Endpoint Engineering

For Security Engineers, SOC Analysts, and IT Administrators Who Configure Defender for Endpoint, Intune Security Policies, and Endpoint Hardening

Endpoint Security Engineering

The Mission: Build an Endpoint Security Stack That Survives Both Production Users and Real Adversaries

Every M365 E5 customer has Defender for Endpoint. Almost none have tuned it beyond defaults. No ASR rules in block mode. Default AV policy. No custom detections. No forensic readiness. No device control. This course closes that gap — and extends beyond MDE into the OS internals, cross-platform considerations, and adversary tradecraft that a complete endpoint security engineer needs to understand. You will learn not just what to configure, but what attackers do to bypass it, and how to validate that your controls actually work. Every configuration includes blast radius analysis, testing methodology, and production deployment strategy.

Endpoint Security Architecture (diagram)

Layer 1: Hardening (OS internals, CIS Benchmarks, LAPS, audit policy). Reduce the attack surface before the attacker arrives.

Layer 2: Prevention (ASR rules, AV tuning, WDAC, exploit protection). Block known attack techniques at the endpoint.

Layer 3: Detection (EDR, custom KQL rules, endpoint hunting queries). Catch what prevention misses with behavioral detection.

Layer 4: Response (AIR, live response, isolation, containment at scale). Contain confirmed threats automatically or manually.

Layer 5: Forensic Readiness (Sysmon, PowerShell logging, KAPE, Velociraptor). Ensure evidence exists when the incident happens.

Layer 6: Integration (zero trust, Sentinel, automation, cross-platform). Connect endpoint security to the broader security architecture.

Environment: 865 endpoints · 12 servers · 8 Linux · 520 mobile (Northgate Engineering)

The Endpoint Security Engineering Framework

Every configuration decision in this course runs through three questions:

1. What does this control actually block? Not what the documentation says it blocks. What happens in production when real users with real applications hit this control. Every ASR rule, every AV setting, every compliance policy is tested against realistic production scenarios before deployment.

2. What breaks when you enable it? Every security control has a blast radius. ASR rules block legitimate line-of-business applications. Compliance policies lock users out of corporate resources. AV exclusions create security gaps. This course teaches blast radius assessment before deployment — not after the help desk is overwhelmed.

3. How do you validate it is working? A configured control is not a working control. Every policy needs a validation method — a KQL query, an Atomic Red Team test, a health dashboard that proves the control is doing what you intended. Configuration without validation is security theatre.

Who this course is for

Security engineers responsible for the endpoint security stack but operating with mostly default configurations. You know MDE exists. You know ASR rules exist. You have not deployed them in block mode because you do not know what will break. This course gives you the methodology to deploy confidently.

SOC analysts who investigate MDE alerts daily but have no input into how the protection layer is configured. You want to move from consumer of endpoint telemetry to engineer of the endpoint stack that generates it.

IT administrators who manage Intune and need to understand the security policies they deploy at a deeper level — not just which buttons to click, but why those settings matter and what happens when the attacker encounters them.

IR practitioners who depend on endpoint telemetry and want to ensure the forensic readiness and detection coverage they rely on is actually configured. This course builds the foundation that Practical IR and Incident Triage depend on.

Who this course is not for

Certification preppers. This is not an SC-200 study guide or a portal walkthrough. It is an operational engineering course. If you want to pass a certification exam, use a certification prep course. If you want to build an endpoint security stack that survives contact with real adversaries, use this course.

Deep forensic investigators. Practical IR and Linux IR cover full forensic analysis. This course covers forensic readiness and artifact collection — ensuring evidence exists when the incident happens, not deep analysis and timeline reconstruction.

Complete beginners. This course assumes familiarity with the MDE portal and basic KQL. If you are new to KQL, complete Mastering KQL first. If you have never used the MDE portal, start with SOC Operations or M365 Security Operations.

Built on Northgate Engineering — not abstract examples

Every configuration, every detection rule, every deployment decision in this course is built for Northgate Engineering — an 810-person precision manufacturing company with 865 Windows endpoints (Windows 11 23H2), 12 Windows servers (4 DCs, 2 SQL, 2 IIS, 2 file servers, 2 application servers), 8 Linux servers (6 RHEL manufacturing, 2 Ubuntu web), 520 mobile devices, M365 E5 licensing, Intune management, and BlueVoyant as managed SOC partner. Current state: MDE onboarded on 90% of endpoints, everything else at default. Target state: complete endpoint security architecture — 100% onboarded, ASR enforced, AV tuned, EDR optimised, 20+ custom detections, compliance-driven conditional access, forensic readiness validated, servers and Linux covered, vulnerability management operational, monitoring and governance in place.

