Course Description: SC-200: Microsoft Security Operations Analyst Associate

Learn how to investigate, hunt for, and respond to threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender. In this course, you’ll learn how to mitigate cyberthreats using these technologies. Specifically, you’ll configure and use Microsoft Sentinel, as well as the Kusto Query Language (KQL), to perform detection, analysis, and reporting. The course is designed for individuals in a security operations job role and helps students prepare for the SC-200: Microsoft Security Operations Analyst exam.

Audience profile

The Microsoft Security Operations Analyst role works with organizational stakeholders to protect the organization's information technology systems. Their goal is to reduce organizational risk by quickly remediating active attacks in the environment, advising on improvements to threat protection procedures, and communicating organizational policy violations to relevant stakeholders. Their responsibilities include managing, monitoring, and responding to threats using a variety of security solutions in the environment. The role is primarily concerned with investigating, detecting, and responding to threats using Microsoft Sentinel, Microsoft Defender for Cloud, Microsoft 365 Defender, and third-party security products. Because the Security Operations Analyst is the one who will be making use of the operational results of these tools, they are also a key stakeholder in the configuration and deployment of these technologies.

Items in this collection

• Introduction to Microsoft 365 Threat Protection (6 Units)
• Incident Mitigation with Microsoft 365 Defender (15 Units)
• Protecting identities with Azure AD Identity Protection (5 Units)
• Remediate risks with Microsoft Defender for Office 365 (5 Units)
• Protect your environment with Microsoft Defender for Identity (5 Units)
• Protecting cloud applications and services with Microsoft Defender for Cloud Apps (9 Units)
• Responding to data loss prevention alerts using Microsoft 365 (6 Units)
• Manage insider risk in Microsoft Purview (7 Units)
• Protect against threats with Microsoft Defender for Endpoint (4 Units)
• Deploying Microsoft Defender for Endpoint Environment (10 Units)
• Implementing Windows Security Enhancements with Microsoft Defender for Endpoint (5 Units)
• Performing Device Investigations in Microsoft Defender for Endpoint (7 Units)
• Perform actions on a device with Microsoft Defender for Endpoint (7 Units)
• Conduct Evidence and Entity Investigations with Microsoft Defender for Endpoint (7 Units)
• Setting up and managing automation with Microsoft Defender for Endpoint (7 Units)
• Configuring alerts and detections in Microsoft Defender for Endpoint (7 Units)
• Using Vulnerability Management in Microsoft Defender for Endpoint (6 Units)
• Understanding Cloud Workload Protections in Microsoft Defender for Cloud (7 Units)
• Connecting Azure Resources to Microsoft Defender for the Cloud (6 Units)
• Connect non-Azure resources to Microsoft Defender for Cloud (7 Units)
• Managing Cloud Security Posture (7 Units)
• Understanding Cloud Workload Protections in Microsoft Defender for Cloud (13 Units)
• Remediating security alerts using Microsoft Defender for Cloud (8 Units)
• Building KQL Statements for Microsoft Sentinel (10 Units)
• Using KQL to analyze query results (7 Units)
• Using KQL to create multi-table statements (5 Units)
• Working with data in Microsoft Sentinel using the Kusto query language (7 Units)
• Introduction to Microsoft Sentinel (6 Units)
• Creating and Managing Microsoft Sentinel Workspaces (9 Units)
• Query logs in Microsoft Sentinel (7 Units)
• Using Playlists in Microsoft Sentinel (6 Units)
• Using Threat Intelligence in Microsoft Sentinel (6 Units)
• Data connection to Microsoft Sentinel using data connectors (6 Units)
• Connecting Microsoft Services to Microsoft Sentinel (8 Units)
• Microsoft 365 Defender Connection to Microsoft Sentinel (10 Units)
• Connecting Windows Hosts to Microsoft Sentinel (7 Units)
• Connecting Common Event Format Logs to Microsoft Sentinel (5 Units)
• Connecting Syslog Data Sources to Microsoft Sentinel (7 Units)
• Connecting Threat Indicators to Microsoft Sentinel (7 Units)
• Threat Detection with Microsoft Sentinel Analysis (9 Units)
• Automation in Microsoft Sentinel (5 Units)
• Threat Response with Microsoft Sentinel Playbooks (7 Units)
• Managing Security Incidents in Microsoft Sentinel (7 Units)
• Identifying threats with behavioral analysis (7 units)
• Data normalization in Microsoft Sentinel (8 Units)
• Querying, Visualizing, and Monitoring Data in Microsoft Sentinel (8 Units)
• Managing Content in Microsoft Sentinel (5 Units)
• Explanation of threat hunting concepts in Microsoft Sentinel (6 Units)
• Threat hunting with Microsoft Sentinel (7 Units)
• Using Search Jobs in Microsoft Sentinel (5 Units)
• Threat hunting with notebooks in Microsoft Sentinel (7 Units)

