Skip to main content Link Menu Expand (external link) Document Search Copy Copied
TechWorkshop L300 XDR SOC Operations

Task 01: Verify prerequisites and enable Automatic Attack Disruption for a pilot group

Security Architecture Team

01: Pilot scope

  1. Define pilot scope: 1 Windows devices (MDE onboarded), 1-2 test users.

  2. Guardrails: Device isolation and user containment are allowed.

  3. Record success metrics: MTTR, number of auto-containments, and Secure Score deltas.

02: Capture baselines

  1. Take screenshots of the Secure score and Incidents page.

  2. Take screenshots of Identity and Endpoints dashboards.

Security Engineering and Administration

Turn on required Defender for Endpoint features.

  1. In the Defender XDR portal’s leftmost pane, go to System > Settings.

  2. Select Endpoints.

  3. Ensure the following are both On:

    • Enable EDR in block mode
    • Automatically resolve alerts

    klvqgwms.jpg

    Select Save preferences, if you made a change.

    Enable EDR in block mode is required for richer containment/remediation behavior.

SOC Analyst

  1. In the Defender XDR portal’s leftmost pane, go to Assets > Devices.

  2. Confirm winvm-mde has the following set:

    Item Value
    Onboarding status Onboarded
    Sensor health state Active

    9ao57k24.jpg

    The columns are likely off-screen to the right.