📄️ Enable Microsoft Defender for Cloud Apps
Implementation Effort: Low
📄️ Discover Cloud Apps
Implementation Effort: Medium – Requires integration with network infrastructure (e.g., firewalls, proxies, Defender for Endpoint) and setup of log collection or API automation.
📄️ Enable App Governance
Implementation Effort: Low
📄️ Create File Policies with Microsoft Defender for Cloud Apps
Implementation Effort: Medium
📄️ Connect Apps to Microsoft Defender for Cloud Apps
Implementation Effort: High
📄️ Regulate apps with priority account consent
Implementation Effort: Customer IT and Security Operations teams need to drive projects to set up and customize app governance policies based on organizational needs.
📄️ View the Cloud Discovery dashboard to see what apps are being used in your organization
Implementation Effort: Customer IT and Security Operations teams need to drive projects to set up and configure the Cloud Discovery dashboard and manage ongoing monitoring and filtering of apps.
📄️ Create access policies - Microsoft Defender for Cloud Apps
Implementation Effort: Creating access policies involves configuring multiple prerequisites, including licenses, onboarding apps, and setting up Conditional Access policies, which require ongoing management and monitoring.
📄️ Govern discovered apps - Microsoft Defender for Cloud Apps
Implementation Effort: Customer IT and Security Operations teams need to drive projects to review, sanction, and unsanction apps, and potentially integrate with existing security appliances.
📄️ Get insights on and regulate access to sensitive content with app governance - Microsoft Defender for Cloud Apps
Implementation Effort: This effort score was chosen because customer IT and Security Operations teams need to drive projects to customize policies and monitor app activities.
📄️ Block download of sensitive information with conditional access app control
Implementation Effort: Customer IT and Security Operations teams need to implement programs that require ongoing time or resource commitment. This involves setting up and managing policies in Microsoft Defender for Cloud Apps and ensuring continuous monitoring and adjustments.
📄️ Conditional Access app control - Microsoft Defender for Cloud Apps
Implementation Effort: Configuring Conditional Access app control requires setting up access and session policies, which involves project-level work by IT teams.
📄️ Create Defender for Cloud Apps anomaly detection policies
Implementation Effort: Customer IT and Security Operations teams need to drive projects to configure and manage the anomaly detection policies effectively.
📄️ Microsoft Defender for Cloud Apps - Entra ID Identity Protection integration and reporting
Implementation Effort: Implementing visibility and control over cloud apps requires ongoing monitoring, configuration, and management by IT and Security Operations teams.
📄️ Require step-up authentication (authentication context) upon risky action
Implementation Effort: This effort score is chosen because it involves creating and managing Conditional Access policies and session policies, which require ongoing time and resource commitment from IT and Security Operations teams.
📄️ App Discovery Policy in Microsoft Defender for Cloud Apps
Implementation Effort: Medium
📄️ Create policies to control OAuth apps - Microsoft Defender for Cloud Apps
Implementation Effort: Creating an OAuth app policy involves configuring settings and permissions within the Microsoft Defender Portal, which requires project-level effort from IT teams.
📄️ Create session policies - Microsoft Defender for Cloud Apps
Implementation Effort: Creating session policies requires configuring multiple settings and ensuring prerequisites are met, which involves project-level effort.
📄️ Integrate Microsoft Defender for Endpoint - Microsoft Defender for Cloud Apps
Implementation Effort: Customer IT and Security Operations teams need to drive projects to integrate and configure the systems.
📄️ Deploy the Defender for Cloud Apps Log Collector on Your Firewalls and Other Proxies
Implementation Effort: Medium – This deployment requires IT teams to configure network devices (firewalls, proxies) and set up a log collector server, which involves coordination and testing.
📄️ SaaS Security Initiative - Microsoft Defender for Cloud Apps
Implementation Effort: Customer IT and Security Operations teams need to drive projects to connect applications to Microsoft Defender for Cloud Apps and manage security recommendations.