Course outline

Module 1: Mitigate threats using Microsoft Defender for Endpoint

• Protect against threats with Microsoft Defender for Endpoint
• Deploy the Microsoft Defender for Endpoint environment
• Implement Windows 10 security enhancements with Microsoft Defender for Endpoint
• Manage alerts and incidents in Microsoft Defender for Endpoint
• Perform device investigations in Microsoft Defender for Endpoint
• Perform actions on a device using Microsoft Defender for Endpoint
• Perform evidence and entities investigations using Microsoft Defender for Endpoint
• Configure and manage automation using Microsoft Defender for Endpoint
• Configure for alerts and detections in Microsoft Defender for Endpoint
• Use Threat and Vulnerability Management in Microsoft Defender for Endpoint

Lab: Mitigate threats using Microsoft Defender for Endpoint

Module 2

• Introduction to threat protection with Microsoft 365
• Mitigate incidents using Microsoft 365 Defender
• Protect your identities with Azure AD Identity Protection
• Remediate risks with Microsoft Defender for Office 365
• Safeguard your environment with Microsoft Defender for Identity
• Secure your cloud apps and services with Microsoft Cloud App Security
• Respond to data loss prevention alerts using Microsoft 365
• Manage insider risk in Microsoft 365

Lab: Mitigate threats using Microsoft 365 Defender

Module 3

• Plan for cloud workload protections using Azure Defender
• Explain cloud workload protections in Azure Defender
• Connect Azure assets to Azure Defender
• Connect non-Azure resources to Azure Defender
• Remediate security alerts using Azure Defender

Lab: Mitigate threats using Azure Defender

Module 4: Create queries for Azure Sentinel using Kusto Query Language (KQL)

• Construct KQL statements for Azure Sentinel
• Analyze query results using KQL
• Build multi-table statements using KQL
• Work with data in Azure Sentinel using Kusto Query Language

Lab: Create queries for Azure Sentinel using Kusto Query Language (KQL)

Module 5: Configure your Azure Sentinel environment

• Introduction to Azure Sentinel
• Create and manage Azure Sentinel workspaces
• Query logs in Azure Sentinel
• Use watchlists in Azure Sentinel
• Use threat intelligence in Azure Sentinel

Lab: Configure your Azure Sentinel environment

Module 6: Connect logs to Azure Sentinel

• Connect data to Azure Sentinel using data connectors
• Connect Microsoft services to Azure Sentinel
• Connect Microsoft 365 Defender to Azure Sentinel
• Connect Windows hosts to Azure Sentinel
• Connect Common Event Format logs to Azure Sentinel
• Connect syslog data sources to Azure Sentinel
• Connect threat indicators to Azure Sentinel

Lab: Connect logs to Azure Sentinel

Module 7: Create detections and perform investigations using Azure Sentinel

• Threat detection with Azure Sentinel analytics
• Threat response with Azure Sentinel playbooks
• Security incident management in Azure Sentinel
• Use entity behavior analytics in Azure Sentinel
• Query, visualize, and monitor data in Azure Sentinel

Lab: Create detections and perform investigations using Azure Sentinel

Module 8: Perform threat hunting in Azure Sentinel

• Threat hunting with Azure Sentinel
• Hunt for threats using notebooks in Azure Sentinel

Lab: Threat hunting in Azure Sentinel

Prerequisites

• Basic knowledge of Microsoft 365
• Basic knowledge of Microsoft identity, compliance, and security products
• Intermediate knowledge of Microsoft Windows
• Knowledge of Azure services, particularly Azure SQL Database and Azure Storage
• Familiarity with Azure virtual machines and virtual networks
• Basic knowledge of scripting concepts

Language

• Course: English/Spanish
• Labs: English

Associate Certification

Microsoft Certified: Security Operations Analyst Associate

Manage security operations environments. Configure protections and detections. Manage incident responses. Conduct threat hunting.

Level: Intermediate
Role: Security Engineer, Security Operations Analyst
Product: Azure, Microsoft 365
Subject: Security

Related Certifications

Complete a prerequisite:

• Microsoft Certified: Azure Security Engineer Associate (AZ-500 Microsoft Azure Security Technologies)
• Microsoft Certified: Identity and Access Administrator Associate (SC-300: Microsoft Identity and Access Administrator)
• Microsoft Certified: Security Operations Analyst Associate (SC-200: Microsoft Security Operations Analyst Associate)

Take a test:

• Microsoft Cybersecurity Architect (SC-100: Microsoft Cybersecurity Architect)

Get certified:

• Microsoft Certified: Cybersecurity Architect Expert