CBT Nuggets

Intro To Microsoft Defender XDR

This skill provides a comprehensive overview of Microsoft Defender XDR, highlighting its role in modern security operations. It explains the differences between XDR and traditional SIEM systems, emphasizing the integration of various Defender products for enhanced detection and response capabilities. Learners will understand the prerequisites for deploying Defender XDR, including necessary Microsoft 365 subscriptions and Azure trials. The skill also covers the use of AI and threat intelligence in Defender XDR to automate responses and improve security incident management.

Full lesson from SC-200. Preview the IT training 23,000+ organizations trust.

46m 4 Videos 13 Questions

Skill 1 of 17 in SC-200

Introduction

In this skill, you’ll build a solid foundation in Microsoft Defender XDR and understand why it plays a central role in modern security operations. We’ll explore what XDR is, how it differs from a traditional SIEM, and where it fits into a SOC environment. You’ll also learn the key prerequisites needed to successfully deploy and use Defender XDR. Let's get started!


Preparing For This Course

If you want to follow along with me throughout this course and get some hands-on experience, you'll want to watch this nugget. I'll talk about the three things you'll need in order to follow along and then I'll show you how to access a couple of them so you're ready to get hands-on!

Knowledge Check

The three things you'll need in order to follow along are: a Microsoft 365 E5 subscription (trial), an Azure account with free credits, and what other item?

  A. Windows 11 PC
  B. Office 365 A3 license
  C. Microsoft 365 Personal license
  D. Server 2022 host

Verify your team's readiness — Request a Demo to verify practice assessments, completion reporting, and CSV / SCORM exports on the Team plan.

Knowledge Check

We set up billing alerts to notify us when we get close to our Azure free credits limit so that we don't go over and have to pay out of our own pocket. (True or False)?



What Is Microsoft Defender XDR?

Now it's time to pull the curtains back and reveal what Defender XDR (previously Microsoft 365 Defender) is and why we would want to use it.


Knowledge Check

What is XDR an abbreviation for?

  A. Extended Detection & Response
  B. Excellent Detection & Response
  C. Extended Detection & Remediation
  D. Extended Data & Recovery


Knowledge Check

Microsoft Defender XDR is a SIEM. (True or False)?



Defender XDR Prerequisites

What is required to use Defender XDR? That's a great question and we're going to answer it in this nugget.

Knowledge Check

Which of the following licenses will NOT get you access to Defender XDR?

  A. Microsoft 365 E3 license
  B. Microsoft 365 E5 license
  C. Microsoft 365 A5 license
  D. Microsoft 365 A3 license + Microsoft 365 A5 Security add-on



Validation

Congratulations on making it to the end of this skill. Now it's time for a validation challenge to put that newly acquired knowledge to the test by answering a few review questions. Here we go!

Question 1

Knowledge Check

What is the primary goal of Microsoft Defender XDR?

  A. Correlate signals across multiple security domains to detect and respond to threats
  B. Log long-term security data for compliance
  C. Replace endpoint antivirus solutions
  D. Monitor network bandwidth usage


Question 2

Knowledge Check

Defender XDR operates independently and does not share data between Defender products. True or False?


Question 3

Knowledge Check

Which of the following security domains are correlated by Defender XDR? Choose the BEST answer.

  A. Endpoint, identity, email, and cloud apps
  B. Network traffic only
  C. Endpoint only
  D. Infrastructure logs only


Question 4

Knowledge Check

Which Microsoft products commonly feed signals into Defender XDR?

  A. Defender for Endpoint, Defender for Identity, Defender for Office 365, Defender for Cloud Apps
  B. Microsoft Sentinel and Azure Monitor
  C. Azure Firewall and Network Watcher
  D. Power BI and Log Analytics


Question 5

Knowledge Check

Defender XDR replaces the need for any SIEM solution. True or False?


Question 6

Knowledge Check

Microsoft Defender shares intelligence with Microsoft Threat Intelligence. (True or False)


Question 7

Knowledge Check

Microsoft Defender XDR can provide automated response in near real-time. (True or False)?

Question 8

Knowledge Check

What is it called when Defender XDR formats incoming data to make it all appear as one consistent dataset?

  A. Normalization
  B. Analysis
  C. Correlation
  D. Remediation


Preparing For This Course

0:00 All right, we're in the first skill of the new SC-200 course here at CBT Nuggets, and guess what,

0:06 it's time to talk about some things that you'll need to have in place if you want to follow along

0:11 with me and get some hands-on experience. So we're going to look at these three things and how to get

0:15 those up and running. So let's get started. All right, so three things you're going to need.

0:22 Number one is a Microsoft 365 E5 or A5 trial account, unless you have one. You might have

0:32 an active E5 or A5 subscription, and that will work. But here's the thing: you're not looking

0:37 for an Office 365 E5 or A5. That's not what we want. We want a Microsoft 365 E5 or A5 subscription.

