Preparing for the SC-200: Microsoft Security Operations Analyst exam (July 2021 Update)

As I’ve mentioned in the previous preparation guides for Microsoft’s security and compliance exams, they are targeting those who have broad exposure across both Azure and Microsoft 365 technologies. If you take a look at the weighting of this exam, 65-75% of it could be categorised as mostly Azure related, while only 25-30% of the exam is Microsoft 365 focused. What does this mean for those of you planning on taking this exam?

If you are starting your exam preparation already having exposure to Azure Defender, Azure Security Center, Sentinel, Log Analytics, Kusto Query Language and Logic Apps, as well as an understanding of other related Azure services, you are going to be in pretty good shape to fill in the Microsoft 365 Defender gaps and pass the exam. However, you can also easily figure out that the opposite is true – if you’ve only been working with the Microsoft 365 Defender components, there is going to be much study and learning to have a good chance at passing on your first attempt.

The good news is that regardless of which of these categories you fall under, the exam doesn’t expect you to have a deep understanding of the workloads that you are trying to protect, and instead focuses on the skills and tools needed to perform those tasks, not how to remediate the underlying issues that might be identified on a workload by workload basis. This is where this exam is quite different to exams such as MS-500 and AZ-500, as they expect you to know the workloads you are trying to protect as well as how to protect them.

This means that the candidates for this exam get a very different recommendation from me versus those targeting one of the 500 series exams just mentioned, I usually don’t recommend those as someone’s first exam, as they tend to reward those who have done other exams in the lead up to them, in the case of MS-500 for example, I highly recommend that someone has already passed MS-100, MS-101 and MD-101 for example, as they’ve traditionally done a good job of covering a great deal of overlapping content with MS-500.

Now, if you’ve already passed MS-500 and AZ-500, this is an excellent choice as your next exam, because there will be some overlap in the technologies, but expect this exam to go much deeper into understanding the Defender family of technologies, and it also goes deeper into Sentinel than you will have seen on previous exams. You will definitely need to spend some time with Kusto and Log Analytics, not just for the Sentinel portion of the exam, but Azure Defender as well.

Mitigate threats using Microsoft 365 Defender (25-30%)

Detect, investigate, respond, and remediate threats to the productivity environment by using Microsoft Defender for Office 365

• detect, investigate, respond, remediate Microsoft Teams, SharePoint, and OneDrive for Business threats
  • Remediation actions
  • Safe Attachments in Defender for Office 365
• detect, investigate, respond, remediate threats to email by using Defender for Office 365
  • AIR overview
• manage data loss prevention policy alerts
  • Get started with the data loss prevention alert dashboard
• assess and recommend sensitivity labels
  • Get started with sensitivity labels
• assess and recommend insider risk policies
  • Plan for insider risk management

Detect, investigate, respond, and remediate endpoint threats by using Microsoft Defender for Endpoint

• manage data retention, alert notification, and advanced features
  • Verify data storage location and update data retention settings
  • Configure alert notifications
  • Configure advanced features
• configure device attack surface reduction rules
  • Learn about attack surface reduction rules
  • Configure attack surface reduction capabilities
• configure and manage custom detections and alerts
  • Security operations dashboard
• respond to incidents and alerts
  • View and organize the Incidents queue
  • View and organize the Alerts queue
• manage automated investigations and remediations Assess and recommend endpoint configurations to reduce and remediate vulnerabilities by using Microsoft’s Threat and Vulnerability Management solution.
  • Configure AIR capabilities
• manage Microsoft Defender for Endpoint threat indicators
  • Create indicators
• analyze Microsoft Defender for Endpoint threat analytics
  • Threat analytics overview

Detect, investigate, respond, and remediate identity threats

• identify and remediate security risks related to sign-in risk policies
  • Configure risk policies
• identify and remediate security risks related to Conditional Access events
  • Conditional Access insights and reporting
• identify and remediate security risks related to Azure Active Directory
  • Identity secure score
• identify and remediate security risks using Secure Score
  • Secure Score overview
• identify, investigate, and remediate security risks related to privileged identities
  • Configure security alerts for Azure AD roles in Privileged Identity Management
  • Configure security alerts for Azure resource roles in Privileged Identity Management
• configure detection alerts in Azure AD Identity Protection
  • Configure notifications
• identify and remediate security risks related to Active Directory Domain Services using Microsoft Defender for Identity
  • Microsoft Defender for Identity Security Alerts

Detect, investigate, respond, and remediate application threats

• identify, investigate, and remediate security risks by using Microsoft Cloud Application Security (MCAS)
  • Investigate risky users
  • Detect suspicious user activity with UEBA
  • Investigate risky OAuth apps
• configure MCAS to generate alerts and reports to detect threats
  • Manage alerts
  • Create snapshot Cloud Discovery reports

Manage cross-domain investigations in Microsoft 365 Defender portal

• manage incidents across Microsoft 365 Defender products
  • Incident alerts
• manage actions pending approval across products
  • Manage incidents in Microsoft 365 Defender
• perform advanced threat hunting
  • Hunt for ransomware
  • Hunt across devices, emails, apps, and identities

Mitigate threats using Azure Defender (25-30%)