What you will be able to do

1. Deploy MDE at enterprise scale with validated onboarding across Windows, Linux, macOS, servers, and VDI — achieving 100% sensor coverage with device health monitoring that catches devices that silently fall off.

2. Configure and enforce all ASR rules using the audit-first methodology: deploy in audit mode, analyse audit data with KQL, build exclusion sets for legitimate applications, and graduate to block mode with confidence. No guessing. No breaking production.

3. Engineer Defender Antivirus beyond defaults — cloud protection levels, behavioral detection, ransomware protection, controlled folder access, and role-specific server configurations with blast radius analysis for every setting.

4. Build 20+ custom detection rules in MDE using KQL, covering credential access, lateral movement, persistence, and defense evasion. Each detection includes automated response actions, Atomic Red Team validation, and the monthly review process that keeps detections accurate.

5. Hunt proactively across all endpoint tables with 40+ production KQL queries organised by ATT&CK tactic. Build the hunt-to-detection pipeline that converts hunting findings into automated detection rules.

6. Deploy complete forensic readiness — advanced audit policies, PowerShell logging, Sysmon, Windows Event Forwarding, KAPE, Velociraptor, OSQuery, and Windows LAPS. When the incident happens, the evidence already exists.

7. Understand evasion from the defender's perspective — process injection, AMSI bypass, ETW tampering, EDR evasion, and anti-forensics. Build detections that survive evasion evolution because they target behavior, not artifacts.

8. Extend endpoint security across platforms — Windows servers, Linux (Defender for Linux, eBPF, Sysmon for Linux), macOS, and VDI environments. CIS Benchmarks for server hardening. Cross-platform unified hunting.

9. Integrate with zero trust architecture — device compliance driving conditional access, MDE risk signals in Entra ID, Sentinel cross-workload correlation, Logic App automation playbooks, and MDE API programmatic management.

10. Produce a complete, deployable architecture document — every configuration, every decision, every exception, every monitoring query, every governance procedure. The artifact you take to your own environment.

Course at a glance

Modules: 16 (ES0–ES15) across 4 phases

Interactive labs: 16 (one per module — assessment simulators, configuration workshops, detection exercises)

Custom detection rules: 20+ production KQL rules with Atomic Red Team validation

Hunting queries: 40+ organised by ATT&CK tactic

Format: Written content — production KQL, PowerShell, Intune configurations, SVG diagrams, interactive labs, worked artifacts, knowledge checks

Free content: ES0–ES1 (2 modules) — no account required

Paid content: ES2–ES15 (14 modules) — Premium or Team subscription

Platform: Microsoft Defender for Endpoint (P2), Intune, Sentinel, Entra ID

Built by Ridgeline Cyber

Ridgeline Cyber Defence builds security operations training grounded in practical and operational experience. The team behind this course runs CSOC operations across on-prem, Splunk, and Microsoft 365 security stacks, Cisco and Palo Alto networks, and managed SOC partnerships.

Experience spans endpoint security engineering, detection engineering, incident response, and DFIR investigation across on-prem, M365, and Linux environments — including configuring and tuning MDE across enterprise fleets, building custom detection rules, and validating endpoint security controls against real attack techniques.

The configurations, detection rules, and deployment methodologies in this course are drawn from that operational work — adapted for training but grounded in production endpoint security engineering.

Technical requirements

Microsoft 365 E5 tenant: Recommended for hands-on configuration. A free M365 E5 developer tenant provides MDE P2, Intune, Sentinel, Entra ID, and Defender for Office 365. ES0 provides complete lab setup guidance. The course is completable without a tenant using provided screenshots, pre-generated KQL results, and sample data sets.

Windows 11 VM: For endpoint-specific exercises — KAPE collection, EZ Tools parsing, Sysmon deployment, Atomic Red Team testing. VMware Workstation Pro (free) with the Windows 11 Evaluation ISO (free, 90-day).

Ubuntu VM: For Linux endpoint security exercises — Defender for Linux deployment, Sysmon for Linux, eBPF verification. Any Ubuntu 22.04+ or RHEL 8+ system.