📄️ Create a Custom Activity Policy to Get Alerts About Suspicious Usage Patterns
Implementation Effort: Low
📄️ Prepare to deploy Microsoft Defender for Endpoint
Implementation Effort: Medium – This deployment requires IT and Security Operations teams to coordinate licensing, tenant setup, network configuration, and onboarding tools, but it does not require ongoing programmatic changes.
📄️ Assign Roles and Permissions for Microsoft Defender for Endpoint
Implementation Effort: Medium – This requires IT and Security Operations teams to plan and configure role-based access control (RBAC) or Unified RBAC (URBAC), including defining roles, mapping them to Microsoft Entra groups, and managing access reviews.
📄️ Identify your architecture and select a deployment method for Defender for Endpoint
Implementation Effort: Medium
📄️ Onboard Devices to Microsoft Defender for Endpoint
Implementation Effort: Medium – This task requires IT teams to plan and execute onboarding across multiple device types and platforms using tools like Microsoft Intune, Group Policy, or local scripts.
📄️ Set up Device Discovery in Microsoft Defender for Endpoint
Implementation Effort: Low – Setup involves enabling a feature and selecting discovery mode in the Microsoft Defender portal, with minimal ongoing maintenance.
📄️ Set Microsoft Defender Antivirus to Active Mode
Implementation Effort: Medium – This requires IT or Security Operations teams to configure Group Policy, Microsoft Intune, or other management tools to enforce Defender Antivirus as the primary AV solution.
📄️ Configure Behavioral, Heuristic, and Real-Time Protection
Implementation Effort: Medium
📄️ Enable EDR in Block Mode
Implementation Effort: Medium – While the feature is enabled through a simple configuration, it often requires coordination with security teams to validate compatibility with existing antivirus solutions and ensure proper monitoring is in place.
📄️ Enable Cloud Protection
Implementation Effort: Low – This is a straightforward configuration that can be deployed quickly using Group Policy, Intune, or other endpoint management tools.
📄️ Turn on Tamper Protection
Implementation Effort: Medium – While enabling tamper protection is technically simple, deploying it across a diverse environment requires coordination with endpoint management, policy testing, and ensuring compatibility with existing security tools and processes.
📄️ Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface
Implementation Effort: This feature can be enabled through targeted configuration changes using Group Policy or Intune, without requiring a broader program or ongoing resource commitment.
📄️ Prevent users from locally modifying Microsoft Defender Antivirus policy settings
Implementation Effort: Low
📄️ Enable Attack Surface Reduction Rules
Implementation Effort: High
📄️ Enable Application Control
Implementation Effort: Requires ongoing management and monitoring by IT and Security Operations teams to ensure policies are correctly enforced and updated.
📄️ Device control in Microsoft Defender for Endpoint
Implementation Effort: Customer IT and Security Operations teams need to drive projects to configure and manage device control policies using tools like Intune.
📄️ Turn on network protection
Implementation Effort: Enabling network protection requires configuring endpoint security policies and potentially updating the Microsoft Defender anti-malware platform, which involves ongoing management and resource commitment.
📄️ Enable Web Protection in Microsoft Defender for Endpoint
Implementation Effort: Customer IT and Security Operations teams need to drive projects to configure and maintain web protection settings.
📄️ Enable exploit protection
Implementation Effort: Implementing exploit protection requires setting up monitoring for application crashes and hangs, enabling full user mode dump collection, and ensuring compatibility with existing applications. This involves ongoing resource commitment and careful deployment practices to avoid productivity outages.
📄️ Review and Classify Your Critical Device Assets with Microsoft Security Exposure Management
Implementation Effort: Medium – Customer IT and Security Operations teams need to drive projects to classify and manage critical device assets.
📄️ Configure automated investigation and remediation capabilities
Implementation Effort: Customer IT and Security Operations teams need to drive projects to set up device groups and configure automation levels.
📄️ Enable controlled folder access
Implementation Effort: Customer IT and Security Operations teams need to drive projects to configure and deploy controlled folder access using various methods.