0:49 So we're going to see how to set up a trial for that. It is a 30-day trial. So after that 30 days

0:54 you might need to create a new trial, and we're going to talk about that here shortly. The other

0:58 thing is you're going to want an Azure trial as well. Absolutely, and as of the recording of this

1:07 nugget, when you sign up for a trial you get $200 of credit. Hey, that's pretty awesome. Now that way,

1:16 if you're going to use some of the resources that we're using, you can use that credit toward

1:20 that so you don't have to pay out of pocket. And lastly, what you're going to need is a Windows 11

1:26 workstation. So we need an endpoint, or basically a device running Windows 11, that you have

1:34 administrative permissions on. Now why do we need this device? We need it because we're going to

1:41 install Defender for Endpoint on it so that we can have it send logs and information into

1:50 our Defender XDR so that we can work with that. So if you already have yourself a Windows 11

1:54 workstation, you're good to go. But you do have to have administrative privileges over it

1:58 so you can install Defender for Endpoint. And you're going to be registering that in Microsoft

2:04 through the Entra ID with your trial account that we create up here, your Microsoft 365 E5 or A5.

2:12 Now, we do the trial, it's going to be E5, but maybe you have an A5 account. Hey, that

2:17 works too. But you do have to have that level of access, and we're going to go over licensing and

2:22 such a little later on. So now that we know we need these three things, I'm going to tell you

2:27 that this last piece is going to be up to you and whatever you want to do for this.

2:32 Now that means you could build, if you have a home lab, maybe you're running some hypervisor

2:38 or something like VMware or Microsoft Hyper-V, then you can run this as a VM in your lab. Hey,

2:46 that's cool, it works. But if you want to spin up a Windows 11 machine and run it in Azure

2:52 and use some of those credits, you can do that as well. But however you go about that, that's

2:56 pretty much going to be up to you at this point. And it doesn't have to be in Azure, it can be

3:01 on your lab again at the house. It just needs internet access so that we can install our

3:08 Defender for Endpoint and Defender for Endpoint can talk to Defender in the cloud. Okay, so I'm

3:14 going to walk through here now how to go through setting up your Microsoft 365 E5 trial and your

3:20 Azure trial and setting up some fail-safes to make sure that we don't go over budget or forget to

3:28 cancel our trial, because nobody wants to do that. All right, cool, so let's get started on

3:33 these necessities. All right, here we are, we're going to talk about creating our Office 365

3:39 E5 account, and I'm going to provide a link to this page, but you can see it up here, it's

3:43 microsoft.com slash en dash us slash Microsoft dash 365 slash enterprise slash office dash 365

3:50 dash E5. Wow, it's a mouthful, that's why I'm going to provide a link below, or you can just Google it,

3:55 but you do need to find this page so you can create a trial here. A lot of the pages that you

4:00 go to when you Google it are going to take you to where you have to call sales and stuff, and we don't

4:04 want to do that. We're looking at, right here, "try for free", that's what we want to see right there.

4:11 Once we see that, we know we're in the right place. Now I know I said you need to get a Microsoft 365

4:17 E5 trial, not an Office trial, but this is a hoop that we have to jump through, because you can't

4:23 just outright get a trial of Microsoft 365 E5. They want you to contact sales, so this is a hoop

4:31 and we're going to jump through it. So what we'll do is, once you get here, you'll see it is $38

4:37 per user per month when you pay it yearly, but if you select monthly it's going to be more than that,

4:43 it's just because you get that annual discount, but we're not worried about that, we're going to

4:46 try it for free. So if you click "try it for free" here, it's going to open up this new page,

4:51 and this is where you're going to go through the signup. So how many people is this for? Because you

4:56 can select multiple trials if you want to set up multiple Windows 11 devices and have different

5:03 fake users connect in, then you can do that. But here's where I want to point out: choose the length

5:08 of your subscription. I'm going to say one month, and here's why. Now you'll see, yeah, by the year

5:13 it's $39.90 a month, if you go monthly it's $45.60, but here's the thing, we're going to try this trial

5:20 and this trial is good for 30 days, okay, so that means if you don't cancel it before those 30 days

5:28 are up, you're going to get billed, and if you accidentally have that happen, I'd rather be

5:32 billed $45.60 for that month than paying an entire year's worth, because you're going to pay that one

5:40 year up front, okay, so then you're stuck with it for a year and you've lost that, however much it

5:44 is. Well, how much is it? It's about 40, so you're locking up close to $500. So yeah, I'd

5:51 rather lose $45 than $500, or somewhere around there, because I forgot to cancel a subscription.

5:57 So then you're just going to go next and you're going to go through this process of setting up

6:01 your account. Then you're going to have one. Now here's the thing, so once you've finished setting

6:06 this up, what you're going to do is you're going to log in to office.com. Let me go find mine here.

6:11 You go, and you're going to select the admin. So let me show you here real quick. So if you go

6:16 to office.com and you sign in, there it is, it's going to look something like this. You want to go

6:21 down to apps and then you're going to go to admin. It's going to open up your admin page. There we go.

