📄️ Provision Security Copilot Units (SCUs)
Implementation Effort: Medium — Provisioning SCUs requires IT and Security Operations teams to configure and manage capacity through Azure or the Security Copilot portal.
📄️ Manage and Monitor Usage of Security Compute Units (SCUs)
Implementation Effort: Medium — Administrators only need to perform targeted actions in the Security Copilot or Azure portal to view usage or adjust capacity.
📄️ Manage Plugins in Microsoft Security Copilot
Implementation Effort: Medium — Admins must configure, approve, and govern plugin access, which requires a defined project effort.
📄️ Threat Hunting Agent (Microsoft Defender)
Implementation Effort: Medium – This requires IT and Security Operations teams to configure access and incorporate the Threat Hunting Agent into existing Defender XDR hunting workflows, which is a project rather than a long‑term operational program.
📄️ Defender Threat Intelligence Agent
Implementation Effort: Medium — IT and Security Operations teams must enable and integrate Microsoft Defender for Endpoint and Defender External Attack Surface Management so the agent has the required telemetry to operate effectively.
📄️ View Incident Summaries and Use Guided Response to Remediate
Implementation Effort: Low — Security administrators only need to perform targeted actions in Microsoft Defender XDR to view AI‑generated summaries and guided remediation steps.
📄️ Analyze Potentially Malicious Files, Scripts, and Code with Microsoft Security Copilot
Implementation Effort: Low — Security teams only need to enable and use built‑in Security Copilot capabilities, requiring targeted actions rather than ongoing programs.
📄️ Review and Understand Details About Identities and Devices Using Microsoft Security Copilot
Implementation Effort: Low — Only targeted actions by administrators are required; there is no large deployment project.
📄️ Enable Microsoft Defender for Cloud Apps
Implementation Effort: Low
📄️ Identity and Device Pillars of the Zero Trust Workshop
Identity Pillar
📄️ Discover Cloud Apps
Implementation Effort: Medium – Requires integration with network infrastructure (e.g., firewalls, proxies, Defender for Endpoint) and setup of log collection or API automation.
📄️ Enable App Governance
Implementation Effort: Low
📄️ Create File Policies with Microsoft Defender for Cloud Apps
Implementation Effort: Medium
📄️ Connect Apps to Microsoft Defender for Cloud Apps
Implementation Effort: High
📄️ Regulate apps with priority account consent
Implementation Effort: Customer IT and Security Operations teams need to drive projects to set up and customize app governance policies based on organizational needs.
📄️ View the Cloud Discovery dashboard to see what apps are being used in your organization
Implementation Effort: Customer IT and Security Operations teams need to drive projects to set up and configure the Cloud Discovery dashboard and manage ongoing monitoring and filtering of apps.
📄️ Create access policies - Microsoft Defender for Cloud Apps
Implementation Effort: Creating access policies involves configuring multiple prerequisites, including licenses, onboarding apps, and setting up Conditional Access policies, which require ongoing management and monitoring.
📄️ Govern discovered apps - Microsoft Defender for Cloud Apps
Implementation Effort: Customer IT and Security Operations teams need to drive projects to review, sanction, and unsanction apps, and potentially integrate with existing security appliances.
📄️ Get insights on and regulate access to sensitive content with app governance - Microsoft Defender for Cloud Apps
Implementation Effort: This effort score was chosen because customer IT and Security Operations teams need to drive projects to customize policies and monitor app activities.
📄️ Block download of sensitive information with conditional access app control
Implementation Effort: Customer IT and Security Operations teams need to implement programs that require ongoing time or resource commitment. This involves setting up and managing policies in Microsoft Defender for Cloud Apps and ensuring continuous monitoring and adjustments.
📄️ Conditional Access app control - Microsoft Defender for Cloud Apps
Implementation Effort: Configuring Conditional Access app control requires setting up access and session policies, which involves project-level work by IT teams.
📄️ Create Defender for Cloud Apps anomaly detection policies
Implementation Effort: Customer IT and Security Operations teams need to drive projects to configure and manage the anomaly detection policies effectively.
📄️ Microsoft Defender for Cloud Apps - Microsoft Entra ID Protection integration and reporting
Implementation Effort: Implementing visibility and control over cloud apps requires ongoing monitoring, configuration, and management by IT and Security Operations teams.
📄️ Require step-up authentication (authentication context) upon risky action
Implementation Effort: This effort score is chosen because it involves creating and managing Conditional Access policies and session policies, which require ongoing time and resource commitment from IT and Security Operations teams.
📄️ App Discovery Policy in Microsoft Defender for Cloud Apps
Implementation Effort: Medium
📄️ Create policies to control OAuth apps - Microsoft Defender for Cloud Apps
Implementation Effort: Creating an OAuth app policy involves configuring settings and permissions within the Microsoft Defender portal, which requires project-level effort from IT teams.
📄️ Create session policies - Microsoft Defender for Cloud Apps
Implementation Effort: Creating session policies requires configuring multiple settings and ensuring prerequisites are met, which involves project-level effort.
📄️ Integrate Microsoft Defender for Endpoint - Microsoft Defender for Cloud Apps
Implementation Effort: Customer IT and Security Operations teams need to drive projects to integrate and configure the systems.
📄️ Deploy the Defender for Cloud Apps Log Collector on Your Firewalls and Other Proxies
Implementation Effort: Medium – This deployment requires IT teams to configure network devices (firewalls, proxies) and set up a log collector server, which involves coordination and testing.
📄️ SaaS Security Initiative - Microsoft Defender for Cloud Apps
Implementation Effort: Customer IT and Security Operations teams need to drive projects to connect applications to Microsoft Defender for Cloud Apps and manage security recommendations.
📄️ Create a Custom Activity Policy to Get Alerts About Suspicious Usage Patterns
Implementation Effort: Low
📄️ Review Microsoft Defender for Cloud Apps Incidents for Suspicious Activity
Implementation Effort: Low — This is a targeted administrative task focused on reviewing and investigating alerts in the Defender for Cloud Apps portal, with no broader program or deployment required.
📄️ Review Conditional Access App Control Alerts Along With the Activity Log (Daily)
Implementation Effort: Low — This is a targeted daily task for administrators to review alerts and activity logs, requiring no major deployment effort.
📄️ Review the App Governance Overview Page and Create or Adjust App Governance Policies (Daily)
Implementation Effort: Low — This is a targeted daily action where administrators review insights and adjust app governance policies as needed.
📄️ Review Cloud App Policies and Make Any Necessary Updates (Monthly)
Implementation Effort: Low — This is a recurring administrative task where IT/SecOps reviews existing cloud app policies and adjusts them as needed.
📄️ Prepare to deploy Microsoft Defender for Endpoint
Implementation Effort: Medium – This deployment requires IT and Security Operations teams to coordinate licensing, tenant setup, network configuration, and onboarding tools, but it does not require ongoing programmatic changes.
📄️ Assign Roles and Permissions for Microsoft Defender for Endpoint
Implementation Effort: Low – This requires IT and Security Operations teams to plan and configure role-based access control (RBAC) or Unified RBAC (URBAC), including defining roles, mapping them to Microsoft Entra groups, and managing access reviews.
📄️ Identify your architecture and select a deployment method for Defender for Endpoint
Implementation Effort: Medium
📄️ Onboard Devices to Microsoft Defender for Endpoint
Implementation Effort: Medium – This task requires IT teams to plan and execute onboarding across multiple device types and platforms using tools like Microsoft Intune, Group Policy, or local scripts.
📄️ Set up Device Discovery in Microsoft Defender for Endpoint
Implementation Effort: Low – Setup involves enabling a feature and selecting discovery mode in the Microsoft Defender portal, with minimal ongoing maintenance.
📄️ Set Microsoft Defender Antivirus to Active Mode
Implementation Effort: Medium – This requires IT or Security Operations teams to configure Group Policy, Microsoft Intune, or other management tools to enforce Defender Antivirus as the primary AV solution.
📄️ Configure Behavioral, Heuristic, and Real-Time Protection
Implementation Effort: Medium
📄️ Enable EDR in Block Mode
Implementation Effort: Medium – While the feature is enabled through a simple configuration, it often requires coordination with security teams to validate compatibility with existing antivirus solutions and ensure proper monitoring is in place.
📄️ Enable Cloud Protection
Implementation Effort: Low – This is a straightforward configuration that can be deployed quickly using Group Policy, Intune, or other endpoint management tools.
📄️ Turn on Tamper Protection
Implementation Effort: Low – Turning on tamper protection is a targeted action that can be done via the Microsoft Defender portal, Intune, or directly on individual devices.
📄️ Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface
Implementation Effort: This feature can be enabled through targeted configuration changes using Group Policy or Intune, without requiring a broader program or ongoing resource commitment.
📄️ Prevent users from locally modifying Microsoft Defender Antivirus policy settings
Implementation Effort: Low
📄️ Enable Attack Surface Reduction Rules
Implementation Effort: High
📄️ Enable Application Control
Implementation Effort: Requires ongoing management and monitoring by IT and Security Operations teams to ensure policies are correctly enforced and updated.
📄️ Device control in Microsoft Defender for Endpoint
Implementation Effort: Customer IT and Security Operations teams need to drive projects to configure and manage device control policies using tools like Intune.
📄️ Turn on network protection
Implementation Effort: Enabling network protection requires configuring endpoint security policies and potentially updating the Microsoft Defender anti-malware platform, which involves ongoing management and resource commitment.
📄️ Enable Web Protection in Microsoft Defender for Endpoint
Implementation Effort: Customer IT and Security Operations teams need to drive projects to configure and maintain web protection settings.
📄️ Enable exploit protection
Implementation Effort: Implementing exploit protection requires setting up monitoring for application crashes and hangs, enabling full user-mode dump collection, and ensuring compatibility with existing applications. This involves ongoing resource commitment and careful deployment practices to avoid productivity outages.
📄️ Review and Classify Your Critical Device Assets with Microsoft Security Exposure Management
Implementation Effort: Medium – Customer IT and Security Operations teams need to drive projects to classify and manage critical device assets.
📄️ Review & Action Auto Investigation & Remediation Recommendations (Defender for Endpoint)
Implementation Effort: Medium – IT and SecOps teams must configure automation levels and establish workflows to review and approve remediation actions based on automated investigations.
📄️ Enable controlled folder access
Implementation Effort: Customer IT and Security Operations teams need to drive projects to configure and deploy controlled folder access using various methods.
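Several of the Defender for Endpoint entries above (active mode, real-time and behavioral protection, cloud protection, tamper protection, attack surface reduction rules, network protection, controlled folder access) are settings that are pushed through Intune or Group Policy and then need to be verified on the endpoint. The following read-only posture check is an added example written for this page; it is not code from the linked Microsoft documentation. It assumes an elevated PowerShell session on an onboarded Windows device where the built-in Defender module (Get-MpComputerStatus, Get-MpPreference) is available, and it deliberately checks ASR rules only by count rather than by rule ID, since the rule IDs are not listed on this page.

```powershell
# Added example (not from the linked Microsoft docs): read-only posture check for the
# Defender Antivirus / Defender for Endpoint settings covered by the entries above.
# Assumption: elevated PowerShell on an onboarded Windows device with the Defender module present.

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Count ASR rules configured in Block mode (action value 1 = Block, 2 = Audit, 6 = Warn).
# Rule GUIDs are intentionally not hard-coded here; map them from the ASR rules reference.
$asrBlock = 0
if ($pref.AttackSurfaceReductionRules_Actions) {
    $asrBlock = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count
}

# Each entry: human-readable check name -> boolean result.
$checks = [ordered]@{
    'AV in active mode (not passive / EDR block mode)' = ($status.AMRunningMode -eq 'Normal')
    'Real-time protection enabled'                     = $status.RealTimeProtectionEnabled
    'Behavior monitoring enabled'                      = $status.BehaviorMonitorEnabled
    'Cloud-delivered protection (MAPS) at Advanced'    = ($pref.MAPSReporting -eq 2)        # 0 off, 1 basic, 2 advanced
    'Sample submission not set to NeverSend'           = ($pref.SubmitSamplesConsent -ne 2) # 2 = never send
    'Tamper protection enabled'                        = $status.IsTamperProtected
    'Network protection in Block mode'                 = ($pref.EnableNetworkProtection -eq 1)      # 0 off, 1 block, 2 audit
    'Controlled folder access in Block mode'           = ($pref.EnableControlledFolderAccess -eq 1) # 0 off, 1 block, 2 audit
    'At least one ASR rule in Block mode'              = ($asrBlock -gt 0)
}

$failed = 0
foreach ($name in $checks.Keys) {
    $ok = [bool]$checks[$name]
    if (-not $ok) { $failed++ }
    '{0,-50} {1}' -f $name, $(if ($ok) { 'PASS' } else { 'FAIL' })
}

"`n$failed check(s) failed on $($env:COMPUTERNAME)"
# Non-zero exit code lets a remediation script or RMM job treat any FAIL as actionable.
exit $failed
```

Audit-mode values (2) are reported as FAIL on purpose: audit mode is the right place to start a rollout, but it blocks nothing, so a device still in audit after the pilot should show up in this check. A device in "Passive Mode" or "EDR Block Mode" will also fail the first check, which is correct if a third-party antivirus is still the primary engine but should be expected on devices where EDR in block mode was enabled intentionally.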
📄️ Investigate Incident Details & Remediate as Necessary (Daily)
Implementation Effort: Medium — Security operations teams must perform daily review and triage of incidents, which requires ongoing analyst time but no major implementation projects.
📄️ Prioritize vulnerability remediation with attack paths
Implementation Effort: Customer IT and Security Operations teams need to drive projects to integrate and analyze data sources for attack path visualization.
📄️ Prioritize Actions to Improve Your Endpoint Security Posture Based on Risk and Impact
Implementation Effort: Medium — Security and IT teams must drive ongoing review and improvement projects using prioritized recommendations from Defender for Endpoint and Microsoft Security Exposure Management, but these do not require broad operational restructuring.
📄️ Review the Device Health Report to Ensure All Devices Are Fully Protected; Update Devices That Are Out of Compliance (Daily)
Implementation Effort: Low — This is a targeted daily action where IT/SecOps reviews existing reports without needing long-term programs.
📄️ Review Threat Analytics Daily
Implementation Effort: Low — This is a targeted daily action performed by security teams using built‑in dashboards and requires no long-term implementation effort.
📄️ Lay the Groundwork for Microsoft Defender for Identity
Implementation Effort: Medium — While the deployment requires planning and coordination across teams, it follows a well-documented process and can be phased in gradually.
📄️ Install Microsoft Defender for Identity (MDI) Sensors on All Domain Controllers
Implementation Effort: High
📄️ Configure sensors for AD FS, AD CS, and Microsoft Entra Connect
Implementation Effort: Installing and configuring sensors across multiple services (AD FS, AD CS, Microsoft Entra Connect) requires significant planning, coordination, and ongoing management by IT and Security Operations teams.
📄️ Security Assessment: Ensure privileged accounts are not delegated
Implementation Effort: Customer IT and Security Operations teams need to drive projects to review and configure privileged accounts.