Practice your skills and get ready to tackle the Microsoft Security Operations Analyst Associate (SC-200) certification exam.
Microsoft Security Operations Analyst Associate (SC-200) Cert Prep by Microsoft Press
Overview
Syllabus
Introduction
- Exam SC-200 Microsoft Security Operations Analyst: Introduction
- Learning objectives
- Configure a connection from Defender XDR to a Sentinel workspace
- Configure alert and vulnerability notification rules
- Configure Microsoft Defender for Endpoint advanced features
- Configure endpoint rules settings, including indicators and web content filtering
- Manage automated investigation and response capabilities in Microsoft Defender XDR
- Configure automatic attack disruption in Microsoft Defender XDR
- Learning objectives
- Configure and manage device groups, permissions, and automation levels in Microsoft Defender for Endpoint
- Identify and remediate unmanaged devices in Microsoft Defender for Endpoint
- Manage resources using Azure Arc
- Connect environments to Microsoft Defender for Cloud using multi-cloud account management
- Discover and remediate unprotected resources using Defender for Cloud
- Identify and remediate devices at risk using Microsoft Defender Vulnerability Management
- Learning objectives
- Plan a Microsoft Sentinel workspace
- Configure Microsoft Sentinel roles
- Specify Azure RBAC roles for Microsoft Sentinel configuration
- Design and configure Microsoft Sentinel data storage, including log types and log retention
- Manage multiple workspaces using Workspace Manager and Azure Lighthouse
- Learning objectives
- Identify data sources to be ingested for Microsoft Sentinel and implement content hub solutions
- Configure and use Microsoft connectors for Azure resources, including Azure Policy and diagnostic settings
- Configure bidirectional synchronization between Microsoft Sentinel and Microsoft Defender XDR
- Configure bidirectional synchronization between Microsoft Sentinel and Microsoft Defender for Cloud
- Plan and configure Syslog and Common Event Format (CEF) event collections
- Plan and configure collection of Windows Security events using data collection rules, including Windows Event Forwarding (WEF)
- Configure threat intelligence connectors, including platform, TAXII, upload indicators API, and MISP
- Create custom log tables in the workspace to store ingested data
- Learning objectives
- Configure policies for Microsoft Defender for Cloud apps
- Configure policies for Microsoft Defender for Office
- Configure security policies for Microsoft Defender for Endpoints, including attack surface reduction (ASR) rules
- Configure cloud workload protections in Microsoft Defender for Cloud
- Learning objectives
- Configure and manage custom detections
- Configure alert tuning
- Configure deception rules in Microsoft Defender XDR
- Learning objectives
- Classify and analyze data using entities
- Configure scheduled query rules, including KQL
- Configure near-real-time (NRT) query rules, including KQL
- Manage analytics rules from content hub
- Configure anomaly detection analytics rules
- Configure the fusion rule
- Query Microsoft Sentinel data using ASIM parsers
- Manage and use threat indicators
- Learning objectives
- Investigate and remediate threats to Microsoft Teams, SharePoint Online, and OneDrive
- Investigate and remediate threats in email using Microsoft Defender for Office
- Investigate and remediate ransomware and business email compromise incidents identified by automatic attack disruption
- Investigate and remediate compromised entities identified by Microsoft Purview data loss prevention (DLP) policies
- Investigate and remediate threats identified by Microsoft Purview insider risk policies
- Investigate and remediate alerts and incidents identified by Microsoft Defender for Cloud
- Investigate and remediate security risks identified by Microsoft Defender for Cloud apps
- Investigate and remediate compromised identities in Microsoft Entra ID
- Investigate and remediate security alerts from Microsoft Defender for Identity
- Manage actions and submissions in the Microsoft Defender portal
- Learning objectives
- Investigate timeline of compromised devices
- Perform actions on the device, including live response and collecting investigation packages
- Perform evidence and entity investigation
- Learning objectives
- Investigate threats using a unified audit log
- Investigate threats using content search
- Perform threat hunting using Microsoft Graph activity logs
- Learning objectives
- Triage incidents in Microsoft Sentinel
- Investigate incidents in Microsoft Sentinel
- Respond to incidents in Microsoft Sentinel
- Learning objectives
- Create and configure automation rules
- Create and configure Microsoft Sentinel playbooks
- Configure analytic rules to trigger automation
- Trigger playbooks manually from alerts and incidents
- Run playbooks on on-premises resources
- Learning objectives
- Identify threats using Kusto Query Language (KQL)
- Interpret threat analytics in the Microsoft Defender portal
- Create custom hunting queries using KQL
- Learning objectives
- Analyze attack vector coverage using the MITRE ATT&CK in Microsoft Sentinel
- Customize content gallery hunting queries
- Use hunting bookmarks for data investigations
- Monitor hunting queries using Livestream
- Retrieve and manage archived log data
- Create and manage search jobs
- Learning objectives
- Activate and customize Microsoft Sentinel workbook templates
- Create custom workbooks that include KQL
- Configure visualizations
- Exam SC-200 Microsoft Security Operations Analyst: Summary
Taught by
Microsoft Press and Charbel Nemnom
