Microsoft Security Operations Analyst Associate (SC-200) Cert Prep by Microsoft Press

Practice your skills and get ready to tackle the Microsoft Security Operations Analyst Associate (SC-200) certification exam.

Introduction

• Exam SC-200 Microsoft Security Operations Analyst: Introduction

1. Configure Settings in Microsoft Defender XDR

• Learning objectives
• Configure a connection from Defender XDR to a Sentinel workspace
• Configure alert and vulnerability notification rules
• Configure Microsoft Defender for Endpoint advanced features
• Configure endpoint rules settings, including indicators and web content filtering
• Manage automated investigation and response capabilities in Microsoft Defender XDR
• Configure automatic attack disruption in Microsoft Defender XDR

2. Manage Assets and Environments

• Learning objectives
• Configure and manage device groups, permissions, and automation levels in Microsoft Defender for Endpoint
• Identify and remediate unmanaged devices in Microsoft Defender for Endpoint
• Manage resources using Azure Arc
• Connect environments to Microsoft Defender for Cloud using multi-cloud account management
• Discover and remediate unprotected resources using Defender for Cloud
• Identify and remediate devices at risk using Microsoft Defender Vulnerability Management

3. Design and Configure a Microsoft Sentinel Workspace

• Learning objectives
• Plan a Microsoft Sentinel workspace
• Configure Microsoft Sentinel roles
• Specify Azure RBAC roles for Microsoft Sentinel configuration
• Design and configure Microsoft Sentinel data storage, including log types and log retention
• Manage multiple workspaces using Workspace Manager and Azure Lighthouse

4. Ingest Data Sources in Microsoft Sentinel

• Learning objectives
• Identify data sources to be ingested for Microsoft Sentinel and implement content hub solutions
• Configure and use Microsoft connectors for Azure resources, including Azure Policy and diagnostic settings
• Configure bidirectional synchronization between Microsoft Sentinel and Microsoft Defender XDR
• Configure bidirectional synchronization between Microsoft Sentinel and Microsoft Defender for Cloud
• Plan and configure Syslog and Common Event Format (CEF) event collections
• Plan and configure collection of Windows Security events using data collection rules, including Windows Event Forwarding (WEF)
• Configure threat intelligence connectors, including platform, TAXII, upload indicators API, and MISP
• Create custom log tables in the workspace to store ingested data

5. Configure Protections in Microsoft Defender Security Technologies

• Learning objectives
• Configure policies for Microsoft Defender for Cloud apps
• Configure policies for Microsoft Defender for Office
• Configure security policies for Microsoft Defender for Endpoints, including attack surface reduction (ASR) rules
• Configure cloud workload protections in Microsoft Defender for Cloud

6. Configure Detection in Microsoft Defender XDR

• Learning objectives
• Configure and manage custom detections
• Configure alert tuning
• Configure deception rules in Microsoft Defender XDR

7. Configure Detections in Microsoft Sentinel

• Learning objectives
• Classify and analyze data using entities
• Configure scheduled query rules, including KQL
• Configure near-real-time (NRT) query rules, including KQL
• Manage analytics rules from content hub
• Configure anomaly detection analytics rules
• Configure the fusion rule
• Query Microsoft Sentinel data using ASIM parsers
• Manage and use threat indicators

8. Respond to Alerts and Incidents in Microsoft Defender XDR

• Learning objectives
• Investigate and remediate threats to Microsoft Teams, SharePoint Online, and OneDrive
• Investigate and remediate threats in email using Microsoft Defender for Office
• Investigate and remediate ransomware and business email compromise incidents identified by automatic attack disruption
• Investigate and remediate compromised entities identified by Microsoft Purview data loss prevention (DLP) policies
• Investigate and remediate threats identified by Microsoft Purview insider risk policies
• Investigate and remediate alerts and incidents identified by Microsoft Defender for Cloud
• Investigate and remediate security risks identified by Microsoft Defender for Cloud apps
• Investigate and remediate compromised identities in Microsoft Entra ID
• Investigate and remediate security alerts from Microsoft Defender for Identity
• Manage actions and submissions in the Microsoft Defender portal

9. Respond to Alerts and Incidents Identified by Microsoft Defender for Endpoint

• Learning objectives
• Investigate timeline of compromised devices
• Perform actions on the device, including live response and collecting investigation packages
• Perform evidence and entity investigation

10. Enrich Investigations Using Other Microsoft Tools

• Learning objectives
• Investigate threats using a unified audit log
• Investigate threats using content search
• Perform threat hunting using Microsoft Graph activity logs

11. Manage Incidents in Microsoft Sentinel

• Learning objectives
• Triage incidents in Microsoft Sentinel
• Investigate incidents in Microsoft Sentinel
• Respond to incidents in Microsoft Sentinel

12. Configure Security Orchestration, Automation, and Response (SOAR) in Microsoft Sentinel

• Learning objectives
• Create and configure automation rules
• Create and configure Microsoft Sentinel playbooks
• Configure analytic rules to trigger automation
• Trigger playbooks manually from alerts and incidents
• Run playbooks on on-premises resources

13. Hunt for Threats Using KQL

• Learning objectives
• Identify threats using Kusto Query Language (KQL)
• Interpret threat analytics in the Microsoft Defender portal
• Create custom hunting queries using KQL

14. Hunt for Threats Using Microsoft Sentinel

• Learning objectives
• Analyze attack vector coverage using the MITRE ATT&CK in Microsoft Sentinel
• Customize content gallery hunting queries
• Use hunting bookmarks for data investigations
• Monitor hunting queries using Livestream
• Retrieve and manage archived log data
• Create and manage search jobs

15. Analyze and Interpret Data Using Workbooks

• Learning objectives
• Activate and customize Microsoft Sentinel workbook templates
• Create custom workbooks that include KQL
• Configure visualizations

Conclusion

• Exam SC-200 Microsoft Security Operations Analyst: Summary