📄️ Resolve open incidents on devices
Implementation Effort: Customer IT and Security Operations teams need to drive projects to investigate and resolve incidents using Microsoft Defender for Endpoint.
📄️ Prioritize vulnerability remediation with attack paths
Implementation Effort: Customer IT and Security Operations teams need to drive projects to integrate and analyze data sources for attack path visualization.
📄️ Follow security recommendations to improve Endpoint Security initiative score
Implementation Effort: Customer IT and Security Operations teams need to drive projects to review and implement security initiatives and recommendations.
📄️ Lay the Groundwork for Microsoft Defender for Identity
Implementation Effort: Medium – While the deployment requires planning and coordination across teams, it follows a well-documented process and can be phased in gradually.
📄️ Install Microsoft Defender for Identity (MDI) Sensors on All Domain Controllers
Implementation Effort: High
📄️ Configure sensors for AD FS, AD CS, and Microsoft Entra Connect
Implementation Effort: Installing and configuring sensors across multiple services (AD FS, AD CS, Microsoft Entra Connect) requires significant planning, coordination, and ongoing management by IT and Security Operations teams.
📄️ Security Assessment: Ensure privileged accounts are not delegated
Implementation Effort: Customer IT and Security Operations teams need to drive projects to review and configure privileged accounts.
📄️ Microsoft Defender for Identity monitored activities
Implementation Effort: Customer IT and Security Operations teams need to drive projects to integrate and configure Defender for Identity with domain controllers.
📄️ Defender for Identity entity tags
Implementation Effort: Customer IT and Security Operations teams need to drive projects to manually tag entities and configure settings in Microsoft Defender XDR.
📄️ Identity Inventory in Microsoft Defender for Identity
Implementation Effort: Customer IT and Security Operations teams need to drive projects to integrate and manage identity data from various sources.
📄️ Microsoft LAPS Usage Assessment - Microsoft Defender for Identity
Implementation Effort: Customer IT and Security Operations teams need to drive projects to implement and configure Microsoft LAPS across domain-joined computers.
📄️ Security Assessment: Dormant Entities in Sensitive Groups
Implementation Effort: Medium – Customer IT and Security Operations teams need to drive projects to identify and manage dormant entities.
📄️ Remove local admins on identity assets
Implementation Effort: This effort score was chosen because it requires ongoing monitoring and remediation of privileged access rights across identity assets, which involves continuous resource commitment from IT and Security Operations teams.
📄️ Remove non-admin accounts with DCSync permissions
Implementation Effort: Customer IT and Security Operations teams need to drive projects to identify and remove DCSync permissions from non-admin accounts.
📄️ Security assessment: Remove unnecessary replication permissions for Microsoft Entra Connect AD DS Connector Account
Implementation Effort: Customer IT and Security Operations teams need to drive projects to review and adjust permissions for the AD DS Connector accounts.
📄️ Security assessment: Remove unsafe permissions on sensitive Entra Connect accounts
Implementation Effort: This effort score is chosen because customer IT and Security Operations teams need to implement programs that require ongoing time or resource commitment, including continuous monitoring and adjustments.
📄️ Unsecure SID History attributes assessment - Microsoft Defender for Identity
Implementation Effort: Removing unsecure SID history attributes requires ongoing monitoring and remediation efforts by IT and Security Operations teams to ensure the security posture is maintained.
📄️ Security assessment: Replace Enterprise or Domain Admin account for Entra Connect AD DS Connector account
Implementation Effort: This effort score is chosen because it requires organizations to create or assign a lower-privileged account specifically for directory synchronization, which involves significant changes to existing configurations and ongoing monitoring.
📄️ Deceptive Defense: Best Practices for Identity-Based Honeytokens in Microsoft Defender
Implementation Effort: Customer IT and Security Operations teams need to drive projects to configure and manage honeytoken accounts within Microsoft Defender.
📄️ Review and classify critical assets in Microsoft Security Exposure Management
Implementation Effort: Customer IT and Security Operations teams need to drive projects to classify and manage critical assets using predefined and custom classifications.
