SC-200 Microsoft Security Operations Analyst

Module 1: Mitigating threats using Microsoft Defender for Endpoint

Deploy the Microsoft Defender for Endpoint platform to detect, investigate, and respond to advanced threats. Learn how Microsoft Defender for Endpoint can help your organization stay secure. Learn how to deploy the Microsoft Defender for Endpoint environment, including onboarding devices and configuring security. Learn how to investigate incidents and alerts using Microsoft Defender for Endpoints. Perform advanced hunting and consult with threat experts. You will also learn how to configure automation in Microsoft Defender for Endpoint by managing environment settings. Finally, you will learn more about your environment’s vulnerabilities by using Threat and Vulnerability Management in Microsoft Defender for Endpoint.

Lessons

• Protect against threats with Microsoft Defender for Endpoint
• Deploy Microsoft Defender for the Endpoint environment
• Implement security improvements in Windows 10 with Microsoft Defender for Endpoint
• Manage alerts and incidents in Microsoft Defender for Endpoint
• Performing device scans in Microsoft Defender for Endpoint
• Performing actions on a device using Microsoft Defender for Endpoint
• Perform evidence and device investigations using Microsoft Defender for Endpoint
• Configure and manage automation using Microsoft Defender for Endpoint
• Configure for alerts and detections in Microsoft Defender for Endpoint
• Leverage threat and vulnerability management in Microsoft Defender for Endpoint

Lab: Mitigate threats using Microsoft Defender for Endpoint

• Deploy Microsoft Defender for Endpoint
• Reduce attacks with Defender for Endpoint

After completing this module, participants will be able to:

• Define the features of Microsoft Defender for Endpoint
• Configure Microsoft Defender for Endpoint environment settings
• Configure attack surface reduction rules on Windows 10 devices
• Examine warnings in Microsoft Defender for Endpoint
• Describe the forensic information about devices collected by Microsoft Defender for Endpoint
• Conduct forensic data collection using Microsoft Defender for Endpoint
• Examine user accounts in Microsoft Defender for Endpoint
• Managing automation settings in Microsoft Defender for Endpoint
• Managing indicators in Microsoft Defender for Endpoint
• Describe threat and vulnerability management in Microsoft Defender for Endpoint

Module 2: Mitigating threats using Microsoft 365 Defender

Analyze threat data across domains and quickly remediate threats with built-in orchestration and automation in Microsoft 365 Defender. Learn more about cybersecurity threats and how the new threat protection tools from Microsoft protect your organization’s users, devices, and data. Use advanced identity-based threat detection and remediation to protect your Azure Active Directory identities and applications from being compromised.

Lessons

• Introduction to protecting against threats with Microsoft 365
• Reduce incidents with Microsoft 365 Defender
• Protect your identities with Azure AD Identity Protection
• Addressing risks with Microsoft Defender for Office 365
• Protect your environment with Microsoft Defender for Identity
• Secure your cloud applications and services with Microsoft Cloud App Security
• Respond to data loss prevention alerts using Microsoft 365
• Managing insider risk in Microsoft 365

Lab: Mitigate threats with Microsoft 365 Defender

• Explore Microsoft 365 Defender

After completing this module, participants will be able to:

• Explain how the threat landscape is evolving.
• Managing incidents in Microsoft 365 Defender
• Performing advanced hunting in Microsoft 365 Defender
• Describe the investigation and remediation features of Azure Active Directory Identity Protection.
• Define the features of Microsoft Defender for Endpoint.
• Explain how Microsoft Defender for Endpoint can address risks in your environment.
• Defining the framework for Cloud App Security
• Explain how Cloud Discovery helps you see what’s happening in your organization

Module 3: Mitigating threats using Azure Defender

Use Azure Defender integrated with Azure Security Center for protection and security of Azure, hybrid cloud, and on-premises workloads. Learn the purpose of Azure Defender, Azure Defender’s relationship to Azure Security Center, and how to enable Azure Defender. You will also learn about the protections and detections that Azure Defender provides for each cloud workload. Learn how you can add Azure Defender features to your hybrid environment.