6:27 Okay, so at this point we're in our Microsoft 365 admin center here, and we have an Office 365 E5

6:35 account but not a Microsoft 365 E5, and they are really different, okay? So what we need to do is

6:42 come down here to billing. You're going to go down to your products here, and then what you're going

6:48 to see in here is a little bit different than what mine shows. Mine shows Microsoft 365 E5, yours

6:53 are going to show Office 365 E5, and that's fine, it's supposed to at this point. Now here's what

6:59 we do. We're going to go to "add more products" right here, you see that button, we're going to click on

7:04 that. It's going to take you to the marketplace. This is where you want to be. Come down here to

7:09 the search, let's see, it's down here, come on, I've got to wait on it to reload. Oh, actually I don't

7:14 want recommended, make sure you go to all products. All right, and then come down here to the search,

7:21 we'll remove that, there you go. In the search you're going to type capital E, number five, E5,

7:26 hit enter and let it search through. It might take a little bit, and there you go, it's going to load

7:32 this up. Look at there, right here, I'm going to zoom in for you: Microsoft 365 E5. That's what we want,

7:39 that's the golden nugget, okay? So what are we going to do, how do we get it, Bob? Well, the good

7:44 thing is we get a trial, so just click on details. It's going to load this up, and there it goes.

7:51 So from here you can choose, right here, Microsoft, let me try to zoom in a little bit, 365 E5 trial,

8:00 and it's going to bring this window out here, and there it goes. And you're going to have to make

8:04 sure your appropriate credit card is in there. Get this, but what it does is quantity 25, let me zoom

8:11 in, so this is a trial and it gives you 25 licenses to start with, okay? So what I'm going to do is hit

8:22 next. So I'm going to close this out, so then you're just going to come down here and press that

8:26 "start free trial" button. So go ahead and click on that. It's going to take a moment,

8:33 and there it goes. You select your billing account information there, and it says to keep these

8:39 services active, renew your subscription before your trial expires on March 9th, 2026. It'll give

8:45 you a month out there, but then you're going to need to create another reminder in your phone

8:49 to go ahead and cancel this, so you have 30 days. So this is the kind of hoops we have to jump through

8:55 to get a Microsoft 365 E5 account. I'm going to cancel this because I'm not actually going to get

9:00 that. And then once you do have it, you're going to come back here to your products, and we'll let this

9:08 load up here, and you'll find your Microsoft 365 E5, and you'll click on that, because we have to

9:16 assign this license to someone, and, well, we're going to assign it to our own account. And then

9:22 in here you're going to click "assign licenses", there you go. It's going to take you to your

9:26 licenses and subscriptions, but you can go down here to get that too. All right, and then you're

9:30 going to select "assign license", because you'll have one of one up there, or actually, if you get 25

9:36 trials, you'll have 25 up there that you can play with. But they do all expire at the same time,

9:40 they're only good for a month. You can't use one one month and one the next and one the next;

9:44 they all expire within a month. So then you're going to assign your licenses, and you be sure

9:49 to assign it to your account, and then any of your other trial accounts you might set up, because

9:53 actually what you can do is come in here and you can set up additional users and assign it to them

9:59 as well, and these would be like fake accounts that you're going to use to play around in here with. So

10:03 that is very important, because once you get that Microsoft 365 E5 trial, you have to assign them

10:08 to yourself, okay, so that you'll have that to be able to work with. Okay, so that wraps this part up.

10:14 Next you're going to want to, let me find my tab here, go to azure.microsoft.com, and it's going to

10:21 take you to this page here, because now it's time to set up our Azure account. So what we're going

10:27 to do is click on "get started with Azure", just like that button right there, and "try Azure for free". So

10:33 when you click on this, it'll bring this up, and you're going to have to sign in with the account

10:37 that you just made for your Microsoft 365 E5. Now I can't actually go through that process, but you're

10:43 going to do that, and you're going to walk through setting it up, and you will get, it should say down

10:49 here, yeah, right here, $200 credit. You see that, and that's what we're wanting so that we can use. Now

10:57 you've got to use it within 30 days. So again, when you sign up for these, let me give

11:02 you this little tip here: when you're signing up for these, create a kind of, I'd say, throwaway

11:08 free Gmail account or some other email provider that's free, because once you sign up for a trial

11:15 and that 30 days ends, you can't re-sign up with that email account. So you don't want to use your

11:19 primary email account, like your personal one. Don't do that. Create a separate one just for the trial,

11:24 and that way when your trial expires and you cancel your services, you can go sign up again

11:29 with a different email. Hopefully that will work for you, but again, sometimes it does match it to

11:34 a credit card, so you might run into some issues there, because I know for a fact that when you're

11:39 doing your Azure setup, and actually your Microsoft 365, you're going to have to provide

11:43 a credit card in order to get that going. But this is why we want to set up reminders to cancel ahead

11:49 of time, okay? So you're going to go through and you're going to set up your Azure free account,

11:54 just go through the wizard and set it up, and once you do that you are signed up. And let me show you

12:01 next what we're going to do, and this is, we're going to set up a budget and a budget alert. Let

12:08 me explain why. Let me go over to here, to cost analysis, let's go to, this is in Microsoft Azure,

12:15 so once you're signed in, just search for budgets, just like this. You see the budgets, and you click

12:22 on budgets. So you're going to come in here to the budgets, and since I don't have any budgets,

