Preparing for the SC-200: Microsoft Security Operations Analyst exam (January 2022 Update)

SC-200 had a refresh in late January, which was mostly to incorporate the renaming of Azure Sentinel to Microsoft Sentinel, and the renaming of Azure Security Center and Azure Defender to Microsoft Defender for Cloud. In other words, the exam is going to be better aligned with current material you will be using for your exam preparation.

As I’ve mentioned in the previous preparation guides for Microsoft’s security and compliance exams, they are targeting those who have broad exposure across both Azure and Microsoft 365 technologies. If you take a look at the weighting of this exam, 65-75% of it could be categorised as mostly Azure related, while only 25-30% of the exam is Microsoft 365 focused. What does this mean for those of you planning on taking this exam?

If you are starting your exam preparation already having exposure to Microsoft Defender for Cloud, Microsoft Sentinel, Log Analytics, Kusto Query Language and Logic Apps, as well as an understanding of other related Azure services, you are going to be in pretty good shape to fill in the Microsoft 365 Defender gaps and pass the exam. However, you can also easily figure out that the opposite is true – if you’ve only been working with the Microsoft 365 Defender components, there is going to be much study and learning to have a good chance at passing on your first attempt.

The good news is that regardless of which of these categories you fall under, the exam doesn’t expect you to have a deep understanding of the workloads that you are trying to protect, and instead focuses on the skills and tools needed to perform those tasks, not how to remediate the underlying issues that might be identified on a workload by workload basis. This is where this exam is quite different to exams such as MS-500 and AZ-500, as they expect you to know the workloads you are trying to protect as well as how to protect them.

This means that the candidates for this exam get a very different recommendation from me versus those targeting one of the 500 series exams just mentioned, I usually don’t recommend those as someone’s first exam, as they tend to reward those who have done other exams in the lead up to them, in the case of MS-500 for example, I highly recommend that someone has already passed MS-100, MS-101 and MD-101 for example, as they’ve traditionally done a good job of covering a great deal of overlapping content with MS-500.

Now, if you’ve already passed MS-500 and AZ-500, this is an excellent choice as your next exam, because there will be some overlap in the technologies, but expect this exam to go much deeper into understanding the Defender family of technologies, and it also goes deeper into Sentinel than you will have seen on previous exams. You will definitely need to spend some time with Kusto and Log Analytics, not just for the Microsoft Sentinel portion of the exam, but Microsoft Defender for Cloud as well.

Mitigate threats using Microsoft 365 Defender (25-30%)

Detect, investigate, respond, and remediate threats to the productivity environment by using Microsoft Defender for Office 365

• detect, investigate, respond, and remediate threats to Microsoft Teams, SharePoint, and OneDrive
  • Remediation actions
  • Safe Attachments in Defender for Office 365
• detect, investigate, respond, remediate threats to email by using Defender for Office 365
  • AIR overview
• manage data loss prevention policy alerts
  • Get started with the data loss prevention alert dashboard
• assess and recommend sensitivity labels
  • Get started with sensitivity labels
• assess and recommend insider risk policies
  • Plan for insider risk management

Detect, investigate, respond, and remediate endpoint threats by using Microsoft Defender for Endpoint

• manage data retention, alert notification, and advanced features
  • Verify data storage location and update data retention settings
  • Configure alert notifications
  • Configure advanced features
• configure device attack surface reduction rules
  • Learn about attack surface reduction rules
  • Configure attack surface reduction capabilities
• configure and manage custom detections and alerts
  • Security operations dashboard
• respond to incidents and alerts
  • View and organize the Incidents queue
  • View and organize the Alerts queue
• manage automated investigations and remediations Assess and recommend endpoint configurations to reduce and remediate vulnerabilities by using Microsoft’s threat and vulnerability management solution.
  • Configure AIR capabilities
• manage Microsoft Defender for Endpoint threat indicators
  • Create indicators
• analyze Microsoft Defender for Endpoint threat analytics
  • Threat analytics overview

Detect, investigate, respond, and remediate identity threats

• identify and remediate security risks related to sign-in risk policies
  • Configure risk policies
• identify and remediate security risks related to Conditional Access events
  • Conditional Access insights and reporting
• identify and remediate security risks related to Azure Active Directory
  • Identity secure score
• identify and remediate security risks using Secure Score
  • Secure Score overview
• identify, investigate, and remediate security risks related to privileged identities
  • Configure security alerts for Azure AD roles in Privileged Identity Management
  • Configure security alerts for Azure resource roles in Privileged Identity Management
• configure detection alerts in Azure AD Identity Protection
  • Configure notifications
• identify and remediate security risks related to Active Directory Domain Services using Microsoft Defender for Identity
  • Microsoft Defender for Identity Security Alerts

Detect, investigate, respond, and remediate application threats

• identify, investigate, and remediate security risks by using Microsoft Cloud Application Security (MCAS)
  • Investigate risky users
  • Detect suspicious user activity with UEBA
  • Investigate risky OAuth apps
• configure MCAS to generate alerts and reports to detect threats
  • Manage alerts
  • Create snapshot Cloud Discovery reports

Manage cross-domain investigations in Microsoft 365 Defender portal

• manage incidents across Microsoft 365 Defender products
  • Incident alerts
• manage actions pending approval across products
  • Manage incidents in Microsoft 365 Defender
• perform advanced threat hunting
  • Hunt for ransomware
  • Hunt across devices, emails, apps, and identities

Mitigate threats using Microsoft Defender for Cloud (25-30%)

