SC-200: Microsoft Security Operations Analyst Exam Resource Guide (May 2023 Update)

SC-200 just received a major update, including some structural changes as well as additional topics being added. Some of the additional items that have been added in include device groups, device discovery, attack surface reduction, UnifiedAuditLog, Content Search, Defender for DevOps, an expansion of UEBA topics and working with archived log data in Sentinel. There are more, but I just wanted to hihglight that the changes are found in all three sections of the exam topics.

This is one my favorite exams to recommend for someone who wants to get into Microsoft cybersecurity technologies and exams, due to some of the Defender and Sentinel skills you need to pass the exam. If you’ve already passed MS-500 (retiring shortly) and AZ-500, this is an excellent choice as your next exam, because there will be some overlap in the technologies, but expect this exam to go much deeper into understanding the Defender family of technologies, and it also goes deeper into Sentinel than you will have seen on previous exams. You will definitely need to spend some time with Kusto and Log Analytics, not just for the Microsoft Sentinel portion of the exam, but Microsoft 365 Defender and Microsoft Defender for Cloud as well.

Mitigate threats using Microsoft 365 Defender (25-30%)

Mitigate threats to the productivity environment by using Microsoft 365 Defender 

• Investigate, respond, and remediate threats to Microsoft Teams, SharePoint, and OneDrive
  • Remediation actions
  • Safe Attachments in Defender for Office 365
• Investigate, respond, and remediate threats to email by using Microsoft Defender for Office 365
  • AIR overview
• Investigate and respond to alerts generated from Data Loss Prevention policies
  • Investigate data loss prevention alerts with Microsoft 365 Defender
• Investigate and respond to alerts generated from insider risk policies
  • Plan for insider risk management
• Discover and manage apps by using Microsoft Defender for Cloud Apps
  • Create snapshot Cloud Discovery reports
• Identify, investigate, and remediate security risks by using Defender for Cloud Apps
  • Investigate risky users
  • Detect suspicious user activity with UEBA
  • Investigate risky OAuth apps
  • Manage alerts

Mitigate endpoint threats by using Microsoft Defender for Endpoint

• Manage data retention, alert notification, and advanced features
  • Verify data storage location and update data retention settingsConfigure alert notifications
  • Configure advanced features
• Recommend attack surface reduction (ASR) for devices
  • Learn about attack surface reduction rules
  • Configure attack surface reduction capabilities
  • Security operations dashboard
  • Manage security baselines
• Respond to incidents and alerts
  • View and organize the Incidents queue
  • View and organize the Alerts queue
• Configure and manage device groups
  • Create and manage device groups in Microsoft Defender for Endpoint
• Identify devices at risk by using the Microsoft Defender Vulnerability Management
  • What is Microsoft Defender Vulnerability Management
• Manage endpoint threat indicators
  • Create indicators
• Identify unmanaged devices by using device discovery
  • Configure device discovery

Mitigate identity threats

• Identify and remediate security risks related to events for Microsoft Azure Active Directory (Azure AD), part of Microsoft Entra
  • Identity secure score
• Identify and remediate security risks related to Azure AD Identity Protection events
  • Configure notifications
• Identify and remediate security risks related to Active Directory Domain Services using Microsoft Defender for Identity
  • Microsoft Defender for Identity Security Alerts

Manage extended detection and response (XDR) in Microsoft 365 Defender

• Manage incidents and automated investigations in the Microsoft 365 Defender portal
  • Incident alerts
  • Manage incidents in Microsoft 365 Defender
• Manage actions and submissions in the Microsoft 365 Defender portal
  • Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft
• Identify threats by using KQL
  • Hunt for ransomware
  • Hunt across devices, emails, apps, and identities
• Identify and remediate security risks using Microsoft Secure Score
  • Secure Score overview
• Analyze threat analytics in the Microsoft 365 Defender portal
  • Threat analytics overview
• Configure and manage custom detections and alerts
  • Create & manage detection rules
  • Manage alerts

Investigate threats by using audit features in Microsoft 365 Defender and Microsoft Purview

• Perform threat hunting by using UnifiedAuditLog
  • Search the audit log
• Perform threat hunting by using Content Search
  • Get started with Content search

Mitigate threats using Microsoft Defender for Cloud (15-20%)

Implement and maintain cloud security posture management

• Assign and manage regulatory compliance policies, including Microsoft cloud security benchmark (MCSB)
  • Improve your regulatory compliance
• Improve the Defender for Cloud secure score by remediating recommendations
  • Access and track your secure score
  • Remediate recommendations
• Configure plans and agents for Microsoft Defender for Servers
  • Select a Defender for Servers plan
  • Protect servers with Defender for Servers
• Configure and manage Microsoft Defender for DevOps
  • Connect GitHub repositories
  • Connect Azure DevOps repositories
  • Configure the Microsoft Security DevOps GitHub action
  • Configure the Microsoft Security DevOps Azure DevOps extension

Configure environment settings in Defender for Cloud

• Plan and configure Microsoft Defender for Cloud settings, including selecting target subscriptions and workspaces
  • Organize management groups and subscriptions
  • Export to a Log Analytics workspace
  • Change the data retention period
  • Integrate security solutions and data sources
• Configure Microsoft Defender for Cloud roles
  • User roles and permissions
• Assess and recommend cloud workload protection
  • Reference list of recommendations
  • Feature coverage for Azure PaaS resources
  • Coverage by OS, machine type, and cloud
• Enable Microsoft Defender plans for Defender for Cloud
  • Integrate security solutions and data sources
• Configure automated onboarding for Azure resources
  • Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud
• Connect compute resources by using Azure Arc
  • Plan agents, extensions, and Azure Arc for Defender for Servers
• Connect multicloud resources by using Environment settings
  • Connect non-Azure machines
  • Connect AWS accounts
  • Connect GCP accounts