12:26 what I'm going to do is go to add. All right, you're going to create a budget, and what this

12:32 is, is you're basically saying this is what I'm allowed to spend for this month, okay? And then

12:38 you can set up rules saying, hey, send me an email notification when I'm getting close to

12:43 matching my budget. And here what we're going to do is set one up for two hundred dollars. So here

12:47 we'll call this azure trial dash 200, because that's your 200 credits. Reset period is monthly,

12:54 creation date was just January, all right, that works for me. Budget amount is going to be that

13:00 200, there we go, and we'll say next. And now here, this is what we want: alerts. Alert condition,

13:09 select type, I want an actual cost, so this is what I'm actually spending, okay? And then the

13:15 percent of the budget, I would say like 80. And then action group, we'll leave it at none at this

13:23 point because we don't have one. But then you're going to come down here to your email recipients.

13:27 You're going to put in as many emails as you want, but you're going to want to make sure it's email

13:32 accounts that you're going to look at, those emails, you're going to see these notifications,

13:36 because this way, once your budget in your 30-day trial hits 160, you're going to be notified, because

13:42 then you can go in and turn services off before you go over 200. This gives you plenty of time

13:47 to do that, because if it goes over 200, your credit card is going to be charged, and we're

13:51 trying to avoid that. So put your email addresses in here, so it'd be email at email, emails, whatever,

13:57 dot com, and you just comma-separate. So then you're going to have dot com or something like

14:03 that, and you can put another one in here, you can say email two at email.com, and you can put a third

14:08 one in there. But the idea is you're going to put those emails in there so that you can be alerted.

14:14 You don't want to go over that 200. All right, so this is your alert conditions. So then you would

14:20 go ahead and click on create, and away you go. And actually, the default language, you could go ahead

14:26 and hit wherever you are, your language, and then go ahead and create that, so that you will have a

14:31 budget. All right, so at that point you would be good to go with your budget created. Okay, so let's

14:38 go to the next thing. Now we've got one more thing that we want to do in here, and that is to disable

14:44 what's known as the security defaults, because they're going to cause us some issues in the lab.

14:50 So what you're going to do is you're going to go over to Entra ID. So let's go ahead and go back to

14:55 home, so say okay, there we go, and there's Microsoft Entra ID. But you can always just type Entra ID in

15:01 there, and you want to go over to Microsoft Entra ID. This is basically our identity provider within

15:06 Entra. It used to be Azure Active Directory, now it's Entra ID. Here's our users and groups, we've got

15:12 devices and roles and administrative units and all kinds of wonderful things in here. But here at the

15:18 overview, what we want to do is go over to the properties tab right here, and we're going to click

15:24 on properties. It's going to fill this out for us, and then what we're going to do is scroll to the

15:29 bottom, and right here, security defaults, you see that there, it says security defaults are basic

15:35 identity security mechanisms recommended by Microsoft, but we want to disable it. So you're

15:41 going to click on manage security defaults and you're going to say disabled, and then it'll prompt

15:46 you, well, why do you want to do this? And you can just pick any of the reasons, it doesn't matter, but

15:50 the most accurate reason is conditional access policy, something to deal with that, because we're

15:55 going to be dealing with conditional access policies, all right, which is a great Microsoft

15:58 security feature. They're great, I love them, they do lots of good stuff security-wise. But you

16:02 want to make sure that is disabled, all right, and then we're going to be working with that a little

16:06 later on. All right, so at this point you just need to get your Windows 11 device set up and available

16:12 with internet connection, and then we'll be able to get started. So in the next nugget, now that we've

16:17 got these things out of the way, we're going to start talking about what Microsoft Defender XDR

16:22 is and why it's pretty darn cool. Actually, I really like it a lot, so I'll see you there shortly.

What Is Microsoft Defender XDR?

0:01 So, the question of the day, what is Microsoft Defender XDR?

0:04 Come on Bob, spill the beans already.

0:06 Well, that's what we're going to do in this nugget.

0:08 That's right, we're going to talk about XDR and exactly what it is.

0:10 Let's get started.

0:12 Alright, so, what is it?

0:14 That's the big question.

0:16 Well, let's start off with what XDR stands for.

0:18 It stands for Extended Detection and Response.

0:23 Alright, let's talk about these.

0:25 So, it's extended because it can see into all the Defender products.

0:31 All those Defender products are sending their logs and information into Defender XDR

0:37 for lots of things like detection and response.

0:42 So, that's why it's known as extended.

0:45 It's getting to see into the Microsoft ecosystem.

0:48 We're talking about things like email, or your Office products, identities, and cloud apps, and endpoints, and more.

1:01 Yes, that's right, there's more.

1:03 So, then on to detection.

1:06 So, XDR receives a large amount of security data from these endpoints and from these systems.

1:13 And it also accesses and analyzes end-user behavioral data from these products.

1:19 So, that's pretty important.

1:21 And it analyzes and correlates.

1:23 So, that's the key here.

1:25 Analyze and correlate.

1:28 Now, what does correlate really mean?

