- Defender for Identity entity tags in Microsoft 365 Defender
  https://docs.microsoft.com/en-us/defender-for-identity/manage-sensitive-honeytoken-accounts
- Using role-based access control (RBAC)
  https://docs.microsoft.com/en-us/learn/modules/deploy-microsoft-defender-for-endpoints-environment/4-manage-access
- Manage portal access using role-based access control
  https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/rbac?view=o365-worldwide
- Safe Attachments policies in Microsoft Defender for Office 365
  Remember: Dynamic Delivery delivers messages immediately and replaces attachments with placeholders while scanning completes.
  https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments?view=o365-worldwide
- Hunt for threats across devices, emails, apps, and identities & hunting scenarios
  https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
- Create indicators for files
  https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-file?view=o365-worldwide
- Microsoft Purview Information Protection integration
  https://docs.microsoft.com/en-us/cloud-app-security/tutorial-dlp
  https://docs.microsoft.com/en-us/cloud-app-security/azip-integration (Integrate Microsoft Purview Information Protection with Defender for Cloud Apps)
- Get behavioural analytics and anomaly detection
  https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- Using the location condition in a Conditional Access policy
  https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
- Working with IP ranges and tags
  https://docs.microsoft.com/en-us/defender-cloud-apps/ip-tags
- Zero-hour auto purge (ZAP) in Exchange Online (“zero-hour auto purge (ZAP) is an email protection feature that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes.”)
  https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge?view=o365-worldwide
- Attack surface reduction capabilities
  https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide
- Azure Active Directory monitoring
  https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/overview-monitoring
- Permissions in Microsoft Defender for Cloud
  https://docs.microsoft.com/en-us/azure/defender-for-cloud/permissions
- Microsoft Defender for Endpoint: endpoint detection and response / take response actions on a device
  https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide
- Manage and respond to security alerts in Microsoft Defender for Cloud
  https://docs.microsoft.com/en-us/azure/security-center/security-center-managing-and-responding-alerts
- Respond to Microsoft Defender for Key Vault alerts
  https://docs.microsoft.com/en-us/azure/security-center/defender-for-key-vault-usage
- Create a logic app and define when it should automatically run
  https://docs.microsoft.com/en-us/azure/security-center/workflow-automation#create-a-logic-app-and-define-when-it-should-automatically-run
- Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud
  https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection
- Configure email notifications for security alerts
  https://docs.microsoft.com/en-us/azure/defender-for-cloud/configure-email-notifications
- Malicious Software Removal Tool
  https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx
- Microsoft’s Autoruns utility: try to identify unknown applications that are configured to run at login
  https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
- Process Explorer: try to identify unknown running processes
  https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
- Extend Microsoft Sentinel across workspaces and tenants
  https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants
- Use playbooks with automation rules in Microsoft Sentinel
  https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook
- Microsoft Sentinel roles, permissions, and allowed actions

  | Role | Create and run playbooks | Create and edit analytics rules, workbooks, and other Microsoft Sentinel resources | Manage incidents (dismiss, assign, etc.) | View data, incidents, workbooks, and other Microsoft Sentinel resources |
  |---|---|---|---|---|
  | Microsoft Sentinel Reader | — | —* | — | ✓ |
  | Microsoft Sentinel Responder | — | —* | ✓ | ✓ |
  | Microsoft Sentinel Contributor | — | ✓ | ✓ | ✓ |
  | Microsoft Sentinel Contributor + Logic App Contributor | ✓ | ✓ | ✓ | ✓ |

  https://docs.microsoft.com/en-us/azure/sentinel/roles
- Connect your AWS account to Microsoft Defender for Cloud
  https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings
- Use notebooks with Microsoft Sentinel for security hunting
  https://docs.microsoft.com/en-us/azure/sentinel/notebooks
- Create anomaly detection policies in Defender for Cloud Apps
  https://docs.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy