
SC-200 : Microsoft Security Operations Analyst

Topics: Azure, Microsoft 365, Security
Level : Intermediate
Useful information
Duration : 4 Days (28 Hours)
Remote price : 2900 € excl tax/pers
Mock exam price : 60 € excl tax/pers
Voucher : Offered
Targeted audience
  • Security Operators
Next dates
Remote
Intra-company
On demand

Training Overview

This training will allow you to investigate, respond to, and hunt for threats, and to mitigate them, using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft Defender XDR (the products formerly named Azure Sentinel, Azure Defender, and Microsoft 365 Defender). During this training, you will configure and use Microsoft Sentinel and use Kusto Query Language (KQL) to perform detection, analysis, and reporting.



Learning Objectives

Trainees will be able to:

  • Mitigate threats with Microsoft Defender XDR
  • Mitigate threats with Microsoft Purview
  • Mitigate threats with Microsoft Copilot
  • Mitigate threats with Microsoft Defender for Endpoint
  • Mitigate threats with Microsoft Defender for Cloud
  • Create queries for Microsoft Sentinel with Kusto Query Language (KQL)
  • Configure your Microsoft Sentinel environment
  • Connect logs to Microsoft Sentinel
  • Create detections and conduct investigations with Microsoft Sentinel
  • Perform threat hunting in Microsoft Sentinel.
Training Program

Discover Microsoft Defender XDR Threat Protection

  • Understand Microsoft Defender XDR solutions by domain
  • Understand the role of Microsoft Defender XDR in a modern SOC

Mitigate Incidents with Microsoft Defender XDR

  • Manage incidents in Microsoft Defender XDR
  • Review incidents in Microsoft Defender XDR
  • Conduct advanced hunting in Microsoft Defender XDR
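As an added illustration of the "advanced hunting" item above (example query written for this page, not material from the course or from Microsoft), the following KQL runs in the Microsoft Defender XDR advanced hunting page. It uses the DeviceProcessEvents table of the advanced hunting schema; the 7-day window and the two process lists are assumptions chosen to surface Office applications spawning shells or script hosts, a common macro-delivery pattern.

```kql
// Added example (not from the course page): advanced hunting in Microsoft Defender XDR.
// Table and column names are from the advanced hunting schema (DeviceProcessEvents);
// the time window and the process lists are assumptions.
let office_apps  = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let script_hosts = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
// parent is an Office application ...
| where InitiatingProcessFileName in~ (office_apps)
// ... and the child is a shell or script host
| where FileName in~ (script_hosts)
| summarize Hits = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Samples = make_set(ProcessCommandLine, 5)
    by DeviceId, DeviceName, AccountName, InitiatingProcessFileName, FileName
| order by Hits desc
```

The summarize keeps one row per device, account and parent/child pair with a handful of sample command lines, which is usually enough to decide whether a hit is a legitimate add-in or something to escalate; the same query can be saved as a custom detection rule once it has been tuned.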

Protect Identities with Microsoft Entra ID Protection

  • Discover the features of Microsoft Entra ID Protection
  • Learn about the investigation and remediation capabilities of Microsoft Entra ID Protection

Remediate Risks with Microsoft Defender for Office 365

  • Define the features of Microsoft Defender for Office 365
  • Simulate attacks within your network
  • Remediate risks in your environment with Microsoft Defender for Office 365

Secure Your Environment with Microsoft Defender for Identity

  • Define the features of Microsoft Defender for Identity
  • Configure Microsoft Defender for Identity sensors
  • Remediate risks in your environment with Microsoft Defender for Identity

Secure Cloud Apps and Services with Microsoft Defender for Cloud Apps

  • Define the Defender for Cloud Apps infrastructure
  • Explain how Cloud Discovery helps you see what’s happening in your organization
  • Use conditional access app control policies to control access to your organization’s apps

Respond to Data Loss Prevention Alerts with Microsoft 365

  • Describe the components of Data Loss Prevention (DLP) in Microsoft 365
  • Review DLP alerts in the Microsoft Purview compliance portal
  • Investigate DLP alerts in Microsoft Defender for Cloud Apps

Manage Insider Risks with Microsoft Purview

  • Prevent, detect, and contain insider risks in an organization with Microsoft Purview Insider Risk Management
  • Describe the types of built-in and pre-configured policy templates
  • List the prerequisites to be met before creating insider risk policies
  • Explain the types of actions to take in an insider risk management case

Describe Microsoft Security Copilot

  • Understand what Microsoft Security Copilot is
  • Describe the terminology of Microsoft Security Copilot
  • Understand how Microsoft Security Copilot handles prompt requests
  • Describe the elements of an effective prompt
  • Enable Microsoft Security Copilot

Key Features of Microsoft Security Copilot

  • Describe the features available in the standalone experience
  • Describe the services Microsoft Security Copilot can integrate with

Integrated Experiences of Microsoft Security Copilot

  • Describe Microsoft Security Copilot in Microsoft Defender XDR
  • Describe Microsoft Security Copilot in Microsoft Purview
  • Describe Microsoft Security Copilot in Microsoft Entra

Audit with Microsoft Purview

  • Identify the differences between Microsoft Purview Audit (Standard) and Audit (Premium)
  • Configure Microsoft Purview Audit to optimize log management
  • Perform audits to assess compliance and security measures
  • Analyze irregular access patterns using advanced tools in Purview Audit (Premium) and PowerShell
  • Ensure regulatory compliance through strategic data management

Investigate Threats with Content Search in Microsoft Purview

  • Use content search in the Microsoft Purview compliance portal
  • Design and create a content search
  • Preview search results
  • View search statistics
  • Export search results and report
  • Configure search permission filtering

Protect Against Threats with Microsoft Defender for Endpoint

  • Define the features of Microsoft Defender for Endpoint
  • Hunt for threats within your network
  • Remediate risks in your environment with Microsoft Defender for Endpoint

Deploy Microsoft Defender for Endpoint Environment

  • Create a Microsoft Defender for Endpoint environment
  • Onboard devices to be monitored by Microsoft Defender for Endpoint
  • Configure Microsoft Defender for Endpoint settings

Implement Windows Security Enhancements with Microsoft Defender for Endpoint

  • Explain attack surface reduction in Windows
  • Enable attack surface reduction rules on Windows 10 devices
  • Configure attack surface reduction rules on Windows 10 devices

Investigate Devices in Microsoft Defender for Endpoint

  • Use the device page in Microsoft Defender for Endpoint
  • Describe forensic information on devices collected by Microsoft Defender for Endpoint
  • Describe behavioral blocking by Microsoft Defender for Endpoint

Take Actions on a Device with Microsoft Defender for Endpoint

  • Perform actions on a device using Microsoft Defender for Endpoint
  • Execute a forensic data collection using Microsoft Defender for Endpoint
  • Remotely access devices using Microsoft Defender for Endpoint

Conduct File and Entity Investigations with Microsoft Defender for Endpoint

  • Investigate files in Microsoft Defender for Endpoint
  • Investigate domains and IP addresses in Microsoft Defender for Endpoint
  • Investigate user accounts in Microsoft Defender for Endpoint

Configure and Manage Automation with Microsoft Defender for Endpoint

  • Configure advanced features of Microsoft Defender for Endpoint
  • Manage automation settings in Microsoft Defender for Endpoint

Configure Alerts and Detections in Microsoft Defender for Endpoint

  • Configure alert settings in Microsoft Defender for Endpoint
  • Manage indicators in Microsoft Defender for Endpoint

Use Vulnerability Management in Microsoft Defender for Endpoint

  • Manage threats and vulnerabilities in Microsoft Defender for Endpoint
  • Identify vulnerabilities on devices with Microsoft Defender for Endpoint
  • Track emerging threats in Microsoft Defender for Endpoint

Plan Cloud Workload Protections with Microsoft Defender for Cloud

  • Describe the features of Microsoft Defender for Cloud
  • Explain workload protections in Microsoft Defender for Cloud
  • Enable Microsoft Defender for Cloud

Connect Azure Resources to Microsoft Defender for Cloud

  • Explore Azure resources
  • Configure auto-provisioning in Microsoft Defender for Cloud
  • Describe manual provisioning in Microsoft Defender for Cloud

Connect Non-Azure Resources to Microsoft Defender for Cloud

  • Connect non-Azure machines to Microsoft Defender for Cloud
  • Connect AWS accounts to Microsoft Defender for Cloud
  • Connect GCP accounts to Microsoft Defender for Cloud

Manage Cloud Security Posture with Microsoft Defender for Cloud

  • Describe the features of Microsoft Defender for Cloud
  • Explain Microsoft Defender for Cloud security posture management protections for your resources

Explain Cloud Workload Protections in Microsoft Defender for Cloud

  • Explain which workloads are protected by Microsoft Defender for Cloud
  • Describe the benefits of protections provided by Microsoft Defender for Cloud
  • Explain how Microsoft Defender for Cloud protection works

Remediate Security Alerts with Microsoft Defender for Cloud

  • Describe alerts in Microsoft Defender for Cloud
  • Remediate alerts in Microsoft Defender for Cloud
  • Automate responses in Microsoft Defender for Cloud

Build KQL Statements for Microsoft Sentinel

  • Build KQL statements
  • Search security events in log files using KQL
  • Filter searches based on event time, severity, domain, and other relevant data using KQL

Analyze Query Results with KQL

  • Synthesize data using KQL statements
  • Display visualizations using KQL statements

Build Multi-Table Statements with KQL

  • Create queries using unions to display results across multiple tables using KQL
  • Merge two tables with the join operator using KQL

Use Data in Microsoft Sentinel with Kusto Query Language

  • Extract data from unstructured string fields using KQL
  • Extract data from structured string data using KQL
  • Create functions using KQL
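As an added example covering the four KQL modules above (written for this page; not course material), the query below defines a parameterized KQL function, extracts fields from a free-text sudo message with the parse operator, and unions Linux and Windows command executions into one result set. Column names follow the standard Syslog and SecurityEvent schemas; the time window, the watched-command list and the threshold are assumptions.

```kql
// Added example (not from the course page): a KQL function, parse on an
// unstructured message, and a union across a Linux and a Windows table.
// Column names follow the Syslog and SecurityEvent schemas; the window,
// the command list and the threshold are assumptions.
let window = 1d;
// sudo writes lines such as
//   "alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/bash"
// parse splits that free text into columns on the literal delimiters.
let linux_commands = (since:datetime) {
    Syslog
    | where TimeGenerated > since
    | where ProcessName == "sudo" and SyslogMessage has "COMMAND="
    | parse SyslogMessage with RawUser " : TTY=" Tty " ; PWD=" Cwd " ; USER=" RunAs " ; COMMAND=" Command
    | project TimeGenerated, Computer,
              Account = trim(@"\s+", RawUser),
              RunAs, Command, Source = "Linux/sudo"
};
// Windows 4688 (process creation) already carries the command line as a column
// when command-line auditing is enabled, so no parsing is needed.
let windows_commands = (since:datetime) {
    SecurityEvent
    | where TimeGenerated > since
    | where EventID == 4688
    | project TimeGenerated, Computer, Account,
              RunAs = "", Command = CommandLine, Source = "Windows/4688"
};
// union stacks both sources into one table with a common shape, so a single
// detection covers both platforms.
union (linux_commands(ago(window))), (windows_commands(ago(window)))
| where Command has_any ("ncat", "socat", "curl", "wget", "powershell", "certutil", "mshta", "base64")
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Commands = make_set(Command, 10)
    by Account, Computer, Source
| where Hits >= 3
| order by Hits desc
```

Giving each source the same output columns before the union is what makes the later filter and summarize platform-agnostic; the same idea, applied systematically, is what the ASIM normalization module later in the course formalizes.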

Discover Microsoft Sentinel

  • Identify the different components and features of Microsoft Sentinel
  • Identify use cases where Microsoft Sentinel is a good solution

Create and Manage Microsoft Sentinel Workspaces

  • Describe the architecture of the Microsoft Sentinel workspace
  • Install the Microsoft Sentinel workspace
  • Manage a Microsoft Sentinel workspace

Query Logs in Microsoft Sentinel

  • Use the Logs page to view data tables in Microsoft Sentinel
  • Query the most used tables using Microsoft Sentinel

Use Watchlists in Microsoft Sentinel

  • Create a watchlist in Microsoft Sentinel
  • Use KQL to access the watchlist in Microsoft Sentinel

Use Threat Intelligence in Microsoft Sentinel

  • Manage threat indicators in Microsoft Sentinel
  • Use KQL to access threat indicators in Microsoft Sentinel
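As an added example for the watchlist and threat-intelligence items above, and for the earlier "extract data from structured string data" item (written for this page; not course material): the query reads a watchlist with the _GetWatchlist() function, joins it to SigninLogs, then annotates each sign-in with any matching active indicator from ThreatIntelligenceIndicator. The watchlist name "VIPUsers" and its column "UserPrincipalName" are assumptions; the other table and column names are the standard schemas. LocationDetails and DeviceDetail are dynamic (JSON) columns, so fields are read with dotted paths; parse_json() is shown on one of them because that is the call you would apply first if a source delivered the same JSON as a plain string.

```kql
// Added example (not from the course page): watchlist join, threat-intel
// join, and reading fields out of structured (JSON) columns.
// Assumed: a watchlist named "VIPUsers" with a "UserPrincipalName" column.
let lookback = 1d;
let ioc_lookback = 14d;
// watchlist columns come back from _GetWatchlist as dynamic; normalize to string
let vip =
    _GetWatchlist('VIPUsers')
    | project UserPrincipalName = tolower(tostring(UserPrincipalName));
// only indicators that are still active, one row per indicator
let active_ip_iocs =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookback)
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | project NetworkIP, ConfidenceScore, ThreatType, Description;
SigninLogs
| where TimeGenerated >= ago(lookback)
| where ResultType == "0"                                   // successful sign-ins only
| extend UserPrincipalName = tolower(UserPrincipalName),
         // structured data: dotted-path access on dynamic columns
         Country = tostring(parse_json(LocationDetails).countryOrRegion),
         OS = tostring(DeviceDetail.operatingSystem)
// inner join keeps only sign-ins by users present on the watchlist
| join kind=inner vip on UserPrincipalName
// leftouter join adds indicator details where the source IP is a known IOC
| join kind=leftouter active_ip_iocs on $left.IPAddress == $right.NetworkIP
| extend IsKnownBadIP = isnotempty(NetworkIP)
| summarize SignIns = count(),
            BadIPHits = countif(IsKnownBadIP),
            Countries = make_set(Country, 5),
            Threats = make_set(ThreatType, 5),
            OSes = make_set(OS, 5)
    by UserPrincipalName, AppDisplayName
| where BadIPHits > 0 or array_length(Countries) > 1
| order by BadIPHits desc, SignIns desc
```

The arg_max() step matters: indicators are re-ingested on update, so without it a single IOC would multiply every matching sign-in. The final filter pairs the indicator match with a cheap second signal (the same VIP signing in from more than one country in a day) so the query is useful even on days with no IOC hits.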

Connect Data to Microsoft Sentinel Using Data Connectors

  • Install content hub solutions to provision Microsoft Sentinel data connectors
  • Use data connectors in Microsoft Sentinel
  • Describe providers of Microsoft Sentinel data connectors
  • Explain differences between Common Event Format and Syslog connector in Microsoft Sentinel

Connect Microsoft Services to Microsoft Sentinel

  • Connect Microsoft service connectors
  • Explain how connectors automatically create incidents in Microsoft Sentinel

Connect Microsoft Defender XDR to Microsoft Sentinel

  • Enable the Microsoft Defender XDR connector in Microsoft Sentinel
  • Enable the Microsoft Defender for Cloud connector in Microsoft Sentinel
  • Enable the Microsoft Defender for IoT connector in Microsoft Sentinel

Connect Windows Hosts to Microsoft Sentinel

  • Connect Azure Windows virtual machines to Microsoft Sentinel
  • Connect non-Azure Windows hosts to Microsoft Sentinel
  • Configure the agent to collect Sysmon events (the course material references the Log Analytics agent; that agent is retired, and new deployments should use the Azure Monitor agent with a data collection rule)

Connect Common Event Format Logs to Microsoft Sentinel

  • Deploy the Common Event Format connector in Microsoft Sentinel
  • Run the deployment script for the Common Event Format connector

Connect Syslog Data Sources to Microsoft Sentinel

  • Describe the Azure Monitor agent data collection rule for Syslog
  • Install and configure the Azure Monitor Linux agent extension with the Syslog data collection rule
  • Run the Azure Arc deployment and connection scripts on non-Azure Linux hosts
  • Verify that Syslog log data is available in Microsoft Sentinel
  • Create a parser using KQL in Microsoft Sentinel

Connect Threat Indicators to Microsoft Sentinel

  • Configure the TAXII connector in Microsoft Sentinel
  • Configure the Threat Intelligence Platform connector in Microsoft Sentinel
  • View threat indicators in Microsoft Sentinel

Detect Threats with Microsoft Sentinel Analytics

  • Explain the importance of Microsoft Sentinel Analytics
  • Explain the different types of analytic rules
  • Create rules from templates
  • Create new rules and analytic queries using the Analytics Rule Wizard
  • Manage rules with changes

Automate in Microsoft Sentinel

  • Explain automation options in Microsoft Sentinel
  • Create automation rules in Microsoft Sentinel

Respond to Threats with Microsoft Sentinel Playbooks

  • Explain the SOAR capabilities of Microsoft Sentinel
  • Explore the Microsoft Sentinel Logic Apps connector
  • Create a playbook to automate incident response
  • Run a playbook on-demand in response to an incident

Manage Security Incidents in Microsoft Sentinel

  • Discover security incidents and incident management in Microsoft Sentinel
  • Explore Microsoft Sentinel incident evidence and entities
  • Use Microsoft Sentinel to investigate security incidents and manage incident resolution

Identify Threats with Behavioral Analytics

  • Explain User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel
  • Explore entities in Microsoft Sentinel

Normalize Data in Microsoft Sentinel

  • Use ASIM parsers
  • Create an ASIM parser
  • Create parameterized KQL functions
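As an added example for the ASIM items above and for the earlier "Create a parser using KQL" item in the Syslog module (written for this page; not course material and not one of Microsoft's published ASIM parsers): a hand-written, ASIM-style Authentication parser for OpenSSH messages in the Syslog table, built as a parameterized KQL function. The starttime/endtime/disabled parameters follow the ASIM parser convention so the function is called the same way as the built-in parsers; the function name, the subset of ASIM fields mapped here and the final threshold are assumptions.

```kql
// Added example (not from the course page): an ASIM-style Authentication
// parser for OpenSSH sshd messages, as a parameterized KQL function.
// The function name and the field subset are assumptions; this is not one
// of Microsoft's published ASIM parsers.
let vimAuthenticationOpenSSH_Example = (
        starttime:datetime = datetime(null),
        endtime:datetime = datetime(null),
        disabled:bool = false) {
    Syslog
    | where not(disabled)
    // ASIM convention: time filtering happens inside the parser
    | where (isnull(starttime) or TimeGenerated >= starttime)
        and (isnull(endtime) or TimeGenerated <= endtime)
    | where ProcessName == "sshd"
    // only the two message shapes this parser understands:
    //   "Failed password for [invalid user ]<user> from <ip> port <port> ssh2"
    //   "Accepted publickey for <user> from <ip> port <port> ssh2: ..."
    | where SyslogMessage startswith "Failed password for"
         or SyslogMessage startswith "Accepted "
    | parse SyslogMessage with * " for " RawUser " from " SrcIpAddr " port " SrcPortNumber:int " " *
    | extend
        EventVendor        = "OpenBSD",
        EventProduct       = "OpenSSH",
        EventSchema        = "Authentication",
        EventType          = "Logon",
        EventStartTime     = TimeGenerated,
        EventEndTime       = TimeGenerated,
        EventResult        = iff(SyslogMessage startswith "Accepted", "Success", "Failure"),
        // "invalid user bob" -> "bob"
        TargetUsername     = trim_start("invalid user ", RawUser),
        TargetUsernameType = "Simple",
        LogonMethod        = iff(SyslogMessage has "publickey", "PublicKey", "Password"),
        Dvc                = Computer,
        DvcHostname        = Computer
    | project-away RawUser
};
// Call it like a built-in ASIM parser (positional arguments: start, end, disabled).
vimAuthenticationOpenSSH_Example(ago(1d), now(), false)
| summarize Failures  = countif(EventResult == "Failure"),
            Successes = countif(EventResult == "Success"),
            Targets   = make_set(TargetUsername, 10)
    by SrcIpAddr, DvcHostname
| where Failures >= 10 and Successes > 0      // spray or brute force followed by a success
| order by Failures desc
```

Because the output uses ASIM field names (EventResult, TargetUsername, SrcIpAddr, LogonMethod), the summarize at the end is the same one you would write against the built-in imAuthentication parser for Windows 4624/4625 events; saving the function as a workspace function lets analytics rules and hunting queries reference it by name instead of repeating the parse logic.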

Query, Visualize, and Monitor Data in Microsoft Sentinel

  • Visualize security data using Microsoft Sentinel workbooks
  • Understand how queries work
  • Explore workbook features
  • Create a Microsoft Sentinel workbook

Manage Content in Microsoft Sentinel

  • Install a content hub solution in Microsoft Sentinel
  • Connect a GitHub repository to Microsoft Sentinel

Explain Threat Hunting Concepts in Microsoft Sentinel

  • Describe threat hunting concepts to use with Microsoft Sentinel
  • Define a threat hunting hypothesis to use in Microsoft Sentinel

Hunt for Threats with Microsoft Sentinel

  • Use queries to hunt for threats
  • Save key results with bookmarks
  • Observe threats over time with live streaming

Use Search Jobs in Microsoft Sentinel

  • Use search jobs in Microsoft Sentinel
  • Restore logs from archives in Microsoft Sentinel

Hunt for Threats Using Notebooks in Microsoft Sentinel

  • Explore API libraries for advanced threat hunting in Microsoft Sentinel
  • Describe notebooks in Microsoft Sentinel
  • Create and use notebooks in Microsoft Sentinel


Updated: 06/04/2024
Teaching Method

In this training, we mix theory with technical workshops to quickly make you operational. Additionally, each participant receives course materials at the end of the training.

One of our consultant trainers conducts the training. With solid field experience, they make the learning process both interactive and enriching.

For assessment, the trainer regularly asks questions and uses various methods to continuously measure your progress. This approach promotes a dynamic and engaging learning experience.

After the training, we ask you to complete a satisfaction questionnaire. Your feedback helps us to maintain and constantly improve the quality of our training.

Finally, we offer the flexibility to deliver this training both in-person and remotely, and it can be customized to meet your company’s specific needs upon request.

Prerequisites

To participate in this training, you must have previously completed the “SC-900: Microsoft Security, Compliance, and Identity Fundamentals” training.

Pre-certification

This training course is designed to prepare you for the “SC-200: Microsoft Security Operations Analyst” certification exam. We recommend scheduling your exam approximately one month after completing the course. The provided course materials and labs will assist you in thoroughly reviewing and studying for your certification.

You can register for the certification exam on the Microsoft site. If you would like to buy a certification voucher from us, or if you would like us to support you in this process, please contact us.

Accessibility

You can register for one of our training courses up to two business days before it starts, provided that places are still available and you have signed the quote.

If you have specific needs related to a disability, please do not hesitate to make a request; we are happy to adjust our services according to the type of disability.