1:31 Well, it's the idea that if I'm able to see into all these different products across my network,

1:39 and my systems, and my environment, I'm going to have a lot of insight as to what exactly is going on.

1:46 Because I can see that something happened over here and it's related to what's over here.

1:51 And if I analyze it, I can find that it's also over here and something out on the World Wide Web or something.

1:58 So, it's able to analyze all this information and do correlation to figure out exactly what's going on.

2:03 It's just like, if you think about it, your day-to-day life, the way for you to make good decisions is to be informed about what's going on around you.

2:12 And at work, maybe it's helpful that you understand what different departments are doing or groups within your department,

2:19 so that you can make better decisions and see the big picture.

2:22 That's what happens here is our Defender XDR gets to see the big picture of everything that's going on.

2:30 So that it can do the analysis and correlation to figure out when an event has occurred.

2:35 At which point, we have response.

2:38 So, Defender XDR has the ability to automatically respond to an incident in near real-time and disrupt the attack.

2:45 So, near real-time responses.

2:50 And it's really looking to disrupt the attack.

2:54 Stop it in its tracks before it has time to complete and take hold.

2:59 And along with this response, it provides a lot of information along with it.

3:06 For example, if there is an attack, it's going to give you information like IPs involved, domain names involved, devices involved, identities that are involved in it.

3:18 All kinds of information that it's doing with the correlation.

3:22 So, it can show you everything that was involved in this, so that you can do follow-ups to it and understand.

3:28 Now, the other thing that's pretty cool is AI.

3:33 Yes, AI is built into it.

3:36 So, that we can use plain speak to create advanced queries and help with investigations and such.

3:43 So, we can do that.

3:45 And we're going to get into that a little later on more.

3:47 So, this is what it is in a nutshell.

3:50 Here we go.

3:51 Nutshell.

3:53 We've got Microsoft XDR here in the center.

3:55 Defender for Identity, Defender for Endpoint, IoT, Defender for Cloud, Cloud Apps, Office, and more.

4:02 Yes, this isn't everything.

4:04 It's just to give you the idea that all the Defender products are feeding information into XDR.

4:09 And XDR is able to then do the analysis, correlation, and response and create incidents that we can then investigate.

4:16 For example, we say automated response.

4:19 Well, that's generally for more of the simple attacks that occur.

4:26 When it comes to a more complex attack, when we're talking about various levels of the attack, so it's very complicated,

4:35 at that point, alerts will happen and an incident ticket is going to be created within XDR or Defender so that you can investigate.

4:48 So, just be aware of that.

4:50 And we're going to go through all that again.

4:51 Don't worry.

4:52 So, now that we see this, we can think of XDR as a single pane of glass into our Defender products in the Microsoft ecosystem.

5:04 So, here's a full list of the products, and we see there's quite a bit in here.

5:09 So, your Defender for Endpoint.

5:11 I better change colors here.

5:13 Our Defender for Office 365, Defender for Identity, Cloud Apps, Defender for Vulnerability Management, Defender for Cloud,

5:22 ID Protection, Data Loss Prevention, App Governance, and Microsoft Purview, as far as Insider Risk Management.

5:30 So, all of this stuff feeds into XDR.

5:34 That is a whole lot of information, as you can imagine.

5:38 Now, again, one of the great features is the ability of automated response.

5:44 So, this lady is pretty happy about automated responses because we don't have to wait for a SOC analyst to perform the investigation.

5:52 So, you got your analyst over here thinking, hmm, and then performing an investigation, which takes time.

5:58 And then they say, oh, we need to change this.

6:02 Okay, whatever this is.

6:04 It has to be changed.

6:05 So, we need to create a firewall rule, whatever it might be.

6:07 Well, the thing is, that person's most likely not going to be doing that.

6:11 That's going to be another team within the organization.

6:13 So, then that has to go to the other team.

6:16 Well, the thing is, then it has to be assigned to someone to do.

6:19 There might be change management practices that have to occur.

6:23 You see where I'm going.

6:25 When an automated response happens, again, it is in near real time.

6:31 Whereas, if we had something like down here, it might take an hour for that to happen.

6:36 It might take six hours for that to happen.

6:38 Who knows?

6:39 So, you see the difference here.

6:41 Pretty darn important.

6:43 All right, next up, threat intelligence.

6:45 So, Microsoft Defender XDR does use threat intelligence.

6:48 Now, the question is, what is threat intelligence?

6:52 Here we go.

6:53 Threat Intel.

6:54 Now, this comes from the Microsoft Threat Intel teams.

6:58 They have their own Intel teams that are working on this.

7:01 And that information that they derive and come up with is fed down to Defender XDR.

7:07 And some of that information is things like known malicious IP addresses,

7:12 known malicious domain names, known attack methods, malicious file hashes.

7:17 And the list goes on and on and on.

7:19 This is information.

7:20 This is Intel that is about risky events.

7:26 Okay?

7:27 And those events are where we match up with these specific data points.

7:33 So, we have known bad actors using various domains, IP addresses, methods, file hashes, all this stuff.

7:39 And so, these can be clues to kind of signal to us, hey, there's something going on here.

