SC-200: Microsoft Security Operations Analyst Exam Resource Guide (February 2023 Update)

SC-200 just received a minor terminology update, which is good news if you’ve already been preparing and were hoping that this wasn’t a major update to the exam objectives. This is one my favourite exams to recommend for someone who wants to get in to Microsoft cybersecurity technologies and exams, due to some of the Defender and Sentinel skills you need to pass the exam.

If you’ve already passed MS-500 and AZ-500, this is an excellent choice as your next exam, because there will be some overlap in the technologies, but expect this exam to go much deeper into understanding the Defender family of technologies, and it also goes deeper into Sentinel than you will have seen on previous exams. You will definitely need to spend some time with Kusto and Log Analytics, not just for the Microsoft Sentinel portion of the exam, but Microsoft 365 Defender and Microsoft Defender for Cloud as well.

Mitigate threats using Microsoft 365 Defender (25-30%)

Mitigate threats to the productivity environment by using Microsoft 365 Defender 

• Investigate, respond, and remediate threats to Microsoft Teams, SharePoint, and OneDrive
  • Remediation actions
  • Safe Attachments in Defender for Office 365
• Investigate, respond, remediate threats to email by using Microsoft Defender for Office 365
  • AIR overview
• Investigate and respond to alerts generated from insider risk policies
  • Plan for insider risk management
• Identify, investigate, and remediate security risks by using Microsoft Defender for Cloud Apps
  • Investigate risky users
  • Detect suspicious user activity with UEBA
  • Investigate risky OAuth apps
• Configure Microsoft Defender for Cloud Apps to generate alerts and reports to detect threats
  • Manage alerts
  • Create snapshot Cloud Discovery reports

Mitigate endpoint threats by using Microsoft Defender for Endpoint

• Manage data retention, alert notification, and advanced features
  • Verify data storage location and update data retention settingsConfigure alert notifications
  • Configure advanced features
• Recommend security baselines for devices
  • Manage security baselines
• Respond to incidents and alerts
  • View and organize the Incidents queue
  • View and organize the Alerts queue
• Manage automated investigations and remediations
  • Configure AIR capabilities
• Assess and recommend endpoint configurations to reduce and remediate vulnerabilities by using the Microsoft threat and vulnerability management solution
  • Learn about attack surface reduction rules
  • Configure attack surface reduction capabilities
  • Security operations dashboard
• Manage Microsoft Defender for Endpoint threat indicators
  • Create indicators

Mitigate identity threats

• Identify and remediate security risks related to events for Microsoft Azure Active Directory (Azure AD), part of Microsoft Entra
  • Identity secure score
• Identify and remediate security risks related to Azure AD Identity Protection events
  • Configure notifications
• Identify and remediate security risks related to conditional access events
  • Conditional Access insights and reporting
• Identify and remediate security risks related to Active Directory Domain Services using Microsoft Defender for Identity
  • Microsoft Defender for Identity Security Alerts

Manage extended detection and response (XDR) in Microsoft 365 Defender

• Manage incidents across Microsoft 365 Defender products
  • Incident alerts
• Manage investigation and remediation actions in the Action Center
  • Manage incidents in Microsoft 365 Defender
• perform advanced threat hunting
  • Hunt for ransomware
  • Hunt across devices, emails, apps, and identities
• Identify and remediate security risks using Microsoft Secure Score
  • Secure Score overview
• Analyze threat analytics
  • Threat analytics overview
• Configure and manage custom detections and alerts
  • Create & manage detection rules
  • Manage alerts

Mitigate threats using Microsoft Defender for Cloud (20-25%)

Design and configure an Microsoft Defender for Cloud implementation

• Plan and configure Microsoft Defender for Cloud settings, including selecting target subscriptions and workspace
  • Organize management groups and subscriptions
  • Export to a Log Analytics workspace
  • Change the data retention period
• Configure Microsoft Defender for Cloud roles
  • User roles and permissions
• Assess and recommend cloud workload protection
  • Reference list of recommendations
  • Feature coverage for Azure PaaS resources
  • Coverage by OS, machine type, and cloud
• Identify and remediate security risks using the Microsoft Defender for Cloud Secure Score
  • Access and track your secure score
• Manage policies for regulatory compliance 
  • Improve your regulatory compliance
• Review and remediate security recommendations
  • Remediate recommendations

Plan and implement the use of data connectors for ingestion of data sources in Microsoft Defender for Cloud

• Identify data sources to be ingested for Microsoft Defender for Cloud
  • Integrate security solutions and data sources
• Configure automated onboarding for Azure resources
  • Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud
• Connect multi-cloud and on-premises resources
  • Connect non-Azure machines
  • Connect AWS accounts
  • Connect GCP accounts
• Configure data collection
  • Integrate security solutions and data sources