Design and configure an Microsoft Defender for Cloud implementation

• plan and configure Microsoft Defender for Cloud settings, including selecting target subscriptions and workspace
  • Organize management groups and subscriptions
  • Export to a Log Analytics workspace
• configure Microsoft Defender for Cloud roles
  • User roles and permissions
• configure data retention policies
  • Change the data retention period
• assess and recommend cloud workload protection
  • Reference list of recommendations
  • Feature coverage for Azure PaaS resources
  • Coverage by OS, machine type, and cloud

Plan and implement the use of data connectors for ingestion of data sources in Microsoft Defender for Cloud

• identify data sources to be ingested for Microsoft Defender for Cloud
  • Integrate security solutions and data sources
• configure automated onboarding for Azure resources
  • Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud
• connect on-premises computers
  • Connect non-Azure machines
• connect AWS cloud resources
  • Connect AWS accounts
• connect GCP cloud resources
  • Connect GCP accounts
• configure data collection
  • Integrate security solutions and data sources

Manage Microsoft Defender for Cloud alert rules 

• validate alert configuration
  • Security alerts and incidents
• setup email notifications
  • Set up email notifications
• create and manage alert suppression rules
  • Create and manage alerts suppression rules

Configure automation and remediation 

• configure automated responses in Microsoft Defender for Cloud
  • Automate responses to alerts
• design and configure workflow automation in Microsoft Defender for Cloud
  • Automate responses to recommendations
• remediate incidents by using Microsoft Defender for Cloud recommendations
  • What is a security recommendation?
• create an automatic response using an Azure Resource Manager template
  • Quickstart: Create an automatic response to a specific security alert using an ARM template

Investigate Microsoft Defender for Cloud alerts and incidents

• describe alert types for Azure workloads
  • How are alerts classified?
• manage security alerts
  • Investigate and respond to security alerts
• manage security incidents
  • Manage security incidents
• analyze Microsoft Defender for Cloud threat intelligence
  • Generate threat intelligence reports
• respond to Microsoft Defender for Cloud for Key Vault alerts
  • Handle Defender for Key Vault alerts
• manage user data discovered during an investigation
  • Manage user data

Mitigate threats using Microsoft Sentinel (40-45%)

Design and configure an Microsoft Sentinel workspace

• plan a Microsoft Sentinelworkspace
  • Create a Log Analytics workspace in the Azure portal
  • Design a workspace deployment
• configure Microsoft Sentinel roles
  • Roles and permissions
• design Microsoft Sentinel data storage
  • Log data usage and costs
• configure security settings and access for Microsoft Sentinel
  • Security baseline

Plan and Implement the use of Data Connectors for Ingestion of Data Sources in Microsoft Sentinel

• identify data sources to be ingested for Microsoft Sentinel
  • Connect data sources
• identify the prerequisites for a data connector
  • Connect data sources
• configure and use Microsoft Sentinel data connectors
  • Create a custom connector
• configure data connectors by using Azure Policy
  • Azure Policy
• design and configure Syslog and CEF event collections
  • Collect data from Linux-based sources using Syslog
• design and Configure Windows Security events collections
  • Windows security events
• configure custom threat intelligence connectors
  • Connect threat intelligence
  • Create a custom connector
• create custom logs in Azure Log Analytics to store custom data
  • Design a workspace deployment

Manage Microsoft Sentinel analytics rules

• design and configure analytics rules
  • Use built-in rules
• create custom analytics rules to detect threats
  • Create a rule
• activate Microsoft Security analyticsl rules
  • Work with SOC-ML anomaly rules
  • Enable User and Entity Behavior Analytics (UEBA)
• configure connector provided scheduled queries
  • Kusto query overview
• configure custom scheduled queries
  • Create a custom analytics rule with a scheduled query
• define incident creation logic
  • Scheduled Analytics Rules

Configure Security Orchestration Automation and Response (SOAR) in Microsoft Sentinel

• create Microsoft Sentinel playbooks
  • Steps for creating a playbook
• configure rules and incidents to trigger playbooks
  • How to run a playbook
• use playbooks to remediate threats
  • Use automation to respond to threats
• use playbooks to manage incidents
  • Respond to incidents
• use playbooks across Microsoft Defender solutions
  • Integrate with Microsoft 365 Defender

Manage Microsoft Sentinel Incidents

• investigate incidents in Microsoft Sentinel
  • Investigate incidents
• triage incidents in Microsoft Sentinel
  • Manage your SOC with incident metrics
• respond to incidents in Microsoft Sentinel
  • Automation rules
• investigate multi-workspace incidents
  • Work with incidents in multiple workspaces
• identify advanced threats with User and Entity Behavior Analytics (UEBA)
  • Common UEBA investigation methods

Use Microsoft Sentinel workbooks to analyze and interpret data

• activate and customize Microsoft Sentinel workbook templates
  • Use built-in workbooks
• create custom workbooks
  • Create new workbook
• configure advanced visualizations
  • Visualize collected data
• view and analyze Microsoft Sentinel data using workbooks
  • Use Azure Monitor workbooks
• track incident metrics using the security operations efficiency workbook
  • Security operations efficiency workbook

Hunt for threats using the Microsoft Sentinel portal

• create custom hunting queries
  • Threat hunting
• run hunting queries manually
  • Create KQL queries for Microsoft Sentinel
• monitor hunting queries by using Livestream
  • Hunt with livestream
• perform advanced hunting with notebooks
  • Hunt with Jupyter notebooks
• track query results with bookmarks
  • Hunt with bookmarks
• use hunting bookmarks for data investigations
  • Hunt with bookmarks
• convert a hunting query to an analytical rule
  • Create a custom analytics rule with a scheduled query