7:46 This known malicious activity has been seen elsewhere in a breach.

7:49 Now, we see it here.

7:51 So, we should look at this.

7:52 And that's fed down into our Defender XDR.

7:55 Now, I do want to say, I want to start this early.

7:58 I'm not going to be referring to Defender XDR by that name every time.

8:03 It's most likely just going to be Defender.

8:05 Because you'll see, once we're in there and working in the Defender portal, it's just Defender.

8:09 It doesn't say Defender XDR.

8:11 Because XDR is just what it is.

8:13 It provides you your extended detection and response.

8:18 That's kind of what it does.

8:19 Defender is still really the name for it.

8:22 So, we're going to see Defender throughout this course, of course.

8:26 So, I just wanted to give you a heads up.

8:28 So, I'm not forgetting it.

8:29 It's just for simplicity's sake.

8:31 So, what does XDR do?

8:32 XDR at work.

8:34 Well, the first thing it does is, as that security data flows into the Defender, the data is normalized.

8:43 This is normal data.

8:44 I can read it.

8:45 What's so normal about it?

8:46 Well, here's the thing.

8:47 When you have data coming in from various applications and services, it's not always the same format.

8:56 So, your fields are going to be a little bit different.

8:59 They might be the same name.

9:00 We'll say, like, timestamp.

9:02 And you might have device.

9:04 And it might be a user, UPN, or whatever it is.

9:10 They're in different formats.

9:11 They're in different fields or in different places.

9:13 And in order to make it all come together and appear like it is one set of data, that's what normalization is.

9:21 So, as that data comes in, it is formatted so that it looks like it is all in the same format.

9:29 That's the normalization of data.

9:30 It just makes it so much easier when we're dealing with it and analyzing it.

9:33 If you've ever had to do an investigation, even something small, and you have to go look at the system logs,

9:39 when it consists of more than one system that you're looking at, you have your timestamps in here.

9:44 You've got all this log information.

9:46 And over here, you have another system.

9:47 And you have to correlate between those and look at the logs to see, well, what happened here at this time and over here at this.

9:52 You don't have to do any of that or even worry about it.

9:54 It's fed in.

9:55 It's normalized.

9:56 So, it's very easy to sort through and analyze.

9:59 That's the whole idea behind normalizing the data.

10:03 Okay, after the data is normalized, well, we've got analysis.

10:06 Absolutely.

10:07 We talked about analysis and correlation.

10:09 So, that is that Defender looking at that data to identify abnormal activity or suspicious data points,

10:20 such as known malicious IP addresses, domain names, all those things, but also that abnormal activity.

10:26Because, generally, these systems will manage by exception, meaning they know what's normal.

10:32After a little while, they learn what's normal.

10:34So, when something is abnormal, that raises the flag.

10:38And then we're like, hmm, we should probably look into that.

10:41And then, lastly, Defender, once it goes through and does the analysis and correlation, it will create incidents and alerts.

10:50And it can, again, of course, do the auto response if we configure it to do so for various incidents or scenarios.

10:59But then you're also going to have those incidents, which are basically like incident tickets that are created,

11:04so that you can add notes, you do research, and you do that kind of stuff in it.

11:08And, of course, sending alerts.

11:10That's pretty important, too.

11:12And when it creates these tickets and alerts, it's providing lots of telemetry data.

11:17So, let me put over telemetry data.

11:20And we're going to talk about what that is.

11:21We actually already have briefly, but it's the idea that in this incident ticket, you're going to have information about the devices,

11:28the IPs, users, services, cloud, apps or workloads, mailboxes, all kinds of stuff.

11:40So, this is telemetry data.

11:42And, again, back when we're talking about analyzing and correlation,

11:46that correlation where Defender was finding all these little things that were tied together,

11:52well, this is all the information and much more that's going to be fed down into that telemetry data.

11:58Really give you the ability to see the big picture within that incident.

What Is Microsoft Defender XDR?

0:00All right, moving on. Great tools for SOCs. Your Security Operations Center, or SOC,

0:09is a great place for Defender. Absolutely, because if you've ever worked as a security

0:14analyst or even attempted to investigate an incident, you know that digging through all

0:18those logs on those various systems, like I mentioned, is such a pain in the rear and it

0:22takes forever and just so slow and in these days and times inadequate. Not good, right?

0:27Absolutely not. So when we introduce Defender into this, and let's say we're a Microsoft shop,

0:34hey, this makes a lot of sense. We have maybe some Azure workloads. We're using

0:42Entra ID as our identity provider. We're using the Office stack. Now, we could be doing all this.

0:50And when you're running a highly Microsoft centralized shop, man, I'll tell you what,

0:57Defender can really, really get you some great information and provide adequate defense, okay?

1:04And even their Defender for Endpoint, I remember several years ago, this is several years ago,

1:11thinking, wow, this is horrible. Well, I'll tell you what, folks, in the last few years,

1:15Defender for Endpoint has become an amazing endpoint protection platform, all right? And

1:22now I'm just not blowing smoke here. It is very good. So that's why I'm excited to see how

1:28Microsoft has taken this route. They make all these little pieces and services that are

1:33security-centered around individual services like identity, Office, cloud workloads and such,

1:40but then it feeds that data back into our Defender so that we can do the analysis and

1:47correlation instances. I mean, honestly, it's just really great seeing this done this way.

