Task 01: Measure email protection posture and executive exposure


Security Architecture Team

  1. In the leftmost pane, go to Email and Collaboration > Policies & rules.

  2. Select Threat policies.

  3. Investigate policies related to Anti-phishing, Anti-spam, and Anti-malware.

  4. In the leftmost pane, go to Reports.

  5. Under Email & collaboration, select Email & collaboration reports.

  6. Select Mailflow status summary.

  7. Near the top of the page, select the Mailflow tab.

  8. Verify the Filters at the top of the page are capturing the past week.

  9. Below the chart, select Export.

  10. In the flyout pane, select Export to download the CSV.

  11. At the top of the page, select the Email & collaboration breadcrumb link.

  12. Select Threat protection status.

    If any data is available, observe information about any threats found prior to email delivery.

  13. In the leftmost pane, go to Exposure management > Secure score.

  14. Near the top of the page, select the Recommended actions tab.

  15. In the search box in the upper-right corner of the table, enter Defender.

  16. Note the top five recommended actions sorted by Score impact in descending order.

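The anti-phishing policy review in step 3 can also be scripted. The PowerShell below is an added example, not part of the original lab: the function name Test-AntiPhishPosture, the $MinThreshold default and the sample policy objects are assumptions constructed for illustration, while the property names are those returned by Get-AntiPhishPolicy in the ExchangeOnlineManagement module.

```powershell
# Added example (not from the lab): flag anti-phishing policies that leave
# executives without impersonation protection. Property names match the
# objects returned by Get-AntiPhishPolicy (ExchangeOnlineManagement module).
function Test-AntiPhishPosture {
    param(
        [Parameter(Mandatory)] [object[]] $Policy,
        # Assumption: lowest acceptable PhishThresholdLevel
        # (1 = Standard, 2 = Aggressive, 3 = More aggressive, 4 = Most aggressive)
        [int] $MinThreshold = 2
    )
    foreach ($p in $Policy) {
        $gaps = @()
        if (-not $p.Enabled) { $gaps += 'policy disabled' }
        if (-not $p.EnableSpoofIntelligence) { $gaps += 'spoof intelligence off' }
        if (-not $p.EnableMailboxIntelligenceProtection) { $gaps += 'mailbox intelligence protection off' }
        if (-not $p.EnableTargetedUserProtection) {
            $gaps += 'user impersonation protection off'
        } elseif (-not $p.TargetedUsersToProtect) {
            # Protection is on but no executive mailboxes are listed
            $gaps += 'no protected users listed'
        }
        if ($p.PhishThresholdLevel -lt $MinThreshold) {
            $gaps += "threshold $($p.PhishThresholdLevel) below $MinThreshold"
        }
        [pscustomobject]@{
            Policy = $p.Name
            Pass   = ($gaps.Count -eq 0)
            Gaps   = $gaps -join '; '
        }
    }
}

# Constructed sample objects so the check runs without a tenant connection.
$sample = @(
    [pscustomobject]@{
        Name = 'Default (constructed)'; Enabled = $true; EnableSpoofIntelligence = $true
        EnableMailboxIntelligenceProtection = $false; EnableTargetedUserProtection = $false
        TargetedUsersToProtect = @(); PhishThresholdLevel = 1
    }
    [pscustomobject]@{
        Name = 'Executives (constructed)'; Enabled = $true; EnableSpoofIntelligence = $true
        EnableMailboxIntelligenceProtection = $true; EnableTargetedUserProtection = $true
        TargetedUsersToProtect = @('Lab User One;user1@example.com'); PhishThresholdLevel = 3
    }
)
Test-AntiPhishPosture -Policy $sample | Format-Table -AutoSize

# Against a tenant, after Connect-ExchangeOnline:
# Test-AntiPhishPosture -Policy (Get-AntiPhishPolicy)
```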

Security Engineering and Administration

  1. In Microsoft Edge, go back to your Microsoft Defender XDR portal tab, or reopen security.microsoft.com.

  2. In the leftmost pane, select Email & collaboration > Attack simulation training.

  3. Select Launch a simulation.

  4. In the wizard, select Malware Attachment, then select Next.

  5. For Simulation Name, enter Test Malware Simulation, then select Next.

  6. On the Select payload and login page step, search for and select DocuSign Shared Document, then select Next.

  7. On the Target users step, select Add users.

  8. Enter and select user1@@lab.Variable(userDomain) for the Lab User One account.

    The user must be licensed to appear on the list.

  9. At the bottom of the flyout pane, select Add 1 User(s).

  10. Back on the Target users step, select Next.

  11. On Exclude users, select Next.

  12. On Assign training, select Next.

  13. On Phish Landing Page, select Microsoft Landing Page Template 1, then select Next.

  14. Select Microsoft default notification (recommended).

  15. Under the Delivery preference dropdown menu, select the following:

    • Deliver after simulation ends
    • Weekly

  16. Select Next until you reach the Review simulation step.

  17. Select Send a test, select Confirm in the dialog, then select Close.

  18. Back on the Review simulation step, select Submit, then select Done.


SOC Analyst

  1. In Microsoft Edge, go back to your Microsoft Defender XDR portal tab, or reopen security.microsoft.com.

  2. In the leftmost pane, go to Investigation & response > Incidents & alerts > Incidents.

  3. Select the Administrative action submitted by… incident.

  4. Review the Attack story tab and impacted entities.

  5. Near the top of the page, select the Evidence and Response tab, and make note of the First seen value for reporting.