SC-200 Exam Study Guide (Microsoft Security Operations Analyst)
You can access SC-200 Exam Microsoft official page here
Preparing for the SC-200 Microsoft Security Operations Analyst exam? Don’t know where to start? This post is the SC-200 Certificate Study Guide (with links to each exam objective).
I have curated a list of articles from Microsoft documentation for each objective of the SC-200 exam. Please share the post within your circles so it helps them to prepare for the exam.
Skills Measured
- Mitigate Threats Using Microsoft 365 Defender (25-30%)
- Mitigate Threats Using Azure Defender (25-30%)
- Mitigate Threats Using Azure Sentinel (40-45%)
SC-200 Exam Free Study Guide
For each test objective, I’ve compiled a thorough collection of articles from Microsoft documentation. Please feel free to forward this page to your friends and coworkers in order to assist them in preparing for the test .
Mitigate Threats Using Microsoft 365 Defender (25-30%)
Detect, Investigate, Respond, and Remediate Threats to the Productivity Environment by Using Microsoft Defender for Office 365
- Detect, investigate, respond, remediate Microsoft Teams, SharePoint, and OneDrive for Business threats
- Threat Explorer and Real-time detections
- Threat investigation and response
- Threat intelligence to protect, detect & respond to threats
- Remediate malicious email delivered in Office 365
- Detect, investigate, respond, remediate threats to email by using Defender for Office 365
- Threat Explorer and Real-time detections
- Automated investigation & response in Defender for Office 365
- AIR in Microsoft Defender for Office 365
- Remediation actions in Microsoft Defender for Office 365
- Manage data loss prevention policy alerts
- Review and manage Microsoft DLP alerts
- Configure and view alerts for DLP policies
- Assess and recommend sensitivity labels
- Use sensitivity labels to prioritize incident response
- Assess and recommend insider risk policies
- Insider risk management policies
Detect, Investigate, Respond, and Remediate Endpoint Threats by Using Microsoft Defender for Endpoint
- Manage data retention, alert notification, and advanced features
- Data Retention
- What is Microsoft’s data retention policy?
- Update data retention settings for Endpoint
- Alert notifications
- Configure alert notifications
- Manage Microsoft Defender for Endpoint alerts
- Advanced features
- Configure advanced features in Defender for Endpoint
- Configure device attack surface reduction rules
- Enable attack surface reduction rules
- Use attack surface reduction rules to prevent malware infection
- Configure and manage custom detections and alerts
- Custom detections overview
- Create custom detection rules
- Review alerts in Microsoft Defender for Endpoint
- Respond to incidents and alerts
- Take response actions on a device
- Manage automated investigations and remediations
- Overview of automated investigations
- Configure automated investigation & remediation capabilities
- Assess and recommend endpoint configurations to reduce and remediate vulnerabilities by using Microsoft’s Threat and Vulnerability Management solution
- Microsoft’s Threat & Vulnerability Management
- Threat and vulnerability management
- Remediate vulnerabilities with threat & vulnerability management
- Manage Microsoft Defender for Endpoint threat indicators
- Manage indicators
- Analyze Microsoft Defender for Endpoint threat analytics
- Understand the analyst report in threat analytics
Detect, Investigate, Respond, and Remediate Identity Threats
- Identify and remediate security risks related to sign-in risk policies
- Unblocking based on sign-in risk
- Identify and remediate security risks related to Conditional Access events
- Configure Conditional Access in Microsoft Defender
- Identify and remediate security risks related to Azure Active Directory
- Remediate risks in Azure AD