Respond to alerts and incidents in Microsoft Defender for Cloud

• Set up email notifications
  • Security alerts and incidents
  • How are alerts classified?
• Set up email notifications
  • Set up email notifications
• Create and manage alert suppression rules
  • Create and manage alerts suppression rules
• Design and configure workflow automation in Microsoft Defender for Cloud
  • Automate responses to recommendations
  • Automate responses to alerts
• Remediate alerts and incidents by using Microsoft Defender for Cloud recommendations
  • What is a security recommendation?
• Manage security alerts and incidents
  • Investigate and respond to security alerts
  • Manage security incidents
• Analyze Microsoft Defender for Cloud threat intelligence reports
  • Generate threat intelligence reports

Mitigate threats using Microsoft Sentinel (50-55%)

Design and configure an Microsoft Sentinel workspace

• Plan a Microsoft Sentinel workspace
  • Design your Microsoft Sentinel workspace architecture
  • Create a Log Analytics workspace in the Azure portal
  • Design a workspace deployment
  • Security baseline
• Configure Microsoft Sentinel roles
  • Roles and permissions
• Design and configure Microsoft Sentinel data storage
  • Log data usage and costs

Plan and Implement the use of data connectors for ingestion of data sources in Microsoft Sentinel

• Identify data sources to be ingested for Microsoft Sentinel
  • Connect data sources
• Configure and use Microsoft Sentinel data connectors for Azure resources, including Azure Policy and diagnostic settings
  • Azure Policy
  • Connect data sources
  • Create a custom connector
• Configure Microsoft Sentinel connectors for Microsoft 365 Defender and Microsoft Defender for Cloud 
  • Integrate with Microsoft 365 Defender
• Design and configure Syslog and Common Event Format (CEF) event collections
  • Collect data from Linux-based sources using Syslog
  • CEF over Syslog sources
• Design and Configure Windows Security events collections
  • Windows security events
• Configure threat intelligence connectors
  • Connect threat intelligence
  • Create a custom connector
• Create custom log tables in the workspace to store ingested data
  • Design a workspace deployment

Manage Microsoft Sentinel analytics rules

• Configure the Fusion rule
  • Configure multistage attack (Fusion) rules
• Configure Microsoft security analytics rules
  • Work with SOC-ML anomaly rules
  • Enable User and Entity Behavior Analytics (UEBA)
• Configure built-in scheduled query rules
  • Use built-in rules
• Configure custom scheduled query rules
  • Create a rule
  • Create a custom analytics rule with a scheduled query
• Configure near-real-time (NRT) query rules
  • Create near-real-time (NRT) analytics rules
• Manage analytics rules from Content hub
  • Content hub catalog
  • Manage custom content with repositories
  • Useful resources
• Manage and use watchlists
  • Create watchlists
  • Manage watchlists
• Manage and use threat indicators
  • Work with threat indicators

Perform data classification and normalization

• Classify and analyze data by using entities
  • Classifying data with entities
  • Investigate entities with entity pages
• Query Microsoft Sentinel data by using Advanced SIEM Information Model (ASIM) parsers
  • ASIM parsers
• Develop and manage ASIM parsers
  • ASIM schemas
    

Configure Security Orchestration Automation and Response (SOAR) in Microsoft Sentinel

• Create and configure automation rules
  • Automation rules
  • Use automation to respond to threats
• Create and configure Microsoft Sentinel playbooks
  • Steps for creating a playbook
  • How to run a playbook
• Configure analytics rules to trigger automation
  • Use triggers and actions in playbooks
  • Migrate alert playbooks to automation rules
• Trigger playbooks manually from alerts and incidents
  • Use triggers and actions in playbooks

Manage Microsoft Sentinel Incidents

• Create an incident
  • Create incidents from Microsoft Security alerts
• Triage incidents in Microsoft Sentinel
  • Manage your SOC with incident metrics
• Investigate incidents in Microsoft Sentinel
  • Investigate incidents
• Respond to incidents in Microsoft Sentinel
  • Automation rules
  • Respond to incidents
• Investigate multi-workspace incidents
  • Work with incidents in multiple workspaces

Use Microsoft Sentinel workbooks to analyze and interpret data

• Activate and customize Microsoft Sentinel workbook templates
  • Use built-in workbooks
  • Security operations efficiency workbook
• Create custom workbooks
  • Create new workbook
  • Use Azure Monitor workbooks
• Configure advanced visualizations
  • Visualize collected data

Hunt for threats using Microsoft Sentinel

• Analyze attack vector coverage by using MITRE ATT&CK in Microsoft Sentinel
  • MITRE ATT&CK coverage
• Customize content gallery hunting queries
  • Threat hunting
• Create custom hunting queries
  • Create KQL queries for Microsoft Sentinel
• Use hunting bookmarks for data investigations
  • Hunt with bookmarks
• Monitor hunting queries by using Livestream
  • Hunt with livestream
• Retrieve and manage archived log data
  • Restore archived logs from search
  • Configure data retention and archive
• Create and manage search jobs
  • Search large datasets

Manage threats by using entity behavior analytics

• Configure entity behavior settings
  • Enable User and Entity Behavior Analytics (UEBA)
• Investigate threats by using entity pages
  • Common UEBA investigation methods
• Configure anomaly detection analytics rules
  • Anomaly detection rules