and threat intelligence.
  • Build advanced threat-hunting queries using Kusto Query Language (KQL).
  • Onboard and use Copilot for Security to assist with incident response, script and file analysis, KQL query writing, and report generation.

Prerequisites

An understanding of core technical concepts, including applications, file storage, networking and identities.

An understanding of common security threats and attacks such as malware, phishing, ransomware and software exploits.

Instructors will demonstrate features throughout the event. Optional lab exercises are available for students to complete using a commercial Microsoft 365 tenancy with an Azure subscription provided for each student free of charge by QA. The tenancy lasts for 30 days. The Azure subscription will have enough credit to perform lab exercises.

Target audience

This course is designed for:

  • Security analysts responsible for monitoring and responding to cyber threats.
  • IT administrators with a role in cybersecurity incident response.
  • Security professionals looking to enhance their skills in Microsoft Defender XDR and Security Copilot.

Overview of Microsoft Defender XDR

  • Introduction to Microsoft Defender XDR
  • Cybersecurity attack methodologies
    • Zero Trust model
    • MITRE ATT&CK framework
    • Example attack chains
    • Security news and emerging threats
  • Microsoft Defender XDR services
  • Services overview and capabilities
  • Integrations with other Microsoft solutions
  • Investigating and responding to security threats
  • Lab: Hands-on exploration of Defender XDR

Incident response

  • Managing alerts and incidents
    • Alert triage and correlation
    • Incident investigation techniques
  • Response actions
  • Containing and mitigating threats at the device, user, and network level
  • Understanding automated attack disruption
  • Remediation actions and Action Center
  • Automated investigations
  • Lab: Incident investigation and response

Advanced threat hunting with KQL

  • Introduction to Kusto Query Language (KQL)
    • Guided and advanced query modes
    • Understanding the schema
    • Saving and sharing queries
  • KQL syntax and querying techniques
  • Searching, filtering, and sorting data
  • Using joins for data correlation
  • Summarising and visualising threat data
  • Working with strings, dates, and times
  • Lab: Writing and executing KQL queries for threat hunting

Security Copilot

  • Onboarding Security Copilot
    • Planning and setup
    • Creating a capacity and configuring settings
    • Understanding available plugins
  • Standalone capabilities
  • Using prompts for security insights
  • System capabilities and automation
  • Prompt books for common security tasks
  • Incident summaries and guided response
  • Script and file analysis
  • Advanced threat hunting with Copilot
  • Generating incident reports
  • Embedded capabilities
  • Lab: Leveraging Security Copilot for threat analysis and automation

Exams and Assessments

This course does not include any formal assessments.

Price: 2279 € + VAT



We reserve the right to make changes to the programme, the instructors and the delivery format.