Configure and respond to alerts and incidents in Microsoft Defender for Cloud

• Validate alert configuration
  • Security alerts and incidents
  • How are alerts classified?
• Set up email notifications
  • Set up email notifications
• Create and manage alert suppression rules
  • Create and manage alerts suppression rules
• Design and configure workflow automation in Microsoft Defender for Cloud
  • Automate responses to recommendations
  • Automate responses to alerts
• Remediate alerts and incidents by using Microsoft Defender for Cloud recommendations
  • What is a security recommendation?
• Manage security alerts and incidents
  • Investigate and respond to security alerts
  • Manage security incidents
• Analyze Microsoft Defender for Cloud threat intelligence
  • Generate threat intelligence reports
• Manage user data discovered during and investigation
  • Manage user data

Mitigate threats using Microsoft Sentinel (50-55%)

Design and configure an Microsoft Sentinel workspace

• Plan a Microsoft Sentinel workspace
  • Design your Microsoft Sentinel workspace architecture
  • Create a Log Analytics workspace in the Azure portal
  • Design a workspace deployment
  • Security baseline
• Configure Microsoft Sentinel roles
  • Roles and permissions
• Design and configure Microsoft Sentinel data storage
  • Log data usage and costs
• Implement and use Content hub, repositories, and community resources
  • Content hub catalog
  • Manage custom content with repositories
  • Useful resources

Plan and Implement the use of data connectors for ingestion of data sources in Microsoft Sentinel

• Identify data sources to be ingested for Microsoft Sentinel
  • Connect data sources
• Identify the prerequisites for a Microsoft Sentinel data connector
  • Connect data sources
• Configure data connectors by using Azure Policy
  • Azure Policy
• Configure and use Microsoft Sentinel data connectors
  • Connect data sources
  • Create a custom connector
• Configure Microsoft Sentinel connectors for Microsoft 365 Defender and Microsoft Defender for Cloud 
  • Integrate with Microsoft 365 Defender
• Design and configure Syslog and CEF event collections
  • Collect data from Linux-based sources using Syslog
  • CEF over Syslog sources
• Design and Configure Windows Security events collections
  • Windows security events
• Configure custom threat intelligence connectors
  • Connect threat intelligence
  • Create a custom connector

Manage Microsoft Sentinel analytics rules

• Design and configure analytics rules
  • Use built-in rules
  • Create a rule
• Activate Microsoft Security analytics rules
  • Work with SOC-ML anomaly rules
  • Enable User and Entity Behavior Analytics (UEBA)
• Configure built-in scheduled queries
  • Use built-in analytics rules
  • Kusto query overview
• Configure custom scheduled queries
  • Create a custom analytics rule with a scheduled query
• Define incident creation logic
  • Scheduled Analytics Rules
• Manage and use watchlists
  • Create watchlists
  • Manage watchlists
• Manage and use threat indicators
  • Work with threat indicators

Perform data classification and normalization

• Classify and analyze data by using entities
  • Classifying data with entities
  • Investigate entities with entity pages
• Create custom logs in Azure Log Analytics to store custom data
  • Design a workspace deployment
• Query Microsoft Sentinel data by using Advanced SIEM Information Model (ASIM) parsers
  • ASIM parsers
• Develop and manage ASIM parsers
  • ASIM schemas
    

Configure Security Orchestration Automation and Response (SOAR) in Microsoft Sentinel

• Configure automation rules
  • Automation rules
• Create and configure Microsoft Sentinel playbooks
  • Steps for creating a playbook
  • How to run a playbook
• Configure alerts and incidents to trigger automation
  • Use triggers and actions in playbooks
  • Migrate alert playbooks to automation rules
• Use automation to remediate threats
  • Use automation to respond to threats
• Use automation to manage incidents
  • Respond to incidents

Manage Microsoft Sentinel Incidents

• Triage incidents in Microsoft Sentinel
  • Manage your SOC with incident metrics
• Investigate incidents in Microsoft Sentinel
  • Investigate incidents
• Respond to incidents in Microsoft Sentinel
  • Automation rules
• Investigate multi-workspace incidents
  • Work with incidents in multiple workspaces
• Identify advanced threats with User and Entity Behavior Analytics (UEBA)
  • Common UEBA investigation methods

Use Microsoft Sentinel workbooks to analyze and interpret data

• Activate and customize Microsoft Sentinel workbook templates
  • Use built-in workbooks
• Create custom workbooks
  • Create new workbook
• Configure advanced visualizations
  • Visualize collected data
• View and analyze Microsoft Sentinel data using workbooks
  • Use Azure Monitor workbooks
• Track incident metrics using the security operations efficiency workbook
  • Security operations efficiency workbook

Hunt for threats using Microsoft Sentinel

• Create custom hunting queries
  • Threat hunting
• Run hunting queries manually
  • Create KQL queries for Microsoft Sentinel
• Monitor hunting queries by using Livestream
  • Hunt with livestream
• Configure and use MSTICPy in notebooks
  • Get started with notebooks and MSTICPy
• Perform hunting by using notebooks
  • Hunt with Jupyter notebooks
• Track query results with bookmarks
  • Hunt with bookmarks
• Use hunting bookmarks for data investigations
  • Hunt with bookmarks
• Convert a hunting query to an analytical rule
  • Create a custom analytics rule with a scheduled query