It began on a device. A process launched, a command executed, a file changed and a connection left the network.
Microsoft Defender for Endpoint gives defenders the telemetry needed to understand what happened on the endpoint, how the attacker moved and what evidence remains.
The Agent Foskett Defender for Endpoint Academy will teach endpoint security the practical way: one device, one process, one investigation and one response action at a time.
Learn Microsoft Defender for Endpoint from the ground up, covering device telemetry, endpoint investigations, EDR, attack surface reduction, vulnerability management, Live Response and practical endpoint threat hunting.
Understand Defender for Endpoint telemetry
Investigate process, file, registry and network activity
Use ASR, TVM and device control effectively
Respond with isolation, indicators and Live Response
Defender for Endpoint Academy roadmap
This new Academy series will build endpoint security knowledge progressively, from core Defender for Endpoint concepts through to device investigations, EDR response, vulnerability management and enterprise endpoint defence.
Module 1 — Endpoint FoundationsWhat Defender for Endpoint is, how devices are onboarded, how endpoint telemetry is collected and how alerts connect to Microsoft Defender XDR.
Module 4 — Attack Surface ReductionLearn ASR rules, controlled folder access, network protection, web protection, device control and hardening strategy.
Module 6 — Response ActionsUse device isolation, collect investigation packages, restrict app execution, manage indicators and perform Live Response safely.
Planned first lessons
These planned lessons will introduce Defender for Endpoint in a practical sequence for SOC analysts, administrators and Microsoft security engineers.
Lesson 1 — What is Microsoft Defender for Endpoint?Explain Defender for Endpoint, endpoint detection and response, onboarding, device inventory and how endpoint data flows into Defender XDR.
Lesson 2 — Understanding Device InventoryExplore DeviceInfo, device health, operating systems, exposure levels, sensor status and how to identify unmanaged risk.
Lesson 3 — Investigating DeviceProcessEventsInvestigate process creation, command lines, parent processes, LOLBins and suspicious execution patterns.
Lesson 4 — Investigating DeviceNetworkEventsTrack outbound connections, remote IPs, domains, ports, initiating processes and possible command-and-control activity.
Lesson 5 — Attack Surface Reduction BasicsUnderstand how ASR rules reduce attack paths and how to plan, audit, test and enforce them safely.
Lesson 6 — Live Response BasicsIntroduce Live Response, safe response workflows, evidence collection and operational precautions during endpoint incidents.
Related Agent Foskett resources
The Defender for Endpoint Academy builds directly on existing Agent Foskett endpoint investigations and Advanced KQL lessons.
Investigating DeviceProcessEventsUse Defender XDR process telemetry to investigate process execution, parent-child activity, command lines and suspicious endpoint behaviour.
Investigating DeviceNetworkEventsInvestigate network connections, remote IPs, RemoteUrl, ports and process-to-network pivots from endpoint telemetry.
Investigating DeviceFileEventsTrack file creation, modification, deletion, hashes, paths and suspicious file activity across endpoints.
Investigating DeviceRegistryEventsHunt registry changes, persistence mechanisms, run keys and suspicious endpoint configuration changes.
Building a Device TimelineCorrelate process, file, registry, logon and network events into a clear device investigation timeline.
Hunting LOLBinsUse existing hunting content to identify living-off-the-land binaries and suspicious endpoint execution patterns.
Skills this Academy will build
Defender for Endpoint is not only a detection tool. It is an endpoint investigation, hardening, response and exposure management platform.
Endpoint investigationFollow processes, files, registry changes, logons and network connections to understand what happened on a device.
EDR responseKnow when to isolate a device, collect evidence, manage indicators and use Live Response during an active incident.
Attack surface reductionUse ASR, device control and endpoint hardening controls to reduce the opportunities attackers can exploit.
Exposure managementPrioritise vulnerable software, missing patches and weak endpoint configurations with threat and vulnerability management.
Custom detection logicBuild endpoint-focused KQL hunts and custom detections that identify suspicious process and device behaviour.
Enterprise endpoint strategyScale endpoint security across thousands of devices with consistent investigation and response workflows.
Coming first
The first Defender for Endpoint lesson will introduce the platform and explain why endpoint telemetry is so important to modern Microsoft security investigations.
Lesson 1 — What is Microsoft Defender for Endpoint?Agent Foskett will explain Microsoft Defender for Endpoint as the endpoint security and EDR platform behind device investigations, threat hunting, response actions and endpoint hardening.
Why this mattersMost incidents leave evidence on the endpoint. Processes run, files change, registry keys appear, connections leave the device and logons occur. Defender for Endpoint helps analysts connect those clues into a clear story.
Final thought
Endpoint telemetry often shows the attack in motion. Learn to read it properly, and the device will tell you what happened.
Agent Foskett mindsetDo not treat endpoint alerts as isolated events. Build the process tree, follow the timeline, check the network activity and confirm what changed on the device.
New Academy SeriesThe Defender for Endpoint Academy expands Agent Foskett from KQL and XDR investigations into practical endpoint protection, EDR response and device security operations.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD
Microsoft Defender for Endpoint Academy by Agent Foskett
The Agent Foskett Microsoft Defender for Endpoint Academy teaches endpoint security, EDR, device investigations, attack surface reduction, vulnerability management, Live Response and practical Microsoft endpoint defence.
Learn Microsoft Defender for Endpoint security and investigations
This Defender for Endpoint learning path explains device telemetry, process investigations, file activity, registry changes, network events, endpoint response actions, ASR, TVM and enterprise endpoint protection.
Microsoft Defender for Endpoint training for SOC analysts
The Defender for Endpoint Academy builds on the Agent Foskett KQL Academy by showing defenders how to investigate device signals, respond to endpoint incidents and harden Microsoft endpoint environments.