SC-200T00: Microsoft Security Operations Analyst
Prepare to pass the SC-200: Microsoft Security Operations Analyst Certification Exam.
Course Description
Learn how to investigate, respond to, and hunt for threats using Microsoft Sentinel, Microsoft Defender XDR and Microsoft Defender for Cloud. In this course you will learn how to mitigate cyberthreats using these technologies. Specifically, you will configure and use Microsoft Sentinel as well as utilize Kusto Query Language (KQL) to perform detection, analysis, and reporting. The course was designed for people who work in a Security Operations job role and helps learners prepare for the exam SC-200: Microsoft Security Operations Analyst.
Audience Profile
The Microsoft Security Operations Analyst collaborates with organizational stakeholders to secure information technology systems for the organization. Their goal is to reduce organizational risk by rapidly remediating active attacks in the environment, advising on improvements to threat protection practices, and referring violations of organizational policies to appropriate stakeholders. Responsibilities include threat management, monitoring, and response by using a variety of security solutions across their environment. The role primarily investigates, responds to, and hunts for threats using Microsoft Sentinel, Microsoft Defender XDR, Microsoft Defender for Cloud, and third-party security products. Since the Security Operations Analyst consumes the operational output of these tools, they are also a critical stakeholder in the configuration and deployment of these technologies.
About this Course
Course Outline
Skills at a glance
- Manage a security operations environment (25–30%)
- Configure protections and detections (15–20%)
- Manage incident response (35–40%)
- Perform threat hunting (15–20%)
Manage a security operations environment (25–30%)
- Configure settings in Microsoft Defender XDR
  - Configure a connection from Defender XDR to a Sentinel workspace
  - Configure alert and vulnerability notification rules
  - Configure Microsoft Defender for Endpoint advanced features
  - Configure endpoint rules settings, including indicators and web content filtering
  - Manage automated investigation and response capabilities in Microsoft Defender XDR
  - Configure automatic attack disruption in Microsoft Defender XDR
- Manage assets and environments
  - Configure and manage device groups, permissions, and automation levels in Microsoft Defender for Endpoint
  - Identify and remediate unmanaged devices in Microsoft Defender for Endpoint
  - Manage resources by using Azure Arc
  - Connect environments to Microsoft Defender for Cloud (by using multi-cloud account management)
  - Discover and remediate unprotected resources by using Defender for Cloud
  - Identify and remediate devices at risk by using Microsoft Defender Vulnerability Management
- Design and configure a Microsoft Sentinel workspace
  - Plan a Microsoft Sentinel workspace
  - Configure Microsoft Sentinel roles
  - Specify Azure RBAC roles for Microsoft Sentinel configuration
  - Design and configure Microsoft Sentinel data storage, including log types and log retention
  - Manage multiple workspaces by using Workspace manager and Azure Lighthouse
- Ingest data sources in Microsoft Sentinel
  - Identify data sources to be ingested for Microsoft Sentinel
  - Implement and use Content hub solutions
  - Configure and use Microsoft connectors for Azure resources, including Azure Policy and diagnostic settings
  - Configure bidirectional synchronization between Microsoft Sentinel and Microsoft Defender XDR
  - Plan and configure Syslog and Common Event Format (CEF) event collections
  - Plan and configure collection of Windows Security events by using data collection rules, including Windows Event Forwarding (WEF)
  - Configure threat intelligence connectors, including platform, TAXII, upload indicators API, and MISP
  - Create custom log tables in the workspace to store ingested data
Configure protections and detections (15–20%)
- Configure protections in Microsoft Defender security technologies
  - Configure policies for Microsoft Defender for Cloud Apps
  - Configure policies for Microsoft Defender for Office
  - Configure security policies for Microsoft Defender for Endpoint, including attack surface reduction (ASR) rules
  - Configure cloud workload protections in Microsoft Defender for Cloud
- Configure detection in Microsoft Defender XDR
  - Configure and manage custom detections
  - Configure alert tuning
  - Configure deception rules in Microsoft Defender XDR
- Configure detections in Microsoft Sentinel
  - Classify and analyze data by using entities
  - Configure scheduled query rules, including KQL
  - Configure near-real-time (NRT) query rules, including KQL
  - Manage analytics rules from Content hub
  - Configure anomaly detection analytics rules
  - Configure the Fusion rule
  - Query Microsoft Sentinel data by using ASIM parsers
  - Manage and use threat indicators
Manage incident response (35–40%)
- Respond to alerts and incidents in Microsoft Defender XDR
  - Investigate and remediate threats to Microsoft Teams, SharePoint Online, and OneDrive
  - Investigate and remediate threats in email by using Microsoft Defender for Office
  - Investigate and remediate ransomware and business email compromise incidents identified by automatic attack disruption
  - Investigate and remediate compromised entities identified by Microsoft Purview data loss prevention (DLP) policies
  - Investigate and remediate threats identified by Microsoft Purview insider risk policies
  - Investigate and remediate alerts and incidents identified by Microsoft Defender for Cloud
  - Investigate and remediate security risks identified by Microsoft Defender for Cloud Apps
  - Investigate and remediate compromised identities in Microsoft Entra ID
  - Investigate and remediate security alerts from Microsoft Defender for Identity
  - Manage actions and submissions in the Microsoft Defender portal
- Respond to alerts and incidents identified by Microsoft Defender for Endpoint
  - Investigate the timeline of compromised devices
  - Perform actions on the device, including live response and collecting investigation packages
  - Perform evidence and entity investigation
- Enrich investigations by using other Microsoft tools
  - Investigate threats by using the unified audit log
  - Investigate threats by using Content Search
  - Perform threat hunting by using Microsoft Graph activity logs
- Manage incidents in Microsoft Sentinel
  - Triage incidents in Microsoft Sentinel
  - Investigate incidents in Microsoft Sentinel
  - Respond to incidents in Microsoft Sentinel
- Configure security orchestration, automation, and response (SOAR) in Microsoft Sentinel
  - Create and configure automation rules
  - Create and configure Microsoft Sentinel playbooks
  - Configure analytic rules to trigger automation
  - Trigger playbooks manually from alerts and incidents
  - Run playbooks on on-premises resources
Perform threat hunting (15–20%)
- Hunt for threats by using KQL
  - Identify threats by using Kusto Query Language (KQL)
  - Interpret threat analytics in the Microsoft Defender portal
  - Create custom hunting queries by using KQL
- Hunt for threats by using Microsoft Sentinel
  - Analyze attack vector coverage by using MITRE ATT&CK in Microsoft Sentinel
  - Customize content gallery hunting queries
  - Use hunting bookmarks for data investigations
  - Monitor hunting queries by using Livestream
- Retrieve and manage archived log data
  - Create and manage search jobs
- Analyze and interpret data by using workbooks
  - Activate and customize Microsoft Sentinel workbook templates
  - Create custom workbooks that include KQL
  - Configure visualizations
Duration
4 Days
Prerequisites
None
Level
Intermediate
Product
- Azure
- Microsoft 365
Role
- Security Engineer
- Security Operations Analyst