📄️ Remediate risks and unblock users
Implementation Effort: Customer IT and Security Operations teams need to drive projects to set up risk-based policies and configure self-remediation options.
📄️ Microsoft Defender for Identity Health Alerts
Implementation Effort: Medium – Customer IT and Security Operations teams need to drive projects to monitor and resolve health issues.
📄️ Tune Security Alerts
Implementation Effort: Medium – Customer IT and Security Operations teams need to drive projects to configure and manage security alerts within Microsoft Defender XDR.
📄️ Understand and investigate Lateral Movement Paths - Microsoft Defender for Identity
Implementation Effort: Customer IT and Security Operations teams need to drive projects to continuously monitor and manage lateral movement paths.
📄️ Identity Security Initiative - Microsoft Defender for Identity
Implementation Effort: Medium
📄️ Troubleshoot Known Issues in Microsoft Defender for Identity
Implementation Effort: Medium
📄️ Configure Email Authentication
Implementation Effort: Medium – IT and Security teams must configure SPF, DKIM, and DMARC records, which involves DNS changes, Microsoft 365 configuration, and ongoing monitoring.
📄️ Review Configuration Analyzer in Microsoft Defender for Office 365
Implementation Effort: Low
📄️ Onboard Admin Users with Least Privilege Roles in Microsoft Defender for Office 365
Implementation Effort: Medium
📄️ Identify and Set Up Priority Accounts and User Tags in Microsoft Defender for Office
Implementation Effort: Medium
📄️ Set up Enhanced Filtering for Connectors (when using another email solution ahead of Defender for Office 365)
Implementation Effort: Medium – This setup requires coordination between email routing configurations, connector settings, and Defender for Office 365 policies, typically involving IT and Security teams.
📄️ Configure Antimalware Policies
Implementation Effort: Medium
📄️ Configure anti-phishing policies in Microsoft Defender for Office 365
Implementation Effort: Customer IT and Security Operations teams need to drive projects to configure and manage anti-phishing policies in the Microsoft Defender portal.
📄️ Set up Anti-Spam Policies in Microsoft Defender for Office 365
Implementation Effort: Low
📄️ Create Quarantine Policies
Implementation Effort: Medium – Creating and configuring quarantine policies requires project-driven efforts by IT and Security Operations teams. This involves setting up different access levels, permissions, and notification settings.
📄️ Set up Safe Attachments policies in Microsoft Defender for Office 365
Implementation Effort: Customer IT and Security Operations teams need to drive projects to configure and manage Safe Attachments policies.
📄️ Set up Safe Links policies in Microsoft Defender for Office 365
Implementation Effort: Customer IT and Security Operations teams need to drive projects to configure and manage Safe Links policies, including setting up permissions and using the Microsoft Defender portal or Exchange Online PowerShell.
📄️ User reported settings - Microsoft Defender for Office 365
Implementation Effort: Customer IT and Security Operations teams need to implement programs that require ongoing time or resource commitment to configure and manage user reporting settings effectively.
📄️ Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365
Implementation Effort: Customer IT and Security Operations teams need to drive projects to configure and manage ZAP and quarantine policies.
📄️ Attack Simulation Training in Microsoft Defender for Office 365
Implementation Effort: High – Customer IT and Security Operations teams need to drive projects to set up and manage simulations.
📄️ Manage Allows and Blocks in the Tenant Allow/Block List
Implementation Effort: Medium
📄️ Configure Outbound Spam Policy
Implementation Effort: Medium
📄️ Automated investigation and response (AIR) in Microsoft Defender for Office 365
Implementation Effort: Customer IT and Security Operations teams need to drive projects to integrate AIR capabilities into their existing security workflows and ensure audit logging is enabled.
📄️ Roles and permissions in Microsoft Sentinel
Implementation Effort: Customer IT and Security Operations teams need to drive projects to set up and manage Azure RBAC roles within Microsoft Sentinel.
