Microsoft Security Operations Analyst (SC-200)

In this course, you will learn how to use these technologies to defend against cyber threats. In particular, you will configure and use Azure Sentinel and use Kusto Query Language (KQL) to detect, analyze and report. The course is designed for individuals working in a security operations job role and will help you prepare for the SC-200: Microsoft Security Operations Analyst exam.

Module 1: Defending against threats using Microsoft 365 Defender

Analyze threat data across domains and quickly remediate threats using the built-in orchestration and automation in Microsoft 365 Defender. Learn more about cybersecurity threats and how Microsoft's new threat protection tools protect your organization's users, devices and data. Use advanced identity-based threat detection and remediation to protect your Azure Active Directory identities and applications from attacks.

Lessons

• Introduction to threat protection with Microsoft 365
• Mitigating incidents with the help of Microsoft 365 Defender
• Minimize risks with Microsoft Defender for Office 365
• Microsoft Defender for Identity
• Protect your identities with Azure AD Identity Protection
• Microsoft Defender for Cloud Apps
• Respond to alerts to prevent data loss using Microsoft 365
• Managing insider risk in Microsoft 365

Lab: Defense against threats with the help of Microsoft 365 Defender

• Explore Microsoft 365 Defender

Module 2: Defending against threats using Microsoft Defender for Endpoint

Deploy the Microsoft Defender for Endpoint platform to detect, investigate and respond to advanced threats. Learn how Microsoft Defender for Endpoint can improve your organization's security. Learn how to deploy the Microsoft Defender for Endpoint environment, including device onboarding and security configuration. Learn how to investigate incidents and alerts using Microsoft Defender for Endpoint. You will be able to perform an advanced threat scan and consult with threat experts. You will also learn how to configure automation in Microsoft Defender for Endpoint by managing environment settings. Finally, you will learn about the vulnerabilities of your environment through threat and vulnerability management in Microsoft Defender for Endpoint.

Lessons

• Protect against threats with Microsoft Defender for Endpoint
• Deploy Microsoft Defender for endpoint environment
• Implement Windows security enhancements
• Carrying out device inspections
• Performing actions on a device
• Carrying out evidence and entity investigations
• Configuring and managing automation
• Configuring warnings and detections
• Benefits of threat and security risk management

Lab: Defend against threats with Microsoft 365 Defender for Endpoint

• Deploy Microsoft Defender for Endpoint
• Mitigate attacks with Defender for Endpoint

Module 3: Defending against threats with Microsoft Defender for Cloud

Using Microsoft Defender for Cloud, for Azure, Hybrid Cloud and on-premises workload protection and on-premises security. Learn more about the purpose of Microsoft Defender for Cloud and how to enable it. Also learn more about the protection and detection capabilities provided by Microsoft Defender for Cloud for each cloud workload. Learn how to add Microsoft Defender for Cloud features to your hybrid environment.

Lessons

• Planning workload protection in the cloud with Microsoft Defender for Cloud
• Protect workloads with Microsoft Defender for Cloud
• Connecting Azure resources with Microsoft Defender for Cloud
• Connect non-Azure resources with Microsoft Defender for Cloud
• Fixing security alerts with Microsoft Defender for Cloud

Lab: Defending against threats with Microsoft Defender for Cloud

• Deploy Microsoft Defender for Cloud
• Mitigating attacks with Microsoft Defender for Cloud

Module 4: Creating queries for Microsoft Sentinel using Kusto Query Language (KQL)

Write the KQL (Kusto Query Language) statements to query log data to perform detection, analysis and reporting in Microsoft Sentinel. This module focuses on the most commonly used operators. Security-related table queries are presented in the KQL sample instructions. KQL is the query language used to explore data to create analytics and workbooks and perform hunting operations in Microsoft Sentinel. Below you will find information on how to create complex statements using the basic KQL statement structure. Here you will learn how to summarize and visualize data in a KQL statement. This is the basis for creating detections in Microsoft Sentinel. Learn how to use the Kusto Query Language (KQL) to manipulate string data collected from log sources.

