
Task 01: Capture Secure Score and Exposure Baseline in Defender XDR

Security Architecture Team

  1. In Microsoft Edge, go back to your Microsoft Defender XDR portal tab, or reopen security.microsoft.com.

  2. In the leftmost pane, go to Exposure management > Secure score.

  3. Observe the overall Microsoft Secure Score and Top recommended actions.


  4. In the leftmost pane, go to Exposure management > Overview and observe the results.

  5. In the leftmost pane, go to Exposure management > Vulnerability Management > Overview.

    Observe the organization's Endpoint exposure score, which is broken down by device impact, top software vulnerabilities, misconfigurations, and exposed devices.

  6. In the leftmost pane, go to Investigation & response > Incidents & alerts > Incidents.

  7. Near the upper-right corner of the table, set the Time range filter to 1 Week.


  8. Remove any filters at the top of the table to see the EICAR_Test_File incident from the test you ran from the winvm-mde VM.


  9. In the leftmost pane, go to Investigation & response > Incidents & alerts > Alerts.

  10. Near the upper-right corner of the table, set the Time range filter to 1 Week, and remove any filters.



Security Engineering and Administration

01: Export Microsoft Secure Score & Improvement action

  1. Go to C:\LabFiles\E1.

  2. Right-click ScriptA > Run with PowerShell.

  3. Sign in with your global admin account.

  4. On the Permissions requested dialog, select Consent on behalf of your organization, then select Accept.

    ScriptA exports the Microsoft Secure Score and the Secure Score control profiles from Microsoft Graph to timestamped JSON files for offline review.

  5. Observe the files it creates in C:\LabFiles\E1:

    • SecureScore-[timestamp].json - Contains the current overall Microsoft Secure Score snapshot - total score, maximum possible score, trend history, and contributing control categories.
    • SecureScoreControls-[timestamp].json - Lists all Secure Score control profiles with detailed metadata (control ID, title, description, category, weighting, implementation status, and remediation guidance).
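The same export, written here as an added example rather than the lab's ScriptA: it pulls both Graph collections with paging, writes the two timestamped files, and ranks controls by unearned points as a first cut at the improvement-action list. The Microsoft.Graph PowerShell SDK, the SecurityEvents.Read.All scope and the output folder are assumptions.

```powershell
# Added example, not the lab's ScriptA. Assumes the Microsoft.Graph module is installed and
# the signed-in account can consent to SecurityEvents.Read.All (needed for secureScores).
param([string]$OutDir = "C:\LabFiles\E1")

Connect-MgGraph -Scopes "SecurityEvents.Read.All" -NoWelcome

# Follow @odata.nextLink so the export holds every page, not just the first one.
function Get-GraphCollection {
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

$scores   = Get-GraphCollection 'https://graph.microsoft.com/v1.0/security/secureScores'
$controls = Get-GraphCollection 'https://graph.microsoft.com/v1.0/security/secureScoreControlProfiles'

# Same two timestamped files the lab describes.
$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
ConvertTo-Json -InputObject @($scores)   -Depth 10 | Set-Content (Join-Path $OutDir "SecureScore-$stamp.json")
ConvertTo-Json -InputObject @($controls) -Depth 10 | Set-Content (Join-Path $OutDir "SecureScoreControls-$stamp.json")

# Baseline line for the report: the most recent daily snapshot.
$latest = $scores | Sort-Object createdDateTime -Descending | Select-Object -First 1
"Secure Score on {0}: {1} of {2}" -f $latest.createdDateTime, $latest.currentScore, $latest.maxScore

# Improvement actions: join each control score to its profile and rank by unearned points.
$profiles = @{}
$controls | ForEach-Object { $profiles[$_.id] = $_ }
$latest.controlScores |
    ForEach-Object {
        $p = $profiles[$_.controlName]
        if ($p) { [pscustomobject]@{ Control = $_.controlName; Title = $p.title; Gap = $p.maxScore - $_.score } }
    } |
    Sort-Object Gap -Descending | Select-Object -First 10 | Format-Table -AutoSize
```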

02: Create an app registration for future scripts

  1. Go back to C:\LabFiles\E1.

  2. Right-click CreateAppRegistration > Show more options > Edit.

  3. Go back to your Windows PowerShell ISE window and select the CreateAppRegistration.ps1 tab.


  4. On the top bar, select Run Script.


  5. If needed, reauthenticate with your global admin account.

    This creates an app registration named MDE-API-App, which later scripts will use.

  6. The bottom console pane outputs the app registration details. Fill in the following text boxes with those values.

    Item          Value
    TenantId      @lab.TextBox(tenantId)
    ClientId      @lab.TextBox(clientId)
    ClientSecret  @lab.TextBox(clientSecret)


    The values entered will be used for reference in future steps.

    The pasted values will have whitespace on either side in the text boxes; the script in the next subtask runs fine without removing it.

03: Export endpoint exposure using Defender for Endpoint API

  1. In PowerShell ISE’s bottom console pane, enter the following to change directories to the required folder:

     cd C:\LabFiles\E1


  2. In the bottom pane, enter the following to run ScriptB.ps1 with your app registration:

     .\ScriptB.ps1 -TenantId "@lab.Variable(tenantId)" -ClientId "@lab.Variable(clientId)" -ClientSecret "@lab.Variable(clientSecret)"


    This uses the values you provided from the app registration.

    ScriptB exports MDE Threat & Vulnerability Management (TVM) data (machine vulnerabilities, security recommendations, and a machines sanity sample) and can optionally bootstrap an app registration with the correct MDE permissions and regional API host discovery.

  3. Observe the files it creates in C:\LabFiles\E1\out:

    • MDE-Machines-sanity-[timestamp].json - Verifies API connectivity by returning a sample of onboarded devices from Microsoft Defender for Endpoint.
    • MDE-Recommendations-[timestamp].json - Contains Threat & Vulnerability Management (TVM) security recommendations for remediation and hardening.
    • MDE-VulnSummary-[timestamp].json - Lists device-specific vulnerabilities (CVE IDs, affected software, exposure level, remediation state).
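An added example (not the lab's ScriptB) of the app-only call pattern behind that step: it takes the MDE-API-App values, trims the pasted whitespace noted in the previous subtask, obtains a client-credentials token, and exports the three collections with paging and 429 back-off. The global API host and the output folder are assumptions; the lab's regional host discovery is not reproduced.

```powershell
# Added example, not the lab's ScriptB: the MDE-API-App values from task 02 drive the client-credentials flow.
# The secret passed on the command line ends up in the shell history; outside the lab, read it from a vault.
param(
    [Parameter(Mandatory)][string]$TenantId,
    [Parameter(Mandatory)][string]$ClientId,
    [Parameter(Mandatory)][string]$ClientSecret,
    [string]$OutDir = "C:\LabFiles\E1\out"
)
# Values pasted from the lab text boxes carry surrounding whitespace; trim before use.
$TenantId = $TenantId.Trim(); $ClientId = $ClientId.Trim(); $ClientSecret = $ClientSecret.Trim()

# App-only token for the Defender for Endpoint API (no signed-in user involved).
$tokenResp = Invoke-RestMethod -Method POST -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body @{
    grant_type = 'client_credentials'; client_id = $ClientId; client_secret = $ClientSecret
    scope      = 'https://api.securitycenter.microsoft.com/.default'
}
$headers = @{ Authorization = "Bearer $($tokenResp.access_token)" }
# ScriptB also discovers the regional host (api-us/api-eu/api-uk); the global host below is always valid.
$base = 'https://api.securitycenter.microsoft.com/api'

# Pages through @odata.nextLink and backs off on HTTP 429 instead of failing the export.
function Get-MdeCollection {
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        try { $page = Invoke-RestMethod -Method GET -Uri $Uri -Headers $headers } catch {
            if ($_.Exception.Response.StatusCode.value__ -eq 429) {
                $ra = $_.Exception.Response.Headers['Retry-After']
                Start-Sleep -Seconds $(if ($ra) { [int]$ra } else { 10 }); continue
            }
            throw
        }
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}
$exports = [ordered]@{
    'MDE-Machines-sanity' = "$base/machines?`$top=10"
    'MDE-Recommendations' = "$base/recommendations"
    'MDE-VulnSummary'     = "$base/vulnerabilities/machinesVulnerabilities"
}
$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
foreach ($name in $exports.Keys) {
    $data = Get-MdeCollection $exports[$name]
    ConvertTo-Json -InputObject @($data) -Depth 10 | Set-Content (Join-Path $OutDir "$name-$stamp.json")
    "{0}: {1} records" -f $name, @($data).Count
}
```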

SOC Analyst

  1. In Microsoft Edge, go back to your Microsoft Defender XDR portal tab, or reopen security.microsoft.com.

  2. In the leftmost pane, go to Investigation & response > Hunting > Advanced hunting.

  3. In the Query pane, enter the following KQL, then select Run query at the top:

     // Incidents by service in last 7 days
     let since = ago(7d);
     AlertInfo
     | where Timestamp >= since
     | summarize Alerts=dcount(AlertId) by ServiceSource
     | order by Alerts desc;


  4. Under the Query editor, select the Results tab.


  5. Under the tab, select Export, then select Download to CSV.

    This would be part of the package you could provide to the CISO.

  6. In the Query pane, replace the query with the following, then select Run query:

     // Endpoint exposure sample (installed vulnerable software)
     DeviceTvmSoftwareVulnerabilities
     | summarize VulnFindings=count(), AffectedDevices=dcount(DeviceId) by CveId
     | top 10 by VulnFindings desc;


    You may not see any results.
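An added example, not part of the lab, that produces the CSV package from this task without the portal: it submits the same two queries to the Graph advanced hunting API and writes one CSV per query, still emitting a header row when a query returns nothing. The Microsoft.Graph SDK, the ThreatHunting.Read.All scope and the output folder are assumptions.

```powershell
# Added example, not part of the lab. Runs the two hunting queries from this task through the
# Graph advanced hunting API and writes each result set to CSV for the CISO package.
# Assumes Microsoft.Graph is installed and the account can consent to ThreatHunting.Read.All.
param([string]$OutDir = "C:\LabFiles\E1\out")

Connect-MgGraph -Scopes "ThreatHunting.Read.All" -NoWelcome

$queries = [ordered]@{
    'IncidentsByService' = @'
AlertInfo
| where Timestamp >= ago(7d)
| summarize Alerts=dcount(AlertId) by ServiceSource
| order by Alerts desc
'@
    'TopVulnerableSoftware' = @'
DeviceTvmSoftwareVulnerabilities
| summarize VulnFindings=count(), AffectedDevices=dcount(DeviceId) by CveId
| top 10 by VulnFindings desc
'@
}

$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($name in $queries.Keys) {
    $resp = Invoke-MgGraphRequest -Method POST -OutputType PSObject `
        -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' -Body @{ Query = $queries[$name] }
    $rows = @($resp.results)
    $path = Join-Path $OutDir "$name-$stamp.csv"
    if ($rows.Count -gt 0) {
        $rows | Export-Csv -Path $path -NoTypeInformation
    } else {
        # No rows (the TVM query can be empty in a fresh lab): still emit the header from the schema.
        ($resp.schema.name -join ',') | Set-Content $path
    }
    "{0}: {1} rows -> {2}" -f $name, $rows.Count, $path
}
```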