Lessons

• Plan for workload protection in the cloud with Azure Defender
• Explain cloud workload protection in Azure Defender
• Connect Azure assets to Azure Defender
• Connect resources outside Azure to Azure Defender
• Fixing security alerts using Azure Defender

Lab: Defending against threats with Azure Defender

• Deploying Azure Defender
• Reduce attacks with Azure Defender

After completing this module, participants will be able to:

• Describe Azure Defender features
• Explain the features of Azure Security Center
• Explain which workloads are protected by Azure Defender
• Explain how Azure Defender protection works
• Configure automatic provisioning in Azure Defender
• Describe manual provisioning in Azure Defender
• Connect non-Azure machines to Azure Defender
• Describing alerts in Azure Defender
• Fixing warnings in Azure Defender
• Automate responses in Azure Defender

Module 4: Creating queries for Azure Sentinel using Kusto Query Language (KQL)

Write Kusto Query Language (KQL) statements to query log data to perform detections, analysis and reporting in Azure Sentinel. This module will focus on the most commonly used operators. The examples of KQL statements will show security-related table queries. KQL is the query language used to parse data to create analytics, workbooks, and perform hunting in Azure Sentinel. Learn how basic KQL statements provide the foundation for building more complex statements. Learn how to summarize and visualize data with a KQL statement that provides the foundation for building detections in Azure Sentinel. Learn how to use Kusto Query Language (KQL) to manipulate string data retrieved from log sources.

Lessons

• Construct KQL statements for Azure Sentinel
• Analyzing search results using KQL
• Create multi-table statements using KQL
• Working with data in Azure Sentinel using the Kusto Query Language

Lab : Creating queries for Azure Sentinel using Kusto Query Language (KQL)

• Constructing basic KQL statements
• Analyzing search results using KQL
• Create statements for multiple tables in KQL
• Working with string data in KQL

After completing this module, participants will be able to:

• Constructing KQL statements
• Search log files for security events using KQL
• Filter searches based on event time, severity, domain and other relevant data using KQL
• Summarizing data using KQL statements
• Render visualizations using KQL statements
• Extract data from unstructured string fields using KQL
• Extracting data from structured string data using KQL
• Creating functions using KQL

Module 5: Configuring your Azure Sentinel environment

Get started with Azure Sentinel by properly configuring the Azure Sentinel workspace. Traditional security information and event management (SIEM) systems typically take a long time to install and configure. They are also not necessarily designed with cloud workloads in mind. Azure Sentinel allows you to quickly start gaining valuable security insights from your cloud and on-premises data. This module will help you get started. Learn about the architecture of Azure Sentinel workspaces to ensure you configure your system to meet your organization’s security operations requirements. As a Security Operations Analyst, you need to understand the tables, fields, and data included in your workspace. Learn how to query the most commonly used data tables in Azure Sentinel.

Lessons

• Introduction to Azure Sentinel
• Create and manage Azure Sentinel workspaces
• Query logs in Azure Sentinel
• Use watchlists in Azure Sentinel
• Leverage threat intelligence in Azure Sentinel

Lab : Setting up your Azure Sentinel environment

• Create an Azure Sentinel workspace
• Create a watch list
• Create a threat indicator

After completing this module, participants will be able to:

• Identify the different components and features of Azure Sentinel.
• Identify use cases where Azure Sentinel would be a good solution.
• Describe the Azure Sentinel workspace architecture
• Installing the Azure Sentinel workspace
• Managing an Azure Sentinel workspace
• Create a watchlist in Azure Sentinel
• Use KQL to access the watchlist in Azure Sentinel
• Managing threat indicators in Azure Sentinel
• Use KQL to access threat indicators in Azure Sentinel

Module 6: Connecting logs to Azure Sentinel

Connect cloud-scale data across all users, devices, applications, and infrastructure, both on-premises and across multiple clouds to Azure Sentinel. The primary method of connecting log data is to use the data connectors provided by Azure Sentinel. This module provides an overview of the available data connectors. You will learn about the configuration options and data provided by Azure Sentinel connections for Microsoft 365 Defender.

