
Exercise 01: Establish a Prevention Baseline & Executive Visibility across MDO, MDE, MDI, MDA

Exercise learning objectives

  • Capture current-state baselines (Secure Score, Exposure/Recommendations, email and endpoint posture, identity posture, cloud-app risk).
  • Define a minimum viable prevention baseline (Safe Links/Attachments, anti-phish, ASR rules, EDR in block, MDI sensors, app discovery and controls).
  • Assign owners, SLAs, and measurable targets that answer, “How would we have prevented this?”

Estimated time: 90 minutes


CISO Overview - Scenario and goals

Zava Oil & Resources is expanding rapidly but has uneven coverage across email, endpoints, identities, and cloud apps. You need to create a single, defensible prevention baseline that can be deployed this week, along with executive visibility that proves risk reduction (Secure Score up, exposure down, MTTR down).

The CISO has asked:

  • The Architecture Team to define the minimum standard.
  • Engineering to implement and tune controls.
  • The SOC to validate signal quality and visualize blast radius in Defender XDR.

Expected outcomes

  1. A snapshot baseline (Secure Score, exposure, sensor/device coverage).
  2. Minimum controls enforced (email, endpoint, identity, cloud apps) within a pilot scope.
  3. A short executive deck/export proving coverage and measurable deltas tracked weekly.

This workshop showcases the actions of three different departments. You will see their actions in this order:

  • Architecture team
  • Engineering team
  • SOC team
