SC-200: Microsoft Security Operations Analyst Exam Resource Guide (August 2022 Update)

SC-200 was updated in August, and while there are quite a few changes, it wasn’t a major overhaul, instead it’s more of a consolidation of some topics, as well as the expansion and addition of topics. Before we get into the main changes, it’s also worth noting the section weightings have changed, most notably the Microsoft Sentinel section expanding to 50-55% and Defender for Cloud dropping to 20-25%. This means that the weighting is still very heavily Azure leaning, now sitting and 70-80% of the exam versus previously sitting at 65-75% of the exam.

Why was the Sentinel weighting increased? Simple, there’s quite a few additional Sentinel topics included, reflecting some of the additional capabilities that have been introduced over the last few years. Let’s get into some of the differences with the exam update. Let’s start with what’s been removed, and then what’s been added.

Removed

• Sensitivity labels
• Attack surface reduction rules
• Privileged Identity Management
• Defender for Cloud automatic response using an Azure Resource Manager template
• Defender for Cloud for Key Vault alerts

As you can see. the list of what was removed is fairly short, but some of them are still potentially covered by other parts of the exam though. The list of what was added is dominated by Sentinel topics, and while they are mostly self explanatory, the one that stands out to me is Sentinel automation. Pay close attention here, because this is effectively telling you that it’s not just about automation using Playbooks. The other thing to note is that the inclusion of custom detections in Microsoft 365 Defender means another area where KQL can turn up in the exam.

If you are starting your exam preparation already having exposure to Microsoft Defender for Cloud, Microsoft Sentinel, Log Analytics, Kusto Query Language and Logic Apps, as well as an understanding of other related Azure services, you are going to be in pretty good shape to fill in the Microsoft 365 Defender gaps and pass the exam. However, you can also easily figure out that the opposite is true – if you’ve only been working with the Microsoft 365 Defender components, there is going to be much study and learning to have a good chance at passing on your first attempt.

The good news is that regardless of which of these categories you fall under, the exam doesn’t expect you to have a deep understanding of the workloads that you are trying to protect, and instead focuses on the skills and tools needed to perform those tasks, not how to remediate the underlying issues that might be identified on a workload by workload basis. This is where this exam is quite different to exams such as MS-500 and AZ-500, as they expect you to know a bit more about the workloads you are trying to protect as well as how to protect them.

This means that the candidates for this exam get a very different recommendation from me versus those targeting one of the 500 series exams just mentioned, I usually don’t recommend those as someone’s first exam, as they tend to reward those who have done other exams in the lead up to them, in the case of MS-500 for example, I highly recommend that someone has already passed MS-100, MS-101 and MD-101 for example, as they’ve traditionally done a good job of covering a great deal of overlapping content with MS-500.

If you’ve already passed MS-500 and AZ-500, this is an excellent choice as your next exam, because there will be some overlap in the technologies, but expect this exam to go much deeper into understanding the Defender family of technologies, and it also goes deeper into Sentinel than you will have seen on previous exams. You will definitely need to spend some time with Kusto and Log Analytics, not just for the Microsoft Sentinel portion of the exam, but Microsoft Defender for Cloud as well.

Mitigate threats using Microsoft 365 Defender (25-30%)

Mitigate threats to the productivity environment by using Microsoft 365 Defender 

• Investigate, respond, and remediate threats to Microsoft Teams, SharePoint, and OneDrive
  • Remediation actions
  • Safe Attachments in Defender for Office 365
• Investigate, respond, remediate threats to email by using Microsoft Defender for Office 365
  • AIR overview
• Investigate and respond to alerts generated from insider risk policies
  • Plan for insider risk management
• Identify, investigate, and remediate security risks by using Microsoft Defender for Cloud Apps
  • Investigate risky users
  • Detect suspicious user activity with UEBA
  • Investigate risky OAuth apps
• Configure Microsoft Defender for Cloud Apps to generate alerts and reports to detect threats
  • Manage alerts
  • Create snapshot Cloud Discovery reports

