SC-200: Microsoft Security Operations Analyst Associate

SC-200 Course: Microsoft Security Operations Analyst Introduction

Learn how to investigate, hunt for, and respond to threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender . In this course, you'll learn how to mitigate cyberthreats using these technologies. Specifically, you'll configure and use Microsoft Sentinel and the Kusto Query Language (KQL) to perform detection, analysis, and reporting. This course is designed for individuals in security operations roles and helps prepare students for the SC-200: Microsoft Security Operations Analyst exam.

The course includes a certification exam and a bonus opportunity for a virtual gift! *Promotion valid until August 31st, for customers in Spain only. Does not apply to self-learning.

Course aimed at

The Microsoft Security Operations Analyst role collaborates with organizational stakeholders to secure the organization's information technology systems. Their goal is to reduce organizational risk by quickly remediating active attacks in the environment, advising on improvements to threat protection procedures, and communicating organizational policy violations to relevant stakeholders. Their responsibilities include threat management, monitoring, and response using various security solutions in the environment. The role is primarily concerned with investigating, detecting, and responding to threats using Microsoft Sentinel, Microsoft Defender for Cloud, Microsoft 365 Defender, and third-party security products. Because the Security Operations Analyst will be leveraging the operational outputs of these tools, they are also a critical stakeholder in the configuration and deployment of these technologies.

Course objectives

• Investigate and mitigate threats: You will learn how to use tools like Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Defender for Cloud to investigate, hunt for, and respond to threats.
  
• Configure and manage Microsoft Sentinel: You will configure your environment in Microsoft Sentinel, manage log connections, and create queries using Kusto Query Language (KQL).
  
• Manage threat mitigation: You will use Microsoft Defender XDR, Microsoft Purview, and Microsoft Defender for Endpoint to manage threat mitigation.
  
• Threat Hunting: You will perform advanced threat hunting using threat intelligence and KQL for detection, analysis, and reporting.

Elements of the SC-200 formation

• SC-200: Threat Mitigation Using Microsoft Defender XDR (6 Modules)
• SC-200: Mitigating Threats Using Microsoft Security Copilot (5 Modules)
• SC-200: Threat Mitigation with Microsoft Purview (4 Modules)
• SC-200: Threat Mitigation with Microsoft Defender for Endpoint (9 Modules)
• SC-200: Threat Mitigation with Microsoft Defender for Cloud (6 Modules)
• SC-200: Creating Queries for Microsoft Sentinel Using Kusto Query Language (KQL) (4 Modules)
• SC-200: Configuring the Microsoft Sentinel Environment (6 Modules)
• SC-200: Connecting Logs to Microsoft Sentinel (7 Modules)
• SC-200: Creating Detections and Conducting Investigations Using Microsoft Sentinel (8 Modules)
• SC-200: Threat Hunting in Microsoft Sentinel (4 Modules)

SC-200 Course Content

Module 1: Threat Mitigation with Microsoft Defender XDR

Module objectives:

• Microsoft Defender XDR: Microsoft Defender XDR is a solution that helps mitigate threats and risks through a variety of tools and capabilities.
  
• Threat Research: Microsoft Defender XDR provides tools for threat research, including the Microsoft Security Graph API and advanced hunting capabilities.
  
• Incident Management: Microsoft Defender XDR enables incident management, including automatic attack termination and alert investigation.
  
• Office 365 Protection: Microsoft Defender for Office 365 provides capabilities to filter, simulate attacks, and remediate risks
  
• Identity Protection: Microsoft Defender for Identity and Entra ID Protection provide tools to protect identities, detect risks, and remediate threats.
  

Lessons:

• Overview of threat protection with Microsoft Defender XDR
• Incident Mitigation with Microsoft Defender XDR
  
• Remediating risks with Defender for Office 365 in Microsoft Defender XDR
  
• Microsoft Defender for Identity in Microsoft Defender XDR
  
• Identity protection with Entra ID Protection
  
• Defender for Cloud applications in Microsoft Defender XDR
  
• Course laboratories:
  • Lab 01: Threat Mitigation with Microsoft Defender XDR

Module 2: Introduction to Microsoft Security Copilot

Module objectives:

• How to describe Microsoft Copilot in Microsoft Defender XDR
  
• How to describe Microsoft Copilot in Microsoft Purview
  
• How to describe Microsoft Copilot in Microsoft Enter

Lessons:

• Fundamentals of Generative AI
  
• Microsoft Copilot Security Overview
  
• Overview of key features of Microsoft Copilot Security
  
• Overview of Microsoft Copilot Security Integrated Experiences
  

Module 3: Threat Mitigation with Microsoft Purview

Module objectives:

• Microsoft Purview: Microsoft Purview provides compliance solutions to mitigate threats
  
• Content Search: Content search is a key feature in the Microsoft 365 compliance center for quick searches across all content.
  
• Audit Solutions: Microsoft Purview provides two audit solutions: Audit (Standard) and Audit (Premium)
  
• Audit (Standard): Audit (Standard) is enabled by default and provides the ability to log and search audited activities.
  
• Premium Audit: Premium Audit builds on Standard Audit by providing advanced auditing capabilities.
  