Lessons

• Creating KQL statements for Microsoft Sentinel
• Analyzing query results with the help of KQL
• Creating statements with multiple tables using KQL
• Working with string data using KQL statements

Lab: Creating queries for Microsoft Sentinel using Kusto Query Language (KQL)

Module 5: Configuring your Microsoft Sentinel environment

Getting started with Microsoft Sentinel by properly configuring the Microsoft Sentinel workspace. Setting up and configuring traditional SIEM (Security Information & Event Management) systems usually takes a lot of time. In addition, these systems are not necessarily designed for cloud workloads. Microsoft Sentinel allows you to quickly gain valuable security insights from your cloud and local data. This module will help you get started. Below you will find information on how to use the Microsoft Sentinel workspace architecture to configure your system to meet your organization's security requirements. As a Security Operations Analyst, you need to understand the tables, fields and data that are captured in your workspace. Learn how to query the most commonly used data tables in Microsoft Sentinel.

Lessons

• Introduction to Microsoft Sentinel
• Create and manage Microsoft Sentinel workspaces
• Querying logs in Microsoft Sentinel
• Using watchlists in Microsoft Sentinel
• Using threat intelligence in Microsoft Sentinel

Lab: Configuring your Microsoft Sentinel environment

Module 6: Connecting logs to Microsoft Sentinel

Connect data at cloud level with Microsoft Sentinel - across users, applications and infrastructures as well as locally and in multiple clouds. The data connectors provided by Microsoft Sentinel are primarily used to connect log data. This module provides an overview of the available data connectors. You will learn about the configuration options and data provided by Microsoft Sentinel connectors for Microsoft 365 Defender.

Lessons

• Connecting data with Microsoft Sentinel using data connectors
• Establishing a connection from Microsoft services with Microsoft Sentinel
• Connecting Microsoft 365 Defender with Microsoft Sentinel
• Connecting Windows hosts with Microsoft Sentinel
• Connecting Common Event Format logs with Microsoft Sentinel
• Connecting syslog data sources with Microsoft Sentinel
• Connecting threat indicators with Microsoft Sentinel

Lab: Connecting protocols with Microsoft Sentinel

• Connecting data with Microsoft Sentinel using data connectors
• Connecting Windows devices to Microsoft Sentinel via data connectors
• Connecting Linux hosts to Microsoft Sentinel via data connectors
• Connecting Threat Intelligence with Microsoft Sentinel via data connectors

Module 7: Creating detections and conducting investigations using Microsoft Sentinel

Detect previously undetected threats and quickly remediate threats with built-in orchestration and automation in Microsoft Sentinel. Learn how to respond to security threats with Microsoft Sentinel playbooks. You will look at incident management in Microsoft Sentinel, get information about events and entities in Microsoft Sentinel and learn ways to resolve incidents. You will also learn more about querying, visualizing and monitoring data in Microsoft Sentinel.

Lessons

• Threat detection with Microsoft Sentinel analyses
• Management of security incidents in Microsoft Sentinel
• Responding to threats with Microsoft Sentinel playbooks
• User and Entity Behavior Analytics in Microsoft Sentinel
• Query, visualize and monitor data in Microsoft Sentinel

Lab: Create detections and perform investigations using Microsoft Sentinel

• Activate a Microsoft security rule
• Creating a playbook
• Creating a planned query
• Understanding recognition modeling
• Carrying out attacks
• Creating recognitions
• Investigating incidents
• Creating workbooks

Module 8: Executing a threat scan in Microsoft Sentinel

In this module, you will learn how to proactively identify threat behaviors using Microsoft Sentinel queries. You will also learn how to use bookmarks and live streams to search for threats. You will also learn how to use notebooks in Microsoft Sentinel for advanced threat hunting.

Lessons

• Concepts for threat hunting in Microsoft Sentinel
• Threat hunting with Microsoft Sentinel
• Search for threats using notebooks in Microsoft Sentinel

Lab: Running a threat scan in Microsoft Sentinel

• Executing a threat scan in Microsoft Sentinel
• Threat hunting using notebooks with Microsoft Sentinel