Mitigate endpoint threats by using Microsoft Defender for Endpoint

• Manage data retention, alert notification, and advanced features
  • Verify data storage location and update data retention settingsConfigure alert notifications
  • Configure advanced features
• Recommend security baselines for devices
  • Manage security baselines
• Respond to incidents and alerts
  • View and organize the Incidents queue
  • View and organize the Alerts queue
  • respond to incidents and alerts
• Manage automated investigations and remediations
  • Configure AIR capabilities
• Assess and recommend endpoint configurations to reduce and remediate vulnerabilities by using the Microsoft threat and vulnerability management solution
  • Learn about attack surface reduction rules
  • Configure attack surface reduction capabilities
  • Security operations dashboard
• Manage Microsoft Defender for Endpoint threat indicators
  • Create indicators

Mitigate identity threats

• Identify and remediate security risks related to Azure AD Identity Protection events
  • Configure notifications
• Identify and remediate security risks related to conditional access events
  • Conditional Access insights and reporting
• Identify and remediate security risks related to Azure Active Directory events
  • Identity secure score
• Identify and remediate security risks related to Active Directory Domain Services using Microsoft Defender for Identity
  • Microsoft Defender for Identity Security Alerts

Manage extended detection and response (XDR) in Microsoft 365 Defender

• Manage incidents across Microsoft 365 Defender products
  • Incident alerts
• Manage investigation and remediation actions in the Action Center
  • Manage incidents in Microsoft 365 Defender
• perform advanced threat hunting
  • Hunt for ransomware
  • Hunt across devices, emails, apps, and identities
• Identify and remediate security risks using Microsoft Secure Score
  • Secure Score overview
• Analyze threat analytics
  • Threat analytics overview
• Configure and manage custom detections and alerts
  • Create & manage detection rules
  • Manage alerts

Mitigate threats using Microsoft Defender for Cloud (20-25%)

Design and configure an Microsoft Defender for Cloud implementation

• Plan and configure Microsoft Defender for Cloud settings, including selecting target subscriptions and workspace
  • Organize management groups and subscriptions
  • Export to a Log Analytics workspace
  • Change the data retention period
• Configure Microsoft Defender for Cloud roles
  • User roles and permissions
• Assess and recommend cloud workload protection
  • Reference list of recommendations
  • Feature coverage for Azure PaaS resources
  • Coverage by OS, machine type, and cloud
• Identify and remediate security risks using the Microsoft Defender for Cloud Secure Score
  • Access and track your secure score
• Manage policies for regulatory compliance 
  • Improve your regulatory compliance
• Review and remediate security recommendations
  • Remediate recommendations

Plan and implement the use of data connectors for ingestion of data sources in Microsoft Defender for Cloud

• Identify data sources to be ingested for Microsoft Defender for Cloud
  • Integrate security solutions and data sources
• Configure automated onboarding for Azure resources
  • Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud
• Connect multi-cloud and on-premises resources
  • Connect non-Azure machines
  • Connect AWS accounts
  • Connect GCP accounts
• Configure data collection
  • Integrate security solutions and data sources

Configure and respond to alerts and incidents in Microsoft Defender for Cloud

• Validate alert configuration
  • Security alerts and incidents
  • How are alerts classified?
• Set up email notifications
  • Set up email notifications
• Create and manage alert suppression rules
  • Create and manage alerts suppression rules
• Design and configure workflow automation in Microsoft Defender for Cloud
  • Automate responses to recommendations
  • Automate responses to alerts
• Remediate alerts and incidents by using Microsoft Defender for Cloud recommendations
  • What is a security recommendation?
• Manage security alerts and incidents
  • Investigate and respond to security alerts
  • Manage security incidents
• Analyze Microsoft Defender for Cloud threat intelligence
  • Generate threat intelligence reports
• Manage user data discovered during and investigation
  • Manage user data

Mitigate threats using Microsoft Sentinel (50-55%)

Design and configure an Microsoft Sentinel workspace

• Plan a Microsoft Sentinel workspace
  • Create a Log Analytics workspace in the Azure portal
  • Design a workspace deployment
  • Security baseline
• Configure Microsoft Sentinel roles
  • Roles and permissions
• Design and configure Microsoft Sentinel data storage
  • Log data usage and costs
• Implement and use Content hub, repositories, and community resources
  • Content hub catalog
  • Manage custom content with repositories
  • Useful resources