- Remediate users flagged for risk in Azure AD
- Identify and remediate security risks using Secure Score
- Remediate recommendations in Azure Security Center
- Identify, investigate, and remediate security risks related to privileged identities
- Lower exposure of privileged accounts
- Configure detection alerts in Azure AD Identity Protection
- Detect risks with Azure AD Identity Protection policies
- Azure Active Directory Identity Protection notifications
- Identify and remediate security risks related to Active Directory Domain Services using Microsoft Defender for Identity
- Investigate a domain
- Microsoft Defender for Identity FAQs
- Identify, investigate, and remediate security risks by using Microsoft Cloud Application Security (MCAS)
- Investigate cloud app risks & suspicious activity
- Configure MCAS to generate alerts and reports to detect threats
- Manage alerts
- Generate data management reports
Manage Cross-domain Investigations in Microsoft 365 Defender Portal
- Manage incidents across Microsoft 365 Defender products
- Manage incidents in Microsoft 365 Defender
- Manage actions pending approval across products
- The Action center
- View and manage actions in the Action center
- Perform advanced threat hunting
- Hunt threats with advanced hunting in Microsoft 365 Defender
- Proactively hunt for threats with advanced hunting
Mitigate Threats Using Azure Defender (25-30%)
Design and Configure an Azure Defender Implementation
- Plan and configure an Azure Defender workspace
- Enable Azure Defender
- Configure Azure Defender roles
- Create & manage roles for role-based access control
- Manage portal access using RBAC
- Configure data retention policies
- Microsoft’s data retention policy
- Assess and recommend cloud workload protection
- Introduction to Azure Defender
- Cloud Workload Security
Plan and Implement the Use of Data Connectors for Ingestion of Data Sources in Azure Defender
- Identify data sources to be ingested for Azure Defender
- Categorize Microsoft alerts across data sources
- Configure Automated Onboarding for Azure resources
- Automate onboarding
- Automate onboarding of Azure Security Center
- Connect non-Azure machine onboarding
- Connect non-Azure machines
- Connect AWS cloud resources
- Connect your AWS accounts
- Connect your AWS accounts to Azure Security Center
- Connect GCP cloud resources
- Connect your GCP accounts
- Connect your GCP accounts to Azure Security Center
- Configure data collection
- Enable data collection
Manage Azure Defender Alert Rules
- Validate alert configuration
- Validating Azure Defender for DNS alerts
- Alert validation in Azure Security Center
- Setup email notifications
- Configure email notifications for security alerts
- Create and manage alert suppression rules
- Suppress alerts from Azure Defender
- Manage suppression rules
Configure Automation and Remediation
- Configure automated responses in Azure Security Center
- Automate responses to Security Center triggers
- Design and configure playbook in Azure Defender
- Reconnaissance playbook
- Remediate incidents by using Azure Defender recommendations
- Remediate recommendations in Azure Security Center
- Create an automatic response using an Azure Resource Manager template
- Create an automatic response using an ARM template
Investigate Azure Defender Alerts and Incidents
- Describe alert types for Azure workloads
- Security alerts – a reference guide
- Manage security alerts
- What are security alerts?
- Manage security incidents
- Incidents in Azure Security Center
- Analyze Azure Defender threat intelligence
- Threat intelligence
- Azure Defender powered by Microsoft threat intelligence
- Respond to Azure Defender for Key Vault alerts
- Respond to Azure Defender for Key Vault alerts
- Manage user data discovered during an investigation
- How does Azure Security Center helps analyze attacks using Investigation?