📄️ Design log analytics workspace architecture
Implementation Effort: Medium – This effort score was chosen because designing a Log Analytics workspace architecture requires customer IT and Security Operations teams to drive projects that involve evaluating multiple criteria and configuring workspaces accordingly.
📄️ Prioritize data connectors for Microsoft Sentinel
Implementation Effort: Customer IT and Security Operations teams need to drive projects to determine which data connectors are relevant and set up custom and partner connectors.
📄️ Understand and plan Sentinel costs
Implementation Effort: Customer IT and Security Operations teams need to drive projects to understand and optimize costs using the pricing calculator and other methods.
📄️ Enable Unified Security Operations Platform
Implementation Effort: Low
📄️ Enable Microsoft Sentinel
Implementation Effort: Low
📄️ Connect Your First Party Data Sources to Microsoft Sentinel Using Data Connectors
Implementation Effort: Medium – This requires IT and Security Operations teams to install solutions from the Content Hub, configure connectors, and ensure prerequisites are met for each data source.
📄️ Set up third-party data connectors in Microsoft Sentinel
Implementation Effort: Medium – Setting up third-party connectors typically requires IT or SecOps teams to configure ingestion pipelines using Syslog, CEF, REST APIs, or custom connectors, which involves moderate project work and coordination with external systems.
📄️ Creating Microsoft Sentinel custom connectors
Implementation Effort: Creating custom connectors involves significant development work, including programming and configuration, which requires ongoing time and resource commitment.
📄️ Configure Interactive and Long-Term Data Retention in Microsoft Sentinel
Implementation Effort: Medium
📄️ Set up analytics rules in Microsoft Sentinel
Implementation Effort: Medium – Setting up analytics rules requires IT and security teams to design KQL queries, configure rule logic, and manage rule lifecycle, but it doesn’t require ongoing user involvement.
📄️ Correlate Data with Watchlists
Implementation Effort: Medium
📄️ Streamline Data Analysis with UEBA in Microsoft Sentinel
Implementation Effort: Medium – Enabling UEBA in Microsoft Sentinel requires configuring data connectors, ensuring proper log ingestion, and tuning analytics rules, which involves a project-driven effort by IT and security teams.
📄️ Integrate MDTI Feeds to Microsoft Sentinel
Implementation Effort: Medium
📄️ Turn on Auditing and Health Monitoring in Microsoft Sentinel
Implementation Effort: Low – This feature requires administrators to enable built-in monitoring and auditing settings in Microsoft Sentinel, which is a targeted configuration task with minimal ongoing resource needs.
📄️ Custom Data Ingestion and Transformation in Microsoft Sentinel
Implementation Effort: High
📄️ Normalize Microsoft Sentinel Data with the Advanced Security Information Model (ASIM)
Implementation Effort: Medium – This requires IT and security teams to configure and maintain ASIM parsers and schemas, and potentially refactor existing analytics rules and queries to align with normalized data models.
📄️ Understand Sentinel Security Coverage by the MITRE ATT&CK® Framework
Implementation Effort: Medium
📄️ View and Manage SOC Optimization Recommendations in Microsoft Sentinel
Implementation Effort: Medium
📄️ Create and use Microsoft Sentinel automation rules to manage response
Implementation Effort: Medium
📄️ Automate Threat Responses with Sentinel Playbooks
Implementation Effort: Medium – Setting up playbooks requires configuring Azure Logic Apps, defining automation rules, and coordinating with SOC processes, but it doesn’t require continuous manual effort once deployed.
📄️ Set up Microsoft Sentinel Workbooks
Implementation Effort: Medium
📄️ Hunt for Threats and Investigate Incidents
Implementation Effort: Medium – This requires ongoing time and resource commitment from security operations teams to create hypotheses, conduct hunts, and act on findings.
📄️ Follow security recommendations to improve BEC, CIS Foundations, and Ransomware Protection Initiative Scores
Implementation Effort: Medium – Customer IT and Security Operations teams need to drive projects to manage and improve the security posture against BEC attacks.