Plan and Implement the use of data connectors for ingestion of data sources in Microsoft Sentinel

• Identify data sources to be ingested for Microsoft Sentinel
  • Connect data sources
• Identify the prerequisites for a Microsoft Sentinel data connector
  • Connect data sources
• Configure data connectors by using Azure Policy
  • Azure Policy
• Configure and use Microsoft Sentinel data connectors
  • Connect data sources
  • Create a custom connector
• Configure Microsoft Sentinel connectors for Microsoft 365 Defender and Microsoft Defender for Cloud 
  • Integrate with Microsoft 365 Defender
• Design and configure Syslog and CEF event collections
  • Collect data from Linux-based sources using Syslog
• Design and Configure Windows Security events collections
  • Windows security events
• Configure custom threat intelligence connectors
  • Connect threat intelligence
  • Create a custom connector

Manage Microsoft Sentinel analytics rules

• Design and configure analytics rules
  • Use built-in rules
  • Create a rule
• Activate Microsoft Security analytics rules
  • Work with SOC-ML anomaly rules
  • Enable User and Entity Behavior Analytics (UEBA)
• Configure built-in scheduled queries
  • Use built-in analytics rules
  • Kusto query overview
• Configure custom scheduled queries
  • Create a custom analytics rule with a scheduled query
• Define incident creation logic
  • Scheduled Analytics Rules
• Manage and use watchlists
  • Create watchlists
  • Manage watchlists
• Manage and use threat indicators
  • Work with threat indicators

Perform data classification and normalization

• Classify and analyze data by using entities
  • Classifying data with entities
  • Investigate entities with entity pages
• Create custom logs in Azure Log Analytics to store custom data
  • Design a workspace deployment
• Query Microsoft Sentinel data by using Advanced SIEM Information Model (ASIM) parsers
  • ASIM parsers
• Develop and manage ASIM parsers
  • ASIM schemas
    

Configure Security Orchestration Automation and Response (SOAR) in Microsoft Sentinel

• Configure automation rules
  • Automation rules
• Create and configure Microsoft Sentinel playbooks
  • Steps for creating a playbook
  • How to run a playbook
• Configure alerts and incidents to trigger automation
  • Use triggers and actions in playbooks
  • Migrate alert playbooks to automation rules
• Use automation to remediate threats
  • Use automation to respond to threats
• Use automation to manage incidents
  • Respond to incidents

Manage Microsoft Sentinel Incidents

• Triage incidents in Microsoft Sentinel
  • Manage your SOC with incident metrics
• Investigate incidents in Microsoft Sentinel
  • Investigate incidents
• Respond to incidents in Microsoft Sentinel
  • Automation rules
• Investigate multi-workspace incidents
  • Work with incidents in multiple workspaces
• Identify advanced threats with User and Entity Behavior Analytics (UEBA)
  • Common UEBA investigation methods

Use Microsoft Sentinel workbooks to analyze and interpret data

• Activate and customize Microsoft Sentinel workbook templates
  • Use built-in workbooks
• Create custom workbooks
  • Create new workbook
• Configure advanced visualizations
  • Visualize collected data
• View and analyze Microsoft Sentinel data using workbooks
  • Use Azure Monitor workbooks
• Track incident metrics using the security operations efficiency workbook
  • Security operations efficiency workbook

Hunt for threats using Microsoft Sentinel

• Create custom hunting queries
  • Threat hunting
• Run hunting queries manually
  • Create KQL queries for Microsoft Sentinel
• Monitor hunting queries by using Livestream
  • Hunt with livestream
• Configure and use MSTICPy in notebooks
  • Get started with notebooks and MSTICPy
• Perform hunting by using notebooks
  • Hunt with Jupyter notebooks
• Track query results with bookmarks
  • Hunt with bookmarks
• Use hunting bookmarks for data investigations
  • Hunt with bookmarks
• Convert a hunting query to an analytical rule
  • Create a custom analytics rule with a scheduled query