Lessons

• Connect data to Azure Sentinel using data connectors
• Connect Microsoft services to Azure Sentinel
• Connect Microsoft 365 Defender to Azure Sentinel
• Connect Windows hosts to Azure Sentinel
• Connecting logs in Common Event Format to Azure Sentinel
• Connecting syslog data sources to Azure Sentinel
• Connect threat indicators to Azure Sentinel

Lab : Connecting logs to Azure Sentinel

• Connect data to Azure Sentinel using data connectors
• Connect Windows devices to Azure Sentinel using data connections
• Connect Linux hosts to Azure Sentinel using data connectors
• Connect Threat intelligence to Azure Sentinel using data connections

After completing this module, participants will be able to:

• Explain the use of data connections in Azure Sentinel
• Explain the differences between the Common Event Format and the Syslog connection in Azure Sentinel
• Connecting Microsoft service contacts
• Explain how contacts automatically create incidents in Azure Sentinel
• Activate the Microsoft 365 Defender connection in Azure Sentinel
• Connect Azure Windows Virtual Machines to Azure Sentinel
• Connect non-Azure Windows hosts to Azure Sentinel
• Configure the Log Analytics agent to collect Sysmon events
• Explain the options for deploying the Common Event Format Connector in Azure Sentinel
• Configuring the TAXII connection in Azure Sentinel
• View threat indicators in Azure Sentinel

Module 7: Creating detections and performing investigations with Azure Sentinel

Discover previously undetected threats and remediate threats quickly with built-in orchestration and automation in Azure Sentinel. You will learn how to create Azure Sentinel playbooks to respond to security threats. You will explore Azure Sentinel incident management, learn about Azure Sentinel events and devices, and discover ways to resolve incidents. You’ll also learn how to query, visualize, and monitor data in Azure Sentinel.

Lessons

• Threat detection with Azure Sentinel analytics
• Hot response with Azure Sentinel playbooks
• Security incident management in Azure Sentinel
• Using device behavior analysis in Azure Sentinel
• Query, visualize and monitor data in Azure Sentinel

Lab : Create detections and perform investigations with Azure Sentinel

• Activate a Microsoft Security rule
• Create a Playbook
• Create a scheduled question
• Understanding detection modeling
• Carrying out attacks
• Creating detections
• Investigating incidents
• Creating workbooks

After completing this module, participants will be able to:

• Explain the importance of Azure Sentinel Analytics.
• Create rules from templates.
• Managing rules with changes.
• Explain Azure Sentinel SOAR features.
• Create a playbook to automate an incident response.
• Investigate and manage incident resolution.
• Explain user and device behavior analysis in Azure Sentinel
• Explore devices in Azure Sentinel
• Visualize security data using Azure Sentinel Workbooks.

Module 8: Performing threat hunting in Azure Sentinel

In this module, you will learn how to proactively identify threat behaviors using Azure Sentinel queries. You will also learn how to use bookmarks and livestream to hunt for threats. You will also learn how to use notebooks in Azure Sentinel for advanced hunting.

Lessons

• Threat hunting with Azure Sentinel
• Hunting for threats using notebooks in Azure Sentinel

Laboration: Hot hunting in Azure Sentinel

• Performing threat hunting in Azure Sentinel
• Threat hunting using notebooks with Azure Sentinel

After completing this module, participants will be able to:

• Describe threat hunting concepts for use with Azure Sentinel
• Define a threat hunting hypothesis for use in Azure Sentinel
• Use questions to search for threats.
• Observe threats over time with livestream.
• Explore API libraries for advanced threat hunting in Azure Sentinel
• Creating and using notebooks in Azure Sentinel