Mitigate Threats Using Azure Sentinel (40-45%)
Design and Configure an Azure Sentinel Workspace
- Plan an Azure Sentinel workspace
- Plan for the Azure Sentinel workspace
- Configure Azure Sentinel roles
- Permissions in Azure Sentinel
- Design Azure Sentinel data storage
- Move Azure Sentinel logs to long-term storage
- Use Azure Data Explorer for retention of Azure Sentinel logs
- Configure Azure Sentinel service security
- Azure security baseline for Azure Sentinel
Plan and Implement the Use of Data Connectors for Ingestion of Data Sources in Azure Sentinel
- Identify data sources to be ingested for Azure Sentinel
- Connect data sources
- Identify the prerequisites for a data connector
- On-board Azure Sentinel
- Configure and use Azure Sentinel data connectors
- Connect data to Azure Sentinel using data connectors
- Design Syslog and CEF collections
- Collect data from Linux-based sources using Syslog
- Connect your external solution using Common Event Format
- Best Practices for CEF collection in Azure Sentinel
- Design and Configure Windows Events collections
- Connect Windows security events
- Configure custom threat intelligence connectors
- Connect data from threat intelligence providers
- Create custom logs in Azure Log Analytics to store custom data
- Collect custom logs with Log Analytics agent
Manage Azure Sentinel Analytics Rules
- Design and configure analytics rules
- Define rule query logic & configure settings
- Create custom analytics rules to detect threats
- Create a custom analytics rule with a scheduled query
- Activate Microsoft security analytical rules
- Using Microsoft Security incident creation analytics rules
- Configure connector provided scheduled queries
- Azure Sentinel: The connectors grand
- Operationalize Azure Sentinel: From log ingestion to incident detection
- Configure custom scheduled queries
- Create a custom analytics rule with a scheduled query
- Define incident creation logic
- Configure the incident creation settings
Configure Security Orchestration Automation and Remediation (SOAR) in Azure Sentinel
- Create Azure Sentinel playbooks
- Use playbooks with automation rules in Azure Sentinel
- Configure rules and incidents to trigger playbooks
- Choose the trigger
- Automate threat response with playbooks in Azure Sentinel
- Use playbooks to remediate threats
- Use playbooks with automation rules in Azure Sentinel
- Use playbooks to manage incidents
- Configure security playbook in Azure Sentinel
- Use playbooks across Microsoft Defender solutions
- Security automation & orchestration
- Azure Sentinel Microsoft Defender ATP
Manage Azure Sentinel Incidents
- Investigate incidents in Azure Sentinel
- Investigate incidents with Azure Sentinel
- Triage incidents in Azure Sentinel
- Triage security alerts
- Respond to incidents in Azure Sentinel
- Respond to a security alert
- Investigate multi-workspace incidents
- Work with incidents in many workspaces at once
- Cross workspace Hunting is now available
- Identify advanced threats with User and Entity Behavior Analytics (UEBA)
- Identify advanced threats with UEBA in Azure Sentinel
Use Azure Sentinel Workbooks to Analyze and Interpret Data
- Activate and customize Azure Sentinel workbook templates
- Workbooks vs. workbook templates
- ARM template for deploying a workbook template
- Create custom workbooks
- Create new workbooks
- Configure advanced visualizations
- Query and visualize data with Azure Sentinel Workbooks
- View and analyze Azure Sentinel data using workbooks
- Visualize and monitor your data
- Visualize data in Azure Sentinel
- Track incident metrics using the security operations efficiency workbook
- Manage your SOC better with incident metrics
Hunt for Threats Using the Azure Sentinel Portal
- Create custom hunting queries
- Create custom queries to refine threat hunting
- Creating custom Azure Sentinel Hunting queries
- Run hunting queries manually
- Hunt for threats by using Azure Sentinel
- Monitor hunting queries by using Livestream
- Manage hunting and Livestream queries in Azure Sentinel
- Perform advanced hunting with notebooks
- Use Jupyter Notebook to hunt for security threats
- Hunt for threats using notebooks in Azure Sentinel
- Track query results with bookmarks
- Track query results
- Use hunting bookmarks for data investigations
- Explore bookmarks in the investigation graph
- Convert a hunting query to an analytical rule
- Turning Hunting queries into Analytics Rules
- Threat hunting vs Analytics rule
This brings us to the end of the SC-200 Microsoft Security Operations Analyst exam study guide.
Follow Me to Receive Updates on SC-200 Exam
Share the SC-200 Study Guide in Your Network
Share on facebook
Share on twitter
Share on linkedin