1:52I'm pretty excited about it. I love it because I did the last SC-200 course. And at that point,

1:56and that was like three years ago, about, and maybe three and a half, I could see that this

2:01was on the horizon. They were going this direction, but wasn't sure if they'd ever

2:05really fully get there. But guess what, folks, they have. It's here. And that's why this is

2:09a whole new course because of the changes they made. And it's pretty awesome. Now, guess what

2:14else comes with our Defender XDR? That's right. Absolutely. Microsoft Copilot, because I had

2:21mentioned earlier, AI was available. Well, that's because we've got our Copilot right here,

2:28integrated into Defender. So that means when you're in a hurry and you're having a hard time

2:33thinking about exact queries that you want to run for a KQL query, guess what you can do? You can

2:39just speak it. Tell Copilot, I want to look for this IP address in this timeframe, looking for

2:46these applications or services or such. And guess what? It can write those queries for you. It can

2:50help you do your investigations. So if you're not great at KQL queries, or you're just under

2:55stress and you need to get things quick and you're not thinking completely straight and

2:59trying to remember all those formats and keywords and such, Copilot is there to assist. Yes,

3:05absolutely. All right. Now, one more thing I want to talk about, and that is SIEMs versus Defender

3:11XDR. Now, if you're not familiar with a SIEM, that is a security information and

3:19event management platform. Now, a SIEM, let's talk about what this is if you're not familiar

3:25with the SIEM. Now, if you are, bear with me or just speed up a little bit. Get to where we talk

3:29about Defender XDR and how they're different. Now, a SIEM is meant to ingest large amounts of data.

3:37Now, Defender XDR can ingest large amounts as well. But when we talk about large, we're talking

3:43about terabytes. That's what I mean by large, not 100 gig, but terabytes a day. So SIEMs can do that.

3:52They're built for that. And really what they are is you can configure just about anything to send

4:00data to a SIEM. So the SIEM is to collect all of this security information from all these different

4:07products, different vendors, different types of products. So it could be logs from a switch

4:14or a firewall. But it can also collect data from applications and identity providers,

4:22different identity providers, and anything you can think of just about that creates logs,

4:26you can send them to a SIEM. And the SIEM will then do analysis on that and will say, hey,

4:32this is something you should look at. However, what SIEMs do not do as a SIEM in general. Now,

4:39if you've got like a specialized SIEM, then it might do this. But in general, SIEMs do not

4:45provide automated response. So SIEMs are an analysis and correlation, and they will provide

4:53alerting when there's something out there that it found. That's what SIEMs do. So I think I just

5:01spoiled this for you. So here we go. Ingest large amounts of data used for log management,

5:05incident management and compliance. Yes. And I do want to say this is key here,

5:09the compliance part. When you're talking about compliance, oftentimes SIEMs are required as

5:13part of compliance because they're also used for log management where you can retain logs for 90

5:19days if you need to. But for longer than that, generally, you need another solution. But of

5:24course, they're used for incident management because they get all these logs from all these

5:27systems. So you have them all in one place and you can analyze them there. And then lastly,

5:32they don't provide automated remediation. So, yeah, I just kind of put all that up there.

5:38Now, let's compare that to Defender XDR because Defender XDR, guess what? It only ingests data

5:45from pre-built connectors that Microsoft creates. So really, it's ingesting data from Microsoft

5:50services. OK, it's not going to allow you to ingest anything from anywhere like a SIEM will do

5:56just about. Also provides telemetry and activity data for analysis. We talked about that as well.

6:02So when it's doing that analysis and correlation, it's going to give you that telemetry and activity

6:06data, which is super awesome. But also, of course, we don't want to forget provides automated response

6:12which SIEMs do not do. Now, I do want to say we have something called SOAR, S-O-A-R, and that is

6:20security orchestration, automation and response. So what security orchestration means is that you

6:29can create like a playbook and orchestration of what you want to do and then automatically use it

6:33to respond to something. Yes, Defender XDR is a SOAR. Defender XDR is not a SIEM. No, it is not.

6:44So I want you to understand that. Now, we are going to talk about Microsoft Sentinel and work

6:49with that. And guess what? Sentinel is a SIEM and is also a SOAR. So it is a SOAR SIEM solution.

6:58But when you're talking about just a SIEM, I want you to understand Defender XDR is not a SIEM.

7:02It is providing analysis and correlation from your Defender and Microsoft security products

7:09and providing automated remediation. All right. So that is a big nutshell, I understand. But that's

7:15what Microsoft Defender XDR is. Next up, we're going to talk about some Microsoft Defender

7:20prerequisites. So I'll see you there shortly.

Defender XDR Prerequisites

0:00Now that we know what Microsoft Defender XDR is, it's time for us to talk about the prerequisites,

0:06because you're going to need to know what those are in order to make sure you have the right

0:09licensing and permissions to go ahead and use it, right? Absolutely. So let's get started.