Design and configure an Azure Defender implementation

• plan and configure Azure Defender settings, including selecting target subscriptions and workspace
  • Organize management groups and subscriptions
  • Export to a Log Analytics workspace
• configure Azure Defender roles
  • User roles and permissions
• configure data retention policies
  • Change the data retention period
• assess and recommend cloud workload protection
  • Reference list of recommendations
  • Feature coverage for Azure PaaS resources
  • Coverage by OS, machine type, and cloud

Plan and implement the use of data connectors for ingestion of data sources in Azure Defender

• identify data sources to be ingested for Azure Defender
  • Integrate security solutions and data sources
• configure Automated Onboarding for Azure resources
  • Configure auto provisioning for agents and extensions from Azure Security Center
• connect on-premises computers
  • Connect non-Azure machines
• connect AWS cloud resources
  • Connect AWS accounts
• connect GCP cloud resources
  • Connect GCP accounts
• configure data collection
  • Integrate security solutions and data sources

Manage Azure Defender alert rules 

• validate alert configuration
  • Security alerts and incidents
• setup email notifications
  • Set up email notifications
• create and manage alert suppression rules
  • Create and manage alerts suppression rules

Configure automation and remediation 

• configure automated responses in Azure Security Center
  • Automate responses to alerts
• design and configure playbook in Azure Defender
  • Automate responses to recommendations
• remediate incidents by using Azure Defender recommendations
  • What is a security recommendation?
• create an automatic response using an Azure Resource Manager template
  • Quickstart: Create an automatic response to a specific security alert using an ARM template

Investigate Azure Defender alerts and incidents

• describe alert types for Azure workloads
  • How are alerts classified?
• manage security alerts
  • Investigate and respond to security alerts
• manage security incidents
  • Manage security incidents
• analyze Azure Defender threat intelligence
  • Generate threat intelligence reports
• respond to Azure Defender for Key Vault alerts
  • Handle Defender for Key Vault alerts
• manage user data discovered during an investigation
  • Manage user data

Mitigate threats using Azure Sentinel (40-45%)

Design and configure an Azure Sentinel workspace

• plan an Azure Sentinel workspace
  • Create a Log Analytics workspace in the Azure portal
  • Design a workspace deployment
• configure Azure Sentinel roles
  • Roles and permissions
• design Azure Sentinel data storage
  • Log data usage and costs
• configure Azure Sentinel service security
  • Security baseline

Plan and Implement the use of Data Connectors for Ingestion of Data Sources in Azure Sentinel

• identify data sources to be ingested for Azure Sentinel
  • Connect data sources
• identify the prerequisites for a data connector
  • Connect data sources
• configure and use Azure Sentinel data connectors
  • Create a custom connector
• design and configure Syslog and CEF event collections
  • Collect data from Linux-based sources using Syslog
• design and Configure Windows Events collections
  • Windows security events
• configure custom threat intelligence connectors
  • Connect threat intelligence
  • Create a custom connector
• create custom logs in Azure Log Analytics to store custom data
  • Design a workspace deployment

Manage Azure Sentinel analytics rules

• design and configure analytics rules
  • Use built-in rules
• create custom analytics rules to detect threats
  • Create a rule
• activate Microsoft security analytical rules
  • Work with SOC-ML anomaly rules
  • Enable User and Entity Behavior Analytics (UEBA)
• configure connector provided scheduled queries
  • Kusto query overview
• configure custom scheduled queries
  • Create a custom analytics rule with a scheduled query
• define incident creation logic
  • Scheduled Analytics Rules

Configure Security Orchestration Automation and Response (SOAR) in Azure Sentinel

• create Azure Sentinel playbooks
  • Steps for creating a playbook
• configure rules and incidents to trigger playbooks
  • How to run a playbook
• use playbooks to remediate threats
  • Use automation to respond to threats
• use playbooks to manage incidents
  • Respond to incidents
• use playbooks across Microsoft Defender solutions
  • Integrate with Microsoft 365 Defender

Manage Azure Sentinel Incidents

• investigate incidents in Azure Sentinel
  • Investigate incidents
• triage incidents in Azure Sentinel
  • Manage your SOC with incident metrics
• respond to incidents in Azure Sentinel
  • Automation rules
• investigate multi-workspace incidents
  • Work with incidents in multiple workspaces
• identify advanced threats with User and Entity Behavior Analytics (UEBA)
  • Common UEBA investigation methods

Use Azure Sentinel workbooks to analyze and interpret data

• activate and customize Azure Sentinel workbook templates
  • Use built-in workbooks
• create custom workbooks
  • Create new workbook
• configure advanced visualizations
  • Visualize collected data
• view and analyze Azure Sentinel data using workbooks
  • Use Azure Monitor workbooks
• track incident metrics using the security operations efficiency workbook
  • Security operations efficiency workbook

Hunt for threats using the Azure Sentinel portal

• create custom hunting queries
  • Threat hunting
• run hunting queries manually
  • Create KQL queries for Azure Sentinel
• monitor hunting queries by using Livestream
  • Hunt with livestream
• perform advanced hunting with notebooks
  • Hunt with Jupyter notebooks
• track query results with bookmarks
  • Hunt with bookmarks
• use hunting bookmarks for data investigations
  • Hunt with bookmarks
• convert a hunting query to an analytical rule
  • Create a custom analytics rule with a scheduled query