Lessons:

• Microsoft Purview Compliance Solutions
• Investigation and remediation of compromised entities identified by Microsoft Purview data loss prevention (DLP) policies
  
• Investigation and remediation of insider risk threats identified by Microsoft Purview policies
  
• Threat investigation using content search in Microsoft Purview
  
• Threat Investigation Using Microsoft Purview Standard Audit
  
• Threat Investigation Using Microsoft Purview Premium Audit
  

Module 4: Threat Mitigation with Microsoft Defender for Endpoint

Module objectives:

• Defender for Endpoint: Microsoft Defender for Endpoint is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats on their endpoints.
  
• Threat Management: Defender for Endpoint provides advanced, near-real-time, actionable attack detections.
  Device Onboarding: Devices can be monitored using
• Microsoft Defender for Endpoint via the Defender for Endpoint portal.
  
• Attack surface reduction: Attack surface reduction rules can be enabled on Windows devices to reduce the attack surface.
  
• Vulnerability Management: Defender Vulnerability Management uses built-in, agentless scanners to continuously monitor and detect risk across your organization, even when devices are not connected to the corporate network.
  

Lessons:

• Threat protection with Microsoft Defender for Endpoint
  
• Deploying the Microsoft Defender for Endpoint Environment
  
• Implementing Windows security improvements
  
• Conducting device research
  
• Performing actions on a device
  
• Conducting evidence and entity investigations
  
• Setting up and managing automation
  
• Settings for alerts and detections
  
• Using Threat and Vulnerability Management
• Module Laboratory:
  • Lab 01: Threat Mitigation with Microsoft Defender for Endpoint

Module 5: Threat Mitigation with Microsoft Defender for Cloud

Course objectives:

• Defender for Cloud: Microsoft Defender for Cloud is a development security operations (DevSecOps) solution that unifies security management at the code level across multi-cloud and multi-pipeline environments.
  
• Cloud Security: Microsoft Defender for Cloud offers Cloud Security Posture Management (CSPM) and a Cloud Workload Protection Platform (CWPP).
  
• Workload protections: Microsoft Defender for Cloud provides workload protections for servers, containers, storage, databases, and other workloads.
  
• Hybrid cloud protection: Microsoft Defender for Cloud can protect hybrid cloud environments, including non-Azure machines and AWS and GCP accounts.
  
• Alert Remediation: Microsoft Defender for Cloud provides practical tasks to mitigate threats, prevent future attacks, and trigger automated responses
  

Lessons:

• Understanding cloud workload protections in Microsoft Defender for Cloud
  
• Connecting Azure resources to Microsoft Defender for the Cloud
  
• Connecting non-Azure resources to Microsoft Defender for Cloud
  
• Managing your cloud security posture
  
• Microsoft Defender for Cloud Workload Protection
  
• Remediating security alerts using Microsoft Defender for Cloud
  
• Module Laboratory:
  • Lab 01: Threat Mitigation with Microsoft Defender for Cloud

Module 6: Creating Queries for Microsoft Sentinel Using Kusto Query Language (KQL)

Module objectives:

• KQL Statements: Building KQL Statements for Microsoft Sentinel
  
• KQL Operators: Use KQL operators such as summarize, render, union, join, and extend
  
• KQL Data Extraction: Extract data from unstructured and structured string fields using KQL
  
• KQL Functions: Creating Functions and Parsers Using KQL
  
• KQL Lab: Lab exercises for creating queries for Microsoft Sentinel using KQL
  

Lessons:

• Building KQL statements for Microsoft Sentinel
  
• Using KQL to analyze query results
  
• Using KQL to create multi-table statements
  
• Working with string data using KQL statements
  
• Module laboratories:
  • Lab 01: Creating Queries for Microsoft Sentinel Using Kusto Query Language (KQL)

Module 7: Configuring the Microsoft Sentinel Environment

Module objectives:

• Microsoft Sentinel: Microsoft Sentinel is a scalable, cloud-native solution that provides security information and event management (SIEM) and security orchestration, automation, and response (SOAR).
  
• Sentinel Components: Microsoft Sentinel has several components, including data connectors, analyzers, workbooks, analytical rules, search queries, notebooks, incidents and investigations, automation playbooks, and Azure Logic Apps custom connectors and watchlists.
  
• Using Sentinel: Microsoft Sentinel is a solution for performing security operations in on-premises and cloud environments. It can be used to collect event data from various sources and perform security operations on that data to identify suspicious activity.
  
• Sentinel Watchlists: Microsoft Sentinel watchlists can be used to investigate threats, respond to incidents quickly, import enterprise data, reduce alert fatigue, and enrich event data.
  
• Threat Intelligence: Microsoft Sentinel lets you manage threat indicators, view, sort, filter, and search imported threat indicators, and perform daily threat intelligence administrative tasks.
  