0:15All right, here we go. Microsoft Defender XDR prerequisites. I will include links to

0:19a couple of sites here underneath the nugget. So we're going to focus on here's the licensing

0:24requirements here. So if I scroll on down here, we can get a little briefing of XDR. We already

0:29know what that is, but here's the licensing requirements. So as I said earlier, Microsoft 365,

0:36not Office 365, this is completely different. Microsoft 365, E5 or A5, out of the gate,

0:43give you what you need. You get all the bells and whistles and the Defender products and Defender

0:48XDR. That's wonderful. Now, if you have 365 E3, you can add on Defender Suite, okay? And that'll

0:58get you there. Or you can add on the Enterprise Mobility and Security E5 add-on. Maybe you want

1:04to go that route. Now, if you're A3, you need to add in your Microsoft 365 A5 Security add-on.

1:12All right, and then there's some more down here. I'm not going to go through every one of these

1:15and bore you out of your mind. The primary thing is you need to remember you need a Microsoft 365,

1:22E5 or A5. If you have something other than that dealing with an E3, you're going to need an

1:27add-on of some sort, all right? Just keep that in mind. And if we scroll down here, they're going

1:32to talk about checking your existing licenses. And we already went through that. We went to our

1:38Microsoft Office Admin page, went to Billing and the License to see what we had, and also assign

1:44a license to our account, make sure we had it. We're going to talk about required permissions

1:48here. You can look at that. But we're going to go through and actually look at those permissions

1:52here in just actually a couple of skills here. We're going to go through and set up a group with

1:58all the necessary permissions so that we can use principle of least privilege and not just give

2:03everybody who needs access to Defender our global admin kind of access. No, we don't do that. All

2:10right, super. So those are the licensing requirements in order to gain access into Defender.

2:18All right, what else are we going to talk about? Over here. So when we're talking about, let me

2:22scroll down here, Microsoft 365 E3 versus E5. Okay, we're going to scroll down here and look

2:29at the difference. I want to scroll on down. I'm going to go way down here because I'm looking to

2:33go down to Security and Administration, and then also our Cyber Threat Protection. So let's go

2:39ahead and scroll on down. Oh, I went a little too far. Okay, there it is, Security and Administration.

2:44So we see E5 comes with Plan 2, and this is Microsoft Entra ID Plan 2. So what's the difference

2:51between Plan 1 and Plan 2? Well, Plan 2 adds some advanced security features like AI-driven identity

2:58protection. That's pretty cool. Also, risk-based conditional access policies. Now with Plan 1, you

3:04get some conditional access policies you can create, but they're just kind of like old school

3:10firewall rules, right? They did the job, but they could be so much better. And then we had like

3:16new types of firewalls come out and different types of rule sets. Well, this is like that.

3:22It's able to understand risky events that have occurred in your environment. And if like a

3:28certain identity had risky sign-ins, it could force that user to reset their password or to

3:33re-authenticate with MFA or could lock the account. And those are the type of things you get with Plan 2,

3:38those risk-based conditional access policies. It also gives you PIM or Privileged Identity

3:44Management, which is awesome, and some automated governance features. So really, the E5 and the

3:52Entra ID Plan 2 is really great for companies who need compliance. All right, I'll just leave it at

3:57that. All right, let's scroll on down to our Cyber Threat Protection. Here we go, right here, Cyber

4:02Threat. So what do we get down here? Well, you get your AI-powered Defender for Endpoint. You have

4:08Defender for Office 365, Defender for Identity. You have AI tools with Microsoft Defender for

4:15Cloud Apps Discovery and also Defender for Cloud Apps for your SaaS application, that's your Software

4:21as a Service apps. And for IoT, you've got Microsoft Defender for IoT. You get that as well. And then

4:28as it goes down, you've got Microsoft Purview Data Loss Protection or DLP. Wow, I mean, we get a lot.

4:34You got your Microsoft Purview Information Protection. Again, pretty good stuff. And

4:40then Microsoft Purview for Insider Risk Management as well. So you get a lot. And then when it comes

4:46to compliance, you have the ability to log and search for audited activities within Microsoft

4:52Purview. So within Purview, you can create an audit, you can create parameters around that,

4:56and it's going to go out and find certain information. And you're going to be able to,

5:00you know, do a self audit and find that information to prove that you're doing certain

5:04things as far as compliance. You also get Purview eDiscovery. Now, eDiscovery goes out and looks

5:09for certain types of data. If there was some type of a breach, you would do eDiscovery looking for

5:14information related to that breach, and it would go through your environment and find that

5:18information and bring it together for you, making it fairly easy to collect the necessary information

5:23for an investigation. And then lastly, Microsoft Purview Communication Compliance, dealing with

5:30business contact violations, where you can create rules along the lines of watching communications,

5:36looking for keywords, or it could be lots of different things. But again, you get all these

5:41bells and whistles with that Microsoft 365 E5, and of course, Defender XDR, which again, we're just

5:48going to go with Defender from here on out. But I'll say XDR because it's fun. All right, so those

5:53are prerequisites for using Microsoft Defender XDR.