KQL proficiency: Basic KQL is required — where, summarize, project, join. If you are new to KQL, complete Mastering KQL (K0–K3 minimum) first.

MDE portal familiarity: You should know how to navigate the device page, incident queue, and Advanced Hunting interface. SOC Operations, M365 Security Operations, or production MDE experience is sufficient.

No third-party paid tools required. MDE, Intune, Sentinel, and Entra ID are included in the M365 E5 developer tenant. All complementary tools (Sysmon, KAPE, EZ Tools, Velociraptor, OSQuery, Atomic Red Team, WinPMEM) are free.

Course Syllabus

Four phases. Sixteen modules. ES0–ES1 are free — no account required.

Phase 2 — Protection Engineering

ES2
MDE Architecture, Onboarding and Device Health — MDE sensor architecture, cloud-side processing and data flow, licensing tiers (P1 vs P2 operational reality), onboarding methods compared, Intune-based onboarding at scale, server and Linux onboarding, onboarding validation and troubleshooting, device health monitoring with KQL dashboards, device groups and RBAC, and mobile endpoints.
ES3
Production Deployment, Compliance and Conditional Access — Zero-trust onboarding playbook, tamper protection, GPO vs Intune vs MDE settings conflicts, compliance policies that work, Windows compliance baseline, macOS/iOS/Android compliance, compliance plus conditional access enforcement, security baselines vs custom policies, non-compliant device remediation and exception management, and performance impact testing.
ES4
Attack Surface Reduction Rules Mastery — All ASR rules explained individually (what each actually blocks in production), audit-first deployment methodology, analysing ASR audit data with KQL, the safe set (deploy first), the careful set (LOB application testing), the high-risk set (business justification), block vs audit vs warn modes, custom exclusions and lifecycle, controlled folder access and ransomware protection, and ASR monitoring and drift detection.
ES5
Antivirus Engineering and Behavioral Protection — Beyond default AV configuration, cloud-delivered protection and ML models, behavioral monitoring and in-memory detection, ransomware protection deep dive, network protection, scan configuration for production, AV exclusions (the necessary evil), PUA protection, AV health monitoring and signature management, and server-specific AV configuration.
ES6
Device Control, Application Control and Exploit Guard — USB and removable media control, printer and Bluetooth policies, AppLocker, WDAC deep dive and at-scale deployment, exploit protection (DEP, ASLR, CFG), web content filtering, endpoint DLP integration, device control monitoring and reporting, and building the governance document.

Phase 3 — Detection and Response

ES7
EDR Configuration and Automated Response — EDR beyond default configuration, automated investigation and response (AIR), AIR tuning (the confidence decision), live response configuration and workflow, live response scripting, device isolation and containment, indicator management, alert tuning and suppression, threat analytics, and EDR telemetry optimisation.
ES8
Detection Engineering for Endpoints — Custom detections in MDE vs Sentinel (decision framework), MDE Advanced Hunting tables deep dive, building effective detection KQL (3 principles), custom detections for credential access (LSASS, DCSync, SAM), lateral movement (PsExec, WMI, RDP, pass-the-hash), persistence and defense evasion, threat intelligence integration, automated actions on detection (3-tier response matrix), detection testing with Atomic Red Team, and detection lifecycle management.
ES9
KQL for Endpoint Hunting — Endpoint hunting philosophy and cadence, DeviceProcessEvents deep dive (5 queries), DeviceNetworkEvents deep dive (beaconing, exfiltration, DGA), file and registry event hunting, logon and DLL hunting, essential joins and time-window queries, advanced JSON parsing and anomaly detection, LOLBAS tracking and detection, parent-child process anomaly hunting, and building the endpoint hunting query library.
ES10
Alert Triage, Investigation and Containment — MDE alert to Sentinel incident flow, the 60-minute endpoint triage rule, device timeline exploration, process tree analysis (4 patterns), investigation playbooks (ransomware, commodity malware, living-off-the-land), evidence collection with chain of custody, containment at scale, and decision trees for ransomware vs commodity vs APT.

