Threat Protection Workshop
Delivery Guide v3.0 – July 2021
Table of Contents
1. Introduction ... 2
  1.1 Document purpose ... 2
  1.2 Audience ... 2
2. Engagement modules ... 3
  2.1 Threat Check ... 3
  2.2 Endpoint Protection [Optional Module] ... 3
  2.3 Hybrid Identity Protection [Optional Module] ... 4
  2.4 Customer Conversations ... 5
  2.5 Microsoft Security Demos ... 5
3. Engagement phases ... 6
  3.1 Pre-engagement ... 7
  3.2 Readiness (Optional) ... 8
  3.3 Engagement Setup ... 8
  3.4 Data Collection ... 9
  3.5 Exploration and Report Generation ... 10
  3.6 Workshop Day ... 11
  3.7 Engagement Decommissioning ... 11
4. Engagement objectives ... 13
  4.1 Endpoint Protection [Optional Module] ... 13
  4.2 Hybrid Identity Protection [Optional Module] ... 13
5. Engagement effort ... 15
  5.1 Endpoint Protection [Optional Module] ... 16
  5.2 Hybrid Identity Protection [Optional Module] ... 17
6. Engagement scope ... 19
  In scope ... 19
  Out-of-scope ... 19
  6.1 Endpoint Protection [Optional Module] ... 19
    In scope ... 19
    Out-of-scope ... 20
  6.2 Hybrid Identity Protection [Optional Module] ... 20
    In scope ... 20
    Out-of-scope ... 21
7. Customer requirements ... 22
8. Recommended resources ... 23
  8.1 Recommended customer resources ... 23
  8.2 Recommended delivery resources ... 23
9. Pre-engagement ... 25
  9.1 Pre-engagement Call ... 25
  9.2 Prepare and send Threat Protection Workshop Questionnaire ... 33
  9.3 Fill in and send back the Threat Protection Workshop Questionnaire ... 35
  9.4 Review Threat Protection Workshop Questionnaire ... 37
10. Readiness – Optional ... 39
  10.1 Microsoft Defender for Endpoint - Overview ... 39
  10.2 Microsoft Defender for Identity - Overview ... 41
11. Engagement Setup ... 43
  11.1 Kick-off Meeting ... 43
  11.2 Define scope ... 46
  11.3 Change Management (optional) ... 51
  11.4 Threat Check - Configuration ... 53
  11.5 Endpoint Protection - Configuration [Optional module] ... 61
  11.6 Hybrid Identity Protection - Configuration [Optional module] ... 69
  11.7 Hybrid Identity Protection - Complete Sensor Deployment [Optional module] ... 79
12. Data Collection ... 83
  12.1 Cloud Discovery Log Collection ... 83
13. Exploration and Report Generation ... 85
  13.1 Threat Check - Exploration ... 85
  13.2 Endpoint Protection - Exploration [Optional Module] ... 98
  13.3 Hybrid Identity Protection - Exploration [Optional Module] ... 102
  13.4 Threat Check - Report Generation ... 106
  13.5 Endpoint Protection - Report Generation [Optional Module] ... 108
  13.6 Hybrid Identity Protection - Report Generation [Optional Module] ... 110
14. Workshop Day ... 112
  14.1 Threat Results Presentation ... 112
  14.2 Customer Conversations ... 114
  14.3 Customer Cost Savings Conversation [Optional Module] ... 116
  14.4 Microsoft Security Demos ... 119
  14.5 Next Steps Discussion ... 122
15. Engagement Decommissioning ... 124
Appendix A - Readiness and Technical Content ... 129
Appendix B - Threat Protection Workshop toolkit ... 132
Appendix C - Action Required Email Template ... 133
Version history

Version | Changes | Date
2.0 | Initial Release | July 2020
2.1 | Updated Microsoft Defender product names and added the Endpoint Protection optional module. Added the Customer Cost Savings optional module. | October 2020
2.2 | Fixed various typos. | February 2021
2.3 | Added Hybrid Identity Protection optional module. | April 2021
3.0 | Name changed to Threat Protection Workshop. | July 2021

Disclaimer
© 2021 Microsoft Corporation. All rights reserved. This document is provided "as-is."
Information and views expressed in this document, including URL and other Internet Web site
references, may change without notice.

This document does not provide you with any legal rights to any intellectual property in any
Microsoft product. Microsoft customers and partners may copy, use, and share these materials
for planning, deployment, and operation of Microsoft products.

We look forward to your feedback!


Thank you for your continued trust and partnership. The resources within this
toolkit will be iteratively improved upon based on product releases as well as
direct feedback from delivered engagements. We encourage you to provide
feedback to help us improve our products and toolkits. Please use the
feedback process available through this web site:
http://aka.ms/SecurityWorkshop/Feedback

1. Introduction
This document contains the delivery guidance needed to successfully deliver the Microsoft
Threat Protection Workshop.

The Microsoft Threat Protection Workshop is an engagement that helps customers assess their
security landscape and address their most pressing security goals and challenges and provides
an immersive experience that brings the Microsoft security vision and capabilities to life.

As part of the workshop, customers will:

• Receive a documented security strategy for their teams and stakeholders.
• Better understand, prioritize, and mitigate potential threats.
• Work together with the delivery resource to define a list of next steps based on their
needs, objectives, and results from the Threat Protection Workshop.
• Learn how they can accelerate their security journey together with Microsoft.

1.1 Document purpose


This delivery guide describes a multi-step engagement that Microsoft or a Microsoft partner can
offer to a customer to help them get an understanding of the Microsoft security story as well as
insights on active threats across on-premises and cloud workloads. For each step, this guide
provides execution guidance and tips and discusses resources and deliverables. Overall, the
focus is on a successful engagement and valuable outcome.

1.2 Audience
This document is primarily intended to be used by Microsoft field or Microsoft partners with a
Security Competency as guidance on how to deliver the Threat Protection Workshop.

2. Engagement modules
The Threat Protection Workshop consists of modules which can be standalone or can be
delivered through activities in multiple phases of the engagement.

The Threat Protection Workshop also has common activities that cover certain general aspects.
These are:

• Pre-engagement Call
• Prepare and send Threat Protection Workshop Questionnaire
• Kick-off Meeting
• Define Scope
• Next Steps Discussion

2.1 Threat Check


Threat Check is a module of the Threat Protection Workshop, with activities delivered in multiple
phases of the engagement. Selected Microsoft 365 security products and features are used to
gain visibility into threats to a customer’s Microsoft 365 cloud environment across email,
identity, and data in order to better understand, prioritize, and mitigate potential vectors of
cyberattacks against the customer’s organization.

After the Threat Check configuration is done in the Engagement Setup phase, data about threats
are collected in the Data Collection phase over a period of two to three weeks. Then, in the
Threat Exploration and Report Generation phase, threats that were found in the Threat Check
are explored (analyzed) and a report of them is prepared. Findings and recommendations from
the Threat Check are then presented during the Workshop Day phase. Finally, all the
configuration changes are decommissioned in the Engagement Decommissioning phase.

2.2 Endpoint Protection [Optional Module]


The Endpoint Protection optional module of the Threat Protection Workshop uses Microsoft
Defender for Endpoint to discover threats and security vulnerabilities affecting Windows 10
devices. Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat
Protection) is an enterprise endpoint security platform designed to help enterprise networks
prevent, detect, investigate, and respond to advanced threats.

NOTE:
The Threat Protection Workshop can be delivered with or without the Endpoint Protection optional
module.

Endpoint Protection is an optional module of the Threat Protection Workshop, with activities
delivered in multiple phases of the engagement. It leverages Microsoft Defender for Endpoint to
help organizations gain insights on active threats and weaknesses related to their Windows 10
endpoints.

At the end of the Threat Protection Workshop engagement with the Endpoint Protection
optional module, the customer will:

• Better understand the features and benefits of Microsoft Defender for Endpoint.
• Better understand how to prioritize and mitigate potential threats found during the
engagement.
• Better understand existing endpoint weaknesses and what can be done to harden the
endpoint surface area.
• Have defined next steps based on their needs and objectives.

2.3 Hybrid Identity Protection [Optional Module]


The Hybrid Identity Protection optional module of the Threat Protection Workshop uses
Microsoft Defender for Identity to discover threats and security vulnerabilities related to Active
Directory. Microsoft Defender for Identity (formerly Azure Advanced Threat Protection) is a
cloud-based security solution that leverages Active Directory signals to identify, detect, and
investigate advanced threats, compromised identities, and malicious insider actions directed at
your organization.

NOTE:
The Threat Protection Workshop can be delivered with or without the Hybrid Identity Protection
optional module.

Hybrid Identity Protection optional module activities are delivered in multiple phases of the
Threat Protection Workshop engagement. It leverages Microsoft Defender for Identity to help
organizations gain insights on active threats and weaknesses related to their Active Directory by
leveraging the cloud-based Microsoft Defender for Identity service and Microsoft Defender for
Identity sensors installed on Active Directory servers (Active Directory Domain Controllers and
Active Directory Federation Services servers).

At the end of the Threat Protection Workshop engagement with the Hybrid Identity Protection
optional module, the customer will:

• Better understand the features and benefits of Microsoft Defender for Identity.
• Better understand how to prioritize and mitigate potential threats found during the
engagement.
• Better understand existing Active Directory security weaknesses and what can be done to
harden its surface area.
• Have defined next steps based on their needs and objectives.

2.4 Customer Conversations


Customer Conversations are pitch decks created to deliver the most appropriate storytelling
approach based on your customer’s needs and priorities. The goal is to deliver a presentation
that showcases the value proposition of the Microsoft solutions that match the customer’s
interests. Review the Microsoft Security Diagnostics Guide to find the best pitch deck for you.

The “Streamline and Strengthen” conversation deck includes a summary of estimated cost
savings possible with Microsoft Security while reducing cyber risk across the kill chain. This
conversation can be delivered as-is using the example calculations, or you can leverage the
included worksheet to customize the conversation for your customer.

2.5 Microsoft Security Demos


Microsoft Security Demos is a standalone module of the Threat Protection Workshop. It is
delivered during the Workshop Day phase of the engagement. With it, you can demonstrate
how the security solutions work to help you land the product value and key differentiators.
Please download the most up-to-date interactive guides available in the CDX platform.

3. Engagement phases
At a high level, the activities for the Threat Protection Workshop engagement can be grouped
into the following phases, which are delivered over a five-week period:

• Week 1 – Pre-engagement
• Week 1-2 – Readiness (optional)
• Week 2* – Engagement Setup
• Weeks 2**-4*** – Data Collection
• Week 5**** – Threat Exploration and Report Generation
• Week 5**** – Workshop Day
• Week 5**** – Engagement Decommissioning

The illustration below provides a high-level overview of all phases that are part of the Threat
Protection Workshop engagement and what these phases include:

[Figure: Threat Protection Workshop engagement phases, from START to END]
Week 1 – Pre-Engagement: Pre-engagement Call; Prepare and send Threat Protection Workshop Questionnaire; Fill in and send back Threat Protection Workshop Questionnaire; Review Threat Protection Workshop Questionnaire
Week 1-2 – Readiness (optional): Microsoft Defender for Endpoint - Overview; Microsoft Defender for Identity - Overview
Week 2* – Engagement Setup: Kick-off Meeting; Define Scope; Change Management (optional); Threat Check - Configuration; Endpoint Protection - Configuration; Hybrid Identity Protection - Configuration; Hybrid Identity Protection - Complete Sensor Deployment
Week 2**-4*** – Data Collection: Cloud Discovery Log Collection
Week 5**** – Exploration and Report Generation: Threat Check - Exploration; Endpoint Protection - Exploration; Hybrid Identity Protection - Exploration; Threat Check - Report Generation; Endpoint Protection - Report Generation; Hybrid Identity Protection - Report Generation
Week 5**** – Workshop Day: Threat Results Presentation; Customer Conversations; Microsoft Security Demos; Next Steps Discussion
Week 5**** – Engagement Decommissioning
Legend: General activities; Optional module(s); Customer activities
* The “Engagement Setup” phase might take longer depending on the time required for the
“Change Management” and “Hybrid Identity Protection – Complete Sensor Deployment”
customer activities.

** The start of the “Data Collection” phase might depend on the time required for the “Change
Management” customer activity.

*** The amount of time needed for “Data Collection” might depend on the time required to
complete the “Hybrid Identity Protection – Complete Sensor Deployment” customer
activity.

**** The start of this phase might depend on the time required for the previous “Engagement
Setup” and “Data Collection” phases.

3.1 Pre-engagement
The Pre-engagement phase includes the Pre-engagement Call, which is typically an online
meeting organized as the first step of the engagement. During this online meeting, the delivery
resource will introduce the customer to the Threat Protection Workshop engagement, discuss
the upcoming activities, align expectations, and establish timelines. After the Pre-engagement
Call, the customer will be provided with the Threat Protection Workshop questionnaire and
asked to respond to the questions in the week following the call.

The Pre-engagement phase includes the following activities:

• Pre-engagement Call – Use this activity to introduce the customer to the Threat
Protection Workshop engagement, discuss the upcoming activities, align expectations,
and establish timelines.
• Prepare and send Threat Protection Workshop Questionnaire – Use this activity to prepare
and send the Threat Protection Workshop Questionnaire, which will help you gain an
understanding of the customer’s environment as preparation for the engagement
activities. If the customer agrees to a specific cost savings discussion, the questionnaire also
includes questions that allow you to customize the security cost savings calculations in
the “Streamline and Strengthen” deck.
• Fill in and send back Threat Protection Workshop Questionnaire – In this activity the
customer fills in and sends back to you the Threat Protection Workshop
Questionnaire. Typically, no action is required from you in this activity.
• Review Threat Protection Workshop Questionnaire – In this activity you review the Threat
Protection Workshop Questionnaire filled in by the customer.

The Pre-engagement phase is delivered in week 1 of the Threat Protection Workshop
engagement.

More details about the Pre-engagement phase can be found in section 9 Pre-engagement of this
document.

3.2 Readiness (Optional)


The Readiness phase is an optional phase where you can provide additional readiness content to
the customer if required.

• Microsoft Defender for Endpoint - Overview – Use this activity to provide the customer
with an overview of how the Microsoft Defender for Endpoint unified endpoint security
platform provides preventative protection, post-breach detections, automated
investigations, and response capabilities.
• Microsoft Defender for Identity - Overview – Use this activity to provide the customer with
an overview of how Microsoft Defender for Identity can be used as a comprehensive
solution for detecting security threats to Active Directory and assessing its weaknesses.

3.3 Engagement Setup


The Engagement Setup phase includes the Kick-off Meeting, which provides an engagement
overview to the entire project team, followed by a workshop to define the engagement scope,
and finally, configuration of the engagement tools.

The Engagement Setup phase includes the following activities:

• Kick-off Meeting – Use this activity to introduce the customer to the Threat Protection
Workshop engagement, discuss the upcoming activities, align expectations, and
establish timelines.
• Define Scope – Use this activity of the Threat Protection Workshop to work together with
the customer to define and finalize the engagement scope and required configuration
settings for the engagement tools.
• Change Management (optional) – In this optional activity of the Threat Protection
Workshop the customer goes through their change management processes to obtain the
necessary approvals for the deployment of the engagement tools as per the agreed
engagement scope.
• Threat Check - Configuration – Use this activity of the Threat Protection Workshop to
work together with the customer to deploy and configure the Microsoft 365 security
tools.
• Endpoint Protection - Configuration [Optional module] – Use this activity of the Threat
Protection Workshop to work with the customer to deploy and configure Microsoft
Defender for Endpoint in the customer tenant. You then assist the customer to onboard
up to a maximum of 100 Windows 10 devices to Microsoft Defender for Endpoint.
• Hybrid Identity Protection – Configuration [Optional module] – Use this activity of the
Threat Protection Workshop to work with the customer to deploy and configure
Microsoft Defender for Identity in the customer tenant. You then assist the customer to
configure Microsoft Defender for Identity in their tenant and deploy sensors to an initial 2-3
of their Active Directory Domain Controllers.
• Hybrid Identity Protection – Complete Sensor Deployment [Optional module] – In this
activity of the Threat Protection Workshop the customer deploys Microsoft Defender
for Identity sensors to the remaining Active Directory Domain Controllers, as per the
engagement scope.

The Engagement Setup phase is delivered in week 2 of the Threat Protection Workshop
engagement.

More details about the Engagement Setup phase can be found in section 11 Engagement Setup
of this document.

3.4 Data Collection


The Data Collection phase includes the technical preparations required to complete the Threat
Check Cloud Discovery activity.

The Data Collection phase includes the following activities:

• Cloud Discovery Log Collection – Threat Check – Use this activity to work together with
the customer to complete the technical preparations required to complete the Cloud
Discovery activity as part of Threat Check.

The Data Collection phase spans weeks 2 to 4 of the Threat Protection Workshop engagement.

More details about the Data Collection phase can be found in section 12 Data Collection of this
document.

3.5 Exploration and Report Generation


The Exploration and Report Generation phase includes working together with the customer to
discover, analyze, and document threats detected as part of the engagement.

The Exploration and Report Generation phase includes the following activities:

• Threat Check - Exploration – Use this activity to work together with the customer to
discover and analyze threats detected as part of Threat Check.
• Endpoint Protection – Exploration [Optional Module] – Use this activity to work together
with the customer to discover and analyze threats and vulnerabilities detected as part of
the Endpoint Protection optional module.
• Hybrid Identity Protection – Exploration [Optional Module] – Use this activity to work
together with the customer to discover and analyze threats and vulnerabilities detected
as part of the Hybrid Identity Protection optional module.
• Threat Check - Report Generation – Use this activity to analyze the results from the Threat
Check threat exploration, the completed customer questionnaire, and any notes you
have gathered during the engagement so far, summarizing and documenting your
findings as part of the results presentation.
• Endpoint Protection - Report Generation [Optional Module] – Use this activity to analyze
the results from the Endpoint Protection exploration activity, the completed customer
questionnaire, and any notes gathered during the engagement so far, summarizing and
documenting your findings as part of the results presentation.
• Hybrid Identity Protection - Report Generation [Optional Module] – Use this activity to
analyze the results from the Microsoft Defender for Identity exploration activity, the
completed customer questionnaire, and any notes gathered during the engagement so
far, summarizing and documenting your findings as part of the results presentation.

The Exploration and Report Generation phase is delivered in the beginning of week 5 of the
Threat Protection Workshop engagement.

More details about the Threat Exploration and Report Generation phase can be found in section
13 Exploration and Report Generation of this document.

3.6 Workshop Day


The Workshop Day phase is delivered as a full day of sessions that helps the customer assess
their security landscape, address their most pressing security goals and challenges, and provides
an immersive experience that brings Microsoft’s security vision and capabilities to life. It ends
with discussion and agreement on next steps that are about to be performed after the Threat
Protection Workshop engagement.

The Workshop Day phase includes the following activities:

• Threat Results Presentation - Gain visibility into threats to the customer’s cloud
environment across email, identity, and data to better understand, prioritize, and
mitigate potential vectors of cyberattacks against the customer’s organization. If
including the Endpoint Protection optional module, you will also gain visibility into
threats to Windows 10 endpoints to better understand what can be done to harden the
endpoint surface area.
• Customer Conversations - Deliver a presentation that showcases how to modernize
security operations and defend against threats.
• Microsoft Security Demos - Help customers understand how the relevant Microsoft
security products work, going through key scenarios that will help you land product
value and key differentiators.
• Next Steps Discussion - Present and discuss the overall findings from all modules
included in the Threat Protection Workshop. Agree on the next steps which will help the
customer improve their security posture based on the Threat Protection Workshop
findings.

The Workshop Day phase is delivered in week 5 of the Threat Protection Workshop
engagement.

More details about the Workshop Day phase can be found in section 14 Workshop Day of this
document.

3.7 Engagement Decommissioning


The Engagement Decommissioning phase includes working together with the customer to
remove all the configuration and resources created during Threat Protection Workshop, as well
as cancelling trial licenses and subscriptions in the customer tenant.

The Engagement Decommissioning phase is delivered towards the end of week 5 of the Threat
Protection Workshop engagement.

More details about the Engagement Decommissioning phase can be found in section 15
Engagement Decommissioning of this document.

4. Engagement objectives
The objectives for the Threat Protection Workshop engagement are:

 Discover threats: Gain visibility into threats to the customer’s Microsoft 365 cloud
environment across email, identity, and data to better understand, prioritize, and
mitigate potential vectors of cyberattacks against the customer’s organization.
 Understand how to mitigate threats: Help the customer understand how Microsoft
365 security products can help mitigate and protect against the threats found during the
period of this engagement.
 Define security strategy: The customer will receive a documented security strategy for
their security teams and stakeholders.
 Accelerate the security journey: The customer will learn how they can accelerate their
security journey together with Microsoft.
 Define next steps: The customer will work together with the delivery resource to define
a list of next steps based on their needs, objectives, and results from the Threat
Protection Workshop.

4.1 Endpoint Protection [Optional Module]


Delivering the Endpoint Protection optional module to your customers will allow them to:

 Experience Microsoft Defender for Endpoint - Get hands-on experience and learn
how to deploy and configure Microsoft Defender for Endpoint.
 Discover and analyze threats using Microsoft Defender for Endpoint - Learn how to
use Microsoft Defender for Endpoint to get visibility into threats to their Windows 10
endpoints.
 Understand existing weaknesses to endpoints – Learn how to use Microsoft Defender
for Endpoint to understand existing endpoint weaknesses and what can be done to
harden the endpoint surface area.
 Plan next steps: Get the information required to build a business case for a production
deployment of Microsoft Defender for Endpoint.

4.2 Hybrid Identity Protection [Optional Module]


Delivering the Hybrid Identity Protection optional module to your customers will allow them to:

 Experience Microsoft Defender for Identity - Get hands-on experience and learn how
to deploy and configure Microsoft Defender for Identity.
 Discover and analyze threats using Microsoft Defender for Identity - Learn how to
use Microsoft Defender for Identity to get visibility into threats to their Active Directory.

 Understand existing security weaknesses of Active Directory - Learn how to use
Microsoft Defender for Identity to understand existing Active Directory security
weaknesses and what can be done to harden the Active Directory surface area.
 Plan next steps: Get the information required to build a business case for a production
deployment of Microsoft Defender for Identity.

5. Engagement effort
Important
Treat the standard scope and timeline as a template to use as guidance when creating your own
offering based on this toolkit. You must adjust the scope and timeline so that they match.

The table below provides high-level estimates of the effort for parts of Threat Protection
Workshop included in the standard scope of the engagement.

The numbers provided are to be considered as indicative and can change as a result of
customizing the delivery schedule and/or the individual activities.

Activity                                                           Preparation   Delivery

Week 1 – Pre-engagement
  Pre-engagement Call                                              2 Hrs         1-2 Hrs
  Prepare and send Threat Protection Workshop Questionnaire        1 Hrs         0 Hrs
  Fill in and send back Threat Protection Workshop Questionnaire   0 Hrs         0 Hrs
  Review Threat Protection Workshop Questionnaire                  1 Hrs         0 Hrs

Week 2 – Engagement Setup
  Kick-off Meeting                                                 1 Hrs         2 Hrs
  Define Scope (Threat Check part)                                 1 Hrs         1 Hrs
  Change Management                                                0 Hrs         0 Hrs
  Threat Check - Configuration                                     1 Hrs         1 Hrs

Week 2-4 – Data Collection
  Log collection - Threat Check                                    1 Hrs         1 Hrs

Week 5 – Exploration and Report Generation
  Threat Check - Exploration                                       1 Hrs         4 Hrs
  Threat Check - Report Generation                                 2 Hrs         0 Hrs

Week 5 – Workshop Day
  Threat Result Presentation                                       1 Hrs         2 Hrs
  Customer Conversations                                           1 Hrs         1 Hrs
  Microsoft Security Demos                                         1 Hrs         2 Hrs
  Next Steps Discussion                                            1 Hrs         1 Hrs

Week 5 – Engagement Decommissioning
  Engagement Decommissioning                                       1 Hrs         1-2 Hrs +

Total                                                              16 Hrs        18-19 Hrs

The typical delivery effort for the Threat Protection Workshop engagement is estimated to be
~20 hours when using the example schedule and scope provided in this guide, excluding the
time needed for preparations. The estimates also do not include time for optional (external)
project/engagement management resources. If an (external) project/engagement manager is
required, additional hours should be added accordingly.

5.1 Endpoint Protection [Optional Module]


Important
The Endpoint Protection optional module has been created for you to customize. Feel free
to add additional components. You can, for example, also include:

 Onboard additional endpoints including Windows 7 SP1 and 8.1, macOS, iOS and
Android.
 Integration with an existing SIEM.

The time specified is the additional time required to deliver the Endpoint Protection
optional module.

Activity                                                           Preparation   Delivery

Week 1-2 – Readiness (optional)
  Microsoft Defender for Endpoint Overview                         1 Hrs         1 Hrs

Week 2 – Engagement Setup
  Define Scope (Endpoint Protection part)                          1 Hrs         1 Hrs
  Endpoint Protection - Configuration                              1 Hrs         3 Hrs

Week 5 – Exploration and Report Generation
  Endpoint Protection - Exploration                                1 Hrs         3 Hrs
  Endpoint Protection - Report Generation                          2 Hrs         0 Hrs

Total                                                              6 Hrs         8 Hrs

Note that the Threat Protection Workshop engagement with Endpoint Protection optional
module can be considerably longer under certain conditions. For example, the following
conditions are likely to require additional time to be added to the engagement:

 The customer would like to add endpoints other than Windows 10.
 The customer would like to integrate Microsoft Defender for Endpoint with an existing
Security Information and Event Management (SIEM) tool.

We recommend that you discuss the above conditions with the customer during the Pre-
engagement Call so that you can add additional time if required.

5.2 Hybrid Identity Protection [Optional Module]
Important
The Hybrid Identity Protection optional module has been created for you to customize. Feel
free to add additional components. You can, for example, also include:

 Integration with the customer’s VPN solution.
 Configuration of “honeytoken” accounts.
 Set up notifications via email or Syslog.

The time specified is the additional time required to deliver the Hybrid Identity Protection
optional module.

Activity                                                           Preparation   Delivery

Week 1-2 – Readiness (optional)
  Microsoft Defender for Identity Overview                         1 Hrs         1 Hrs

Week 2 – Engagement Setup
  Define Scope (Hybrid Identity Protection part)                   1 Hrs         1 Hrs
  Hybrid Identity Protection – Configuration                       1 Hrs         2 Hrs
  Hybrid Identity Protection – Complete Sensor Deployment          0 Hrs         0 Hrs

Week 5 – Exploration and Report Generation
  Hybrid Identity Protection - Exploration                         1 Hrs         3 Hrs
  Hybrid Identity Protection - Report Generation                   2 Hrs         0 Hrs

Total                                                              6 Hrs         7 Hrs

Note that the Threat Protection Workshop engagement with Hybrid Identity Protection optional
module can be considerably longer under certain conditions. For example, the following
conditions are likely to require additional time to be added to the engagement:

 The customer has a significant number of Active Directory servers in their AD forest and
would like to install Microsoft Defender for Identity sensors on all of them.
 The customer has multiple Active Directory forests and would like to install Microsoft
Defender for Identity sensors on selected or all Active Directory servers in some of these
Active Directory forests.
 The customer would like to integrate Microsoft Defender for Identity with an existing
Security Information and Event Management (SIEM) tool.

We recommend that you discuss the above conditions with the customer during the Pre-
engagement Call so that you can add additional time if required.

6. Engagement scope
In scope
The standard scope of this part of the engagement includes:

 Deployment of Microsoft 365 trial licenses for Threat Check in the customer tenant.
 Configuration of Microsoft 365 Security tools (Microsoft 365 Defender, Azure Active
Directory Identity Protection, Microsoft Defender for Office 365 and Microsoft Cloud App
Security) to discover threats to customer’s identity, email, and data, as per guidance
provided in this document.
 Analysis of cloud applications used by users in the customer environment through the
Cloud Discovery part of Microsoft Cloud App Security and based on either Microsoft
Defender for Endpoint or based on a one-time manual upload of logs from a single on-
premises perimeter security device such as a firewall or proxy server.
 Detailed self-assessment of the customer’s security landscape and identification of top
priorities, main influences, and opportunities that will help to define the next steps.
 Security customer conversations covering an overview of Microsoft’s vision and
capabilities for security.
 Demonstration of how the Microsoft 365 Defender solutions work, going through key
scenarios that will help land product value and key differentiators.
 Decommissioning of configuration and licenses at the end of engagement.

Out-of-scope
The standard scope of this part of the engagement excludes anything that was not put in scope,
in particular:

 Configuration of Microsoft 365 Security tools beyond the guidance provided in this
document.
 Automatic upload of firewall or proxy server logs to Microsoft Cloud App Security
(through Log Collector).
 Deep analysis (investigation) of threats found during the engagement.
 Forensic analysis.
 Technical designs or implementations.
 Proof of Concept or Lab Deployment.

6.1 Endpoint Protection [Optional Module]


In scope
The standard scope of this part of the engagement includes:

 Gaining a mutual understanding of objectives and requirements.
 Deployment of the Microsoft Defender for Endpoint in the customer tenant.
 Onboarding of up to a maximum of 100 Windows 10 devices to Microsoft Defender for
Endpoint. We recommend onboarding a minimum of 50 Windows 10 devices to ensure
that you have enough data to analyze and report on as part of the engagement.
 Remediation of potential technical issues during the deployment.
 Threat exploration to discover threats actively attacking the customer.
 Mapping threats discovered to a recommended method of mitigation.
 Exploration of the Microsoft Defender for Endpoint Threat & Vulnerability Management
solution to highlight endpoint weaknesses and what can be done to harden the
endpoint surface area.

The standard scope for the technical features and capabilities can be found within the 04 –
Threat Protection Workshop - Scope Template.docx document.

Important

You will finalize the engagement scope and define the details of each included component as part
of 11.2 - Define scope.

Out-of-scope
The standard scope of this part of the engagement excludes:

 Configuring SIEM integration—integrating Microsoft Defender for Endpoint with a
SIEM is out-of-scope unless you also deliver the Azure Sentinel Workshop. If you include
the Azure Sentinel Workshop, we recommend that you also enable the Azure Sentinel
connector for Microsoft Defender for Endpoint.
 Endpoints other than Windows 10 devices—the standard scope includes up to a
maximum of 100 Windows 10 devices.
 Proof of Concept or Lab Deployment—the standard scope of the Endpoint Protection
optional module does not include deployment of Microsoft Defender for Endpoint in a
separate development or proof of concept environment.

6.2 Hybrid Identity Protection [Optional Module]


In scope
The standard scope of this part of the engagement includes:

 Gaining a mutual understanding of objectives and requirements.
 Deployment of Microsoft Defender for Identity in the customer tenant.

 Deployment of Microsoft Defender for Identity sensors on up to three of the customer’s
Active Directory servers (Active Directory Domain Controllers or Active Directory
Federation Services servers) from a single AD forest. We recommend that you then guide
the customer to complete the deployment of Microsoft Defender for Identity sensors on
the remaining Active Directory servers, as per scope agreed in 11.2 - Define scope
activity, to ensure that you have enough data to analyze and report on as part of the
engagement.
 Remediation of potential technical issues during the deployment.
 Threat exploration to discover threats actively attacking the customer.
 Mapping threats discovered to a recommended method of mitigation.
 Exploration of the Microsoft Defender for Identity’s Identity Security Posture solution to
highlight Active Directory security weaknesses and what can be done to harden the
Active Directory surface area.

The standard scope for the technical features and capabilities can be found within the 04 –
Threat Protection Workshop - Scope Template.docx document.

Important

You will finalize the engagement scope and define the details of each included component as part
of 11.2 - Define scope.

Out-of-scope
The standard scope of this part of the engagement excludes:

 Configuring SIEM integration—integrating Microsoft Defender for Identity with a SIEM
is out-of-scope unless you also include the Azure Sentinel Workshop. If you include the
Azure Sentinel Workshop, we recommend that you also enable the Azure Sentinel
connector for Microsoft Defender for Identity.
 Proof of Concept or Lab Deployment—the standard scope of the Hybrid Identity
Protection optional module does not include deployment of Microsoft Defender for
Identity in a separate development or proof of concept environment.

7. Customer requirements
Successful delivery of the engagement is dependent on the customer's involvement in all
aspects of the engagement. The customer must ensure that accurate and complete information
is provided in a timely fashion as needed, that appropriate resources are committed, and that
any activities are completed in a timely and effective manner.

NOTE: This section describes the customer requirements applicable to the overall engagement.
Additional requirements specific to the activities will be outlined in the individual sections below.

The customer will need to perform the tasks, provide the resources, and take ownership of the
following activities:

 The customer will need to provide adequate access to the necessary personnel needed
to successfully complete the engagement, including:
a) A customer project manager responsible for the overall coordination and for
scheduling logistics.
b) IT object owners for identity and security during all phases of the assessment.
c) An Executive Sponsor.
 The customer will provide the following to the delivery resource:
 Access to any relevant documentation.
 Network connectivity, adequate workspace, parking permits, building access,
and appropriate identification badges within the first day of the on-site
workshop.
 Appropriate-sized room with whiteboard and projector for knowledge transfer
sessions.

8. Recommended resources
8.1 Recommended customer resources
Executive Sponsor
 Owns the business case.
 Keeps project aligned with organization's strategy and portfolio direction.
 Governs project risk.
 Focuses on realization of benefits.
 Provides assurance.
 Suggested candidates: CSO, CISO, CEO, CFO, CIO or CTO.

Architects
 IT
 Security
 Network
 Server Infrastructure
 Identity, if including the Hybrid Identity Protection optional module

Administrators
 Security
 Network
 Server Infrastructure
 Identity, if including the Hybrid Identity Protection optional module

Microsoft 365 and Azure Tenant Administrators
 To enable access to the required engagement tools.

Security Operations
 To help define SIEM requirements and operational processes.

8.2 Recommended delivery resources


Security Architect
 Strong cybersecurity background and knowledge.
 Good understanding of Microsoft 365 and the security components of Microsoft 365.
 Good understanding of Azure and Azure Security Services.
 Has prior design experience with Microsoft security products, including:
o Azure Active Directory
o Azure Active Directory Identity Protection
o Microsoft Defender for Office 365
o Microsoft Cloud App Security
o Microsoft 365 Defender

 If including the Endpoint Protection optional module, has prior design experience with:
o Microsoft Defender for Endpoint
 If including the Hybrid Identity Protection optional module, has prior design experience
with:
o Microsoft Defender for Identity
o Active Directory

Security Consultant
 Strong cybersecurity background and knowledge.
 Good understanding of Microsoft 365 and the security components of Microsoft 365.
 Good understanding of Azure and Azure Security Services.
 Has hands-on deployment experience with Microsoft security products, including:
o Azure Active Directory
o Azure Active Directory Identity Protection
o Microsoft Defender for Office 365
o Microsoft Cloud App Security
o Microsoft 365 Defender
 If including the Endpoint Protection optional module:
o Has hands-on deployment experience with Microsoft Defender for Endpoint.
 If including the Hybrid Identity Protection optional module, has prior hands-on
deployment experience with:
o Microsoft Defender for Identity
o Active Directory

Project or Engagement Manager (optional)
 Basic understanding of cybersecurity.
 Basic understanding of Microsoft 365 security products.
 Experience managing security engagements.

9. Pre-engagement
9.1 Pre-engagement Call

[Sidebar: Pre-engagement Call]

The Pre-engagement Call typically is an online meeting organized as the first step of the
engagement. During this online meeting, the delivery resource will introduce the customer to
the Threat Protection Workshop engagement, discuss the upcoming activities, align
expectations, and establish timelines. For customers that have had no prior exposure to the
products and tools that will be used during the engagement, it is possible to include a
high-level introduction and demo explaining features and functionality. After the
Pre-engagement Call, the customer will be provided with the Threat Protection Workshop
questionnaire and asked to respond to the questions in the week following the call.

Objectives
The objective for the Pre-engagement Call is to provide an overview of the engagement and
agree on the scope, schedule, and required resources, particularly the following:

 Introduce the team to the customer and set the stage for the project.
 Introduce the Threat Protection Workshop engagement.
 Describe and discuss upcoming activities.
 Align expectations and timelines.
 Allocate resources.
 Discuss the engagement scope.
 Confirm information about the customer’s requirements.

Format
Preferably delivered as online meeting but can also be delivered as an onsite workshop.

Customer resources
 Executive Sponsor
 Security Team

Delivery resources
 Security Architect
 Engagement Manager

Supporting materials
 01 – Threat Protection Workshop - Pre-engagement Call.pptx

Preparation
Prior to delivering the Pre-engagement Call, the delivery resource leading the meeting will need
to familiarize themselves with:

 The overall engagement format of the Threat Protection Workshop engagement.
 The customer and their organizational structure. Make sure you research any previous
engagements that your organization has delivered to the customer.
 The customer's requirements.
 The 01 - Threat Protection Workshop - Pre-engagement Call.pptx presentation content.

If a demo is included, the delivery resource should prepare for delivering the demo by using
either their own demo/lab environment or the click-through demo. Additional information
on how to prepare and deliver a demo can be found in Appendix A - Readiness and Technical
Content.

Important
It is important that you adapt the content for your audience. For example, if you are presenting
the pre-engagement presentation to a non-technical audience, such as customer stakeholders
and/or project/engagement managers, you can hide the slides demonstrating the tools used as
part of the engagement. If you have a subset of the customer team present at the Pre-engagement
Call, we also recommend that you start the on-site workshop with a kick-off meeting where you
go through the overview of the engagement with the entire team, using the Pre-engagement Call
presentation. This will ensure that all project team members understand the objectives and
contents of the engagement.

Pre-requisites
No Pre-requisites exist.

Deliverables
The deliverables of the Pre-engagement Call are defined as:

 Confirmed schedule with an attendee list for the engagement.
 Agreed date for the questionnaire to be completed.
 Record any design or configuration decisions within the 04 – Threat Protection Workshop
– Scope Template.docx document.
 Record any changes to the engagement scope in accordance with your change
management process.

Endpoint Protection [Optional Module]

 Agreed date for the Endpoint Protection requirements to be completed.

Hybrid Identity Protection [Optional Module]

 Agreed method of data collection to determine which of the customer’s Active Directory
servers (Active Directory Domain Controllers and Active Directory Federation Services
servers) to be included as part of the deployment scope of the Microsoft Defender for
Identity sensors.
 Agreed date for the Hybrid Identity Protection optional module requirements to be
completed.

These deliverables will serve as input to the next steps.

Guidance
Deliver the meeting using the speaker notes and guidance provided in the 01 – Threat
Protection Workshop - Pre-engagement Call.pptx presentation.

Endpoint Protection [Optional Module]

Microsoft Defender Antivirus and Microsoft Defender for Endpoint compatibility

To be able to showcase the best possible experience with Microsoft Defender for
Endpoint we need to consider the potential impact of running Microsoft Defender for
Endpoint side-by-side with existing non-Microsoft antivirus (AV) and/or Endpoint
Detection and Response (EDR) solutions. If the customer has non-Microsoft AV and/or
EDR solutions, we recommend that you discuss and agree on the best approach for the
Windows 10 devices to be included as part of the engagement, using the
recommendations below.

Important
Dependent on the participants from the customer you might not be able to finalize a
decision on what to do with existing non-Microsoft Antivirus and/or Endpoint Detection
and Response solutions as part of the pre-engagement call. If this is the case, we
recommend that you ask the customer to consider the impact and recommendations and
be prepared to finalize a decision as part of the Define scope activity.

Existing customer solutions / Impact / Recommendation

1. AV solution: Microsoft Defender Antivirus. EDR solution: None.
   Impact: No impact. Windows 10 devices included as part of the engagement can be
   onboarded to Microsoft Defender for Endpoint without additional changes required.
   Recommendation: This is the recommended scenario, providing the full capabilities of
   Microsoft Defender Antivirus and Microsoft Defender for Endpoint.

2. AV solution: Non-Microsoft product. EDR solution: None.
   Impact: If you add Microsoft Defender for Endpoint together with a non-Microsoft AV
   solution, then Microsoft Defender Antivirus goes into passive mode. This means that
   Microsoft Defender Antivirus no longer provides real-time protection and does not
   remediate threats. Other Microsoft Defender for Endpoint features including Endpoint
   Detection and Response, Threat & Vulnerability Management and Automated
   Investigations and Response are still available.
   Recommendation: If you would like to demonstrate the full functionality of Microsoft
   Defender Antivirus and Microsoft Defender for Endpoint we recommend that the
   customer uninstalls or disables the existing non-Microsoft AV solution and enables
   Microsoft Defender Antivirus on the Windows 10 devices included as part of the
   engagement.

3. AV solution: Microsoft Defender Antivirus. EDR solution: Non-Microsoft product.
   Impact: It is not recommended to run Microsoft Defender for Endpoint in parallel with
   a non-Microsoft EDR solution due to potential endpoint performance issues.
   Recommendation: We recommend that the customer uninstalls or disables the existing
   non-Microsoft EDR on the Windows 10 devices included as part of the engagement
   before onboarding the devices to Microsoft Defender for Endpoint.

4. AV solution: Non-Microsoft product. EDR solution: Non-Microsoft product.
   Impact: If you add Microsoft Defender for Endpoint together with a non-Microsoft AV
   solution, then Microsoft Defender Antivirus goes into passive mode. This means that
   Microsoft Defender Antivirus no longer provides real-time protection and does not
   remediate threats. It is also not recommended to run Microsoft Defender for Endpoint
   in parallel with a non-Microsoft EDR solution due to potential endpoint performance
   issues.
   Recommendation: If you would like to demonstrate the full functionality of Microsoft
   Defender Antivirus and Microsoft Defender for Endpoint we recommend that the
   customer uninstalls or disables the existing non-Microsoft AV solution and enables
   Microsoft Defender Antivirus on the Windows 10 devices included as part of the
   engagement. We also recommend that the customer uninstalls or disables the existing
   non-Microsoft EDR on the Windows 10 devices included as part of the engagement
   before onboarding the devices to Microsoft Defender for Endpoint.

 During the pre-engagement call presentation, using the Microsoft Defender for Endpoint
Compatibility slide as support, discuss and if possible, agree on the best approach for
compatibility between Microsoft Defender for Endpoint and any existing non-Microsoft
AV and/or EDR solutions for the Windows 10 devices to be included as part of the
engagement.

Additional guidance on Microsoft Defender Antivirus and Microsoft Defender for
Endpoint compatibility with non-Microsoft AV and/or EDR solutions can be located here:
Microsoft Defender Antivirus compatibility with other security products | Microsoft Docs
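The compatibility rows above are easier to confirm on a real device than from a questionnaire answer. The following PowerShell, which is an added example and not part of the toolkit or of Microsoft's documentation, reports the running mode of Microsoft Defender Antivirus, whether the device is onboarded to Microsoft Defender for Endpoint, and which non-Microsoft antivirus products Windows Security Center has registered, so the delivery resource can tell which row of the table a Windows 10 device is actually in. It assumes an elevated session on the device itself (run it per device, or wrap it in Invoke-Command) and a Windows 10 client, because the root/SecurityCenter2 namespace does not exist on server SKUs.

```powershell
# Added example (not toolkit code): classify a Windows 10 device against the
# Microsoft Defender Antivirus / Defender for Endpoint compatibility table.
# Assumes an elevated PowerShell session on a Windows 10 client.

function Get-DefenderCompatibilityState {
    # AMRunningMode is "Normal" when Microsoft Defender Antivirus is the active AV
    # and "Passive Mode" when another AV product owns real-time protection.
    $mp = Get-MpComputerStatus

    # Defender for Endpoint records onboarding under this key (OnboardingState = 1).
    $atpKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboardingState = (Get-ItemProperty -Path $atpKey -Name OnboardingState `
        -ErrorAction SilentlyContinue).OnboardingState

    # Security Center lists every registered AV product on a client SKU; filter out
    # Microsoft's own entry to see what non-Microsoft AV is installed.
    $thirdPartyAv = Get-CimInstance -Namespace 'root/SecurityCenter2' `
        -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        Where-Object { $_.displayName -notlike 'Windows Defender*' -and
                       $_.displayName -notlike 'Microsoft Defender*' } |
        Select-Object -ExpandProperty displayName

    # Map the running mode to the table row it corresponds to. Non-Microsoft EDR
    # agents are not registered in Security Center, so rows 3 and 4 still need a
    # manual check of installed software.
    $assessment = switch ($mp.AMRunningMode) {
        'Normal'       { 'Row 1: Microsoft Defender Antivirus is active; full MDAV and MDE capabilities.' }
        'Passive Mode' { 'Row 2 or 4: non-Microsoft AV owns real-time protection; MDAV is passive ' +
                         '(no real-time protection or remediation from MDAV), EDR/TVM/AIR still available.' }
        default        { "Mode '$($mp.AMRunningMode)': compare manually against the compatibility table." }
    }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        AMRunningMode             = $mp.AMRunningMode
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        NonMicrosoftAv            = ($thirdPartyAv -join '; ')
        MdeOnboarded              = ($onboardingState -eq 1)
        TableRowAssessment        = $assessment
    }
}

Get-DefenderCompatibilityState | Format-List
```

A device that reports Passive Mode with MdeOnboarded set to True is exactly the situation the table warns about: Endpoint Detection and Response data will flow, but the antivirus part of the demo will not show remediation until the non-Microsoft AV listed under NonMicrosoftAv is removed or disabled and Microsoft Defender Antivirus is re-enabled.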

Hybrid Identity Protection [Optional Module]

To be able to showcase the best possible experience with Microsoft Defender for Identity
you should very carefully consider which of the customer’s Active Directory servers (Active
Directory Domain Controllers and Active Directory Federation Services servers) can have
Microsoft Defender for Identity sensors deployed. These factors should be considered:
 Whether an Active Directory server has sufficient memory and CPU resources to allow
the Microsoft Defender for Identity sensor (if installed on the server) to analyze the volume
of the network traffic that this server
 Whether an Active Directory server has Microsoft .NET Framework version 4.7 or later
installed. If it does not, it will be installed during the deployment of the Microsoft Defender
for Identity sensor, but the Active Directory server might require a reboot. If a reboot of the
Active Directory server is not acceptable for the customer, then the Active Directory server
should be put out of scope for this engagement.

To address these factors during the pre-engagement call presentation you should:

 Using the Microsoft Defender for Identity – Sizing Tool slide as support, discuss and, if
possible, agree on the best approach for checking whether the customer’s Active Directory
servers (Active Directory Domain Controllers and Active Directory Federation Services
servers) have sufficient memory and CPU resources for deployment of Microsoft Defender
for Identity sensors.
The recommended approach is for the customer to run the Microsoft Defender for Identity
Sizing Tool. The tool automates collection of the amount of traffic the Microsoft Defender
for Identity sensor would need to monitor and automatically provides supportability and
resource recommendations for the deployment of sensors on Active Directory Domain
Controllers (AD DCs). The tool can be run from one of the Active Directory Domain
Controllers in each Active Directory forest or from a domain-joined workstation that has
network access to all the AD DCs on the following ports: TCP 135, TCP 389, TCP 445 and
TCP RPC Dynamic Ports. The tool should be run for 24 hours. If the customer also has
Active Directory Federation Services servers installed in their environment, then the tool
should be run manually on each of them. Results should be passed by the customer to you
together with the filled-in Threat Protection Workshop Questionnaire, as described in
section 9.3 Fill in and send back the Threat Protection Workshop Questionnaire.

You will provide detailed instructions on how to use the tool in the email sent afterwards
to the customer, based on template in the Appendix C -Action Required Email Template
in the 9.2 Prepare and send Threat Protection Workshop Questionnaire activity.

If the customer is against using the Microsoft Defender for Identity Sizing Tool in their
environment, they would need to collect the appropriate data manually for each Active
Directory server (Active Directory Domain Controller and Active Directory Federation
Services server), as per the guidance provided here:
Plan capacity for Microsoft Defender for Identity - Domain controller traffic estimation
and then they would need to verify manually whether any adjustments might be needed to
the amount of RAM or CPU cores of these servers, prior to the deployment of Microsoft
Defender for Identity sensors on them, as per the guidance provided here:
Plan capacity for Microsoft Defender for Identity - Sensor sizing

 Using the Microsoft Defender for Identity – DotNetVersionLister Tool slide as support,
discuss and, if possible, agree on the best approach for checking whether the customer’s
Active Directory servers (Active Directory Domain Controllers and Active Directory
Federation Services servers) have .NET version 4.7 or later installed.
The recommended approach is for the customer to run the DotNetVersionLister tool.
The tool allows for remote collection of the .NET version(s) installed on Active Directory
Domain Controllers (AD DCs). Using the set of PowerShell cmdlets provided in the email
sent to the customer afterwards, based on the template in Appendix C - Action Required
Email Template, the customer can run the tool from one of the Active Directory Domain
Controllers in each Active Directory forest or from a domain-joined workstation that has
network access to all the AD DCs on the following ports: TCP 135 and TCP RPC Dynamic
Ports. If the customer also has Active Directory Federation Services servers installed in
their environment, then the tool should be run manually on each of them. Results should
be passed by the customer to you together with the filled-in Threat Protection Workshop
Questionnaire, as described in section 9.3 Fill in and send back the Threat Protection
Workshop Questionnaire.

You will provide detailed instructions on how to use the tool in the email sent afterwards
to the customer, based on template in the Appendix C -Action Required Email Template
in the 9.2 Prepare and send Threat Protection Workshop Questionnaire activity.

If the customer is against using the DotNetVersionLister tool in their environment, they
would need to collect .NET version(s) manually for each Active Directory server (Active
Directory Domain Controller and Active Directory Federation Services server), as per the
guidance provided here:
Determine which .NET Framework versions are installed
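As an added illustration of the check described above (this is not the DotNetVersionLister tool, nor code from the guide or its toolkit), the following PowerShell script reads the .NET Framework 4.x "Release" registry value from a list of Active Directory servers over WMI/DCOM, which uses the same TCP 135 plus RPC dynamic ports mentioned above, and reports which servers meet the 4.7-or-later requirement. It generalizes slightly beyond the text: AD FS servers can be passed in the -Servers list instead of being checked by hand, provided they are reachable. The parameter names, the output file name and the assumption that the caller is a local administrator on the targets are assumptions of this example.

```powershell
# Added example, not the DotNetVersionLister tool from the guide: read the
# .NET Framework 4.x "Release" registry value on each Active Directory server
# over WMI/DCOM (TCP 135 plus RPC dynamic ports, as the guide lists) and report
# whether it satisfies the Defender for Identity sensor requirement (4.7+).
# Assumptions: the caller is a local administrator on the target servers, and
# -Servers holds resolvable host names (AD FS servers must be passed explicitly;
# they are not enumerated from Active Directory).
[CmdletBinding()]
param(
    [string[]]$Servers = @(),
    [string]$ReportPath = '.\DotNetVersions.csv'
)

# Minimum "Release" values documented by Microsoft, highest first.
# A value of 460798 or greater means .NET Framework 4.7 or later.
$MinRelease = 460798
$ReleaseMap = [ordered]@{
    533320 = '4.8.1'; 528040 = '4.8';   461808 = '4.7.2'; 461308 = '4.7.1'
    460798 = '4.7';   394802 = '4.6.2'; 394254 = '4.6.1'; 393295 = '4.6'
    379893 = '4.5.2'; 378675 = '4.5.1'; 378389 = '4.5'
}

function Get-DotNetVersionFromRelease {
    param([int]$Release)
    foreach ($key in $ReleaseMap.Keys) {
        if ($Release -ge $key) { return $ReleaseMap[$key] }
    }
    return 'older than 4.5'
}

function Get-RemoteDotNetRelease {
    # Returns the Release DWORD, or $null when .NET 4.x is not installed at all.
    param([string]$ComputerName)
    $option  = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $ComputerName -SessionOption $option -ErrorAction Stop
    try {
        $result = Invoke-CimMethod -CimSession $session -Namespace 'root\default' `
            -ClassName StdRegProv -MethodName GetDWORDValue -Arguments @{
                hDefKey     = [uint32]2147483650   # HKEY_LOCAL_MACHINE
                sSubKeyName = 'SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
                sValueName  = 'Release'
            }
        if ($result.ReturnValue -ne 0) { return $null }
        return [int]$result.uValue
    }
    finally {
        Remove-CimSession -CimSession $session
    }
}

# Default to every domain controller of the current domain when no list is given.
if (-not $Servers) {
    Import-Module ActiveDirectory -ErrorAction Stop
    $Servers = (Get-ADDomainController -Filter *).HostName
}

$report = foreach ($server in $Servers) {
    try   { $release = Get-RemoteDotNetRelease -ComputerName $server; $err = $null }
    catch { $release = $null; $err = $_.Exception.Message }
    [pscustomobject]@{
        Server        = $server
        Release       = $release
        DotNetVersion = $(if ($null -ne $release) { Get-DotNetVersionFromRelease -Release $release } else { 'not installed / unknown' })
        Meets47       = ($null -ne $release -and $release -ge $MinRelease)
        Error         = $err
    }
}

# Servers that fail the check (or could not be queried) are listed first for follow-up.
$report | Sort-Object Meets47, Server | Format-Table Server, DotNetVersion, Release, Meets47, Error -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation
```

A server that reports an error rather than a version usually means the DCOM ports are blocked or the account lacks local administrator rights there; both are worth resolving before the sensor deployment, since the sensor installer needs comparable access.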

If the customer feels uncomfortable performing these activities on their own, you might propose
conducting an additional activity following the Pre-engagement Call, but still in the Pre-
engagement phase, to help the customer do that. However, in most cases the information
provided during the Pre-engagement Call, as well as in the email sent to the customer
afterwards (based on the template provided in Appendix C - Action Required Email Template)
that.

If a demo is part of the Pre-engagement Call, refer to Appendix A - Readiness and Technical
Content for guidance and setup instructions.

Background reading
To prepare for the delivery of the Threat Protection Workshop engagement, refer to Appendix A
- Readiness and Technical Content for links to relevant online learning content.

Duration and effort

 Preparation 2 Hrs.
 Delivery 1-2 Hrs.

9.2 Prepare and send Threat Protection Workshop Questionnaire

(Activity icons: Prepare and send Security Workshop Questionnaire; Action Required email
template; Customer Questionnaire)

To be able to prepare for the engagement activities, it is important to have a good
understanding of the customer’s production environment. The Threat Protection Workshop
toolkit comes with an Action Required email template and the questionnaire that the
customer will be asked to complete.

The questionnaire will be sent to the customer following the Pre-engagement Call.

Objectives
The objectives for these activities are:

 Customize and prepare the Action Required email.
 Customize the Threat Protection Workshop questionnaire.
 Send the email with the questionnaire to the customer.

Delivery resources
 Security Architect
 Engagement Manager

Supporting materials
 05 - Threat Protection Workshop - Customer Questionnaire.docx
 Action Required email located in Appendix C -Action Required Email Template

Preparation
Prior to sending the questionnaire to the customer, the delivery resource should customize the
questions in the questionnaire based on the information obtained from the Pre-engagement
Call.

 Customize the 05 - Threat Protection Workshop - Customer Questionnaire.docx
questionnaire.
 If the customer has agreed to a cost savings discussion, the questionnaire also includes
questions that allow you to customize the security cost savings calculations in the
“Streamline and Strengthen” conversation deck.
 Customize the Action Required email located in Appendix C -Action Required Email
Template.

Pre-requisites
The activities outlined in paragraph 9.1 Pre-engagement Call should be completed prior to
starting this activity.

Deliverables
 The Action Required email customized and sent to the customer.

Guidance
 Create an email using the template provided in Appendix C - Action Required Email
Template.
 If the Hybrid Identity Protection optional module is part of the engagement, dependent
on what you have agreed with the customer regarding the execution of the verification
tools, you should either:
o Include the instructions on how to run the verification tools as explained in 9.1
Pre-engagement Call if you agreed to having the customer run the verification
tools themselves.
o Remove the instructions on how to run the verification tools if you agreed to run
them together or if the customer preferred to collect the required data manually.
 Attach the updated and customized 05 - Threat Protection Workshop - Customer
Questionnaire.docx document.
 Send the email to the customer.

Duration and effort

 Preparation 1 Hrs.
 Delivery 0 Hrs.

9.3 Fill in and send back the Threat Protection Workshop Questionnaire

(Activity icons: Fill in and send back Security Workshop Questionnaire; Customer Questionnaire)

To be able to prepare for the engagement activities, it is important to have a good
understanding of the customer’s production environment.

In this activity the customer should fill in and send back the Threat Protection Workshop
Questionnaire.

Objectives
The objectives for these activities are:

 Fill in the Threat Protection Workshop Questionnaire.
 If the Hybrid Identity Protection optional module is part of the engagement, run the
verification tools against Active Directory servers (Active Directory Domain Controllers
and Active Directory Federation Services servers), as described in 9.1 Pre-engagement
Call.

Format
Completed by the customer.

Customer resources
As needed depending on scope of the engagement (included modules).

Delivery resources
 None.

Supporting materials
 05 - Threat Protection Workshop - Customer Questionnaire.docx

Preparation
None.

Pre-requisites
The activities outlined in paragraph 9.2 Prepare and send Threat Protection Workshop
Questionnaire should be completed prior to this activity.

Deliverables
 The 05 - Threat Protection Workshop - Customer Questionnaire.docx questionnaire
completed by the customer.

Guidance
 Guide the customer to fill in the 05 - Threat Protection Workshop - Customer
Questionnaire.docx and send it back to you.
 If the Hybrid Identity Protection optional module is part of the engagement, guide the
customer to run the verification tools against their Active Directory servers (Active
Directory Domain Controllers and Active Directory Federation Services servers), as per
the information you provided to them in the email based on the template in Appendix C
-Action Required Email Template, which you sent to them in the 9.2 Prepare and send
Threat Protection Workshop Questionnaire activity.

Duration and effort

 Preparation 0 Hrs.
 Delivery 0 Hrs.

9.4 Review Threat Protection Workshop Questionnaire

(Activity icons: Review Security Workshop Questionnaire; Customer Questionnaire)

To be able to prepare for the engagement activities, it is important to have a good
understanding of the customer’s production environment.

In this activity you should review the Threat Protection Workshop Questionnaire which the
customer filled in and sent back.

Objectives
The objectives for these activities are:

 Review the filled in Threat Protection Workshop Questionnaire from the customer.
 If the Hybrid Identity Protection optional module is part of the engagement, review the
results provided by the verification tools run by the customer against their Active
Directory servers (Active Directory Domain Controllers and Active Directory Federation
Services servers), as described in 9.1 Pre-engagement Call.

Delivery resources
 Security Architect
 Engagement Manager

Supporting materials
 05 - Threat Protection Workshop - Customer Questionnaire.docx

Preparation
None.

Pre-requisites
The activities outlined in paragraph 9.3 Fill in and send back the Threat Protection Workshop
Questionnaire should be completed prior to this activity.

Deliverables
 The 05 - Threat Protection Workshop - Customer Questionnaire.docx questionnaire
completed by the customer and with answers which need further clarification marked.

Guidance
 Review the filled in 05 - Threat Protection Workshop - Customer Questionnaire.docx. Mark
answers that require further clarification during the engagement.
 If the Hybrid Identity Protection optional module is part of the engagement, obtain and
briefly review the results provided by the verification tools run by the customer, as
described in 9.1 Pre-engagement Call.

Duration and effort

 Preparation 1 Hrs.
 Delivery 0 Hrs.

10. Readiness – Optional
10.1 Microsoft Defender for Endpoint - Overview

(Activity icons: Microsoft Defender for Endpoint - Overview; Microsoft Defender for Endpoint
Overview)

The Microsoft Defender for Endpoint - Overview activity provides the customer with an overview
of how the Microsoft Defender for Endpoint unified endpoint security platform provides
preventative protection, post-breach detections, automated investigations, and response
capabilities.

Important

Only deliver the readiness presentation if the customer needs to get a basic level of
understanding of Microsoft Defender for Endpoint.

Objectives
 Deliver the following presentation:
o 06 – Threat Protection Workshop - Microsoft Defender for Endpoint Overview.pptx

Format
Can be delivered as an onsite or online workshop.

Customer resources
 Executive Sponsor
 Security Team

Delivery resources
 Security Architect
 Engagement Manager

Supporting materials
 06 – Threat Protection Workshop - Microsoft Defender for Endpoint Overview.pptx

Preparation
Prior to delivering the Microsoft Defender for Endpoint Overview presentation, the delivery
resource leading the meeting will need to familiarize themself with:

 The 06 – Threat Protection Workshop - Microsoft Defender for Endpoint Overview.pptx
presentation content.

Pre-requisites
The activities outlined in paragraphs 9.1 Pre-engagement Call and 9.2 Prepare and send Threat
Protection Workshop Questionnaire should be completed prior to starting this activity.

Deliverables
None.

Guidance
Deliver the meeting using the speaker notes and guidance provided in the 06 – Threat
Protection Workshop - Microsoft Defender for Endpoint Overview.pptx presentation.

 When presenting, be concise and stick to the facts.
 Allow the customer to draw their own conclusions.
 Make sure you reserve some time for Q&A.

Background reading
To prepare for the delivery of the Threat Protection Workshop engagement, refer to Appendix A
-Readiness and Technical Content for links to relevant online learning content.

Duration and effort

 Preparation 1 Hrs.
 Delivery 1 Hrs.

10.2 Microsoft Defender for Identity - Overview

(Activity icons: Microsoft Defender for Identity - Overview; Microsoft Defender for Identity
Overview)

The Microsoft Defender for Identity - Overview activity provides the customer with an overview
of how Microsoft Defender for Identity provides visibility into threats to Active Directory
and existing Active Directory security weaknesses.

Important

Only deliver the readiness presentation if the customer needs to get a basic level of
understanding of Microsoft Defender for Identity.

Objectives
 Deliver the following presentation:
o 07 – Threat Protection Workshop - Microsoft Defender for Identity Overview.pptx

Format
Can be delivered as an onsite or online workshop.

Customer resources
 Executive Sponsor
 Security Team
 Identity Administrators

Delivery resources
 Security Architect
 Engagement Manager

Supporting materials
 07 – Threat Protection Workshop - Microsoft Defender for Identity Overview.pptx

Preparation
Prior to delivering the Microsoft Defender for Identity Overview presentation, the delivery
resource leading the meeting will need to familiarize themself with:

 The 07 – Threat Protection Workshop - Microsoft Defender for Identity Overview.pptx
presentation content.

Pre-requisites
The activities outlined in paragraphs 9.1 Pre-engagement Call and 9.2 Prepare and send Threat
Protection Workshop Questionnaire should be completed prior to starting this activity.

Deliverables
None.

Guidance
Deliver the meeting using the speaker notes and guidance provided in the 07 – Threat
Protection Workshop - Microsoft Defender for Identity Overview.pptx presentation.

 When presenting, be concise and stick to the facts.
 Allow the customer to draw their own conclusions.
 Make sure you reserve some time for Q&A.

Background reading
To prepare for the delivery of the Threat Protection Workshop engagement, refer to Appendix A
-Readiness and Technical Content for links to relevant online learning content.

Duration and effort

 Preparation 1 Hrs.
 Delivery 1 Hrs.

11. Engagement Setup
11.1 Kick-off Meeting

(Activity icons: Kick-off; Pre-engagement Call)

If only a subset of the customer team was present at the Pre-engagement Call, we highly
recommend that you start the Engagement Setup phase with a kick-off meeting in which you go
through the overview of the engagement with the entire team using the Pre-engagement Call
presentation. This will ensure that all project team members understand the objective and
contents of the engagement. During this meeting, the delivery team will introduce the customer
to the Threat Protection Workshop engagement, discuss the upcoming activities, align
expectations and establish timelines. For customers that have had no prior exposure to the
products and tools that will be used during the engagement, it is possible to include a
high-level introduction and demo explaining features and functionality.

Objectives
The objective for the kick-off meeting is to provide an overview of the engagement and agree
on the scope, schedule and required resources, particularly the following:

 Introduce the team to the customer and set the stage for the project.
 Introduce the Threat Protection Workshop engagement.
 Describe and discuss upcoming activities.
 Align expectations and timelines.
 Allocate resources.
 Discuss the engagement scope.
 Confirm information about the customer’s requirements.

Format
Can be delivered as an onsite or online workshop.

Customer resources
 Executive Sponsor
 Security Team

Delivery resources
 Security Architect
 Engagement Manager

Supporting materials
 01 - Threat Protection Workshop - Pre-engagement Call.pptx

Preparation
Prior to delivering the Kick-off Meeting, the delivery resource leading the meeting will need to
familiarize themself with:

 The overall engagement format of the Threat Protection Workshop engagement.
 The customer and their organizational structure. Make sure you research any previous
engagements that your organization has delivered to the customer.
 The completed 05 - Threat Protection Workshop - Customer Questionnaire.docx
questionnaire.
 The 01 - Threat Protection Workshop - Pre-engagement Call.pptx presentation content.

If a demo is included, the delivery resource should prepare for delivering the demo by using
either their own demo/lab environment or the click-through demo. Additional information on
how to prepare and deliver a demo can be found in Appendix A - Readiness and Technical
Content.

Pre-requisites
The activities outlined in paragraph 9 Pre-engagement should be completed prior to starting this
activity.

Deliverables
The deliverables of the Kick-off Meeting are defined as:

 Confirmed schedule with attendee list for the engagement.
 Record any design or configuration decisions within the 04 – Threat Protection Workshop
– Scope Template.docx document.
 Record any changes to engagement scope in accordance with your change management
process.

These deliverables will serve as input to the next steps.

Guidance
Deliver the meeting using the speaker notes and guidance provided in the 01 – Threat
Protection Workshop - Pre-engagement Call.pptx presentation.

If a demo is part of the Pre-engagement Call, refer to Appendix A - Readiness and Technical
Content for guidance and setup instructions.

Background reading
To prepare for the delivery of the Threat Protection Workshop engagement, refer to Appendix A
-Readiness and Technical Content for links to relevant on-line learning content.

Duration and effort

 Preparation 1 Hrs.
 Delivery 1-2 Hrs.

11.2 Define scope

(Activity icons: Define Scope; Scope Document)

Use this activity of the Threat Protection Workshop to work together with the customer to
define and finalize the engagement scope and required configuration settings for the
engagement tools.

Objectives
 The objective is to finalize the scope and configuration of the engagement tools.

Format
Can be delivered as an onsite or online workshop.

Customer resources
 One or more representatives from the customer’s Security Team.
 Microsoft 365 and Azure Tenant Administrators.
 Identity Administrators, if including the Hybrid Identity Protection optional module

Delivery resources
 Security Architect
 Engagement Manager

Supporting materials
 04 – Threat Protection Workshop – Scope Template.docx

Preparation
The delivery resource will need to familiarize themself with:

 The completed 05 - Threat Protection Workshop - Customer Questionnaire.docx
questionnaire, noting incomplete and/or missing information that should be brought up
during the scoping discussion.
 The 04 – Threat Protection Workshop – Scope Template.docx document which will be used
to record engagement scope and configuration settings for the engagement tools.

If the Hybrid Identity Protection optional module is part of the engagement, the delivery
resource also needs to familiarize themself with the results provided by the verification tools run
by the customer against their Active Directory servers (Active Directory Domain Controllers and
Active Directory Federation Services servers), as described in 9.1 Pre-engagement Call.

Pre-requisites
The activities outlined in paragraph 11.1 Kick-off Meeting should be completed prior to starting
this activity.

Deliverables
The deliverables are defined as:

 Scope and configuration settings recorded within the 04 – Threat Protection Workshop –
Scope Template.docx document.

These deliverables will serve as input to the next steps.

Guidance
Step through the topics within the 04 – Threat Protection Workshop – Scope Template.docx
document, discuss and record scope and configuration settings as you work through the
document together with the customer.
NOTE: The 04 – Threat Protection Workshop – Scope Template.docx document has been pre-
populated with the engagement scope as defined as part of section 6 Engagement scope.

Hybrid Identity Protection [Optional Module]

If the Hybrid Identity Protection optional module is part of the engagement, use the following
components as input to this activity to determine the scope for the Microsoft Defender for
Identity deployment:

 The results provided by the verification tools run by the customer against their Active
Directory servers (Active Directory Domain Controllers and Active Directory
Federation Services servers), as described in 9.1 Pre-engagement Call.
 The completed 05 - Threat Protection Workshop - Customer Questionnaire.docx
questionnaire.

Use the guidelines below to select which Active Directory servers to include as part of the
sensor deployment:

 If the customer has multiple Active Directory forests, then select a single forest using
the following guidelines:
o Select the Active Directory forest containing the largest number of Active
Directory servers that fulfill the criteria for the deployment of the Microsoft
Defender for Identity sensor, i.e. have:
 Sufficient memory and CPU resources.
 Microsoft .NET 4.7 or later installed.
 If the customer has a single Active Directory forest, or if you have selected a single
forest as per the previous point, then select Active Directory servers to include as part
of the sensor deployment based on the following guidelines:
o First exclude Active Directory servers that have insufficient memory and CPU
resources.
o Then discuss with the customer whether they want to include Active Directory
servers that do not have Microsoft .NET 4.7 or later installed.
NOTE: if an Active Directory server does not have Microsoft .NET 4.7 or
later installed, it might require a reboot during the installation of the
Microsoft Defender for Identity sensor, which might not be acceptable to
the customer.
o Out of the remaining Active Directory servers, include servers based on the
following guidelines:
 If the selected Active Directory forest has multiple Active Directory
domains, then select Active Directory servers from more than one
domain (ideally from all of them).
 If the customer has Active Directory servers running different versions
of Windows OS, then include servers with different Windows OS
versions (ideally include servers running all available Windows OS
versions).
o The size of the customer environment also has an impact on the number of
servers you choose to include as part of the engagement. Select Active
Directory servers to include based on the size of the customer environment
using the following guidance:
 For customer environments with a small number of Active Directory
servers (less than 10), aim to include all remaining Active Directory
servers.
 For customer environments with a medium number of Active
Directory servers (between 10 and 100), aim to include between 10
and 20 of the remaining Active Directory servers.
 For customer environments with many Active Directory servers (more
than 100), aim to include no less than 20% of the remaining Active
Directory servers.

Use the guidelines below to select up to three Active Directory servers to be deployed
together with the customer in the 11.6 Hybrid Identity Protection - Configuration
[Optional module] activity:
 If the selected Active Directory forest has multiple Active Directory domains, then
select Active Directory Domain Controllers from more than one domain.
 If the customer has Active Directory Domain Controllers running different versions of
Windows OS, then include servers with different Windows OS versions.
 If the customer selected Active Directory Federation Services servers to be included
in the engagement, then select at least one of them.
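To make the selection rules above concrete, here is an added PowerShell example (not part of the delivery guide or its toolkit) that applies them to a constructed inventory: it removes under-sized servers, leaves out servers without .NET 4.7 unless the customer accepted a possible reboot, derives the target count from the environment size thresholds above, spreads the picks across domains and Windows versions, and then chooses up to three servers for the joint deployment in 11.6. The inventory, the field names and the assumption that CPU/RAM sufficiency is already known per server (from the sensor sizing guidance) are all constructed for the example.

```powershell
# Added example, not from the delivery guide: apply the sensor selection
# guidelines to a constructed server inventory. The field names (Server,
# Domain, OS, Role, ResourcesOK, DotNetRelease) are assumptions; in an engagement
# they come from the questionnaire and the verification tool results. Whether
# CPU/RAM are sufficient is an input flag because those thresholds come from the
# sensor sizing guidance, not from this script.
$MinRelease = 460798   # .NET Framework 4.7

# Constructed inventory: one forest, three domains, ten DCs each, one AD FS server.
# DC8 of every domain is under-sized and DC7 is still on .NET 4.6.2.
$Inventory = @(
    foreach ($domain in 'corp.example', 'emea.corp.example', 'apac.corp.example') {
        foreach ($i in 1..10) {
            [pscustomobject]@{
                Server        = "DC$i.$domain"
                Domain        = $domain
                OS            = $(if ($i % 2) { 'Windows Server 2019' } else { 'Windows Server 2016' })
                Role          = 'DC'
                ResourcesOK   = ($i -ne 8)
                DotNetRelease = $(if ($i -eq 7) { 394802 } else { 528049 })
            }
        }
    }
    [pscustomobject]@{ Server = 'ADFS1.corp.example'; Domain = 'corp.example'; OS = 'Windows Server 2019'
                       Role = 'ADFS'; ResourcesOK = $true; DotNetRelease = 528049 }
)

function Select-SensorServers {
    param([Parameter(Mandatory)] [object[]]$Servers,
          [switch]$IncludeWithoutDotNet47)   # only if the customer accepts a possible reboot
    # 1. Exclude servers with insufficient memory/CPU.
    $remaining = @($Servers | Where-Object ResourcesOK)
    # 2. Servers without .NET 4.7 stay out unless the customer agreed to include them.
    if (-not $IncludeWithoutDotNet47) {
        $remaining = @($remaining | Where-Object { $_.DotNetRelease -ge $MinRelease })
    }
    # 3. Target count from the size of the environment (thresholds from the guide).
    $total = $Servers.Count
    if ($total -lt 10)      { $target = $remaining.Count }                        # small: all remaining
    elseif ($total -le 100) { $target = [math]::Min($remaining.Count, 20) }       # medium: 10-20
    else                    { $target = [math]::Ceiling($remaining.Count * 0.2) } # large: >= 20 %
    # 4. Spread picks over domains and OS versions: take one server from each
    #    (Domain, OS) group per round until the target is reached.
    $groups   = @($remaining | Group-Object Domain, OS)
    $selected = New-Object System.Collections.Generic.List[object]
    for ($round = 0; $selected.Count -lt $target; $round++) {
        $added = $false
        foreach ($g in $groups) {
            if ($round -lt $g.Group.Count -and $selected.Count -lt $target) {
                $selected.Add($g.Group[$round]); $added = $true
            }
        }
        if (-not $added) { break }
    }
    return $selected
}

function Select-JointDeploymentServers {
    # Up to $Max servers to deploy together with the customer: at least one AD FS
    # server if any were selected, then DCs that add a new domain or OS version.
    param([Parameter(Mandatory)] [object[]]$Selected, [int]$Max = 3)
    $picks = New-Object System.Collections.Generic.List[object]
    $adfs  = $Selected | Where-Object Role -eq 'ADFS' | Select-Object -First 1
    if ($adfs) { $picks.Add($adfs) }
    foreach ($dc in ($Selected | Where-Object Role -eq 'DC')) {
        if ($picks.Count -ge $Max) { break }
        $newDomain = -not ($picks | Where-Object Domain -eq $dc.Domain)
        $newOS     = -not ($picks | Where-Object OS -eq $dc.OS)
        if ($picks.Count -eq 0 -or $newDomain -or $newOS) { $picks.Add($dc) }
    }
    return $picks
}

$scope = @(Select-SensorServers -Servers $Inventory)
"Sensor deployment scope: {0} of {1} servers" -f $scope.Count, $Inventory.Count
$scope | Format-Table Server, Domain, OS, Role, DotNetRelease -AutoSize
'Servers to deploy together with the customer:'
Select-JointDeploymentServers -Selected $scope | Format-Table Server, Domain, OS, Role -AutoSize
```

With the constructed inventory (31 servers, 25 of them eligible) the medium-size rule yields a target of 20, and the round-robin over the seven (Domain, OS) groups keeps every domain and both Windows versions represented; the joint deployment picks come out as the AD FS server plus one DC from a second domain and one on the other OS version. Re-run with -IncludeWithoutDotNet47 to see the effect of the customer accepting the reboot risk.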

Feel free to make changes to the scope and/or add additional components, considering any
impact to the engagement timeline.
If the customer does not have change management (change control) processes in their
organization, then you can proceed with the activities in the Readiness – Optional and
Engagement Setup phases of the engagement.

If the customer has change management (change control) processes in their organization, then
at the end of this activity, together with the customer:
 review the 04 – Threat Protection Workshop – Scope Template.docx document,
highlighting the changes that would be made to their environment in this
engagement which, in light of their change management policies, require change
management approvals,
 formulate requests for these change management approvals.

While waiting for approvals for change management requests, you can proceed with activities in
the Readiness – Optional phase of the engagement. Once change management requests are
approved, you can proceed with activities in the Engagement Setup phase of the engagement.

Background reading
To prepare for the delivery of the Threat Protection Workshop engagement, refer to Appendix A
-Readiness and Technical Content for links to relevant on-line learning content.

Duration and effort

 Preparation 1 Hrs.
 Delivery 1 Hrs.

11.3 Change Management (optional)

(Activity icons: Change Management; Scope Document)

In this activity of the Threat Protection Workshop the customer goes through their change
management processes to obtain the required approvals for the deployment of the engagement
tools as per the agreed engagement scope.

Objectives
The objectives for these activities are:

 Obtain necessary approvals for the deployment of the engagement tools as per agreed
engagement scope.

Format
Completed by the customer.

Customer resources
As needed depending on the scope of the engagement (included modules).

Delivery resources
 None.

Supporting materials
 04 – Threat Protection Workshop – Scope Template.docx

Preparation
None.

Pre-requisites
The activities outlined in paragraph 11.2 Define scope should be completed prior to this activity.

Deliverables
 Approvals (if necessary, with dates selected) for the deployment of the engagement
tools as per agreed engagement scope.

Guidance
 Guide the customer to obtain necessary approvals for the deployment of the
engagement tools as per agreed engagement scope recorded in the 04 – Threat
Protection Workshop – Scope Template.docx.
 If necessary, make sure that the customer, as part of the approval process, selects dates
for the deployment of the engagement tools as per the agreed engagement scope.

Duration and effort

 Preparation 0 Hrs.
 Delivery 0 Hrs.

11.4 Threat Check - Configuration

(Activity icons: Threat Check Configuration; Scope Document; Delivery Guide)

Use this activity of the Threat Protection Workshop to work together with the customer to
deploy Threat Check trial licenses and configure the Microsoft 365 security tools.

Objectives
The objective is to configure the Threat Check components in the customer tenant, particularly
the following:

 Deploy the Microsoft 365 for Threat Check trial licenses required for the Microsoft 365
security tools and services used during the engagement in the customer tenant.
 Configure the Microsoft 365 security tools required for Threat Check in the customer
tenant.

Format
Can be delivered as an onsite or online workshop.

Customer resources
 A representative from the customer’s Security Team delegated to oversee the configuration
of Threat Check.
 Microsoft 365 Tenant Administrator.

Delivery resources
 Security Consultant

Supporting materials
 04 – Threat Protection Workshop – Scope Template.docx
 05 – Threat Protection Workshop – Customer Questionnaire.docx

Preparation
The delivery resource will need to familiarize themself with:

 The completed 04 – Threat Protection Workshop – Scope Template.docx document.
 The completed 05 - Threat Protection Workshop - Customer Questionnaire.docx
questionnaire.

Pre-requisites
 The delivery resource leading the workshop will need to acquire two signup URLs for
activation of the Microsoft 365 for Threat Check trial licenses that are required for the
Microsoft 365 security tools and services used during the engagement.

NOTE: The two signup URLs needed to activate the Microsoft 365 for Threat Check trial
licenses can be obtained in the Microsoft Cloud Accelerator Portal. Once your
engagement has been approved for funding, Microsoft 365 for Threat Check trial
licenses will be available in the dashboard under the “Obtain Promotional SKU” header.
Please consult the portal Step-by-Step guide for more details on this process.

Important

Obtain signup URLs prior to starting the delivery of the Threat Protection Workshop.

 The activities outlined in paragraph 11.2 Define scope and optionally also in paragraph
11.3 Change Management (optional) should be completed prior to starting this activity.

Deliverables
The deliverables are defined as:

 Microsoft 365 for Threat Check trial licenses deployed in the customer tenant.
 The Microsoft 365 security tools in the customer tenant configured for the Threat Check.

These deliverables will serve as input to the next steps.

Guidance

Important
Threat Check was designed to have no impact on users’ experiences or on their devices. This
means that:

• The Microsoft 365 security tools used in Threat Check will be configured in a way that
does not change users’ experiences (e.g. no link re-writes in emails, etc.).

• Nothing will be installed on end users’ devices.

• No active protection mechanisms will be enabled as part of the configuration of the
Microsoft 365 security tools used in Threat Check.

• No policies for automatic response will be set up as part of the configuration of the
Microsoft 365 security tools used in Threat Check.

Be very careful when taking any steps beyond those listed in this Delivery Guide or you risk
having unwanted impact, either during or after the engagement.

Follow these steps using the scope recorded in the 04 – Threat Protection Workshop – Scope
Template.docx document.

 Deploy the Microsoft 365 for Threat Check trial licenses:

o Open a new incognito/private web browser session and sign in to the Microsoft
365 admin center of the customer’s Microsoft 365 tenant:
http://admin.microsoft.com
o In a new tab of the existing web browser session, paste the first signup URL, for
the Microsoft 365 E3 for Threat Check trial license, which you received from the
Cloud Accelerator Portal.
o The following page will be presented:

o Click on “Yes, add it to my account” and accept all other prompts that follow
(there will be no more selections to make).
o Repeat the steps above for the second signup URL, for the Microsoft 365 E5
Security for Threat Check trial license, which you received from the Cloud
Accelerator Portal.

Important

Do not assign the Microsoft 365 for Threat Check trial licenses to any users.

 Configure the Microsoft 365 security tools that will be used in Threat Check:

Turn on auditing:

o Open a new incognito/private web browser session and sign in to the Microsoft
365 admin center of the customer’s Microsoft 365 tenant:
http://admin.microsoft.com
o Open a new tab in the web browser session and follow the guidelines below to
turn on audit log search (if it is not already turned on):
Turn auditing on or off - Microsoft 365 Compliance | Microsoft Docs

Microsoft 365 Defender:

o Open a new tab in the web browser session and go to the Microsoft 365 security
center:
https://security.microsoft.com
o Use the following guidance to onboard to the Microsoft 365 Defender service:
Turn on Microsoft 365 Defender in the Microsoft 365 security center | Microsoft
Docs
o Use the following guidance to confirm that the Microsoft 365 Defender service is
on:
Turn on Microsoft 365 Defender in the Microsoft 365 security center | Microsoft
Docs

Azure Active Directory Identity Protection:

o There’s no specific configuration necessary for Azure Active Directory Identity
Protection.
o Open a new tab in the web browser session and verify that you can access Azure
Active Directory Identity Protection:
https://portal.azure.com/#blade/Microsoft_AAD_IAM/IdentityProtectionMenuBlad
e/Overview

Cloud App Security:

o Open a new tab in the web browser session and go to the Microsoft Cloud App
Security portal:
http://portal.cloudappsecurity.com
o Under Settings in the Cloud App Security Portal, choose “Files”, select “Enable file
monitoring” and then “Save”:

o Use the following steps to Connect Office 365 to Microsoft Cloud App Security:
Connect Office 365 to Cloud App Security | Microsoft Docs
NOTE: Select all Office 365 components:

o Use the following steps to Connect Microsoft Azure to Microsoft Cloud App
Security:
Connect Azure to Cloud App Security | Microsoft Docs
o Go to the Control > Policies menu, locate the policy called “Malware detection
[Disabled]”, click on the button on the right with three vertical dots, then select
“Enable” from the menu and accept any additional prompts that follow:

o If, during the scoping activities performed as per section 11.2 Define scope, a
decision was made to use Microsoft Defender for Endpoint to provide
information about cloud applications and services accessed by the customer’s
users, then use the following steps to integrate Microsoft Defender for Endpoint
with Microsoft Cloud App Security:
Integrate Microsoft Defender for Endpoint with Cloud App Security | Microsoft
Docs
Then, under Settings in the Cloud App Security Portal, choose “Microsoft
Defender for Endpoint” and verify that the “Enforce app access” checkbox is not checked. If
necessary, uncheck it and then click “Save”:

o If, during the scoping activities performed as per section 11.2 Define scope, a
decision was made to use logs from the customer’s on-premises perimeter
security device such as a firewall or proxy server to provide information about
cloud applications and services accessed by the customer’s users, then make sure
that these logs will be collected and made available by the customer for upload
to Microsoft Cloud App Security and the creation of a snapshot Cloud Discovery
report. Logs should be collected in FTP format and stored in files which should
not exceed 1 GB per file. For more details see here:
Create snapshot reports of Cloud Discovery cloud app use | Microsoft Docs
NOTE: in production environments, the automatic upload of logs to Microsoft
Cloud App Security is highly recommended, but this is out-of-scope for the
Threat Check engagement.

Microsoft Defender for Office 365:

Important

To avoid any risk of impact to users, we will only create a Microsoft Defender for Office 365
Safe Attachment policy in Monitoring mode, scoped for up to a maximum of 15 users (due
to limitations of the Microsoft 365 for Threat Check trial licenses). Make sure you add no
more than 15 users to the scoped Microsoft Defender for Office 365 Safe Attachment policy to
avoid any impact to users.

o Open a new tab in the web browser session and go to the Microsoft 365 Admin
Center, Groups:
https://admin.microsoft.com/Adminportal/Home?source=applauncher#/groups
o Add a new group, using the Distribution group type and then add the users (up
to 15) that you selected as part of the 11.2 Define scope activity.
o Open a new tab in the web browser session and go to the Microsoft 365 security
center:
https://security.microsoft.com
o Navigate to Policies & rules in Email & collaboration section, then select Threat
Policies and then Safe Attachments.
o Click on Global settings and make sure that the “Turn on Defender for Office 365
for SharePoint, OneDrive, and Microsoft Teams” and “Turn on Safe Documents for
Office clients” options are turned Off.
o Click the +Create to add a new Safe Attachment policy.
o Enter a name
o In Users and domains, add the group you created earlier.
o In Settings, under the “Safe attachments unknown malware response”, select the
“Monitor - Deliver the message if malware is detected and track scanning results”.
o Uncheck the “Apply the Safe Attachments detection response if malware scanning
can’t complete (timeout or errors)”.
o Click Submit to save the policy.

Important

Do NOT use any unknown malware response option other than “Monitor - Deliver the message if
malware is detected and track scanning results”; the other responses can have an impact on users.

Do not create any other policies, including a Safe Links policy. A single Safe Attachments
policy is all that is used as part of the engagement.

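The same scoped Safe Attachments policy, created with Exchange Online PowerShell instead of the portal, as an added example that is not part of the original delivery guide. It assumes the ExchangeOnlineManagement module is installed and the signed-in account may manage threat policies; the pilot user list, group name and policy name are constructed placeholders to be replaced with the values from the scope template. The script refuses to run with more than 15 users and reads the policy back to confirm it is in Monitor mode before it is left in the tenant.

```powershell
# Added example (not from the delivery guide): scoped Safe Attachments policy in
# Monitor mode via Exchange Online PowerShell.
# Assumptions: ExchangeOnlineManagement module installed; the signed-in account may
# manage threat policies; user list, group name and policy name are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Constructed sample list; replace with the users recorded in the scope template.
$pilotUsers = @('user1@contoso.com', 'user2@contoso.com')
$groupName  = 'TPW-SafeAttachments-Pilot'          # assumed name
$policyName = 'TPW Safe Attachments (Monitor)'     # assumed name

# Trial licence limit from the guide: never scope the policy to more than 15 users.
if ($pilotUsers.Count -gt 15) {
    throw "Safe Attachments pilot is limited to 15 users; $($pilotUsers.Count) supplied."
}

# 1. Distribution group that scopes the policy.
$group = New-DistributionGroup -Name $groupName -Type Distribution -Members $pilotUsers

# 2. Global settings: SharePoint/OneDrive/Teams protection and Safe Documents stay off.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $false -EnableSafeDocs $false

# 3. Policy. Action 'Allow' is the portal's "Monitor - Deliver the message if malware is
#    detected and track scanning results"; ActionOnError $false leaves the "apply the
#    detection response if scanning can't complete" box unchecked.
New-SafeAttachmentPolicy -Name $policyName -Action Allow -ActionOnError $false -Enable $true

# 4. Rule that binds the policy to the pilot group only.
New-SafeAttachmentRule -Name $policyName -SafeAttachmentPolicy $policyName `
    -SentToMemberOf $group.PrimarySmtpAddress

# 5. Read back the two settings that decide whether users can be affected.
$p = Get-SafeAttachmentPolicy -Identity $policyName
if ($p.Action -ne 'Allow' -or $p.ActionOnError) {
    throw 'Policy is not in Monitor mode; correct it before leaving it in the tenant.'
}
Get-SafeAttachmentRule -Identity $policyName |
    Format-List Name, SafeAttachmentPolicy, SentToMemberOf, State
```

Run it once per tenant; the final read-back is the check to repeat at the end of the engagement before the policy is removed, so that nobody has switched it to a blocking response in the meantime.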
o If, during the scoping activities performed as per section 11.2 Define scope, a
decision was made to use Microsoft Defender for Office 365 Evaluation Mode,
then use the following steps to enable it in the customer’s tenant:
Evaluate Microsoft Defender for Office 365 - Get started with the evaluation |
Microsoft Docs
Alternatively, in the Microsoft 365 Defender portal https://security.microsoft.com go
to Policies & rules (in the Email & Collaboration group) > Threat policies >
Evaluation mode and enable Microsoft Defender for Office 365 Evaluation Mode
there.

Background reading
To prepare for the delivery of the Threat Protection Workshop engagement, refer to Appendix A
-Readiness and Technical Content for links to relevant online learning content.

Duration and effort


 Preparation 1 hr.
 Delivery 1 hr.

11.5 Endpoint Protection - Configuration [Optional module]

Endpoint Protection - Configuration
Use this activity of the Endpoint Protection optional module to work together with the
customer to:
 Complete the Microsoft Defender for Endpoint tenant configuration in the customer’s
production tenant.
 Onboard the Windows 10 devices to be included as part of the engagement.

Scope Document
Important. Prior to starting this activity the customer must have:
- Selected the Windows 10 devices to be included as part of the engagement.
- Uninstalled or disabled existing 3rd-party AV and/or EDR products if required, as per
the guidance in section 9 Pre-engagement.

Delivery Guide

Objectives
The objective is to create and configure the initial deployment of Microsoft Defender for
Endpoint in the customer’s production tenant, particularly the following:

 Complete the Microsoft Defender for Endpoint tenant configuration in the customer’s
production tenant.
 Onboard the Windows 10 clients to be included as part of the engagement.

Format
Can be delivered as an onsite or online workshop.

Customer resources
 A representative from the customer’s Security Team delegated to oversee deployment
and configuration of Microsoft Defender for Endpoint.
 Microsoft 365 Tenant Administrator.

Delivery resources
 Security Consultant

Supporting materials
 04 – Threat Protection Workshop – Scope Template.docx

Preparation
The delivery resource will need to familiarize themselves with:

 The completed 05 – Threat Protection Workshop – Customer Questionnaire.docx
questionnaire.
 The completed 04 – Threat Protection Workshop – Scope Template.docx document.

Pre-requisites
 The activities outlined in paragraph 11.2 Define scope should be completed prior to
starting this activity.
 The included Windows 10 devices must have been selected and existing 3rd-party AV
and/or EDR products on these devices must have been disabled or uninstalled, if
required.

Deliverables
The deliverables are defined as:

 Microsoft Defender for Endpoint tenant configuration in the customer’s production
tenant completed.
 Windows 10 clients to be included as part of the engagement onboarded.

These deliverables will serve as input to the next steps.

Guidance
Follow these steps using the scope recorded in the 04 – Threat Protection Workshop – Scope
Template.docx document.

Note

The included guidance contains the minimum configuration needed when including the Endpoint
Protection optional module as part of the Threat Protection Workshop engagement. Any
additional configuration, including onboarding non-Windows 10 devices, is likely to have an
impact on the engagement schedule.

Complete the Microsoft Defender for Endpoint tenant configuration

Complete the following steps in order:

1. First-time setup of Microsoft Defender for Endpoint.
2. Configure Microsoft Defender for Endpoint:
   a. Alert notifications
   b. Advanced features
   c. Permissions
   d. Device groups
3. Onboard the Windows 10 devices to be included as part of the engagement.
4. Verify your configuration using a simulated attack.

First time set up of Microsoft Defender for Endpoint


The first time you access Microsoft Defender Security Center you are greeted by a setup
wizard that guides you through some initial steps.

Important
The user who logs in to the Microsoft Defender Security Center for the first time must
either have the Global Administrator or Security Administrator role assigned to them. This
user will automatically be granted full access rights to Microsoft Defender for Endpoint and
is then able to give additional users access using the basic permissions or by enabling role-
based access control (RBAC) for Microsoft Defender for Endpoint if required.

During the first-time setup, pay special attention to the Data Storage Location option
which determines where the customer prefers their data to be hosted. Once you have
decided the storage location, you cannot change location or transfer existing data to a
different location.

Discuss and agree what the appropriate data retention configuration should be for the
engagement. The default data retention is 6 months but can be set to the lowest period (30
days) for the engagement if the customer would like to ensure that data from their
endpoints will be removed from Microsoft Defender for Endpoint as soon as possible after
the engagement.

Unless Microsoft Defender for Endpoint has already been set up previously, we recommend that
you perform these steps together with the customer so that you can explain the various options.

 Ask the customer to open Microsoft Defender Security Center and then log in with the
account to be assigned full access to Microsoft Defender Security Center as per the
scoping template and complete the initial first time set up.

Additional details on the initial set up can be located here:


Set up Microsoft Defender for Endpoint deployment | Microsoft Docs

Configure Microsoft Defender for Endpoint
Next you need to configure Microsoft Defender for Endpoint for the engagement. This is also an
opportunity for you to guide the customer through the configuration, explaining each option
and its recommended configuration for the engagement.

Alert notifications
You can configure Microsoft Defender for Endpoint to send email notifications to
specified recipients for new alerts. This feature enables you to identify a group of
individuals who will immediately be informed and can act on alerts based on their
severity.

 Using the account with full access rights to Microsoft Defender for Endpoint,
open Microsoft Defender Security Center and under Settings, General, Alert
notifications, add required notification rules as per the scoping template.

Additional details on alert notifications can be located here:


Configure alert notifications in Microsoft Defender for Endpoint | Microsoft Docs

Advanced Features

Advanced features in Microsoft Defender for Endpoint include settings that control
integration with other Microsoft security products, as well as features designed to give
better protection from potentially malicious files and better insight during security
investigations.

Important
To align with the guiding principle of the Threat Protection Workshop to avoid any
potential impact on users and devices we recommend leaving the automated
investigations option enabled and using a device group for the devices included as part of
the engagement set to “Semi - require approval for any remediation”.

Additional advanced features can be configured but be aware of the potential impact to
the engagement timeline.

 Using the account with full access rights to Microsoft Defender for Endpoint,
open Microsoft Defender Security Center and under Settings, General, Advanced
features make sure that following features have been enabled:
o Automated investigations
o Live Response
o Show user details
o Office 365 Threat Intelligence connection
o Microsoft Cloud App Security

Additional details on advanced features can be located here:
Configure advanced features in Microsoft Defender for Endpoint | Microsoft Docs

Permissions

Important
Configuring additional permissions is not required for this engagement and should only be
completed if the customer would like to experience how Microsoft Defender for Endpoint
can allow them to configure granular control to the Microsoft Defender Security Center. Be
aware that the implementation of complex role-based access control scenarios is likely to
have an impact on the engagement timeline.

Permissions to access the Microsoft Defender Security Center can be granted using basic
permissions management, which gives users one of the following levels of access:

 Full access (read and write)
 Read-only access

Basic permissions are tied to Azure AD roles: Global Administrator and Security
Administrator give full access, Security Reader gives read-only access. No configuration
inside the Security Center is needed for them.

If the customer has implemented a tier-based model for their security operations team
and would like to see how this would work in Microsoft Defender for Endpoint, you can
instead demonstrate this by enabling role-based access control. If this is the case,
skip to the Role-based access controls section below.

 Using a Global Administrator account, assign the Azure AD roles required for the
basic permissions recorded in the scoping template, using the guidance below:
Use basic permissions to access Microsoft Defender Security Center | Microsoft
Docs

Role-based access controls

Using role-based access control (RBAC), you can create roles and groups within
the security operations team to grant appropriate access to the Microsoft
Defender Security Center. Based on the roles and groups created, you have fine-
grained control over what users with access to the portal can see and do.

We recommend you work with the customer to understand and implement their
existing tier or role-based model using the role-based access controls, based on
the least privilege security principle. This will allow you to demonstrate how
Microsoft Defender for Endpoint will function in their production environment
with the existing roles responsible for managing a future Microsoft Defender for
Endpoint deployment.

 Using the account with full access rights to Microsoft Defender for Endpoint,
open Microsoft Defender Security Center and under Settings, Permissions, Roles
configure the required roles as per the scoping template, using the guidance
below:
Use role-based access control to grant fine-grained access to Microsoft Defender
Security Center | Microsoft Docs

Device Groups

In Microsoft Defender for Endpoint, you can create device groups and use them to:

 Limit access to related alerts and data to specific Azure AD user groups with
assigned RBAC roles.
 Configure different auto-remediation settings for different sets of devices.
 Assign specific remediation levels to apply during automated investigations.
 In an investigation, filter the Devices list to just specific device groups by using
the Group filter.

We recommend creating a single device group containing the Windows 10 devices to be


included as part of the engagement. To avoid any potential impact on users and/or
devices we recommend setting the Automation level for the device group to “Semi -
require approval for any remediation”. This will ensure that you can review the
recommended response together with the customer before deciding to remediate the
issue.

 Using the account with full access rights to Microsoft Defender for Endpoint,
open Microsoft Defender Security Center and under Settings, Permissions, Device
groups configure the required device groups as per the scoping template, using
the guidance below:
Create and manage device groups in Microsoft Defender for Endpoint | Microsoft
Docs

Network configuration, if needed (proxy configuration)

If the customer organization does not require the endpoints to use a Proxy to access the
Internet, skip this section.

The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP services
(WinHTTP) to report sensor data and communicate with the Microsoft Defender for
Endpoint service.

The WinHTTP configuration setting is independent of the Windows Internet (WinINet)
browsing proxy settings and can only discover a proxy server by using the
following discovery methods:

Auto-discovery methods:

 Transparent proxy
 Web Proxy Auto-discovery Protocol (WPAD)

If either of the above has been implemented, no special configuration is needed.
If you need to configure proxy settings manually, you have the following two
alternatives:

 Registry-based configuration (a static proxy used only by the Microsoft Defender for
Endpoint sensor)
 WinHTTP configured using the netsh command – suitable only for desktops in a
stable topology (for example, a desktop in a corporate network behind the same
proxy), since it applies to every WinHTTP client on the device

Additional details on how to configure proxy servers can be located here:


Configure device proxy and Internet connection settings | Microsoft Docs
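The registry-based alternative, as an added example that is not part of the original delivery guide: it sets the sensor-only static proxy value that the Microsoft documentation linked above describes, checks the proxy is reachable before doing so, and shows the machine-wide netsh command for comparison. Run it elevated on the device; the proxy address is an assumed placeholder to be taken from the scope template.

```powershell
# Added example (not from the delivery guide): sensor-only static proxy for the
# Defender for Endpoint sensor, plus a reachability check. Run elevated.
$proxy = 'proxy.corp.example:8080'   # assumed placeholder; use the scope template value

function Set-MdeStaticProxy {
    param([Parameter(Mandatory)][string]$ProxyServer)   # host:port
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # TelemetryProxyServer is read by the sensor only; browsing (WinINet) and other
    # WinHTTP clients on the device keep their own settings.
    Set-ItemProperty -Path $key -Name 'TelemetryProxyServer' -Value $ProxyServer -Type String
    (Get-ItemProperty -Path $key -Name 'TelemetryProxyServer').TelemetryProxyServer
}

# Fail early if the device cannot even open a TCP session to the proxy.
$proxyHost, $proxyPort = $proxy -split ':'
$tnc = Test-NetConnection -ComputerName $proxyHost -Port ([int]$proxyPort)
if (-not $tnc.TcpTestSucceeded) { throw "Cannot reach $proxy from this device." }

Set-MdeStaticProxy -ProxyServer $proxy

# Machine-wide alternative (affects every WinHTTP client; stable desktop topology only):
#   netsh winhttp set proxy proxy-server="$proxy" bypass-list="<local>"
# Show whatever machine-wide WinHTTP proxy is currently configured, if any.
netsh winhttp show proxy
```

The TCP check only proves the proxy answers; whether it lets the sensor reach the Defender for Endpoint service URLs is what the Microsoft Defender for Endpoint Client Analyzer referenced in the linked documentation verifies, so run that next on one device before onboarding the rest.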

Onboard the Windows 10 devices to be included as part of the engagement


You can deploy Microsoft Defender for Endpoint using various management tools. The following
deployment tools and methods are supported:

 Group policy
 Microsoft Endpoint Configuration Manager
 Mobile Device Management tools (e.g. Microsoft Intune)
 Local script

Important
The engagement trial license will allow you to add up to a maximum of 100 Windows 10
devices.

 Work together with the customer to onboard the included Windows 10 devices (up to a
maximum of 100 devices) using the selected onboarding option as per the scoping
template, using the guidance below:
Onboarding tools and methods for Windows 10 devices | Microsoft Docs

After you have onboarded the included Windows 10 devices, you should verify their onboarding
status on the Device Configuration page here:
https://securitycenter.windows.com/configuration-management

In addition, you can choose to run a detection test to verify that the device is properly
onboarded to the service using the guidance located here:
Run a detection test on a newly onboarded Microsoft Defender for Endpoint device | Microsoft
Docs
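A local check that complements the portal view, as an added example that is not part of the original delivery guide: it reads the onboarding state the sensor writes to the registry, confirms the Sense service is running, and only then runs the detection test from the Microsoft documentation linked above. Run it elevated on the onboarded device; the test directory and file name are the ones used by the documented test, and the download from 127.0.0.1 is expected to fail (the sequence, not the file, is what the sensor reports).

```powershell
# Added example (not from the delivery guide): post-onboarding check, then the
# documented detection test. Run elevated on the Windows 10 device.
function Test-MdeOnboarding {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OnboardingState = $status.OnboardingState            # 1 = onboarded
        SenseRunning    = [bool]($sense -and $sense.Status -eq 'Running')
        SenseStartType  = $sense.StartType
    }
}

$state = Test-MdeOnboarding
$state
if ($state.OnboardingState -ne 1 -or -not $state.SenseRunning) {
    throw 'Device is not onboarded; check the onboarding package and proxy settings first.'
}

# Detection test from the Microsoft docs: a benign download-and-execute sequence that
# the sensor reports as a test alert in the Security Center within about 10 minutes.
$testDir = 'C:\test-WDATP-test'
New-Item -ItemType Directory -Path $testDir -Force | Out-Null
$ErrorActionPreference = 'SilentlyContinue'
(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', "$testDir\invoice.exe")
Start-Process -FilePath "$testDir\invoice.exe"
$ErrorActionPreference = 'Continue'
```

Run it on one device per onboarding method used; the resulting alert is also the first chance to confirm that the alert notification rules configured earlier actually deliver e-mail to the agreed recipients.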

Verify your configuration using a simulated attack


Once you have configured the customer’s Microsoft Defender for Endpoint tenant, you can check
that everything works, including alert notifications, by running a simulated attack in
Microsoft Defender for Endpoint.

Additional details on how to complete simulated attacks in Microsoft Defender for Endpoint can
be located here:
Experience Microsoft Defender for Endpoint through simulated attacks | Microsoft Docs

Background reading
To prepare for the delivery of the Threat Protection Workshop engagement, refer to Appendix A
-Readiness and Technical Content for links to relevant online learning content.

Duration and effort


 Preparation 1 hr.
 Delivery 4 hrs.

11.6 Hybrid Identity Protection - Configuration [Optional module]

Hybrid Identity Protection - Configuration
Use this activity of the Hybrid Identity Protection optional module to work together with
the customer to:
 Complete the Microsoft Defender for Identity instance configuration in the customer’s
production tenant.
 Deploy Microsoft Defender for Identity sensors on up to three of the customer’s Active
Directory servers.

Scope Document
Important. Prior to starting this activity, it must be determined which Active Directory
servers are to be included in the engagement, as per the guidance in section 11.2 Define
scope.

Delivery Guide

Objectives
The objective is to create and configure the initial deployment of Microsoft Defender for Identity
in the customer’s production tenant, particularly the following:

 Complete the Microsoft Defender for Identity instance configuration in the customer’s
production tenant.
 Deploy Microsoft Defender for Identity sensors on up to three of the customer’s Active
Directory servers.

Format
Can be delivered as an onsite or online workshop.

Customer resources
 A representative from the customer’s Security Team delegated to oversee deployment
and configuration of Microsoft Defender for Identity.
 Microsoft 365 Tenant Administrator.
 Identity Administrators.

Delivery resources
 Security Consultant

Supporting materials
 04 – Threat Protection Workshop – Scope Template.docx

Preparation
The delivery resource will need to familiarize themselves with:

 The completed 05 – Threat Protection Workshop – Customer Questionnaire.docx
questionnaire.
 The completed 04 – Threat Protection Workshop – Scope Template.docx document.

Pre-requisites
 The activities outlined in paragraph 11.2 Define scope should be completed prior to
starting this activity.

Deliverables
The deliverables are defined as:

 Microsoft Defender for Identity instance configuration in the customer’s production
tenant completed.
 Microsoft Defender for Identity sensors deployed on up to three customer’s Active
Directory servers.

These deliverables will serve as input to the next steps.

Guidance
Follow these steps using the scope recorded in the 04 – Threat Protection Workshop – Scope
Template.docx document.

Note

The included guidance contains the minimum configuration needed when including the Hybrid
Identity Protection optional module as part of the Threat Protection Workshop engagement. Any
additional configuration is likely to have an impact on the engagement schedule.

Complete following steps in order:

1. Create an Active Directory account for Microsoft Defender for Identity sensors
2. Configure Microsoft Defender for Identity to make remote calls to SAM
3. Create the Microsoft Defender for Identity instance
4. Connect Microsoft Defender for Identity to Active Directory forest
5. Verify the enablement of integration between Microsoft Defender for Identity and
Microsoft Cloud App Security
6. Enable integration between Microsoft Defender for Identity and Microsoft Defender for
Endpoint [optional]
7. Download the Microsoft Defender for Identity sensor setup package
8. Deploy Microsoft Defender for Identity sensors on an initial set of Active Directory
Domain Controllers
9. Deploy Microsoft Defender for Identity sensors on initial set of Active Directory
Federation Services servers
10. Verify that the Microsoft Defender for Identity sensors are connected to the Microsoft
Defender for Identity instance
11. Validate the Microsoft Defender for Identity deployment using a simulated
reconnaissance activity

Create an Active Directory account for Microsoft Defender for Identity sensors
Microsoft Defender for Identity sensors (which will be deployed in the Deploy Microsoft Defender
for Identity sensors on an initial set of Active Directory Domain Controllers configuration step)
require an Active Directory account that allows them to retrieve data about users and computers
in the customer’s Active Directory forest. The account and its credentials are transferred by the
Microsoft Defender for Identity cloud service to the Microsoft Defender for Identity sensors over
a secure communication channel after the sensors have been deployed on the included Active
Directory servers.

For simplicity and due to the short duration of the engagement, we recommend using a
dedicated standard Active Directory user account, with a username and password for the
Microsoft Defender for Identity sensors. We recommend that you do not use a group Managed
Service Account (gMSA) in this engagement. The use of a gMSA is recommended for a long-
term production deployment of Microsoft Defender for Identity, but it would require additional
configuration and might impact the timeline of this engagement. Although an existing Active
Directory standard user account could be used, we recommend creating a dedicated account for
security reasons, as it will be granted additional access rights in the Configure Microsoft Defender
for Identity to make remote calls to SAM configuration step. The dedicated Active Directory
standard user account should be created with a username that clearly identifies its purpose, e.g.
MDIuser and should have a strong password.

Use the Active Directory Users and Computers console to add the user to the Active Directory
domain. Make sure that you check “Password never expires” and uncheck “User must change
password at next logon”.

More information about requirements for the Active Directory account for Microsoft Defender
for Identity can be found here:
Microsoft Defender for Identity prerequisites - Before you start

Configure Microsoft Defender for Identity to make remote calls to SAM
Microsoft Defender for Identity can detect lateral movement paths. It relies on queries that
identify local administrators on specific machines. These queries are performed with the SAM-R
protocol, using the Active Directory account created in the Create an Active Directory account for
Microsoft Defender for Identity sensors configuration step.

To allow the Microsoft Defender for Identity sensor to use this Active Directory account to make
remote calls to SAM on remote machines, follow the guidance provided here:
Configure Microsoft Defender for Identity to make remote calls to SAM
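The account creation and the SAM-R preparation from the two steps above, as an added example that is not part of the original delivery guide. It runs on a domain-joined administration workstation with the ActiveDirectory RSAT module, uses the MDIuser name from the guide, prompts for the password rather than embedding it, checks that the account really is a plain domain user, and then prints the SDDL string that the "Network access: Restrict clients allowed to make remote calls to SAM" policy needs so that the sensor account is allowed alongside the built-in Administrators group. The policy itself is still deployed through the GPO as the linked documentation describes; the script only produces and verifies the value.

```powershell
# Added example (not from the delivery guide): dedicated MDI sensor account plus the
# SAM-R policy value it needs. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$name   = 'MDIuser'            # name from the guide's example
$domain = Get-ADDomain
$pass   = Read-Host -AsSecureString -Prompt "Password for $name (strong and unique)"

New-ADUser -Name $name -SamAccountName $name `
    -UserPrincipalName "$name@$($domain.DNSRoot)" `
    -AccountPassword $pass -Enabled $true `
    -PasswordNeverExpires $true -ChangePasswordAtLogon $false `
    -Description 'Microsoft Defender for Identity sensor directory account'

# Least privilege: a standard user, no extra group memberships (MemberOf excludes the
# primary group Domain Users, so it must be empty here).
$user = Get-ADUser -Identity $name -Properties MemberOf, PasswordNeverExpires
if ($user.MemberOf.Count -gt 0) { throw "$name must not be a member of any additional groups." }

# SAM-R: the policy "Network access: Restrict clients allowed to make remote calls to SAM"
# is stored as an SDDL string in HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictRemoteSAM.
# The Windows default grants RC (remote access) to built-in Administrators (BA) only; the
# sensor account is added with the same right. Deploy this value with the GPO that targets
# the member computers MDI should query, not by editing the registry per host.
$sid  = $user.SID.Value
$sddl = "O:SYG:SYD:(A;;RC;;;BA)(A;;RC;;;$sid)"
Write-Output "RestrictRemoteSAM value for the GPO: $sddl"

# On any machine in scope of that GPO, confirm what was actually applied:
# (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RestrictRemoteSAM).RestrictRemoteSAM
```

Keep the read-back command for the end of the engagement: when the account is deleted, the ACE with its SID becomes an orphan in the policy and should be removed from the GPO as well.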

Create the Microsoft Defender for Identity instance


The first time you access Microsoft Defender for Identity (https://portal.atp.azure.com) you will
be greeted by a set up wizard which will guide you through some initialization steps in the
customer’s tenant. The creation of the Microsoft Defender for Identity instance is the first of
these initialization steps.

Important
The user who logs in to Microsoft Defender for Identity for the first time must either
have the Global Administrator or Security Administrator role assigned to them. This user
will automatically be granted full access rights to Microsoft Defender for Identity. If
required, this user is then able to give additional users access to Microsoft Defender for
Identity leveraging three dedicated Azure AD security groups which in turn provide role-
based access control (RBAC) for Microsoft Defender for Identity. For more information
please see:
Microsoft Defender for Identity role groups

To create the Microsoft Defender for Identity instance in the customer’s environment, follow the
guidance provided here:
Create your Microsoft Defender for Identity instance

You only need to perform the first step of the wizard, i.e. the creation of the Microsoft Defender
for Identity instance. We recommend that you then stop using the wizard, as the rest of the
Microsoft Defender for Identity configuration will be performed manually with the intention of
explaining each configuration step to the customer.

Connect Microsoft Defender for Identity to Active Directory forest


To connect Microsoft Defender for Identity to the customer’s Active Directory, use the Active
Directory account created earlier in the Create an Active Directory account for Microsoft Defender
for Identity sensors configuration step and follow the guidance provided here:
Connect to your Active Directory forest

Verify the enablement of integration between Microsoft Defender for Identity and
Microsoft Cloud App Security
Using Microsoft Defender for Identity together with Microsoft Cloud App Security offers activity
analysis and alerts based on User and Entity Behavior Analytics (UEBA), identifying the riskiest
behaviors, providing a comprehensive investigation priority score, as well as activity filtering
and customizable activity policies. It is therefore the recommended way to analyze Microsoft
Defender for Identity alerts.

To verify if the integration between Microsoft Defender for Identity and Microsoft Cloud App
Security is enabled, follow the guidance provided here:
Microsoft Defender for Identity integration with Microsoft Cloud App Security

NOTE: Integration between Microsoft Defender for Identity and Microsoft Cloud App Security is
automatically enabled for any new Microsoft Defender for Identity instance created after March
15th 2020 (as of Azure ATP release 2.112).

In some cases, customers might have created a Microsoft Defender for Identity instance prior to
this date which is still active, but did not enable the integration between Microsoft Defender for
Identity and Microsoft Cloud App Security. In such cases you must enable the integration
manually, following the guidance provided here:
Microsoft Defender for Identity integration with Microsoft Cloud App Security
In these cases, it may take up to 12 hours until the integration takes effect.

Enable integration between Microsoft Defender for Identity and Microsoft Defender for
Endpoint [optional]
Microsoft Defender for Identity enables you to integrate Microsoft Defender for Identity with
Defender for Endpoint, for an even more complete threat protection solution. While Microsoft
Defender for Identity monitors the traffic on your domain controllers, Microsoft Defender for
Endpoint monitors your endpoints, together providing a single interface from which you can
protect your environment.

If the customer is using Microsoft Defender for Endpoint or if the Microsoft Defender for
Endpoint is deployed as part of the Endpoint Protection [Optional Module] of this engagement,
to enable integration between Microsoft Defender for Identity and Microsoft Defender for
Endpoint, follow the guidance provided here:
Integrate Microsoft Defender for Identity with Microsoft Defender for Endpoint

Download the Microsoft Defender for Identity sensor setup package
The Microsoft Defender for Identity sensor package will be used to deploy sensors to Active
Directory servers in the engagement. To download the Microsoft Defender for Identity sensor
package, follow the guidance provided here:
Download the Microsoft Defender for Identity sensor setup package

We recommend that you store the Microsoft Defender for Identity sensor package in a shared
folder which can be accessed from Active Directory servers in the customer environment. The
sensor setup package is in the form of a ZIP file, which contains the installer executable and the
configuration file with the required information to connect to the Microsoft Defender for
Identity cloud service. Extract the ZIP file to the same shared folder.

Also, copy the access key from the web page and put it in a plain text file stored in the same
shared folder. The access key is a one-time password used only to register a sensor; after
registration, all communication is authenticated with certificates and encrypted with TLS.
Because anyone who can read the key can register a sensor with the customer’s instance,
restrict the shared folder to the people performing the deployment and delete the text file
once the last sensor has been deployed (the key can be regenerated from the portal if needed).

These preparation steps will let you deploy Microsoft Defender for Identity sensors quickly
in the subsequent steps of the engagement.

Deploy Microsoft Defender for Identity sensors on an initial set of Active Directory
Domain Controllers
You can deploy Microsoft Defender for Identity sensors on Active Directory Domain Controllers
interactively or using management tools such as Microsoft Endpoint Configuration Manager. We
recommend interactively deploying Microsoft Defender for Identity sensors on the initial set of
Active Directory Domain Controllers included in this engagement, as per the scoping template.

To install the Microsoft Defender for Identity sensor interactively, from an Active Directory
Domain Controller, access the shared folder described in the Download the Microsoft Defender
for Identity sensor setup package configuration step. Run the installation executable extracted to
the shared folder (do not run it from ZIP file). When the installation process asks you for the
access key, open the text file which you stored in the shared folder, and copy & paste the access
key.

NOTE: you can also copy files from shared folder to the Active Directory Domain Controllers and
run installation executable on them locally.

Work together with the customer to deploy Microsoft Defender for Identity sensor on up to a
maximum of three Active Directory Domain Controllers, using the selected options as per the
scoping template.

If the customer does not allow direct Internet access from the Active Directory Domain
Controllers, the proxy connectivity option must be used to allow the Microsoft Defender for
Identity sensor to communicate with the Microsoft Defender for Identity cloud-based service
(instance). We recommend configuring Internet access via proxy during the deployment of the
Microsoft Defender for Identity sensors on Active Directory Domain Controllers. With this
approach, Internet access via the proxy is opened only for the Microsoft Defender for Identity
sensors and not for other processes running on the Active Directory Domain Controllers.

To configure Internet access via proxy using command line parameters with the Microsoft
Defender for Identity sensor installation executable, follow the guidance provided here:
Configure proxy server using the command line

NOTE: the Microsoft Defender for Identity sensor service can also leverage alternative methods
to configure a proxy server on Active Directory Domain Controllers, but they can open
connectivity to the Internet for other processes running on the Active Directory Domain
Controllers through the proxy server, which might be undesirable.

If you prefer to deploy the Microsoft Defender for Identity sensors non-interactively, without
being asked for parameters or access key, follow this guideline to start the installation
executable in silent mode:
Microsoft Defender for Identity sensor silent installation

More information about the deployment of Microsoft Defender for Identity sensors can be
found here:
Install the Microsoft Defender for Identity sensor

Deploy Microsoft Defender for Identity sensors on initial set of Active Directory
Federation Services servers
We recommend interactively deploying the Microsoft Defender for Identity sensors on the initial
set of Active Directory Federation Services servers included in this engagement, as per the
scoping template.

To deploy the Microsoft Defender for Identity sensors on Active Directory Federation Services
servers, follow the guidance provided in the Deploy Microsoft Defender for Identity sensors on an
initial set of Active Directory Domain Controllers configuration step.

Then, after you've completed the installation of Microsoft Defender for Identity sensors on
Active Directory Federation Services servers, follow this guidance:
Post-installation steps for AD FS servers

NOTE: if Active Directory Federation Services servers are not able to access the shared folder
described in the Download the Microsoft Defender for Identity sensor setup package configuration
step, then download the sensor setup package directly to the servers from the Microsoft
Defender for Identity portal, using the following guidance:
Download the Microsoft Defender for Identity sensor setup package

Verify that the Microsoft Defender for Identity sensors are connected to the Microsoft
Defender for Identity instance
Verify that the Microsoft Defender for Identity sensors are connected to the Microsoft Defender
for Identity cloud based service (the instance), using the following guidance:
Domain controller status

NOTE: although the guidance only mentions Active Directory Domain Controllers, it also applies
to Active Directory Federation Services servers.

All Active Directory servers on which you have deployed Microsoft Defender for Identity sensors
should show “Service Status” as “Running”.

Validate the Microsoft Defender for Identity deployment using a simulated
reconnaissance activity
Once you have configured the customer’s Microsoft Defender for Identity instance and
deployed Microsoft Defender for Identity sensors on the selected Active Directory servers, you
can verify its functionality, by running a simulated reconnaissance activity.

Important
The simulated reconnaissance activity requests a DNS zone transfer (an AXFR query) and is
harmless: the Domain Controller is expected to refuse it. It is intended to generate activity
records in the Microsoft Defender for Identity and Microsoft Cloud App Security consoles, to
verify that all configurations have been applied correctly. No alarms will be raised.

Follow this guidance to validate the Microsoft Defender for Identity deployment using a
simulated reconnaissance activity:
Validate the Microsoft Defender for Identity deployment

Then, in the Microsoft Defender for Identity console, search for the device from which you
conducted the reconnaissance activity. You should see that AXFR queries were detected and
refused - something like this:

Then, in the Microsoft Cloud App Security console, go to the Investigate > Activity log menu. Apply
the following filters: “App: Active Directory” and “Activity type: DNS Query”. You should see that
AXFR queries were detected and refused - something like this:

NOTE: if you had to manually enable the integration as described in the Verify the enablement of
integration between Microsoft Defender for Identity and Microsoft Cloud App Security
configuration step, it may take up to 12 hours for the integration to take effect, so your
validation activities might not yet be logged in the Microsoft Cloud App Security console.
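A sensor inspects the traffic of the Domain Controller it is installed on, so the AXFR check is only meaningful for a sensor if it is run against that sensor's Domain Controller. The following PowerShell is an added example, not part of the workshop guide or of Microsoft's validation guidance: it drives the same Windows nslookup "ls -d" zone transfer request that the linked guidance runs interactively, once per Domain Controller, and checks the response instead of reading it by eye. The domain name and Domain Controller names in the example call are placeholders.

```powershell
# Added example (not from the workshop guide or Microsoft): run the simulated
# DNS reconnaissance (AXFR via Windows nslookup "ls -d") against every Domain
# Controller that received a Microsoft Defender for Identity sensor.
# Assumption: run from a domain-joined Windows machine; "ls" exists only in the
# Windows nslookup, not in the BIND one.
function Invoke-MdiAxfrValidation {
    param(
        [Parameter(Mandatory)] [string]   $DomainFqdn,        # e.g. contoso.local (placeholder)
        [Parameter(Mandatory)] [string[]] $DomainController   # FQDNs of the DCs with sensors
    )
    foreach ($dc in $DomainController) {
        # nslookup reads its interactive commands from stdin; 2>&1 captures the
        # "*** Can't list domain ...: Query refused" line it writes to stderr.
        $output = @("server $dc", "ls -d $DomainFqdn", "exit") |
                  nslookup.exe 2>&1 | Out-String

        [pscustomobject]@{
            DomainController = $dc
            # Expected result: the DC refuses the transfer (what MDI/MCAS should log).
            Refused          = [bool]($output -match 'Query refused')
            # A listed zone means the DC allows zone transfers to arbitrary hosts;
            # raise that with the customer, it is not part of the MDI validation.
            ZoneListed       = [bool]($output -match '\bSOA\b')
            Raw              = $output.Trim()   # keep for correlation with the console entries
        }
    }
}

# Example call (placeholder names):
# Invoke-MdiAxfrValidation -DomainFqdn 'contoso.local' `
#     -DomainController 'dc01.contoso.local', 'dc02.contoso.local' |
#     Format-Table DomainController, Refused, ZoneListed
```

Every row should show Refused = True; afterwards search the Microsoft Defender for Identity console and the Microsoft Cloud App Security activity log for the machine the script ran on, as described above.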

Background reading
To prepare for the delivery of the Threat Protection Workshop engagement, refer to Appendix A
-Readiness and Technical Content for links to relevant online learning content.

Duration and effort


• Preparation: 1 hour
• Delivery: 4 hours

11.7 Hybrid Identity Protection - Complete Sensor Deployment
[Optional module]

In this activity of the Hybrid Identity Protection optional module, the customer will complete the
Microsoft Defender for Identity sensor deployment on the remaining Active Directory servers that
are included in the engagement.

Scope
Document

Objectives
The objective is to deploy Microsoft Defender for Identity sensors on the remaining Active Directory
servers that are included in the engagement.

Format
Completed by the customer.

Customer resources
• A representative from the customer’s Security Team delegated to oversee the
deployment and configuration of Microsoft Defender for Identity.
• Microsoft 365 Tenant Administrator.
• Identity Administrators.

Delivery resources
• None.

Supporting materials
• 04 – Threat Protection Workshop – Scope Template.docx

Preparation
The customer will need to familiarize themselves with:

• The completed 04 – Threat Protection Workshop – Scope Template.docx document.

Pre-requisites
• The activities outlined in paragraph 11.6 Hybrid Identity Protection - Configuration
[Optional module] should be completed prior to starting this activity.

Deliverables
The deliverables are defined as:

• Microsoft Defender for Identity sensors deployed on the remaining Active Directory servers
that are included in the engagement.

These deliverables will serve as input to the next steps.

Guidance
Guide the customer to follow these configuration steps using the scope recorded in the 04 –
Threat Protection Workshop – Scope Template.docx document.
1. Deploy Microsoft Defender for Identity sensors on remaining Active Directory Domain
Controllers
2. Deploy Microsoft Defender for Identity sensors on remaining Active Directory Federation
Services servers
3. Verify that the Microsoft Defender for Identity sensors are connected to the Microsoft
Defender for Identity instance

Deploy Microsoft Defender for Identity sensors on remaining Active Directory Domain
Controllers
The customer can deploy remaining Microsoft Defender for Identity sensors on Active Directory
Domain Controllers interactively or using management tools such as Microsoft Endpoint
Configuration Manager.

If the customer decides to interactively deploy Microsoft Defender for Identity sensors on
remaining Active Directory Domain Controllers included in this engagement, as per scoping
template, then provide them with the guidance based on the Deploy Microsoft Defender for
Identity sensors on an initial set of Active Directory Domain Controllers configuration step in 11.6
Hybrid Identity Protection - Configuration [Optional module] activity.

If the customer decides to use a management tool such as Microsoft Endpoint Configuration
Manager to deploy Microsoft Defender for Identity sensors on remaining Active Directory
Domain Controllers included in this engagement, as per the scoping template, guide them to
follow this guidance to start the installation executable in silent mode:
Microsoft Defender for Identity sensor silent installation

Additionally, if the customer needs to configure Internet access via proxy for the Microsoft
Defender for Identity sensors, guide them to start the installation executable with appropriate
command line parameters which specify the proxy configuration (as per the scoping template),
as per guidance provided here:
Configure proxy server using the command line

When using Microsoft Endpoint Configuration Manager to deploy Microsoft Defender for
Identity sensors, guide the customer to use following guidance to create an application in
Microsoft Endpoint Configuration Manager:

• Use the Create Application wizard as per Manually specify application information
• Use the Create Deployment Type wizard as per Manually specify the deployment type
information, specifying the installation executable source path, installation executable
name and command-line parameters.

Once the application has been created in Microsoft Endpoint Configuration Manager, the
customer can deploy it to remaining Active Directory Domain Controllers.
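The silent installation with a sensor-only proxy, needed for the initial set of Domain Controllers in 11.6 as well as for the remaining ones here, can be wrapped in a script so that the same command line is used whether it is run by hand or as the command line of the Microsoft Endpoint Configuration Manager deployment type. The following PowerShell is an added example, not part of the workshop guide or of Microsoft's sensor package: it calls the installation executable with the parameters documented under Microsoft Defender for Identity sensor silent installation and Configure proxy server using the command line, and then performs the post-installation check that the sensor services are running and that no machine-wide proxy was opened for other processes. The setup directory, the executable name (the name used by the 2021 sensor package), the access key source and the proxy account are assumptions.

```powershell
# Added example (not from the workshop guide or the sensor package): silent
# Microsoft Defender for Identity sensor installation with a sensor-only proxy,
# plus a post-install check.
# Assumptions: the sensor package was extracted to -SetupDir and contains
# "Azure ATP sensor Setup.exe"; -AccessKey is the access key from the MDI portal.
function Install-MdiSensorSilently {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SetupDir,
        [Parameter(Mandatory)] [string] $AccessKey,
        [string] $ProxyUrl,                                   # e.g. http://proxy.contoso.com:8080 (placeholder)
        [System.Management.Automation.PSCredential] $ProxyCredential
    )

    $setupExe = Join-Path $SetupDir 'Azure ATP sensor Setup.exe'
    if (-not (Test-Path -LiteralPath $setupExe)) {
        throw "Sensor setup executable not found: $setupExe"
    }

    # /quiet suppresses the setup UI; NetFrameworkCommandLineArguments="/q" does
    # the same for the bundled .NET Framework installer. The remaining parameters
    # are Name="value" pairs and must keep their quotes on the command line.
    $setupArgs = @(
        '/quiet',
        'NetFrameworkCommandLineArguments="/q"',
        "AccessKey=`"$AccessKey`""
    )
    if ($ProxyUrl) {
        # ProxyUrl is read only by the sensor service; it does not change the
        # machine-wide WinHTTP/WinINET proxy, so other DC processes gain no
        # Internet path through it.
        $setupArgs += "ProxyUrl=`"$ProxyUrl`""
        if ($ProxyCredential) {
            # The proxy password ends up on the command line (visible in process
            # listings and in MECM logs): use a dedicated proxy account with no
            # other rights.
            $setupArgs += "ProxyUserName=`"$($ProxyCredential.UserName)`""
            $setupArgs += "ProxyUserPassword=`"$($ProxyCredential.GetNetworkCredential().Password)`""
        }
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Install Microsoft Defender for Identity sensor')) {
        $proc = Start-Process -FilePath $setupExe -ArgumentList $setupArgs -Wait -PassThru
        # 0 = success; 3010 = success, reboot required (standard Windows Installer code).
        if ($proc.ExitCode -notin 0, 3010) {
            throw "Sensor setup failed with exit code $($proc.ExitCode)"
        }
        return $proc.ExitCode
    }
}

# Post-install check: both sensor services must exist and be running, and the
# machine-wide WinHTTP proxy must still report direct access, which is what the
# command-line proxy configuration preserves.
function Test-MdiSensorInstall {
    $result = [ordered]@{ Computer = $env:COMPUTERNAME }
    foreach ($name in 'AATPSensor', 'AATPSensorUpdater') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $result[$name] = if ($svc) { $svc.Status.ToString() } else { 'Missing' }
    }
    $winHttp = (netsh.exe winhttp show proxy) -join ' '
    $result['WinHttpDirectAccess'] = [bool]($winHttp -match 'Direct access')
    [pscustomobject]$result
}

# Example call (placeholder values):
# $cred = Get-Credential -UserName 'CONTOSO\svc-mdi-proxy' -Message 'Proxy account'
# Install-MdiSensorSilently -SetupDir 'C:\Temp\MDISensor' -AccessKey $accessKey `
#     -ProxyUrl 'http://proxy.contoso.com:8080' -ProxyCredential $cred
# Test-MdiSensorInstall
```

For the Microsoft Endpoint Configuration Manager deployment type, the installation program is the same executable with the same space-joined argument list; Test-MdiSensorInstall can run as the detection method or as a follow-up compliance check. Both services should report Running and WinHttpDirectAccess should be True on a Domain Controller that had no proxy before.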

Deploy Microsoft Defender for Identity sensors on remaining Active Directory Federation
Services servers
Typically, the number of Active Directory Federation Services servers deployed in a customer’s
environment is low. Because of this, we recommend that you guide the customer to interactively
deploy the Microsoft Defender for Identity sensors on the remaining Active Directory Federation
Services servers included in this engagement, as per the scoping template.
Provide the customer with the guidance based on the Deploy Microsoft Defender for Identity
sensors on initial set of Active Directory Federation Services servers configuration step in the 11.6
Hybrid Identity Protection - Configuration [Optional module] activity.

Make sure the customer understands that, after they have completed the installation of the
Microsoft Defender for Identity sensors on the remaining Active Directory Federation Services
servers, they must follow this guidance:
Post-installation steps for AD FS servers

Verify that the Microsoft Defender for Identity sensors are connected to the Microsoft
Defender for Identity instance
Guide the customer to verify that the Microsoft Defender for Identity sensors are connected to
the Microsoft Defender for Identity cloud based service (the instance), using the following
guidance:
Domain controller status

NOTE: although the guidance only mentions Active Directory Domain Controllers, it also applies
to Active Directory Federation Services servers.

All Active Directory servers on which you have deployed Microsoft Defender for Identity sensors
should show “Service Status” as “Running”.

Background reading
To prepare for the delivery of the Threat Protection Workshop engagement, refer to Appendix A
-Readiness and Technical Content for links to relevant online learning content.

Duration and effort


• Preparation: 0 hours
• Delivery: 0 hours

12. Data Collection
12.1 Cloud Discovery Log Collection

Use this activity of the Threat Protection Workshop to work together with the customer to upload
logs from the customer’s on-premises perimeter security device, such as a firewall or proxy server,
to Microsoft Cloud App Security, if during the scoping activities performed as per section 11.2
Define scope a decision was made to use logs from such a device.

NOTE: if during the scoping activities performed as per section 11.2 Define scope the decision
was made to use Microsoft Defender for Endpoint, integrated with Microsoft Cloud App Security,
as the source of the cloud discovery logs, then the activities described in this section don’t need
to be performed.

Important
Activities described in this section should be performed towards the end of the Data Collection
period, but at least 24 hours prior to the activities described in section 13 Exploration and
Report Generation, in order to allow Microsoft Cloud App Security enough time to analyze the
uploaded logs.

Objectives
The objective is to create snapshot cloud discovery report(s) in Microsoft Cloud App Security by
uploading files with logs from the customer’s on-premises perimeter security device such as a
firewall or proxy server that were collected and stored in FTP format during the Data Collection
period.

Format
Preferably delivered online, but can also be delivered as an onsite workshop.

Customer resources
• A representative from the customer’s Security Team delegated to oversee the configuration
of the Threat Check.
• Microsoft 365 Tenant Administrator.

Delivery resources
• Security Consultant

Supporting materials
• 04 – Threat Protection Workshop – Scope Template.docx

Preparation
The delivery resource will need to familiarize themself with:

• The completed 04 – Threat Protection Workshop – Scope Template.docx document.

Pre-requisites
The activities outlined in 11.4 Threat Check - Configuration must be completed prior to starting
this activity.

Deliverables
The deliverables are defined as:

• Snapshot Cloud Discovery report being generated by Microsoft Cloud App Security.

These deliverables will serve as input to the next steps.

Guidance

Follow these steps using the scope recorded in the 04 – Threat Protection Workshop – Scope
Template.docx document.
o Open a new incognito/private web browser session and sign in to the Microsoft
Cloud App Security portal of the customer’s Microsoft 365 tenant:
https://portal.cloudappsecurity.com
o Create the snapshot cloud discovery report(s) in Microsoft Cloud App Security by
uploading the log files that were collected and stored in FTP format during the Data
Collection period, as outlined in 11.4 Threat Check - Configuration, following these steps:
Create snapshot reports of Cloud Discovery cloud app use | Microsoft Docs
NOTE: if more than 100 log files were stored, you will need to create several
separate snapshot Cloud Discovery reports.

Background reading
To prepare for the delivery of the Threat Protection Workshop engagement, refer to Appendix A
-Readiness and Technical Content for links to relevant on-line learning content.

Duration and effort


• Preparation: 1 hour
• Delivery: 1 hour

13. Exploration and Report Generation
13.1 Threat Check - Exploration

This activity will allow you to work together with the customer to discover and analyze threats
detected in the Threat Check.

Important
It is important to stay within the scope of this activity while analyzing the findings and identified
threats. Unless exceptional, high impact threats are identified that require immediate action, the
activities for this step should be limited to analysis and not extend to mitigation or corrective
action. If corrective action or mitigation is required, this should be discussed with and approved
by the customer prior to engaging in these out-of-scope activities. The objective of the Threat
Check is to highlight threats to the customer’s organization and to understand, learn, and advise
on what can be done to mitigate these threats.

Objectives
The objective is to work together with the customer to analyze and document threats found in the
Threat Check, particularly the following:

• Exploration of threats discovered by Azure Active Directory Identity Protection, Microsoft
Defender for Office 365, and Microsoft Cloud App Security, allowing you to showcase
these Microsoft 365 Security tools and specifically how to use Microsoft 365 Defender to
investigate incidents raised by alerts from these tools.
• Discovery by Microsoft Cloud App Security of cloud applications used by the customer’s
users which might pose additional threats to the customer organization.
• Documentation of threats found.

Format
Can be delivered as an onsite or online workshop.

Customer resources
• A representative from the customer’s Security Team delegated to oversee the
exploration of the findings of the Threat Check.
• Microsoft 365 Tenant Administrator.

Delivery resources
• Security Consultant

Supporting materials
No supporting materials exist.

Preparation
The delivery resource will need to familiarize themself with:

• The completed 05 - Threat Protection Workshop - Customer Questionnaire.docx
questionnaire.

Pre-requisites
The activities outlined in 11.4 Threat Check - Configuration and 12.1 Cloud Discovery Log
Collection must be completed prior to starting this activity.

Deliverables
The deliverables are defined as:

• Threat Check threat exploration results documented as part of the 02 – Threat Protection
Workshop – Results and Next Steps.pptx presentation

These deliverables will serve as input to the next steps.

Guidance
Important
We recommend that you first make a general assessment to get an overview of the threats
discovered during the engagement. The overview will help you understand the primary vector of
the types of cyberattacks directed to the customer’s organization. You should then focus on the
threats deemed to be the most impactful to the customer. The term “most impactful” is kept
intentionally vague here, as it might mean different things depending on the situation faced by
the specific customer organization.

Here are a few examples of “most impactful” threats:

o Threat to the identity of one of the tenant administrators.
o Threat to the identity of one of the CxO users.
o Threat to email across the entire or a large portion of the organization.
o Threat to data (files) deemed to be “business critical”.
The customer should be able to provide guidance on threats they consider to be “most impactful”
for their organization.

Work together with the customer resource/s to:

• Explore incidents in Microsoft 365 Defender:

NOTE: Microsoft 365 Defender raises incidents based on alerts triggered by the other
Microsoft 365 Security tools used in the Threat Check. We recommend starting the
exploration from these incidents, as they might indicate very serious threats to the
customer’s identities, email, or data.

o Open a new incognito/private web browser session and sign in to the Microsoft 365
Defender portal of the customer’s Microsoft 365 tenant:
https://security.microsoft.com
and choose “Incidents” from the menu to go to the Incidents dashboard of Microsoft 365 Defender.
o Explore and prioritize Microsoft 365 Defender incidents, making a note of the “most
impactful” incidents that you would like to highlight as part of the results
presentation, following the guidelines provided here:
Prioritize incidents in Microsoft 365 Defender | Microsoft Docs
o Utilizing Microsoft 365 Defender investigation capabilities, dive deeper into selected
“most impactful” incidents, following the guidelines provided here:
Investigate incidents in Microsoft 365 Defender | Microsoft Docs
and further explore selected threats (alerts) triggered by the Microsoft 365 security
products used in the Threat Check, using the corresponding Microsoft 365 security
product dashboards to get additional information about the threat.
o As the “most impactful” incidents are found and explored in Microsoft 365 Defender,
take screenshots of them, as you will need them later, as described in the 13.4 Threat
Check - Report Generation section of this document.

• Explore the risk level of users detected by Azure Active Directory Identity Protection:
NOTE: Azure Active Directory Identity Protection can detect risky activities related to
a user’s identity that by themselves won’t necessarily raise incidents in Microsoft 365
Defender or alerts in Microsoft Cloud App Security. However, these can be a prelude
to potential attacks, and because of that, Azure Active Directory Identity Protection
continuously monitors them and classifies the risk level of users (as well as the risk
level of sign-ins), which is worth exploring in the Threat Check.

o Open a new tab in the web browser session, go to the Azure Portal:
https://portal.azure.com and open the Azure Active Directory Identity Protection
blade.
o Get an overall understanding of risky users and risky sign-ins in “Security
Overview” dashboard, following the guidelines provided here:
Azure Active Directory Identity Protection security overview | Microsoft Docs
o Then, review users on the “Risky Users” blade that have been detected as risky.
With help from the customer, try to identify the user to whom identity threats
would be “most impactful”, following the guidelines provided here:
Investigate risk Azure Active Directory Identity Protection | Microsoft Docs
Once you select a user, as shown on the screenshot below, walk through the various
tabs, paying special attention to the user’s role, location, the number of detected
threats, and where those threats came from:

For example, in the screenshot above, a threat to the identity of user “Alain
Charon” was identified as potentially “most impactful” since this user is CFO of
the company; compromise of his credentials could have very significant
consequences for the customer’s organization.

o As the identity threats to “most impactful” users are found and explored in Azure
Active Directory Identity Protection, take screenshots of them, as you will need them
later, as described in the 13.4 Threat Check - Report Generation section of this
document.

• Explore threats discovered by Microsoft Defender for Office 365:
NOTE 1: Microsoft Defender for Office 365 can detect email threats that by
themselves won’t necessarily raise incidents in Microsoft 365 Defender. However,
these can be a prelude to potential attacks, and because of that, Microsoft Defender
for Office 365 reports are worth exploring in the Threat Check.

NOTE 2: Microsoft Defender for Office 365 reports explored will also include threats
detected by Exchange Online Protection.

o Open a new tab in the web browser session, go to the Microsoft 365 Defender
portal:
https://security.microsoft.com
and then choose Reports > “Email & collaboration reports” and select the “Threat
protection status” report.
o Then, in the “Threat protection status” report select “Filters” and provide the start
and end dates of the Threat Check engagement.

Important
By default, each report under Reports > “Email & collaboration reports” shows only
the past 7 days. Make sure you enter the appropriate period every time you open
any report from the dashboard.

o By looking at the “Threat protection status” report you can get an overall
understanding of the types of threats that have been detected by Microsoft Defender
for Office 365 during the period of the Threat Check engagement:

Then, try to identify the period and the users from the customer organization to
whom threats targeted via emails were “most impactful” to the customer’s
organization.

In the example shown above, it is clear that there were three short periods when
the customer’s organization was targeted by phishing and malware emails. It is
also clear that the customer received a certain number of email threats on the
24th of May and in the period between the 19th and 20th of May, which might
indicate that a dedicated email phishing campaign was launched against the
customer’s organization on those dates.

NOTE: the “Threat protection status” report provides an aggregated count of
unique email messages with malicious content, such as files or website addresses
(URLs), that were blocked by the various detection and protection mechanisms
offered in Office 365, such as the anti-malware engine, zero-hour auto purge
(ZAP), and Microsoft Defender for Office 365 features like Safe Links, Safe
Attachments, and anti-phishing capabilities.

For more information about these features and recommendations on how to
analyze threats using the “Threat protection status” report, please refer to:
View Defender for Office 365 reports in the Reports dashboard - Office 365 |
Microsoft Docs

o Continue the exploration by examining the different types of threats in more
detail, using the two other options from the “View data by” menu located in the top
right corner of the “Threat protection status” report. You should first look at
“Email > Phish” and later at “Email > Malware”.

NOTE: since the integration with SharePoint, OneDrive, and Microsoft Teams was
not turned on for Microsoft Defender for Office 365, the “Content > Malware” view
will be empty.

These two views will give you information about the Office 365 features used to
detect and potentially block phishing or malicious content found in the emails
sent to the customer’s organization. Please pay careful attention to cases in which
features such as zero-hour auto purge (Malware ZAP) from Exchange Online
Protection, and Microsoft Defender for Office 365 Safe Attachments (File
Detonation) were used. These are cases where Office 365 can provide an
additional level of protection compared with what the typical “known malware”
or “signature-based malware” detection and protection features can provide.
These cases might be worth noting and pointing out to the customer, as
described in the 13.4 Threat Check - Report Generation section of this document.

NOTE: Only users covered by the Microsoft Defender for Office 365 Safe
Attachments policy (that is, users whose email attachments are detonated by
Microsoft Defender for Office 365) can appear in the “Threat protection status”
reports. Other users, covered only by Microsoft Defender for Office 365 Evaluation
Mode (if it was enabled as part of the engagement), won’t show up in these reports;
threats to those users can be explored through the Microsoft Defender for Office
365 Evaluation Mode report, as described later.
Also, because the Microsoft Defender for Office 365 Safe Attachments policy was
configured in Monitor mode, and by the nature of Microsoft Defender for Office 365
Evaluation Mode, there is no impact on any users.

o Below the graphs of the “Email > Phish” and “Email > Malware” views of the “Threat
protection status” report you will see a table listing all threats targeting the
organization's users (displayed in the “Recipients” column) with some additional
information, such as where the email threat originated from and which Office 365
feature detected it. With help from the customer, try to identify the users to
whom threats sent via email would classify as the “most impactful” threats to the
customer's organization.

NOTE: you can use “Filters” on the right side to further define the scope of your
exploration in this table.

o Once you have finished exploring the “Threat protection status” reports, open
and analyze the results from the Microsoft Defender for Office 365 file types report
and the Microsoft Defender for Office 365 message disposition report:

NOTE: After you open each of the reports, remember to change the “Start date”
and “End date” in “Filters”, as by default each report under Reports > “Email &
collaboration reports” shows only the past 7 days (excluding “today”).

o If Microsoft Defender for Office 365 Evaluation Mode was enabled as part of the
engagement, then explore threats discovered by this mechanism.
In the Microsoft 365 Defender portal https://security.microsoft.com go to Policies
& rules (in the Email & Collaboration group) > Threat policies > Evaluation mode
and review the reports found there:

o To obtain more detailed information about threats discovered by Microsoft
Defender for Office 365 Evaluation Mode, click the Export button. The user signed
in to the Microsoft 365 Defender portal will receive an email with a link to
download a CSV file with detailed information about the discovered threats.
NOTE: it might take several hours to generate the detailed report of threats
discovered by Microsoft Defender for Office 365 Evaluation Mode.
o As the “most impactful” email threats are found and explored in Microsoft
Defender for Office 365, take screenshots of them, since you will need them later
as described in the 13.4 Threat Check - Report Generation section of this
document.
o If you have time, you can also open Threat Explorer for further exploration of
threats found during the engagement. For example, if Microsoft Defender for
Office 365 detected unknown malware, you can search for the attachment file
name or SHA256 checksum to verify all the recipients of the email. Additional
guidance on how to use Threat Explorer can be found using the link below:
Threat Explorer and Real-time detections - Office 365 | Microsoft Docs

• Explore alerts raised by Microsoft Cloud App Security:

NOTE: Microsoft Cloud App Security can detect risky activities related to user identity
and data that by themselves won’t necessarily raise incidents in Microsoft 365
Defender. However, these can be a prelude to potential attacks, and because of that,
Microsoft Cloud App Security alerts are worth exploring in the Threat Check.

o Open a new tab in the web browser session, go to the Microsoft Cloud App
Security portal:
https://portal.cloudappsecurity.com
and get an overall understanding of what is being shown on the main
“Dashboard”. For more information see here:
Working with the Cloud App Security dashboard | Microsoft Docs
o Continue the exploration by looking at alerts in the “Alerts” menu, using filtering
capabilities (especially “Severity”, “App”, and “User Name” from the above list of
alerts). Try to find a few alerts that are “most striking”.
For more information on alerts in Microsoft Cloud App Security, see here:
Manage alerts raised in Cloud App Security | Microsoft Docs

NOTE 1: when exploring Microsoft Cloud App Security alerts, there’s no need to
look for or prove correlation between them. If such correlation exists, it will likely
be revealed in Microsoft 365 Defender in the form of an incident containing all
correlated alerts. However, when exploring Microsoft Cloud App Security alerts,
try to find commonalities (e.g. same user, same service, same file, same type of
malware), and decide if they signify threats to identity or data (or both).

For example, in the screenshot examples below, the “striking” element is based
on the fact that these two alerts are related to the same user, who also happens
to be the administrator of the customer’s Office 365 tenant:

NOTE 2: if the alert was included in the Microsoft 365 Defender incident, it will be
mentioned in the upper right corner of the alert details page.

You might have already included it in the results of exploration of Microsoft 365
Defender incidents done earlier.

o As the “most impactful” alerts are found and explored in Microsoft Cloud App
Security, take screenshots of them, as you will need them later, as described in the
13.4 Threat Check - Report Generation section of this document.

• Explore use of cloud applications discovered by Microsoft Cloud App Security:

NOTE 1: Microsoft Cloud App Security can discover the use of cloud applications that by
itself might not yet indicate a security threat. However, correlating it with the potential
security threats found earlier in the exploration can provide additional evidence
about security threats to the customer organization.
For example, if the identity of a certain user was found to be likely compromised as
indicated by a Microsoft 365 Defender incident or the level of user risk evaluated by
Azure Active Directory Identity Protection, and the Cloud Discovery performed by
Microsoft Cloud App Security revealed that the user performed massive data upload
to a cloud application that is unapproved (unsanctioned) by the customer’s
organization and has a low security score, then it can be suspected that an identity
security threat was followed by data leakage.

NOTE 2: for more information on how to explore the use of cloud applications discovered
by Microsoft Cloud App Security, go to:
Working with discovered apps in Cloud App Security | Microsoft Docs

o Open a new tab in the web browser session, go to the Microsoft Cloud App Security portal:
https://portal.cloudappsecurity.com
and choose the “Cloud Discovery” option from the “Discovery” menu.
o If, during scoping activities performed as per section 11.2 Define scope, a decision
was made to use Microsoft Defender for Endpoint in the Threat Check to provide
information about cloud applications and services accessed by the customer’s
users, then from the menu in the upper right corner of the “Cloud Discovery”
dashboard, select “Windows 10 Endpoint Users” from “Continuous reports”.
o If, during scoping activities performed as per section 11.2 Define scope, a decision
was made to use logs from the customer’s on-premises perimeter security device
such as firewall or proxy server in the Threat Check to provide information about
cloud applications and services accessed by customer’s users, then from the
menu in the upper right corner of the “Cloud Discovery” dashboard, select the
name of the report that you provided when logs from that on-premises perimeter
security device were uploaded as described in 12.1 Cloud Discovery Log Collection
section of this document.
o In the “Discovered apps” tab, sanction the cloud applications and services that
are officially approved in the customer’s organization, and unsanction the cloud
applications and services that are unapproved for use or known to be blocked in
the customer’s environment. Information about approved and unapproved cloud
applications should have been provided by the customer in the “Threat
Protection Workshop Customer Questionnaire”.
o First, explore traffic from the sanctioned cloud applications and services. It is
expected that the sanctioned cloud applications and services traffic should
constitute a significant majority of the overall traffic mix analyzed by Microsoft
Cloud App Security and shown in the Cloud Discovery report, in any of the
available categories.

NOTE: the use of “sanctioned” cloud applications and services should be investigated for “unusual” or “unexpected” peaks of their usage (vs. “usual/typical” or “expected” level), as these situations, if unexplained, might indicate security breaches. In any case, try to highlight these situations, and recommend that the customer perform further investigation.

EXAMPLE: a sanctioned cloud mail application XYZ, fully approved by the customer organization, typically generates traffic of 2 GB daily. However, on a certain day of the week, it is observed that the traffic spiked to 10 GB, and most of this traffic comes from a single IP address. This could mean either full re-synchronization of a single mailbox (e.g. when a new device is provisioned for the first time) or it might mean the unauthorized download of that user’s emails. In any case, such “anomalies” should be investigated.

o Then explore traffic from unsanctioned cloud applications and services, if any (in
theory - there should be no such traffic). Try to work with the customer to
understand who, when, and how much traffic is generated towards such cloud
applications and services. Is it a single user, a small group from the same
department, or is it used “across the board” within the organization? Was it used
occasionally or is it used permanently? Was the traffic insignificant or heavy? A
single or many transactions?

NOTE: the use of “unsanctioned” cloud applications and services isn’t necessarily an indication of a security threat, although in some cases it might be. Highlight these situations in your final Discovery report and try to investigate them for possible explanation.

EXAMPLE: the customer declared in the “Threat Protection Workshop Customer Questionnaire” that cloud storage application XYZ is unapproved in their organization and access to it is blocked on their proxies. However, Cloud Discovery reports from two out of five customer regions show a certain number of transactions towards cloud storage application XYZ. Further investigation reveals that blocking filters were incorrectly set in firewalls of the first region. Thus, the recommendation here is to correct the configuration of the firewalls in that region. In the case of the second region, the investigation shows that guest Wi-Fi access to the Internet is provided through the same firewalls as access to the Internet from the production/internal network. While accessing the cloud storage application XYZ is legitimate from the guest Internet Wi-Fi, the recommendation here is to further exclude traffic from IP ranges dedicated to guest Internet Wi-Fi in the Microsoft Cloud App Security reports.

o Finally, explore traffic from “unknown” cloud applications and services. Try to
work with the customer to understand who, when, and how much traffic has been
generated towards unknown cloud applications and services. Is it a single user, a
small group from the same department, or is it used “across the board” within the
organization? Was it used occasionally or is it used permanently? Was the traffic
insignificant or heavy? Single or many transactions? Finally, has it triggered any
Microsoft Cloud App Security alerts?

NOTE: use of “unknown” cloud applications and services isn’t necessarily an indication of security threats. It is more likely to be a case of “Shadow IT” activity from users who are not aware of “approved” cloud applications or services or are missing training on how to use them. Or it might be certain users or even departments that are legitimately using certain cloud applications or services to conduct their business (e.g. sharing information with business partners using their cloud application or services) and these are fully justified activities. Try to investigate these cases and highlight the ones that you find no good explanation for.

EXAMPLE: Cloud Discovery shows a significant number of transactions towards cloud collaboration (chat) services XYZ that are very popular in China. Further investigation reveals that it is being legitimately used to conduct business communication (chat) with Chinese business partners since the cloud collaboration services used globally by the customer do not provide federation capabilities to the collaboration cloud service XYZ. The likely recommendation here is to sanction the use of this cloud collaboration service XYZ in Microsoft Cloud App Security, with a comment that it should still be monitored as it is expected that transactions towards this service are coming mostly (or only) from the customer’s network in China.

o As the “most impactful” examples of use of cloud applications are found and
explored in Microsoft Cloud App Security, take screenshots of them, as you will need
them later, as described in the 13.4 Threat Check - Report Generation section of this
document.
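To show how the three-pass triage above (sanctioned, unsanctioned, unknown) can be applied to rows exported from a Cloud Discovery report, here is an added Python example; it is not code from this guide or from Microsoft Cloud App Security. The rows, their column layout (app, status, day, source IP, megabytes), the guest Wi-Fi range and the spike thresholds are all constructed assumptions. It reproduces the two scenarios in the examples: a sanctioned mail app whose daily volume jumps from about 2 GB to 10 GB with most of it from one address, and an unsanctioned storage app whose traffic partly comes from a guest Wi-Fi range that should be excluded before drawing conclusions.

```python
# Added example: triage of Cloud Discovery traffic into sanctioned / unsanctioned /
# unknown findings. Not part of the workshop guide or of Microsoft Cloud App Security.
# Rows, column layout, IP ranges and thresholds are constructed assumptions.
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample rows: (app, status, day, source_ip, megabytes).
ROWS = [
    # Sanctioned mail app: roughly 2 GB per day, then a 10 GB day dominated by one IP.
    ("Mail XYZ", "sanctioned", "2021-07-05", "10.1.1.10", 1000),
    ("Mail XYZ", "sanctioned", "2021-07-05", "10.1.1.11", 1000),
    ("Mail XYZ", "sanctioned", "2021-07-06", "10.1.1.10", 1000),
    ("Mail XYZ", "sanctioned", "2021-07-06", "10.1.1.12", 1000),
    ("Mail XYZ", "sanctioned", "2021-07-07", "10.1.1.11", 1000),
    ("Mail XYZ", "sanctioned", "2021-07-07", "10.1.1.12", 1000),
    ("Mail XYZ", "sanctioned", "2021-07-08", "10.1.1.10", 1000),
    ("Mail XYZ", "sanctioned", "2021-07-08", "10.1.1.11", 1000),
    ("Mail XYZ", "sanctioned", "2021-07-09", "10.1.1.50", 9000),
    ("Mail XYZ", "sanctioned", "2021-07-09", "10.1.1.10", 1000),
    # Unsanctioned storage app: two hits from the internal network, one from guest Wi-Fi.
    ("Storage XYZ", "unsanctioned", "2021-07-05", "10.3.0.7", 50),
    ("Storage XYZ", "unsanctioned", "2021-07-06", "10.3.0.7", 70),
    ("Storage XYZ", "unsanctioned", "2021-07-06", "10.200.1.5", 400),
    # Unknown chat app: light use from two addresses.
    ("Chat XYZ", "unknown", "2021-07-05", "10.5.0.2", 30),
    ("Chat XYZ", "unknown", "2021-07-05", "10.5.0.3", 20),
    ("Chat XYZ", "unknown", "2021-07-07", "10.5.0.2", 25),
]

# Assumed guest Wi-Fi range; traffic from it is legitimate and excluded from the triage.
GUEST_WIFI_RANGES = [ip_network("10.200.0.0/16")]


def exclude_ranges(rows, ranges):
    """Drop rows whose source IP falls inside any of the given networks."""
    return [r for r in rows if not any(ip_address(r[3]) in net for net in ranges)]


def daily_totals(rows):
    """Aggregate rows into app -> day -> {source_ip: megabytes}."""
    totals = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for app, _status, day, ip, mb in rows:
        totals[app][day][ip] += mb
    return totals


def sanctioned_spikes(rows, factor=3.0, single_ip_share=0.8):
    """Flag days on which a sanctioned app moved more than `factor` times the median
    of its other days. `top_ip` is set when one address carried at least
    `single_ip_share` of that day's volume (the guide's 'single IP address' case)."""
    findings = []
    sanctioned = [r for r in rows if r[1] == "sanctioned"]
    for app, days in daily_totals(sanctioned).items():
        per_day = {day: sum(ips.values()) for day, ips in days.items()}
        if len(per_day) < 2:
            continue  # no baseline to compare against
        for day, total in per_day.items():
            baseline = median(v for d, v in per_day.items() if d != day)
            if total <= factor * baseline:
                continue
            top_ip, top_mb = max(days[day].items(), key=lambda kv: kv[1])
            findings.append({"app": app, "day": day, "megabytes": total, "baseline": baseline,
                             "top_ip": top_ip if top_mb / total >= single_ip_share else None})
    return findings


def usage_summary(rows, status):
    """Who, when and how much: per-app totals for rows with the given status."""
    acc = {}
    for app, st, day, ip, mb in rows:
        if st != status:
            continue
        s = acc.setdefault(app, {"megabytes": 0, "ips": set(), "days": set(), "transactions": 0})
        s["megabytes"] += mb
        s["ips"].add(ip)
        s["days"].add(day)
        s["transactions"] += 1
    return {app: {"megabytes": s["megabytes"], "distinct_ips": len(s["ips"]),
                  "days": len(s["days"]), "transactions": s["transactions"]}
            for app, s in acc.items()}


def triage(rows, guest_ranges=GUEST_WIFI_RANGES):
    """Apply the guide's three passes after removing guest Wi-Fi traffic."""
    rows = exclude_ranges(rows, guest_ranges)
    return {
        "sanctioned_spikes": sanctioned_spikes(rows),
        "unsanctioned": usage_summary(rows, "unsanctioned"),
        "unknown": usage_summary(rows, "unknown"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(ROWS), indent=2))
```

Run as a script, it prints the triage as JSON: one spike for the mail app on the 10 GB day with the dominant address named, 120 MB of unsanctioned storage traffic once the guest range is excluded, and a who/when/how-much summary for the unknown chat app. The thresholds (three times the median of the other days, 80% of a day's volume from one address) are starting points to be tuned against the customer's typical traffic, not fixed rules.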

Background reading
To prepare for the delivery of the Threat Protection Workshop engagement, refer to Appendix A
-Readiness and Technical Content for links to relevant online learning content.

Duration and effort


 Preparation 1 Hrs.
 Delivery 4 Hrs.

13.2 Endpoint Protection - Exploration [Optional Module]

The delivery resource will work together with the customer to discover and analyze threats detected by Microsoft Defender for Endpoint and explore the Microsoft Defender for Endpoint Threat & Vulnerability Management solution to demonstrate how to use Microsoft Defender for Endpoint and its features to detect and respond to threats and increase endpoint security posture.

Delivery Guide

Important.
It is important to stay within the scope of this activity while analyzing the findings and identified threats. Unless exceptional, high impact threats are identified that require immediate action, the activities for this step should be limited to analysis and not extend to mitigation or corrective action. If corrective action or mitigation is required, this should be discussed with and approved by the customer prior to engaging on these out-of-scope activities.

Objectives
The objective is to work together with the customer to analyze and document threats found
using Microsoft Defender for Endpoint, particularly the following:

 Exploration of Microsoft 365 Defender security incidents containing security alerts from
Microsoft Defender for Endpoint, allowing you to showcase how to use Microsoft 365
Defender to investigate and respond to incidents containing security alerts from
Microsoft Defender for Endpoint.
 Exploration of the Microsoft Defender for Endpoint Threat & Vulnerability solution,
allowing you to explore endpoint security weaknesses and provide recommendations on
how to harden endpoint surface areas.
 Optional – Proactive threat hunting, finding IOCs (Indicators of Compromise) across all
data ingested into Microsoft Defender for Endpoint, documenting your findings as part
of the results presentation.

Format
Can be delivered as an onsite or online workshop.

Customer resources
 One or more representatives from the customer’s security operations team, assigned to
operate Microsoft Defender for Endpoint.

Delivery resources
 Security Consultant

Supporting materials
No supporting materials exist.

Preparation
The delivery resource will need to familiarize themself with:

 How to use Microsoft Defender for Endpoint to investigate incidents and alerts and
provide recommended mitigation actions.
 How to use Microsoft Defender for Endpoint to explore endpoint security weaknesses
and provide recommendations on how to harden endpoint surface areas.
 Optional - How to use Microsoft Defender for Endpoint to hunt for IOCs across all
ingested data.

Pre-requisites
The activities outlined in 11.5 Endpoint Protection - Configuration [Optional module] must be
completed prior to starting this activity.

Deliverables
The deliverables are defined as:

 Endpoint Protection threat exploration notes, highlighting the threats you would like to
include as part of the results presentation. You will use the notes when documenting the
results as part of the results presentation in 13.5 Endpoint Protection - Report Generation
[Optional Module].
 Endpoint Protection threat & vulnerabilities management notes, highlighting the security
gaps and recommendations you would like to include as part of the results presentation.
You will use the notes when documenting the results as part of the results presentation
in 13.5 Endpoint Protection - Report Generation [Optional Module].
 Optional - Endpoint Protection threat hunting notes, highlighting the threats and
abnormalities you would like to include as part of the results presentation. You will use
the notes when documenting the results as part of the results presentation in 13.5
Endpoint Protection - Report Generation [Optional Module].

These deliverables will serve as input to the next steps.

Guidance
Work together with the customer resource/s to:

o Using the Microsoft 365 Defender portal, explore Microsoft 365 Defender security
incidents containing security alerts from Microsoft Defender for Endpoint, making a note
of, and capturing any required screenshots of, the threats you would like to include as part
of the results presentation. Guidance on how to use Microsoft 365 Defender to investigate
incidents can be located here:
Investigate incidents in Microsoft 365 Defender | Microsoft Docs

Important
We recommend you first make a general assessment to get an overview of the threats
discovered during the engagement. The overview will help you understand the primary
vector of the types of cyberattacks directed to the customer’s organization. You should then
focus on the threats deemed to be the most impactful to the customer. The term “most
impactful” is kept intentionally vague here, as it might mean different things depending on
the situation faced by the specific customer organization.

Here are a few examples of “most impactful” threats:

o Threat to an endpoint used by a privileged administrative account such as an Active
Directory domain administrator and/or an Office 365 tenant administrator.
o Threat to an endpoint used by a CxO user.
o Threat to an endpoint containing data deemed to be “business critical”.

The customer should be able to provide guidance on threats they consider to be the “most
impactful” for their organization.

o Using the Microsoft 365 Defender portal, explore the Microsoft Defender for Endpoint
threat & vulnerability management solution, making a note of, and capturing any required
screenshots of, the security gaps and recommendations you would like to include as part of
the results presentation. Guidance on how to use the Microsoft Defender for Endpoint
threat & vulnerability management solution can be located here:
Threat and vulnerability management | Microsoft Docs

Optional - If you have decided to also perform threat hunting using Microsoft Defender for
Endpoint advanced hunting queries, explore found threats, make a note and capture any
required screenshots of the threats you would like to include as part of the results presentation:
Overview of advanced hunting in Microsoft Defender for Endpoint | Microsoft Docs

Background reading
To prepare for the delivery of the Threat Protection Workshop engagement, refer to Appendix A
-Readiness and Technical Content for links to relevant online learning content.

Duration and effort
 Preparation 1 Hrs.
 Delivery 3 Hrs.

13.3 Hybrid Identity Protection - Exploration [Optional Module]

The delivery resource will work together with the customer to discover and analyze threats detected by Microsoft Defender for Identity and explore the Microsoft Defender for Identity’s identity security posture assessment to demonstrate how to use Microsoft Defender for Identity and its features to detect and respond to threats and increase the customer’s identity security posture.

Delivery Guide

Important.
It is important to stay within the scope of this activity while analyzing the findings and identified threats. Unless exceptional, high impact threats are identified that require immediate action, the activities for this step should be limited to analysis and not extend to mitigation or corrective action. If corrective action or mitigation is required, this should be discussed with and approved by the customer prior to engaging on these out-of-scope activities.

Objectives
The objective is to work together with the customer to analyze and document threats found
using Microsoft Defender for Identity, particularly the following:

 Exploration of Microsoft Defender for Identity security alerts using the Microsoft Cloud
App Security portal, allowing you to showcase how to use the Microsoft Cloud App
Security portal to investigate and respond to Microsoft Defender for Identity security
alerts.
 Exploration of Microsoft 365 Defender security incidents containing security alerts from
Microsoft Defender for Identity, allowing you to showcase how to use Microsoft 365
Defender to investigate and respond to incidents containing security alerts from
Microsoft Defender for Identity.
 Exploration of the Microsoft Defender for Identity’s identity security posture assessment
using the Microsoft Cloud App Security portal, allowing you to explore identity security
weaknesses and provide recommendations on how to increase identity security posture.

Format
Can be delivered as an onsite or online workshop.

Customer resources
 One or more representatives from the customer’s security operations team, assigned to
operate Microsoft Defender for Identity.

 Identity Administrators

Delivery resources
 Security Consultant

Supporting materials
No supporting materials exist.

Preparation
The delivery resource will need to familiarize themself with:

 How to use Microsoft Cloud App Security to investigate security alerts from Microsoft
Defender for Identity and provide recommended mitigation actions.
 How to use Microsoft 365 Defender to investigate security incidents and provide
recommended mitigation actions.
 How to use the Microsoft Defender for Identity’s identity security posture assessment as
part of Microsoft Cloud App Security to explore identity related security weaknesses and
provide recommendations on how to harden identity surface areas.

Pre-requisites
The activities outlined in 11.6 Hybrid Identity Protection - Configuration [Optional module] must
be completed prior to starting this activity.

Deliverables
The deliverables are defined as:

 Microsoft Defender for Identity threat exploration notes, highlighting the threats you
would like to include as part of the results presentation. You will use the notes when
documenting the results as part of the results presentation in 13.6 Hybrid Identity
Protection - Report Generation [Optional Module].
 Microsoft Defender for Identity’s identity security posture assessment notes, highlighting
the security gaps and recommendations you would like to include as part of the results
presentation. You will use the notes when documenting the results as part of the results
presentation in 13.6 Hybrid Identity Protection - Report Generation [Optional Module].

These deliverables will serve as input to the next steps.

Guidance
Work together with the customer resource/s to:

o Explore Microsoft Defender for Identity security alerts, using the Microsoft Cloud App
Security portal, making a note of, and capturing any required screenshots of, the threats you
would like to include as part of the results presentation. Guidance on how to use the
Microsoft Defender for Identity security alerts capabilities can be located here:
Working with security alerts in Microsoft Defender for Identity
o Explore Microsoft 365 Defender security incidents containing security alerts from
Microsoft Defender for Identity, making a note of, and capturing any required screenshots of,
the threats you would like to include as part of the results presentation. Guidance on
how to use Microsoft 365 Defender to investigate incidents can be located here:
Investigate incidents in Microsoft 365 Defender - Microsoft 365 security

Important
We recommend you first make a general assessment to get an overview of the threats
discovered during the engagement. The overview will help you understand the primary
vector of the types of cyberattacks directed to the customer’s organization. You should then
focus on the threats deemed to be the most impactful to the customer. The term “most
impactful” is kept intentionally vague here, as it might mean different things depending on
the situation faced by the specific customer organization.

Here are a few examples of “most impactful” threats:

o Threat to privileged administrative accounts such as Active Directory domain
administrators and/or Office 365 tenant administrators.
o Threat to the identity of a CxO user.
o Threat to identities of users performing sensitive business functions such as research
and development tasks.

The customer should be able to provide guidance on threats they consider to be the “most
impactful” for their organization.

o Explore the Microsoft Defender for Identity’s identity security posture assessment using
the Microsoft Cloud App Security portal, making a note of, and capturing any required
screenshots of, the security gaps and recommendations you would like to include as part of
the results presentation. Guidance on how to use the Microsoft Defender for Identity’s
identity security posture assessment can be located here:
Microsoft Defender for Identity's identity security posture assessments

Background reading
To prepare for the delivery of the Threat Protection Workshop engagement, refer to Appendix A
-Readiness and Technical Content for links to relevant online learning content.

Duration and effort
 Preparation 1 Hrs.
 Delivery 3 Hrs.

13.4 Threat Check - Report Generation

The delivery resource will analyze the results from the Threat Exploration, the completed customer questionnaire, and any notes gathered during the engagement so far, summarizing and documenting findings as part of the results presentation.

Results and Next Steps

Important
It is important to stay within the scope of this activity while analyzing the findings and identified threats. Unless exceptional, high impact threats are identified that require immediate action, the activities for this step should be limited to analysis and not extend to mitigation or corrective action. If corrective action or mitigation is required, this should be discussed with and approved by the customer prior to engaging on these out-of-scope activities. The objective of the Threat Protection Workshop is to highlight threats to the customer’s organization and to understand, learn, and advise on what can be done to mitigate these threats.

Objectives
The objective is to update the 02 – Threat Protection Workshop – Results and Next Steps.pptx
with your findings from the engagement.

Customer resources
Customer resources not required.

Delivery resources
 Security Architect
 Engagement Manager

Supporting materials
 02 – Threat Protection Workshop – Results and Next Steps.pptx

Preparation
The delivery resource will need to familiarize themself with:

 The 02 – Threat Protection Workshop – Results and Next Steps.pptx presentation.

Pre-requisites
The activities outlined in 13.1 Threat Check must be completed prior to starting this activity.

Deliverables
The deliverables are defined as:

 Completion of the 02 – Threat Protection Workshop – Results and Next Steps.pptx
presentation.

These deliverables will serve as input to the next steps.

Guidance
 Customize and update the 02 – Threat Protection Workshop – Results and Next Steps.pptx
presentation. Replace the example screenshots in the results presentation using data
(screenshots) from Microsoft 365 Defender incidents, alerts from Microsoft 365 security
tools used in the engagement, and results from the discovery of cloud applications,
collected as per the guidance in section 13.1 Threat Check.
 Additional guidance can be found in the speaker notes and hidden slides of the 02 –
Threat Protection Workshop – Results and Next Steps.pptx presentation.

Background reading
To prepare for the delivery of the Threat Protection Workshop engagement, refer to Appendix A
-Readiness and Technical Content for links to relevant online learning content.

Duration and effort


 Preparation 2 Hrs.
 Delivery 0 Hrs.

13.5 Endpoint Protection - Report Generation [Optional Module]

In this activity, the delivery resource will analyze the results from the Endpoint Protection exploration activity, the completed customer questionnaire, and any notes gathered during the engagement so far, summarizing and documenting your findings as part of the results presentation.

Results and Next Steps

Important
It is important to stay within the scope of this activity while analyzing the findings and identified threats. Unless exceptional, high impact threats are identified that require immediate action, the activities for this step should be limited to analysis and not extend to mitigation or corrective action. If corrective action or mitigation is required, this should be discussed with and approved by the customer prior to engaging on these out-of-scope activities. The objective of the Threat Protection Workshop is to highlight threats to the customer’s organization and to understand, learn, and advise on what can be done to mitigate these threats.

Objectives
The objective is to update the 02 – Threat Protection Workshop – Results and Next Steps.pptx
with your findings from the engagement.

Customer resources
Customer resources not required.

Delivery resources
 Security Architect
 Engagement Manager

Supporting materials
 02 – Threat Protection Workshop – Results and Next Steps.pptx

Preparation
The delivery resource will need to familiarize themself with:

 The 02 – Threat Protection Workshop – Results and Next Steps.pptx presentation.

Pre-requisites
The activities outlined in 13.2 Endpoint Protection - Exploration [Optional Module] must be
completed prior to starting this activity.

Deliverables
The deliverables are defined as:

 Completion of the 02 – Threat Protection Workshop – Results and Next Steps.pptx
presentation.

These deliverables will serve as input to the next steps.

Guidance
 With the assistance of the notes and screenshots you captured as part of the 13.2
Endpoint Protection - Exploration [Optional Module] activity, customize and update
the Endpoint Protection Optional Module section within the 02 – Threat Protection
Workshop – Results and Next Steps.pptx presentation.
 Additional guidance can be found in the speaker notes and hidden slides of the 02 –
Threat Protection Workshop – Results and Next Steps.pptx presentation.

Background reading
To prepare for the delivery of the Threat Protection Workshop engagement, refer to Appendix A
-Readiness and Technical Content for links to relevant online learning content.

Duration and effort


 Preparation 2 Hrs.
 Delivery 0 Hrs.

13.6 Hybrid Identity Protection - Report Generation [Optional
Module]

In this activity, the delivery resource will analyze the results from the Microsoft Defender for Identity exploration activity, the completed customer questionnaire, and any notes gathered during the engagement so far, summarizing and documenting your findings as part of the results presentation.

Results and Next Steps

Important
It is important to stay within the scope of this activity while analyzing the findings and identified threats. Unless exceptional, high impact threats are identified that require immediate action, the activities for this step should be limited to analysis and not extend to mitigation or corrective action. If corrective action or mitigation is required, this should be discussed with and approved by the customer prior to engaging on these out-of-scope activities. The objective of the Threat Protection Workshop is to highlight threats to the customer’s organization and to understand, learn, and advise on what can be done to mitigate these threats.

Objectives
The objective is to update the 02 – Threat Protection Workshop – Results and Next Steps.pptx
with your findings from the engagement.

Customer resources
Customer resources not required.

Delivery resources
 Security Architect
 Engagement Manager

Supporting materials
 02 – Threat Protection Workshop – Results and Next Steps.pptx

Preparation
The delivery resource will need to familiarize themself with:

 The 02 – Threat Protection Workshop – Results and Next Steps.pptx presentation.

Pre-requisites
The activities outlined in 13.3 Hybrid Identity Protection - Exploration [Optional Module] must be
completed prior to starting this activity.

Deliverables
The deliverables are defined as:

 Completion of the 02 – Threat Protection Workshop – Results and Next Steps.pptx
presentation.

These deliverables will serve as input to the next steps.

Guidance
 With the assistance of the notes and screenshots you captured as part of the 13.3
Hybrid Identity Protection - Exploration [Optional Module] activity, customize and
update the Hybrid Identity Protection optional module section within the 02 – Threat
Protection Workshop – Results and Next Steps.pptx presentation.
 Additional guidance can be found in the speaker notes and hidden slides of the 02 –
Threat Protection Workshop – Results and Next Steps.pptx presentation.

Background reading
To prepare for the delivery of the Threat Protection Workshop engagement, refer to Appendix A
-Readiness and Technical Content for links to relevant online learning content.

Duration and effort


 Preparation 2 Hrs.
 Delivery 0 Hrs.

14. Workshop Day
14.1 Threat Results Presentation

Present and discuss the threat results of the Threat Protection Workshop engagement. If appropriate, formulate and document any recommendations or next steps which will be presented as part of the Next Steps Discussion later during the workshop day.

Results and Next Steps

Objectives
Deliver the 02 – Threat Protection Workshop – Results and Next Steps.pptx presentation.

Format
Can be delivered as an onsite or online workshop.

Customer resources
 Executive Sponsor
 Security Team

Delivery resources
 Security Architect
 Engagement Manager

Supporting materials
 02 – Threat Protection Workshop – Results and Next Steps.pptx presentation

Preparation
The delivery resource will need to familiarize themself with:

 02 – Threat Protection Workshop – Results and Next Steps.pptx presentation

Pre-requisites
The activities outlined in 13 Exploration and Report Generation must be completed prior to
starting this activity.

Deliverables
The deliverables are defined as:

 Threat results presented and discussed.
 If appropriate, updated 02 – Threat Protection Workshop – Results and Next Steps.pptx
presentation.

Guidance
Present the 02 – Threat Protection Workshop – Results and Next Steps.pptx presentation
completed earlier in 13 Exploration and Report Generation.

 Remove or hide the “Endpoint Protection Optional Module Results” section if you are not
including the Endpoint Protection optional module as part of the engagement.
 Remove or hide the “Hybrid Identity Protection Optional Module Results” section if you
are not including the Hybrid Identity Protection optional module as part of the
engagement.
 When presenting threats, be concise and stick to the facts.
 Do not attempt to use all the slides. They are only provided as examples.
 Focus on the “most impactful threats” found in the engagement.
 Highlight key insights and, where appropriate, provide recommended actions.
 Allow the customer to draw their own conclusions.
 If, during the discussion of threats, any next steps or recommendations are formulated
and agreed upon, make sure to document them in Next Steps Discussion section of the
02 – Threat Protection Workshop – Results and Next Steps.pptx presentation.
 Make sure you reserve some time for Q&A.

Background reading
To prepare for the delivery of the Threat Protection Workshop engagement, refer to Appendix A
-Readiness and Technical Content for links to relevant online learning content.

Duration and effort


 Preparation 1 Hrs.
 Delivery 2 Hrs.

14.2 Customer Conversations

This activity will allow you to present Microsoft’s vision for security. Microsoft Security offers an integrated security solution that provides broad protection while using the intelligence that comes from Microsoft’s massive amounts of security-related signals and insights.

Modernize your security operations and defend against threats

Objectives
 Deliver the Modernize your security operations and defend against threats.pptx
presentation.
 Define and agree with the customer on next steps in terms of follow-up activities and/or
engagements.

Format
Can be delivered as an onsite or online workshop.

Customer resources
 Executive Sponsor
 Security Team

Delivery resources
 Security Architect
 Engagement Manager

Supporting materials
 Modernize your security operations and defend against threats.pptx.

Pre-requisites
The activities outlined in 14.1 Threat Results Presentation must be completed prior to starting
this activity.

Deliverables
The deliverables are defined as:

 Next steps defined and agreed with the customer (follow up engagements).

Guidance
Deliver the module by presenting the Customer Conversations presentation.

 When presenting, be concise and stick to the facts.
 Allow the customer to draw their own conclusions.
 Make sure that you discuss, define, and agree with the customer on next steps in terms
of follow up activities and/or engagements. If possible, identify owners from both the
customer and the delivery team, along with expected timeline and resources needed.
 Make sure you reserve some time for Q&A.

Background reading
To prepare for the delivery of the Threat Protection Workshop engagement, refer to Appendix A
-Readiness and Technical Content for links to relevant online learning content.

Duration and effort


 Preparation 1 Hrs.
 Delivery 1 Hrs.

14.3 Customer Cost Savings Conversation [Optional Module]
You may choose to use the customer conversation time allocation to focus specifically on customer cost savings. This guidance is to help you understand the purpose and method of delivering a cost savings module of the Microsoft Threat Protection Workshop.

Organizations look to use digital transformation as a way to modernize, but they need solutions that do more than just increase productivity; they should maximize Return on Investment (ROI). As the global macroeconomy changes due to Covid-19, organizations are looking for cost savings and business value from their purchasing decisions. Microsoft Security helps customers maximize productivity and digital transformation, while providing cost savings across 4 of the 6 cost savings categories: vendor license cost consolidation, IT admin and deployment, reduced total cost of risk, and automation and process improvement savings. This content provides customers with the tools and resources they need to understand how to manage costs, feel confident in meeting their ROI obligations, and ensure they are gaining the greatest value.

The focus will be exploring how Microsoft Security can help customers during the economic uncertainty we are facing at this moment in time.

Partners benefit from the Customer Cost Savings delivery as it creates a better relationship with
customers at higher levels (C-level). As we know, CFOs (Chief Financial Officers) and CPOs (Chief
Procurement Officers) are the ones who manage the budget and need to eventually be
convinced of the ROI. Partners also benefit from stronger business opportunities with customers
and deeper engagement alongside Microsoft. Partners use cost savings to help close deals with
customers and then can add value on top of the sale, and doing this with Microsoft helps
customers understand the relationship both have with each other.

Cost savings estimates come from Forrester Research, which provides methods to measure cost
benefits across Microsoft Security. Forrester has created a collection of Total Economic Impact
studies to determine the value Microsoft Security delivers compared to existing security
solutions. The Forrester estimates make up the calculations in the calculation
spreadsheet. The “Streamline and Strengthen” deck calculations use real customer data to show
the ROI that your customer can achieve with Microsoft solutions.

The Security Cost Savings worksheet offers you the ability to update calculations based on
information from the customer’s environment, as discovered in the pre-engagement
questionnaire. The calculation workbook is designed to help you hold an initial conversation
introducing the customer to potential cost savings areas based on the cost categories. You can
also run the module using the example calculations already within the “Streamline and
Strengthen” customer conversation deck.

The cost savings module is not required, but if you choose to run it, the session will
take 30 to 60 minutes of total time commitment.

Objectives
 Deliver the “Streamline and Strengthen Security” customer conversation presentation,
customized using information from the customer questionnaire and calculations in the
Security Cost Savings value calculator worksheet.
o Alternatively, the Security Cost Savings value calculator worksheet can be
completed in real-time with the customer on the Workshop Day.
 Define and agree with the customer on next steps in terms of follow-up activities and/or
engagements. This can include a deeper cost savings analysis run by a Microsoft partner
or field personnel.

Format
Can be delivered as part of an onsite or online workshop.

Customer resources
 Executive Sponsor
 Security Team

Delivery resources
 Security Architect
 Engagement Manager

Supporting materials
 05 - Threat Protection Workshop - Customer Questionnaire.docx
 Security Cost Savings value calculator
 Customer Conversation Deck 3: Streamline and Strengthen Security

Pre-requisites
The activities outlined in 14.2 Customer Conversations must be completed prior to starting this
activity.

Deliverables
The deliverables are defined as:

 Next steps defined and agreed with the customer (follow up engagements).

Guidance
 Use the pre-engagement customer questionnaire to collect customer information to
customize cost savings calculations.
 Use the questionnaire information to update the calculations in the Security Cost Savings
value calculator worksheet.
 Use the updated calculations from the Security Cost Savings value calculator worksheet
to customize the slides in the “Customer Conversation Deck 3: Streamline and Strengthen
Security” customer conversation deck.
 Deliver the “Customer Conversation Deck 3: Streamline and Strengthen Security”
presentation.
o Alternatively, the Security Cost Savings value calculator worksheet can be
completed in real-time with the customer on the Workshop Day.
 When presenting, be concise and stick to the facts.
 Allow the customer to draw their own conclusions.
 Make sure that you discuss, define, and agree with the customer on next steps in terms
of follow up activities and/or engagements. If possible, identify owners from both the
customer and the delivery team, along with expected timeline and resources needed.
 Make sure you reserve some time for Q&A.

Background reading
To prepare for the delivery of the Threat Protection Workshop engagement, refer to Appendix A
-Readiness and Technical Content for links to relevant online learning content.

Duration and effort


 Preparation 1 Hrs.
 Delivery 1 Hrs.

14.4 Microsoft Security Demos

Demonstrate relevant Microsoft security products using one or more of the following interactive
guides available on the CDX platform:
 Reduce risk with Threat & Vulnerability Management
 Protect your organization with M365 Defender
 Safeguard your organization w/ Defender for O365
 Detect threats & manage alerts w/ MCAS
 Discover and manage cloud app usage with MCAS
 Attack Response: Microsoft Defender for Identity
 Detect suspicious activity w/Defender for Identity
 Investigate threats with Defender for Endpoint

Objectives
 Demonstrate how the relevant Microsoft security products work, going through key
scenarios that will help you land product value and key differentiators. Define and agree
with the customer on next steps in terms of follow-up activities and/or engagements.

Format
Can be delivered as an onsite or online workshop.

Customer resources
 Executive Sponsor
 Security Team

Delivery resources
 Security Architect
 Engagement Manager

Supporting materials
 Please download the latest interactive guides available in the CDX platform. The
interactive guides relevant to the engagement are:
o Reduce risk with Threat & Vulnerability Management
o Protect your organization with M365 Defender
o Safeguard your organization w/ Defender for O365
o Detect threats & manage alerts w/ MCAS
o Discover and manage cloud app usage with MCAS
o Attack Response: Microsoft Defender for Identity
o Detect suspicious activity w/Defender for Identity

o Investigate threats with Defender for Endpoint

Preparation
The delivery resource will need to familiarize themselves with:

 The latest interactive guides, downloaded from the CDX platform.

Pre-requisites
The activities outlined in 14.2 Customer Conversations must be completed prior to starting this
activity.

Deliverables
The deliverables are defined as:

 Next steps defined and agreed with the customer (follow up engagements).

Guidance
Deliver the module using one or more interactive guides that are relevant to the customer and
the engagement. Please download and present one or more of the following interactive guides,
available in the CDX platform:
 Reduce risk with Threat & Vulnerability Management
 Protect your organization with M365 Defender
 Safeguard your organization w/ Defender for O365
 Detect threats & manage alerts w/ MCAS
 Discover and manage cloud app usage with MCAS
 Attack Response: Microsoft Defender for Identity
 Detect suspicious activity w/Defender for Identity
 Investigate threats with Defender for Endpoint

General guidance:
 When presenting, be concise and stick to the facts.
 Allow the customer to draw their own conclusions.
 Make sure that you discuss, define, and agree with the customer on next steps in terms
of follow up activities and/or engagements. If possible, identify owners from both the
customer and the delivery team, expected timeline, and resources needed.
 Make sure you reserve some time for Q&A.

Background reading
To prepare for the delivery of the Threat Protection Workshop engagement, refer to Appendix A
-Readiness and Technical Content for links to relevant online learning content.

Duration and effort
 Preparation 1 Hrs.
 Delivery 2 Hrs.

14.5 Next Steps Discussion

Use this activity of the Threat Protection Workshop to discuss and agree on next steps together
with the customer.

Objectives
 Deliver the 02 – Threat Protection Workshop – Results and Next Steps.pptx presentation.
 Define and agree with the customer on next steps in terms of follow-up activities and/or
engagements.

Format
Can be delivered as an onsite or online workshop.

Customer resources
 Executive Sponsor
 Security Team

Delivery resources
 Security Architect
 Engagement Manager

Supporting materials
 02 – Threat Protection Workshop – Results and Next Steps.pptx presentation

Preparation
The delivery resource will need to familiarize themselves with:

 02 – Threat Protection Workshop – Results and Next Steps.pptx presentation

Pre-requisites
The activities outlined in 14.2 Customer Conversations must be completed prior to starting this
activity.

Deliverables
The deliverables are defined as:

 Next steps defined and agreed with the customer (follow up engagements).

Guidance
Deliver the module by presenting the 02 – Threat Protection Workshop – Results and Next
Steps.pptx presentation completed earlier in 13 Exploration and Report Generation.

 When presenting, be concise and stick to the facts.
 Allow the customer to draw their own conclusions.
 Make sure that you discuss, define, and agree with the customer on next steps in terms
of follow up activities and/or engagements. If possible, identify owners from both the
customer and the delivery team, expected timeline, and resources needed.
 Make sure you reserve some time for Q&A.

At the end of the meeting, officially share the engagement deliverables including the 02 –
Threat Protection Workshop – Results and Next Steps.pptx presentation and any additional
deliverables from add-on or optional modules with the customer.

Background reading
To prepare for the delivery of the Threat Protection Workshop engagement, refer to Appendix A
-Readiness and Technical Content for links to relevant online learning content.

Duration and effort


 Preparation 1 Hrs.
 Delivery 1 Hrs.

15. Engagement Decommissioning

Use this activity of the Threat Protection Workshop to work together with the customer to remove
all the configuration and resources created during the Threat Protection Workshop, and to cancel
trial licenses and subscriptions in the customer tenant.

Objectives
The objective is to remove all the configuration and resources created during Threat Protection
Workshop in the customer tenant, particularly the following:

 Threat Check
o Disable Microsoft 365 Defender.
o Disable integration between Microsoft Defender for Endpoint and Microsoft
Cloud App Security (if configured).
o Remove Cloud Discovery data from Microsoft Cloud App Security.
o Cancel Microsoft 365 for Threat Check trial licenses.

Format
Can be delivered as an onsite or online workshop.

Customer resources
 Azure Tenant Administrator.
 Office 365 Tenant Administrator.
 Network Administrator.
 Server Infrastructure Administrator.

Delivery resources
 Security Consultant

Supporting materials
No supporting materials exist.

Preparation
The delivery resource will need to familiarize themselves with:

 The completed 04 – Threat Protection Workshop – Scope Template.docx document

Pre-requisites
The activities outlined in 14 Workshop Day must be completed prior to starting this activity.

Deliverables
No deliverables exist.

Guidance

Important
We strongly recommend decommissioning all the deployment and configuration changes
made to the customer tenant at the end of the Threat Protection Workshop engagement.

The Threat Protection Workshop engagement was designed to be a short and timeboxed
engagement that achieves its objectives by demonstrating Microsoft security products and
features using data from the customer production tenant. It is not meant to be a production
deployment of any of the included products in the customer tenant. Certain simplified
methods and approaches (such as setting up “broad” privileges to the Threat Protection
Workshop trial subscription) were thus used in the delivery guidance of this engagement.
Additionally, the Microsoft 365 for Threat Check trial licenses were meant to be used only
during the period of the Threat Protection Workshop engagement. Should the customer and
the delivery team make a decision to keep the configuration created during the Threat
Protection Workshop and use it for a production deployment of any of the included
Microsoft security products, the recommended approach would be to:

 Threat Check:
o Obtain paid Microsoft 365 licenses that are equivalent to Microsoft 365 for Threat
Check trial licenses, or other paid Microsoft licenses which cover the security
features used in the Threat Check.

The below steps should be used for decommissioning all the deployment and configuration
changes made to the customer tenant at the end of the Threat Protection Workshop
engagement:

 Decommissioning of changes made in the Endpoint Protection optional module:
Use the guidance below to assist the customer with the offboarding of the included
Windows 10 devices:
Offboard devices from the Microsoft Defender for Endpoint service | Microsoft Docs

Important
Offboarded devices will remain in the portal until the retention period for the device's
data expires. The status will be switched to 'Inactive' 7 days after offboarding.

 Decommissioning of changes made in the Hybrid Identity Protection optional module:
o Uninstall the Microsoft Defender for Identity sensors from all Active Directory
servers in scope of this engagement, using the guidance provided here:
Uninstall a sensor from a domain controller
o Revert the changes made in the Configure Microsoft Defender for Identity to make
remote calls to SAM configuration step of the 11.6 Hybrid Identity Protection -
Configuration [Optional module] activity.
o Remove the Active Directory account created in the Create an Active Directory
account for Microsoft Defender for Identity sensors configuration step of the 11.6
Hybrid Identity Protection - Configuration [Optional module] activity.
o Open a new incognito/private web browser session and sign in to the Microsoft
Defender for Identity instance of the customer’s Microsoft 365 tenant:
https://portal.atp.azure.com
o In the Microsoft Defender for Identity instance go to the Configuration → Delete
Instance menu, click ”Delete” and confirm that you want to delete the instance.

 Decommissioning of changes made in Threat Check module:
o Open a new incognito/private web browser session and sign in to the Microsoft
365 admin center of the customer’s Microsoft 365 tenant:
http://security.microsoft.com
o Open a new tab in the web browser session and go to the Microsoft Cloud App
Security portal:
http://portal.cloudappsecurity.com
o Go to the Control → Policies menu, locate the policy called “Malware detection”, click
on the button on the right with three vertical dots, then select “Disable” from the
menu and accept any additional prompts that follow.
o Under Settings in the Cloud App Security Portal, choose “Files”, and de-select
“Enable file monitoring” and then click “Save”.
o Use the following guidance to change components of Office 365 connection to
Microsoft Cloud App Security to only “Azure AD Users and groups”:
Connect Office 365 to Cloud App Security | Microsoft Docs
NOTE: currently there’s no supported way to completely remove the connection
between Office 365 and Microsoft Cloud App Security. However, by minimizing
the data passed through this connection to “Azure AD Users and groups” only,
and then cancelling the Microsoft 365 for Threat Check licenses, the
connection effectively becomes decommissioned.

o If during the scoping activities performed as per section 11.2 Define scope, a
decision was made to use Microsoft Defender for Endpoint to provide
information about cloud applications and services accessed by the customer’s
users, then revert the configuration steps made earlier to integrate Microsoft
Defender for Endpoint with Microsoft Cloud App Security as per this guidance:
Integrate Microsoft Defender for Endpoint with Cloud App Security | Microsoft
Docs
Then, under Settings in the Cloud App Security Portal, choose “Microsoft
Defender for Endpoint”, check “Enforce app access” and then click “Save”.
o Use the following steps to delete Cloud Discovery data that was stored in
Microsoft Cloud App Security:
Deleting Cloud Discovery data | Microsoft Docs
o If during the scoping activities performed as per section 11.2 Define scope, a
decision was made to use Microsoft Defender for Office 365 Evaluation Mode,
then in the Microsoft 365 Defender portal https://security.microsoft.com go to
Policies & rules (in the Email & Collaboration group) → Threat policies →
Evaluation mode, click on Settings and then click on Turn off evaluation.
o Remove the Microsoft Defender for Office 365 Safe Attachment policy and then
remove the distribution group used to scope the policy.

o There’s no need to take any specific actions to decommission Azure Active
Directory Identity Protection.
o If the auditing was turned on as part of this engagement, then turn it off, as per
this guidance:
Turn auditing on or off - Microsoft 365 Compliance | Microsoft Docs
o Open a new tab in the previously opened web browser session, go to the Microsoft
365 admin center of the customer’s Microsoft 365 tenant:
http://admin.microsoft.com
and choose Billing → Your products from the menu on the left side.
o Select “Microsoft 365 E5 Security Trial” and select “Cancel subscription”.
o Repeat the step above for “Microsoft 365 E3 trial”.
Important
Be sure you are canceling Microsoft 365 for Threat Check trial licenses, and not
any other customer licenses.

Background reading
To prepare for the delivery of the Threat Protection Workshop engagement, refer to Appendix A
-Readiness and Technical Content for links to relevant online learning content.

Duration and effort


 Preparation 1 Hrs.
 Delivery 1-2 Hrs.

Appendix A - Readiness and Technical Content
This appendix contains recommended learning material that each delivery resource should go
through before delivering the Threat Protection Workshop engagement.

Threat Protection Workshop general readiness content


Recommended learning materials that each delivery resource should go through before
delivering the Threat Protection Workshop engagement are:

 Explore and get familiar with the content in the Trust Center.
 Explore and get familiar with the content in the Microsoft Secure site.
 Get the latest Microsoft security updates from the Microsoft Secure Blog.

Threat Check readiness content


Recommended learning materials that each delivery resource should go through before
delivering the Threat Check module are:

 Explore and get familiar with the content listed in the Microsoft 365 technical training -
Security & Compliance web page, with specific focus on readiness materials on Microsoft 365
security products and features that are used as tools in the Threat Check engagement:
o Microsoft 365 Defender
o Azure Active Directory
o Microsoft Defender for Office 365
o Microsoft Cloud App Security

NOTE: Also visit the “Intermediate Security Training” document found towards the
bottom of the page, or directly at:
https://www.microsoft.com/microsoft-365/partners/resources/intermediate-security-training

Ignite 2020 Sessions:

 Microsoft Defender | Bringing Microsoft 365 Azure and all of your security signal
 Microsoft 365 Defender: Stop attacks and reduce security operations workload by 50%
 Ask the Expert: Microsoft 365 Defender: Stop attacks and reduce security

 Microsoft 365 Defender documentation:
https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-threat-protection
 Azure Active Directory Identity Protection documentation:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview
 Microsoft Defender for Office 365 documentation:
https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-atp
 Microsoft Cloud App Security documentation:
https://docs.microsoft.com/en-us/cloud-app-security/

Endpoint Protection optional module readiness content


Recommended learning materials that each delivery resource should go through before
delivering the Endpoint Protection module are:

Ignite 2019 Sessions:

 Microsoft Defender for Endpoint in 20 minutes
 Security in overdrive: best practices for configuring Microsoft Defender for Endpoint
 Endpoint security management with Microsoft Defender for Endpoint and Microsoft
Endpoint Manager
 Unleash the hunter in you: Advanced hunting in Microsoft Defender for Endpoint
 Giving you the upper hand in combating web threats with Microsoft Defender for
Endpoint
 What’s new in Microsoft Defender for Endpoint

Microsoft Defender for Endpoint videos:
https://www.youtube.com/playlist?list=PL3ZTgFEc7LysX3dP-2WrxCSjOfz2uymRW

Microsoft Defender for Endpoint webinar: End-to-end security for your endpoints
https://www.youtube.com/watch?v=U7jWbXx_bmE

Microsoft Defender for Endpoint Security Administrator and Operations training content:
https://techcommunity.microsoft.com/t5/microsoft-defender-atp/become-a-microsoft-defender-atp-ninja/ba-p/1515647

Microsoft Defender for Endpoint product documentation:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection

Hybrid Identity Protection optional module readiness content
Recommended learning materials that each delivery resource should go through before
delivering the Hybrid Identity Protection optional module are:

What is Microsoft Defender for Identity?

Microsoft Defender for Identity architecture

Defender for Identity introductory video (25 minutes)- Full

Defender for Identity deep dive video (75 minutes)- Full

Bolster your security posture with Microsoft Defender for Identity - Microsoft Tech Community

Incident Investigation with Microsoft Defender for Identity - Microsoft Tech Community

Microsoft Defender for Identity Webinars

Microsoft Defender for Identity documentation

Demo Environments
We recommend that you create a demo environment and explore the Microsoft 365 Security
features as preparation for the engagement. Options for creating demo environments:

 Microsoft Demos
 Customer Immersion Experiences

These demo environments can be accessed through http://cdx.transform.microsoft.com

Appendix B - Threat Protection Workshop toolkit
The table below lists the files that are part of the Threat Protection Workshop toolkit.

File name | Type
00 - Threat Protection Workshop - Delivery Guide (this document) | Word Document
01 - Threat Protection Workshop - Pre-engagement Call | PowerPoint Presentation
02 - Threat Protection Workshop - Results and Next Steps | PowerPoint Presentation
03 - Threat Protection Workshop - Top Threats Document | Word Document
04 - Threat Protection Workshop - Scope Template | Word Document
05 - Threat Protection Workshop - Customer Questionnaire | Word Document
06 - Threat Protection Workshop - Microsoft Defender for Endpoint Overview | PowerPoint Presentation
07 - Threat Protection Workshop - Microsoft Defender for Identity Overview | PowerPoint Presentation
99 - Threat Protection Workshop - Supporting Illustrations | Visio

Appendix C - Action Required Email Template

Hello [CUSTOMER_NAME],

Thank you for taking the time to join the Pre-engagement Call for the Threat Protection Workshop
engagement. As an important step for the success of the engagement, please read this email, complete
the pre-requisite tasks as soon as possible, and let us know if you need any assistance.

[DELIVERY_ORGANIZATION] has been engaged by [CUSTOMER_NAME] to deliver the Threat
Protection Workshop.

Threat Protection Workshop Overview

The Microsoft Threat Protection Workshop is an engagement that helps you assess your security
landscape, address your most pressing security goals and challenges, and provides an immersive
experience that brings the Microsoft security vision and capabilities to life.

As part of the workshop, you will:

 Receive a documented security strategy for your teams and stakeholders.
 Better understand, prioritize, and mitigate potential threats.
 Work together with us to define a list of next steps based on your needs, objectives, and results
from the Threat Protection Workshop.
 Learn how you can accelerate your security journey together with Microsoft.

The delivery includes activities such as:

• Discover threats: gain visibility into threats to your Microsoft 365 cloud and on-premises environments
across email, identity and data in order to better understand, prioritize and mitigate potential
cyberattack vectors.

• Understand how to mitigate threats: help you understand how Microsoft 365 and Azure security
products can help you mitigate and protect against the threats found during the period of this
engagement.

[Remove if the Endpoint Protection optional module is not included in the engagement]

Endpoint Protection Optional Module Overview

The Endpoint Protection optional module of the Threat Protection Workshop uses Microsoft Defender for
Endpoint to discover threats and security vulnerabilities affecting Windows 10 devices. Microsoft Defender
for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent,
detect, investigate, and respond to advanced threats.

In addition to the results of the Threat Protection Workshop and Threat Check, the Endpoint Protection
optional module will also allow you to:

 Better understand the features and benefits of Microsoft Defender for Endpoint.
 Better understand existing endpoint weaknesses and what can be done to harden the endpoint
surface area.
 Have defined next steps based on your needs and objectives.

[Remove if the Hybrid Identity Protection optional module is not included in the engagement]

Hybrid Identity Protection optional module Overview

The Hybrid Identity Protection optional module of the Threat Protection Workshop uses Microsoft
Defender for Identity to discover threats and security vulnerabilities related to Active Directory. Microsoft
Defender for Identity (formerly Azure Advanced Threat Protection) is a cloud-based security solution that
leverages Active Directory signals to identify, detect, and investigate advanced threats, compromised
identities, and malicious insider actions directed at your organization.

In addition to the results of the Threat Protection Workshop and Threat Check, the Hybrid Identity
Protection optional module will also allow you to:

 Better understand the features and benefits of Microsoft Defender for Identity.
 Better understand how to prioritize and mitigate potential threats found during the engagement.
 Better understand existing Active Directory security weaknesses and what can be done to harden
its surface area.
 Have defined next steps based on your needs and objectives.

Agenda and Participants

Please ensure your stakeholders are confirmed to participate in the Kick-off Meeting and sessions in the
Workshop Day phase.

[ADD AGENDA]

ACTION: Complete pre-requisites

Listed below are some important items your organization needs to complete prior to the next step of the
engagement:

Project Management

• Resource (team members, vendors) availability and schedule.
• Completion of the attached 05 – Threat Protection Workshop - Customer Questionnaire.docx.

Technical Requirements – Threat Check

The following requirements must be considered by your organization prior to the start of the
engagement:

1. Access to Microsoft 365 (Office 365) and Azure tenants
• Please assign a person from your organization with the Global Admin role in your Microsoft 365
(Office 365) and Azure tenants the task of working with us in the Configuration and Threat
Exploration activities.
2. Obtaining logs for Cloud Discovery including network firewalls and/or proxy servers
• If your organization leverages Microsoft Defender for Endpoint and uses devices with Windows
10 (minimum version 1709), then this would be the best way of gathering logs for Cloud
Discovery.
• Logs could also be gathered from the on-premises firewall or web proxy during the period of
the Data Collection phase and then uploaded for Cloud Discovery analysis. You need to ensure
that logs are collected and stored in FTP format, which typically requires sending them from the
firewall or web proxy to external storage, which you would need to provide. Up to 1 source of logs
gathered in this way is in scope for the Threat Check.
• Please consider which option you prefer. We will then discuss and finalize where to get the
Cloud Discovery logs from as part of the Define Scope activity.

[Remove if the Endpoint Protection optional module is not included in the engagement]

Technical Requirements – Endpoint Protection Optional Module

3. Windows 10 devices
• Up to a maximum of 100 Windows 10 devices can be onboarded to Microsoft Defender for
Endpoint as part of the engagement. Please prepare a list of Windows 10 devices you would
like to include as part of the engagement. We will then discuss and finalize the selected
Windows 10 devices as part of the Define Scope activity.

Important
It is not recommended to run Microsoft Defender for Endpoint in parallel with a non-Microsoft EDR
solution due to potential endpoint performance issues. We recommend you either uninstall or
disable any existing non-Microsoft EDR on the Windows 10 devices included as part of the
engagement before onboarding the devices to Microsoft Defender for Endpoint.

We recommend onboarding a minimum of 50 Windows 10 devices to ensure that you have enough
data to analyze and report on as part of the engagement.

[Remove if the Hybrid Identity Protection optional module is not included in the engagement]

Technical Requirements – Hybrid Identity Protection optional module

4. Active Directory server specifications
• Active Directory servers can be either physical or virtual and can reside on-premises or in
public/private clouds.
• Active Directory servers should be running supported Windows Server OS versions as per the
following article:
https://docs.microsoft.com/en-us/defender-for-identity/prerequisites#general
• Active Directory servers should have sufficient CPU and memory resources:
• 2 cores and 6 GB RAM are the minimum requirements, as per this:
https://docs.microsoft.com/en-us/defender-for-identity/prerequisites#server-specifications
• IMPORTANT! To function properly, the Microsoft Defender for Identity sensor might
require more CPU cores and/or RAM, depending on the volume of network traffic that
the Active Directory server sends/receives. To verify if your Active Directory servers might
require more CPU cores or RAM prior to the deployment of Microsoft Defender for
Identity sensors on them, please use the following approach:
1. Sign in to an Active Directory Domain Controller or to a domain-joined workstation
with the credentials of a user who is a member of the “Domain Admins” group.
2. Download the Microsoft Defender for Identity Sizing Tool from:
https://github.com/microsoft/ATA-AATP-Sizing-Tool/blob/master/README.md
3. Run the tool to collect the CPU, memory and network traffic statistics data from
all Active Directory Domain Controllers using this command:
TriSizingTool.exe -UseCurrent=Forest

4. If you have Active Directory Federation Services servers in your environment, then
execute the above steps on them all, using this command to run the tool:
TriSizingTool.exe

5. If you have multiple Active Directory forests in your environment, then repeat
above steps in all Active Directory forests.
6. Allow the tool to run for 24 hours.
7. Collect the Excel spreadsheet(s) with results produced by the tool from all the
Active Directory servers or domain-joined workstation where it was running. Send
them to us together with the Threat Protection Workshop questionnaire.
• Active Directory servers must have the Microsoft .NET Framework 4.7 or later deployed.
• IMPORTANT! When deploying the Microsoft Defender for Identity sensor on an Active
Directory server, the installation package installs Microsoft .NET Framework 4.7 if it is
not already present. Installing it might require a reboot of the Active Directory server,
which might be undesirable. To verify whether your Active Directory servers require the
installation of the Microsoft .NET Framework 4.7 (and thus might require a reboot) during
the deployment of the Microsoft Defender for Identity sensor, please use the following
approach:
1. Sign in to an Active Directory Domain Controller or to a domain-joined Windows
10 workstation with the credentials of a user who is a member of the “Domain
Admins” group.
2. If you are using a domain-joined Windows 10 workstation, then install the RSAT
Active Directory Domain Services and Lightweight Directory Services Tools from
Settings > Apps & features > Optional features.
3. Open a Windows PowerShell window.
4. Get a list of all Active Directory Domain Controllers in your environment:
   $allDC = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ } | Select-Object -ExpandProperty HostName
5. Execute these PowerShell cmdlets to temporarily allow the execution of unsigned
scripts (the current policy is saved so it can be restored in step 9; prefer RemoteSigned
over Unrestricted if your policy allows it):
   $oldExecutionPolicy = Get-ExecutionPolicy -Scope CurrentUser
   $oldExecutionPolicy
   Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser -Force
6. Install the DotNetVersionLister module from the PowerShell Gallery
https://www.powershellgallery.com/packages/DotNetVersionLister
and import it into the current PowerShell session using these cmdlets:
   Install-Module -Name DotNetVersionLister -Scope CurrentUser -Force
   Import-Module DotNetVersionLister
NOTE: the DotNetVersionLister module is an easy-to-install version of the
DotNetVersionLister script available here:
https://github.com/EliteLoser/DotNetVersionLister
7. Get a list of the Microsoft .NET Framework versions installed on your Active
Directory Domain Controllers and save it to a CSV file using this cmdlet:
   Get-DotNetVersion -ComputerName $allDC -ContinueOnPingFail -ExportToCSV | Format-Table
8. If you have Active Directory Federation Services servers in your environment, then
execute the commands in steps 5 and 6 on them, and get the version of the
Microsoft .NET Framework using this cmdlet:
   Get-DotNetVersion -ComputerName ADFSServerName -ContinueOnPingFail -ExportToCSV | Format-Table
9. Revert the changes you made using these cmdlets:
   Remove-Module -Name DotNetVersionLister
   Uninstall-Module -Name DotNetVersionLister
   Set-ExecutionPolicy -ExecutionPolicy $oldExecutionPolicy -Scope CurrentUser -Force

10. If you used a domain-joined Windows 10 workstation, then uninstall the RSAT
Active Directory Domain Services and Lightweight Directory Services Tools from
Settings > Apps & features > Optional features.
11. If you have multiple Active Directory forests in your environment, then repeat
above steps in all Active Directory forests.
12. Collect the CSV file(s) with the results produced by the DotNetVersionLister module
from all the Active Directory servers or domain-joined workstations where you
created them. Send them to us together with the Threat Protection Workshop
questionnaire.
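The following script is an added example, not part of the workshop guide or of the DotNetVersionLister project. It checks the prerequisites listed in this section (2 cores, 6 GB RAM, .NET Framework 4.7 or later, OS caption for the supported-version check) across every Domain Controller in the forest plus any AD FS servers you name, and it does so by reading the documented .NET Framework 4.x "Release" registry value over PowerShell remoting, so nothing is installed on the Domain Controllers and the execution policy is left unchanged. It assumes the RSAT ActiveDirectory module on the host you run it from, WinRM reachable on each target, and a Domain Admin session; the host name adfs01.corp.contoso.com in the usage lines is a placeholder.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the workshop guide): inventory Defender for Identity
# sensor prerequisites on all DCs (and named AD FS servers) in the forest.
# Assumes WinRM (Invoke-Command) is reachable and the caller is a Domain Admin.

# Documented .NET Framework 4.x "Release" registry values: >= 460798 means 4.7 or later
$MinDotNetRelease = 460798
$MinCores         = 2
$MinMemoryGB      = 6

function Get-MdiSensorPrereqReport {
    [CmdletBinding()]
    param(
        # Hosts that Get-ADDomainController does not return, e.g. AD FS servers
        [string[]]$AdditionalComputerName = @()
    )

    # Same DC enumeration as step 4 above, written without aliases
    $targets = (Get-ADForest).Domains |
        ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
        Select-Object -ExpandProperty HostName
    $targets = @($targets) + $AdditionalComputerName | Sort-Object -Unique

    foreach ($computer in $targets) {
        $row = [ordered]@{
            ComputerName = $computer; OS = $null; Cores = $null; MemoryGB = $null
            DotNetRelease = $null; NeedsDotNetInstall = $null; MeetsMinimum = $false; Error = $null
        }
        try {
            $facts = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                $cores = (Get-CimInstance Win32_Processor |
                          Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
                $memGB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
                $os    = (Get-CimInstance Win32_OperatingSystem).Caption
                # The key is absent when no .NET Framework 4.x is installed at all
                $rel = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                           -Name Release -ErrorAction SilentlyContinue
                $release = 0
                if ($rel) { $release = [int]$rel.Release }
                [pscustomobject]@{ Cores = $cores; MemoryGB = $memGB; OS = $os; DotNetRelease = $release }
            }
            $row.OS            = $facts.OS
            $row.Cores         = $facts.Cores
            $row.MemoryGB      = $facts.MemoryGB
            $row.DotNetRelease = $facts.DotNetRelease
            # Sensor setup installs .NET 4.7 itself when it is missing, which may force a reboot
            $row.NeedsDotNetInstall = $facts.DotNetRelease -lt $MinDotNetRelease
            $row.MeetsMinimum = (($facts.Cores -ge $MinCores) -and
                                 ($facts.MemoryGB -ge $MinMemoryGB) -and
                                 (-not $row.NeedsDotNetInstall))
        }
        catch {
            # Unreachable host or access denied: keep the row so the gap is visible in the report
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Usage (elevated PowerShell, Domain Admin): table on screen, CSV for the questionnaire.
# 'adfs01.corp.contoso.com' is a placeholder for your AD FS server(s).
$report = Get-MdiSensorPrereqReport -AdditionalComputerName 'adfs01.corp.contoso.com'
$report | Format-Table -AutoSize
$report | Export-Csv -Path ".\MdiPrereqs-$((Get-ADForest).Name).csv" -NoTypeInformation
```

A row with NeedsDotNetInstall set to True is a Domain Controller where the sensor installation may trigger a reboot, which is the case this section asks you to identify in advance; a populated Error column means the host could not be queried and should be checked by hand.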

5. Network connectivity
• For the Microsoft Defender for Identity sensors to connect to and register with the Microsoft
Defender for Identity cloud-based service, perform auto-updates, and connect to endpoint
devices in your network, the sensors must have access to the following network resources
(port numbers and domains):
https://docs.microsoft.com/en-us/defender-for-identity/prerequisites#ports
(Internet ports, Internal ports and Localhost ports parts of the table)
NOTE: if you prefer that Microsoft Defender for Identity sensors connect to and register with
the Microsoft Defender for Identity cloud-based service through your proxy service, and if it
needs to be configured to allow such access, then in addition to the above, please follow this
guidance:
https://docs.microsoft.com/en-us/defender-for-identity/configure-proxy#enable-access-to-
defender-for-identity-service-urls-in-the-proxy-server
• For the Microsoft Defender for Identity sensors to properly conduct Network Name
Resolution (i.e. resolve the names of devices in your network from the raw IP addresses seen
in captured network traffic), they must have access to the following network resources,
including the port numbers:
https://docs.microsoft.com/en-us/defender-for-identity/prerequisites#ports
(NNR ports part of the table)
NOTE: For more information on Network Name Resolution performed by Microsoft Defender
for Identity sensors please see:
https://docs.microsoft.com/en-us/defender-for-identity/nnr-policy
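As an added pre-flight check (not part of the workshop guide), the script below runs from a candidate Domain Controller and probes the two connectivity requirements above: outbound TCP 443 to the sensor API endpoint, directly or through a proxy, and the NNR paths to a few sample endpoints (TCP 135 for RPC, TCP 3389 for RDP, UDP 53 reverse DNS, UDP 137 NetBIOS). The endpoint name format <workspace-name>sensorapi.atp.azure.com follows the service's documented pattern, but the workspace name 'contoso-corp', the proxy URL and the sample IP addresses are placeholders you replace with your own; read the port table linked above as the authoritative list.

```powershell
# Added example (not from the workshop guide): pre-flight Defender for Identity
# sensor connectivity from a Domain Controller. Workspace name, proxy URL and
# sample endpoint IPs are placeholders for your environment.

function Test-MdiSensorConnectivity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$WorkspaceName,
        [string]$ProxyUrl,                    # e.g. http://proxy.corp.contoso.com:8080 (optional)
        [string[]]$SampleEndpointIP = @()     # a few workstation/server IPs for NNR probes
    )
    $results = @()

    # 1. Cloud service: TCP 443 to <workspace>sensorapi.atp.azure.com, direct or via proxy
    $sensorApi = "${WorkspaceName}sensorapi.atp.azure.com"
    if ($ProxyUrl) {
        try {
            $r = Invoke-WebRequest -Uri "https://$sensorApi" -Proxy $ProxyUrl -Method Head `
                     -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
            $ok = $true; $detail = "HTTP $($r.StatusCode) via $ProxyUrl"
        } catch {
            # An HTTP status error still proves the TLS path through the proxy works;
            # a connect or proxy-auth failure has no Response object at all.
            $ok = $null -ne $_.Exception.Response
            $detail = $_.Exception.Message
        }
    } else {
        $t = Test-NetConnection -ComputerName $sensorApi -Port 443 -WarningAction SilentlyContinue
        $ok = $t.TcpTestSucceeded; $detail = "direct, resolved to $($t.RemoteAddress)"
    }
    $results += [pscustomobject]@{ Check = 'Sensor service'; Target = $sensorApi; Port = 443; Success = $ok; Detail = $detail }

    foreach ($ip in $SampleEndpointIP) {
        # 2. NNR over TCP: RPC (135) and RDP (3389); the sensor only needs the handshake to succeed
        foreach ($port in 135, 3389) {
            $t = Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue
            $results += [pscustomobject]@{ Check = 'NNR TCP'; Target = $ip; Port = $port; Success = $t.TcpTestSucceeded; Detail = $null }
        }
        # 3. NNR reverse DNS (UDP 53) against the DC's configured resolvers
        try {
            $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop |
                       Select-Object -First 1 -ExpandProperty NameHost
            $results += [pscustomobject]@{ Check = 'NNR reverse DNS'; Target = $ip; Port = 53; Success = $true; Detail = $ptr }
        } catch {
            $results += [pscustomobject]@{ Check = 'NNR reverse DNS'; Target = $ip; Port = 53; Success = $false; Detail = $_.Exception.Message }
        }
        # 4. NNR NetBIOS (UDP 137): no Test-NetConnection equivalent, so use nbtstat,
        #    which prints a name table (UNIQUE/GROUP rows) only when the port answers
        $nbt = nbtstat -A $ip 2>$null
        $nbtOk = [bool]($nbt | Select-String -Pattern 'UNIQUE|GROUP' -Quiet)
        $results += [pscustomobject]@{ Check = 'NNR NetBIOS'; Target = $ip; Port = 137; Success = $nbtOk; Detail = $null }
    }
    $results
}

# Usage: run on each DC that will host a sensor; every row should show Success = True.
Test-MdiSensorConnectivity -WorkspaceName 'contoso-corp' -SampleEndpointIP '10.0.0.25', '10.0.1.40' |
    Format-Table -AutoSize
```

Run it once without -ProxyUrl and, if your egress policy requires it, once with the proxy you intend to configure for the sensors, so that a failure can be attributed to the firewall rule or to the proxy configuration before the sensors are installed.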

6. Account rights needed during the engagement:

• Account with Administrator privileges for the installation of the Microsoft Defender for Identity
sensors on the included Active Directory servers.

• Standard Active Directory account with read access to all Active Directory objects in the Active
Directory forest in which Microsoft Defender for Identity sensors will be deployed during the
engagement (this is the Directory Service Account the sensors use to query Active Directory;
a group Managed Service Account is the recommended option).
]

If there are any issues with the above, please let me know as soon as possible so we can provide
assistance.

[SIGNATURE]
