Skip to main content Link Menu Expand (external link) Document Search Copy Copied
TechWorkshop L300 XDR SOC Operations

Task 04: Check recommendations and Secure Score, run quick KQL validation, and log outcomes

Security Architecture Team

  1. Go back to your Defender XDR portal tab.

  2. In the leftmost pane, go to Exposure management > Secure score.

  3. Note the overall Secure score.

  4. Near the top of the page, select and review the History tab.

  5. Near the top of the page, select the Recommended actions tab.

  6. In the upper-right corner of the table, select Filter.

    tipq7ziw.jpg

  7. In the flyout pane, under the Product section, select Defender for Endpoint, then select Apply.

  8. Note the Status column.

Security Engineering and Administration

  1. Refresh the winvm-mde device page.

  2. At this point, you would check whether Exposure level/Security recommendations have improved.

  3. You should keep a record of ASR events moving from Audit to Block post-promotion based on the PowerShell output.

SOC Analyst

  1. In the leftmost pane, go to Investigation & response > Hunting > Advanced hunting.

  2. Run the following KQL for a blast-radius sanity check:

     DeviceTvmSecureConfigurationAssessment
 | join kind=inner (DeviceInfo | project DeviceId, OSPlatform, DeviceName) on DeviceId
 | where ConfigurationSubcategory has_any ("Defender", "Endpoint", "Attack Surface Reduction", "Antivirus")
 | summarize AffectedDevices = dcount(DeviceName) by ConfigurationSubcategory
 | top 20 by AffectedDevices desc

    apez9z4e.jpg