Endpoint Security Foundations
0.1 What endpoint security engineering is
Every M365 E5 tenant has Defender for Endpoint deployed. Almost none have configured it beyond the defaults. The AV runs with default cloud protection levels. The EDR collects telemetry nobody hunts through. ASR rules sit in audit mode or are not deployed at all. The endpoint security stack is installed but not engineered.
That distinction — deployed versus engineered — defines whether your endpoints survive contact with an attacker who knows what they are doing. Deployment means the agent is running. Engineering means the hardening baselines reduce the attack surface, the ASR rules block known techniques in block mode, the detection rules catch what prevention misses, the response procedures contain incidents in minutes, and the forensic telemetry preserves evidence that survives legal scrutiny. This course teaches you to build the second from the first.
The gap is not hypothetical. At Northgate Engineering, Defender for Endpoint is onboarded on 780 of 865 endpoints. The sensor collects telemetry. But zero ASR rules are in block mode. Zero custom detection rules exist. No compliance policies enforce device health through Conditional Access. No PowerShell ScriptBlock logging is configured. No Sysmon is deployed. The EDR is running — and the attacker who compromised NE's environment operated for three weeks without generating a single alert that anyone investigated. MDE was installed. It was not engineered.
This module establishes why traditional AV fails against modern attack chains, how the five-layer endpoint security stack works, what metrics measure endpoint security health, where NE's gaps are, and how the phased deployment methodology prevents the production outages that cause security projects to stall. The module does not require a lab environment — it builds the assessment framework and deployment methodology that every subsequent module depends on.
0.2 What you will learn
Ten sections, each building a layer of the endpoint security engineering foundation.
Section 0.1 — Why Traditional AV Fails. The evolution from signature-based AV through EPP, EDR, and XDR. What each generation adds and where each falls short. Why having Defender for Endpoint deployed is not the same as having endpoint security configured. The generation assessment query that tells you where your environment operates today.
Section 0.2 — Modern Attack Chains on Endpoints. A multi-phase endpoint attack mapped phase by phase — initial access through execution, persistence, privilege escalation, lateral movement, and objective completion. Which layer of the security stack intercepts each phase. Where a default MDE deployment fails and where an engineered deployment stops the attacker.
Section 0.3 — The Endpoint Security Stack. The five interdependent layers: hardening, prevention, detection, response, and forensic readiness. What each layer contributes, what breaks when one is missing, and why the layers are cumulative. The most common forensic readiness gap — PowerShell ScriptBlock logging.
Section 0.4 — Key Metrics. The four metrics that define endpoint security health: ASR rule coverage percentage, custom detection rule coverage, mean time to containment, and device compliance score. How to measure each, what target values look like, and why engineering metrics drive progress while vanity metrics do not.
Section 0.5 — The Microsoft Ecosystem View. How MDE, Intune, Sentinel, Entra ID, and Defender XDR integrate. Which signals flow where. The data flow from endpoint sensor to Advanced Hunting to Sentinel. The retention model difference (30 days vs configurable) and the cost implications of streaming telemetry to Sentinel.
Section 0.6 — The NE Endpoint Landscape. Northgate Engineering's 865 endpoints assessed layer by layer. MDE at 90% onboarding, everything else at default. Zero ASR rules in block mode. Zero custom detections. No compliance enforcement. The compound risk of multiple simultaneous gaps and the specific attack chain that exploited them.
Section 0.7 — The Deployment Sequence. The phased methodology: onboard → AV tuning → ASR audit → graduated enforcement → detection → forensic readiness. Why sequence matters — what breaks when you deploy controls in the wrong order. The safe-set ASR rules that can go to block mode immediately. Emergency exception handling during active incidents.
Section 0.8 — The Blast Radius Problem. Why testing before enforcement is not optional. Direct, indirect, and reputational blast radius. Real examples of ASR rules breaking legitimate applications. The evidence-based promotion methodology — audit data → exclusion analysis → pilot → fleet. How to classify exclusions by security risk.
Section 0.9 — The Endpoint Security Maturity Model. Five levels from default configurations to continuously improved, validated defenses. Why the model is cumulative — advanced detections on an unprotected endpoint are sophisticated locks on an open door. Per-layer scoring for NE. The realistic timeline for a solo practitioner or two-person team.
Section 0.10 — The Attacker's Perspective. What adversaries check in the first 60 seconds after landing on an endpoint. AMSI status, Credential Guard, PowerShell logging, ASR rules, EDR presence. How the reconnaissance output shapes the attacker's tradecraft decisions. The contrast between NE's current Level 1 endpoint and the Level 4 target.
0.3 Why the Microsoft stack is ideal for endpoint security
Defender for Endpoint is simultaneously the prevention engine, the EDR sensor, and the richest source of endpoint telemetry available on any platform. Every process creation, file write, registry modification, network connection, and authentication event is recorded in Advanced Hunting tables — DeviceProcessEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceLogonEvents — queryable in KQL within minutes of occurrence.
ASR rules operate at the OS level, intercepting specific attack techniques before execution. These are not signature matches — they are behavioral rules that block known attack patterns: Office applications creating child processes, credential theft from LSASS, executable content from email clients, script execution via WMI. When tuned from audit to block mode with evidence-based exclusions, they eliminate entire classes of initial access and execution techniques.
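As an added example (not a query from the course page), the audit-data step of the evidence-based promotion described in this module, written as an Advanced Hunting query over DeviceEvents; it assumes the standard ASR ActionType naming (Asr…Audited for audit mode, Asr…Blocked for block mode) and a 30-day lookback.

```kql
// Added example, not part of the course page: fleet-wide ASR audit analysis.
// Assumes the standard Advanced Hunting naming, where each ASR rule event lands
// in DeviceEvents with ActionType "Asr<RuleName>Audited" (audit mode) or
// "Asr<RuleName>Blocked" (block mode). The lookback window is an assumption.
let lookback = 30d;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType startswith "Asr"
// Classify each event by the mode the rule was running in when it fired.
| extend Mode = case(ActionType endswith "Audited", "audit",
                     ActionType endswith "Blocked", "block",
                     "other")
// One row per rule, mode and triggering application: audit rows are the
// candidate exclusions to review; block rows are what enforcement already stops.
| summarize Events = count(),
            Devices = dcount(DeviceId),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleCommandLine = take_any(InitiatingProcessCommandLine)
         by ActionType, Mode, InitiatingProcessFileName, FileName
// Applications that fire on many devices are the ones that would break the
// fleet if the rule were promoted without an exclusion or a pilot.
| order by Devices desc, Events desc
```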
Intune delivers the configuration at scale. Security baselines, ASR rule assignments, compliance policies, and remediation scripts deploy to thousands of endpoints through a single policy framework. The same console that manages the endpoint configuration also enforces Conditional Access integration — a non-compliant device is automatically blocked from corporate resources until remediation completes.
Sentinel and Defender XDR connect endpoint telemetry to the broader security architecture. An alert from Defender for Endpoint correlates with identity signals from Entra ID and email signals from Defender for Office 365 into a single incident. The detection rules you build in this course fire in both Advanced Hunting and Sentinel Analytics — the same KQL, the same logic, different enforcement points.
0.4 How to get the best from this module
Work through the sections in order. Each builds on the previous — the AV failure analysis (0.1) explains why defaults are not enough, the attack chain mapping (0.2) shows what attackers actually do, the security stack (0.3) defines the defenses, and the maturity model (0.9) gives you the framework for measuring progress.
Sections 0.2 (attack chains) and 0.3 (security stack) are the conceptual core. Every module from ES2 onward references these attack phases and defensive layers — if you understand how a credential theft attack flows through the five layers, the ASR rules in ES4, the detection rules in ES8, and the response procedures in ES10 will make immediate sense. If you skip these sections, the later modules will feel like arbitrary configuration steps rather than targeted countermeasures.
Section 0.10 (attacker perspective) is the section experienced practitioners should not skip. Even if you know the Microsoft stack well, understanding what an attacker checks first on a compromised endpoint reshapes your defensive priorities in ways that vendor documentation does not cover.
Estimated total time: 3 to 4 hours. Working through two to three sections per session produces consistent progress.
0.5 Module structure
- Section 0.1 — Why Traditional AV Fails
- Section 0.2 — Modern Attack Chains on Endpoints
- Section 0.3 — The Endpoint Security Stack
- Section 0.4 — Key Metrics
- Section 0.5 — The Microsoft Ecosystem View
- Section 0.6 — The NE Endpoint Landscape
- Section 0.7 — The Deployment Sequence
- Section 0.8 — The Blast Radius Problem
- Section 0.9 — The Endpoint Security Maturity Model
- Section 0.10 — The Attacker's Perspective
No prerequisites. This is the first module of the course. Basic familiarity with M365 administration is helpful but not required — every concept is explained at first use.
Go to Section 0.1 — Why Traditional AV Fails to begin.