From the course: Microsoft Security Operations Analyst Associate (SC-200) Exam Tips

Using the Microsoft 365 Defender portal

- [Instructor] Now that you're familiar with the Security Operations Analyst exam and the key concepts of XDR, SIEM, and SOAR solutions, let's discuss the solutions within Microsoft for enabling security operations within your company. The Microsoft 365 Defender portal can be used to configure solutions and to manage, monitor, and respond to security events. If your company uses only Microsoft 365, this portal provides a full security operations solution for incidents, alerts, and hunting for threats and vulnerabilities. The portal also provides alerts, an Action Center, and Secure Score to monitor and manage your security posture for endpoints, email and collaboration, and identity within Microsoft 365.

When suspicious activity or an attack is identified on a user account, managed device, or Exchange Online mailbox, the alerts and data are gathered in Microsoft 365 Defender threat intelligence and an incident is sent to the portal to investigate. The incidents and alerts are correlated based on severity, category, impacted assets, and additional details of the attack. This allows a security operations team to filter and investigate the events. Any security strategy should include proper training and understanding for people within the organization. To give the security operations team this understanding of incident and alert response, Microsoft 365 Defender provides an attack simulation training feature that can generate incidents for real-time investigation and training. The Action Center can be used to track the incident and alert activities.

To understand your security protection against global threats, Microsoft provides a threat analytics dashboard within the Microsoft 365 Defender portal that lists common threats and their potential impact. This includes ransomware, phishing, vulnerabilities, and activity group threats. This dashboard shows active alerts based on these threats and impacted assets in your Microsoft 365 environment.
Secure Score audits your Microsoft 365 identity, apps, and devices for vulnerabilities and for controls that can be enabled to increase your security posture. The Secure Score dashboard provides recommended actions that you can implement to increase the score. Increasing the score strengthens your security posture by adding controls that remediate vulnerabilities before they become threats.

The final area we will discuss around the Microsoft 365 Defender portal is threat hunting using the advanced hunting feature. Threat hunting uses Kusto Query Language, or KQL, to search the log data for suspicious activities. The queries return results that can be used to create incidents. The Microsoft 365 Defender portal has built-in advanced hunting queries that can be run against activity logs to find potential threats. You can also run your own queries within the query editor. The structure of Kusto Query Language and how it is used for threat hunting will be discussed in greater detail in this course.

This video has provided an understanding of the Microsoft 365 Defender portal and how you're able to use it for security operations and alert response. As you continue through this section, you will learn about the additional integration of the Microsoft 365 Defender solutions: Microsoft Defender for Office 365, Microsoft Defender for Endpoint, Azure AD Identity Protection, and Microsoft Defender for Identity. Later in this section, we will walk through the Microsoft 365 Defender portal to see these solutions and their security operations capabilities.
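As an added illustration of the advanced hunting workflow described above (this query is not from the course), here is a KQL hunt over the `DeviceProcessEvents` table exposed by advanced hunting that looks for PowerShell launched with an encoded command line, a common sign of obfuscated script execution; the 7-day window and the exact regular expression are choices made for this example.

```kql
// Added example (not from the course): hunt for PowerShell started with an
// encoded command line in the last 7 days. Assumes the standard advanced
// hunting DeviceProcessEvents schema from Microsoft Defender for Endpoint.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
// Match -e, -ec, -enc or -EncodedCommand as a separate argument, case-insensitively
| where ProcessCommandLine matches regex @"(?i)\s-(e|ec|enc|encodedcommand)\s"
// Timestamp, ReportId and DeviceId are kept so the results can be turned
// into a custom detection rule that raises alerts and incidents
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName,
          InitiatingProcessFileName, ProcessCommandLine
| order by Timestamp desc
```

Review the results for the initiating process and account before saving the query as a custom detection, since administrative tooling also uses encoded commands and will otherwise generate noisy incidents.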