Phase 4 — Advanced and Operations

ES11
Forensic Readiness and Artifact Collection — Designing for investigation, Windows audit policy configuration, PowerShell logging (ScriptBlock, Module, Transcription), Sysmon deployment and configuration, Windows Event Forwarding architecture, KAPE for endpoint collection, memory acquisition readiness, Velociraptor for fleet-wide collection, OSQuery for state inspection, and Windows LAPS configuration.
ES12
Advanced Evasion, Anti-Forensics and Threat Intelligence — Why defenders need evasion knowledge, process injection techniques and detection, AMSI bypass and script-level evasion, ETW tampering and blind spots, EDR evasion from the defender's perspective, anti-forensics detection, living-off-the-land at enterprise scale, red team and purple team validation, threat intelligence-driven defense, and building resilient detections.
ES13
Servers, Linux and Cross-Platform Endpoint Security — Server security architecture and threat model, domain controller protection, SQL/IIS/file server protection, CIS Benchmarks for server hardening, Defender for Linux deployment, eBPF-based detection on Linux, Sysmon for Linux, macOS endpoint security, unified hunting across platforms, and VDI/multi-session environments.
ES14
Zero Trust, Integration and Automation — Zero trust for endpoints (device compliance as trust signal), MDE plus Sentinel integration, MDE plus Entra ID conditional access, Defender for Cloud integration, MDO and MDI cross-workload correlation, endpoint security automation with Logic Apps, cross-workload automation, MDE API for engineering and operations, third-party SIEM and MSSP integration, and the complete integrated architecture.
ES15
Capstone — Complete Endpoint Security Architecture — 90-day endpoint security project. Nine deployment phases: assessment and planning, onboarding and compliance, attack surface reduction, AV and EDR optimisation, custom detections and hunting, forensic readiness, servers and cross-platform, vulnerability management, monitoring and governance. Deliverable: the complete, deployable, auditable endpoint security architecture document.

Prerequisites

Required:

Basic KQL — Mastering KQL K0–K3 minimum. You need to be comfortable with where, summarize, project, join, and time functions.

Familiarity with the MDE portal — from SOC Operations, M365 Security Operations, Practical IR, or production experience. You should know what the device page, incident queue, and Advanced Hunting interface look like.

Recommended but not required:

Entra ID Security — conditional access and device identity integration (connects directly to ES3 and ES14).

Detection Engineering — detection methodology that this course applies to endpoint-specific tables (connects to ES8).

Practical IR — investigation methodology that depends on the forensic readiness this course builds (connects to ES11).

Where this course fits

The other Ridgeline courses use Defender for Endpoint. This course teaches how to build the endpoint foundation those courses depend on:

Detection Engineering assumes endpoint telemetry is flowing. This course ensures it is.

Practical IR assumes forensic readiness is configured. This course builds it.

Incident Triage assumes the endpoint stack generates reliable alerts. This course engineers the stack.

Threat Hunting assumes endpoint data exists to hunt against. This course ensures collection, retention, and enrichment are operational.

Learner ladder: Entra ID Security (identity layer) → Endpoint Security Engineering (endpoint layer) → Detection Engineering (detection layer) → SOC Operations (operational layer)

Support and community

Questions about course content: training@ridgelinecyber.com

Billing and account management: Self-service via your account page or training@ridgelinecyber.com

LinkedIn: Follow Ridgeline Cyber for operational security content, course updates, and new module announcements

X: @RidgelineCyber

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may deploy configurations, detection rules, scripts, and policies from this course in your organization's production environment. You may not redistribute course content, share account credentials, or republish course materials.

Endpoint security configurations: All Intune policies, KQL queries, detection rules, Sysmon configs, and automation playbooks are provided as-is for deployment in your environment. Test every configuration in audit mode before enforcement. Security controls have production impact — validate blast radius before deployment. Ridgeline Cyber Defence is not responsible for operational impact from deployed configurations.

Fictional environment: All scenarios use the fictional Northgate Engineering environment. Any resemblance to real organizations, incidents, or individuals is coincidental. IP addresses use RFC 5737 documentation ranges.

Version and changelog

Current version: 1.0  |  Last updated: 2026

2026 — v1.0: Course launch. 16 modules (ES0–ES15) across 4 phases. Complete endpoint security engineering from OS internals through architecture deployment. 20+ custom detection rules, 40+ hunting queries, forensic readiness stack, cross-platform coverage, zero trust integration, and capstone architecture document.

This course is actively maintained. Endpoint security configurations are updated as MDE capabilities evolve, new ASR rules are released, and new attack techniques emerge. Check this page for version updates.