Lessons:

• Introduction to Microsoft Sentinel
  
• Creating and Managing Microsoft Sentinel Workspaces
  
• Query logs in Microsoft Sentinel
  
• Using watchlists in Microsoft Sentinel
  
• Using Threat Intelligence in Microsoft Sentinel
  
• The unified security operations platform
  
• Module Laboratory:
  • Lab 1: Configuring the Microsoft Sentinel Environment

Module 8: Connecting Logs to Microsoft Sentinel

Module objectives:

• Sentinel Connectors: Microsoft Sentinel provides several data connectors to connect logs and data sources
  
• Content Hub Solutions: Content Hub solutions include data connectors, analyzers, workbooks, analysis rules, search queries, notebooks, watchlists, and playbooks.
  
• Data Collection Rules: Data collection rules (DCRs) are used to manage collection settings at scale, improve security and performance, and save costs.
  
• Threat Intelligence: The Threat Intelligence Content Hub solution provides connectors for the TAXII, Microsoft Defender Threat Intelligence, and Threat Intelligence platforms.
  
• Microsoft Defender: Microsoft Sentinel provides built-in connectors for Microsoft Defender solutions, such as Microsoft Defender XDR, Microsoft Defender for Cloud, and Microsoft Defender for IoT.
  

Lessons:

• Content Management in Microsoft Sentinel
  
• Connecting data to Microsoft Sentinel using data connectors
  
• Connecting Microsoft services to Microsoft Sentinel
  
• Connecting Microsoft Defender XDR to Microsoft Sentinel
  
• Connecting Windows Hosts to Microsoft Sentinel
  
• Connecting Common Event Format Logs to Microsoft Sentinel
  
• Connecting Syslog Data Sources to Microsoft Sentinel
  
• Connecting Threat Indicators to Microsoft Sentinel
  
• Module Laboratory:
  • Lab 01: Connecting Logs to Microsoft Sentinel

Module 9: Creating Detections and Conducting Investigations with Microsoft Sentinel

Module objectives:

• Analysis Rules: Microsoft Sentinel Analytics analyzes data from multiple sources to identify correlations and anomalies. It also provides several types of analysis rules.
  
• Automation: Microsoft Sentinel provides automation options such as automation rules and playbooks to automate incident handling.
  
• Incident Management: Microsoft Sentinel provides incident management capabilities, including evidence and entity management, as well as incident investigation and resolution.
  
• Data Normalization: Microsoft Sentinel provides data normalization capabilities, including the use of ASIM parsers and parameterized KQL functions.
  

Lessons

• Threat detection with Microsoft Sentinel analysis
  
• Automation in Microsoft Sentinel
  
• Responding to threats with Microsoft Sentinel playbooks
  
• Security Incident Management in Microsoft Sentinel
  
• Entity Behavior Analysis in Microsoft Sentinel
  
• Data normalization in Microsoft Sentinel
  
• Query, visualize, and monitor data in Microsoft Sentinel
• Module Laboratory:
  • Lab 01: Creating Detections and Conducting Investigations with Microsoft Sentinel

Module 10: Performing Threat Hunting in Microsoft Sentinel

Module objectives:

• Threat Hunting: Learn how to perform threat hunting in Microsoft Sentinel using queries, bookmarks, live streaming, and MITRE ATT&CK.
  
• Hunting Tools: Use tools like notebooks, hunting jobs, and external tools to hunt for threats in Microsoft Sentinel
  
• Threat Hunting Hypothesis: Develop a threat hunting hypothesis that is feasible, narrow in scope, time-bound, useful, effective, and related to the threat model.
  

Lessons

• Explanation of threat hunting concepts in Microsoft Sentinel
  
• Threat Hunting with Microsoft Sentinel
  
• Using Search Jobs in Microsoft Sentinel
  
• Optional: Threat hunting with notebooks in Microsoft Sentinel
  
• Module Laboratory:
  • Lab 1: Threat Hunting in Microsoft Sentinel

Prerequisites

• Basic knowledge of Microsoft Defender
• Basic knowledge of Microsoft identity, compliance, and security products
• Intermediate knowledge of Windows 11, Linux, and Windows Server
• Be familiar with Microsoft Azure portals and services and Microsoft Defender
• Be familiar with Azure Monitoring and Azure Log Analytics
• Be familiar with Azure virtual machines
• Basic knowledge of scripting concepts
  

Language

• Course: English / Spanish
• Labs: English / Spanish

Microsoft Associate Certification: Security Operations Analyst Associate

Microsoft Certified: Security Operations Analyst Associate

Manage security operations environments. Configure protections and detections. Manage incident responses. Perform threat hunting.

Level: Intermediate
Role: Security Engineer, Security Operations Analyst
Product: Azure, Microsoft 365
Subject: Security

Related Microsoft Certification: Cybersecurity Architect Expert

Complete a prerequisite:

• Microsoft Certified: Azure Security Engineer Associate (AZ-500 Microsoft Azure Security Technologies)
• Microsoft Certified: Identity and Access Administrator Associate (SC-300: Microsoft Identity and Access Administrator)
• Microsoft Certified: Security Operations Analyst Associate (SC-200: Microsoft Security Operations Analyst Associate)

Take an exam:

• Microsoft Cybersecurity Architect (SC-100: Microsoft Cybersecurity Architect)

Get certified:

• Microsoft Certified: Cybersecurity Architect Expert