
Microsoft Security Operations Analyst Certification Tests

Published on 27 Jan 2022

Udemy UK

Description

The Microsoft Security Operations Analyst certificate examination assesses your ability to carry out technical activities such as defending against threats with Microsoft 365 Defender, defending against threats with Azure Defender, and defending against threats with Azure Sentinel. As a Security Operations Analyst, you will work on the organization's information security and ensure that its overall security goals are met.


Skills Acquired

Below is the list of skills and knowledge you will learn:

  • Firstly, as a Microsoft Security Operations Analyst, you will be required to perform threat management, monitoring, and response by using a variety of security solutions across the environment.

  • The role primarily investigates, responds to, and hunts for threats using Microsoft Azure Sentinel, Azure Defender, Microsoft 365 Defender, and third-party security products.

Exam Overview

  • Firstly, the Microsoft Security Operations Analyst examination fee is $165 USD.

  • Secondly, talking about the Microsoft Security Operations Analyst exam questions, there will be 40-60 questions.

  • Thirdly, the exam is available in the English language only.

  • Next, the passing mark for Microsoft Security Operations Analyst is 700 on a scale of 1-1000.

  • Lastly, the SC-200 exam format is multiple choice and multiple response questions.

Mitigate threats using Microsoft 365 Defender (25-30%)

Detect, investigate, respond, and remediate threats to the productivity environment by using Microsoft Defender for Office 365

  • Firstly, detect, investigate, respond, remediate Microsoft Teams, SharePoint, and OneDrive for Business threats (Microsoft Documentation: Understanding Threat Explorer and Real-time detections, Understanding Threat investigation and response, Understanding Threat intelligence to protect, detect & respond to threats, Understanding Remediate malicious email delivered in Office 365)

  • Secondly, detect, investigate, respond, remediate threats to email by using Defender for Office 365 (Microsoft Documentation: Understanding Threat Explorer and Real-time detections, Understanding Automated investigation & response in Defender for Office 365, Understanding AIR in Microsoft Defender for Office 365, Understanding Remediation actions in Microsoft Defender for Office 365)

  • manage data loss prevention policy alerts (Microsoft Documentation: Understanding Review and manage Microsoft DLP alerts, Understanding Configure and view alerts for DLP policies)

  • assess and recommend sensitivity labels (Microsoft Documentation: Learning about Use sensitivity labels to prioritize incident response)

  • assess and recommend insider risk policies (Microsoft Documentation: Understanding Insider risk management policies)

Detect, investigate, respond, and remediate endpoint threats by using Microsoft Defender for Endpoint


  • configure device attack surface reduction rules (Microsoft Documentation: Understanding Enable attack surface reduction rules, Understanding Use attack surface reduction rules to prevent malware infection)

  • configure and manage custom detections and alerts (Microsoft Documentation: Understanding Custom detections overview, Understanding Create custom detection rules, Understanding Review alerts in Microsoft Defender for Endpoint)

  • respond to incidents and alerts (Microsoft Documentation: Understanding Take response actions on a device)

  • manage automated investigations and remediations (Microsoft Documentation: Understanding Overview of automated investigations, Understanding Configure automated investigation & remediation capabilities)

  • assess and recommend endpoint configurations to reduce and remediate vulnerabilities by using Microsoft's Threat and Vulnerability Management solution (Microsoft Documentation: Understanding Microsoft's Threat & Vulnerability Management, Understanding Threat and vulnerability management, Understanding Remediate vulnerabilities with threat & vulnerability management)

  • manage Microsoft Defender for Endpoint threat indicators (Microsoft Documentation: Understanding Manage indicators)

  • analyze Microsoft Defender for Endpoint threat analytics (Microsoft Documentation: Understand the analyst report in threat analytics)

Detect, investigate, respond, and remediate identity threats

  • Firstly, identify and remediate security risks related to sign-in risk policies (Microsoft Documentation: Understanding Unblocking based on sign-in risk)

  • Secondly, identify and remediate security risks related to Conditional Access events (Microsoft Documentation: Understanding Configure Conditional Access in Microsoft Defender)

  • Thirdly, identify and remediate security risks related to Azure Active Directory (Microsoft Documentation: Understanding Remediate risks in Azure AD, Understanding Remediate users flagged for risk in Azure AD)

  • identify and remediate security risks using Secure Score (Microsoft Documentation: Understanding Remediate recommendations in Azure Security Center)

  • identify, investigate, and remediate security risks related to privileged identities (Microsoft Documentation: Understanding Lower exposure of privileged accounts)

  • configure detection alerts in Azure AD Identity Protection (Microsoft Documentation: Understanding Detect risks with Azure AD Identity Protection policies, Understanding Azure Active Directory Identity Protection notifications)

  • identify and remediate security risks related to Active Directory Domain Services using Microsoft Defender for Identity (Microsoft Documentation: Understanding Investigate a domain)

  • identify, investigate, and remediate security risks by using Microsoft Cloud Application Security (MCAS) (Microsoft Documentation: Understanding Investigate cloud app risks & suspicious activity)

  • configure MCAS to generate alerts and reports to detect threats (Microsoft Documentation: Understanding Manage alerts, Understanding Generate data management reports)

Manage cross-domain investigations in Microsoft 365 Defender Portal

  • Firstly, manage incidents across Microsoft 365 Defender products (Microsoft Documentation: Understanding Manage incidents in Microsoft 365 Defender)

  • Secondly, manage actions pending approval across products (Microsoft Documentation: Understanding The Action center, Understanding View and manage actions in the Action center)

  • perform advanced threat hunting (Microsoft Documentation: Understanding Hunt threats with advanced hunting in Microsoft 365 Defender, Understanding Proactively hunt for threats with advanced hunting)

Mitigate threats using Azure Defender (25-30%)

Design and configure an Azure Defender implementation

  • plan and configure an Azure Defender workspace (Microsoft Documentation: Understanding Enable Azure Defender)

  • configure Azure Defender roles (Microsoft Documentation: Understanding Create & manage roles for role-based access control, Understanding Manage portal access using RBAC)

  • configure data retention policies (Microsoft Documentation: Understanding Microsoft’s data retention policy)

  • assess and recommend cloud workload protection (Microsoft Documentation: Understanding Introduction to Azure Defender)

Plan and implement the use of data connectors for ingestion of data sources in Azure Defender

  • identify data sources to be ingested for Azure Defender (Microsoft Documentation: Understanding Categorize Microsoft alerts across data sources)

  • configure Automated Onboarding for Azure resources (Microsoft Documentation: Understanding Automate onboarding, Understanding Automate onboarding of Azure Security Center)

  • connect non-Azure machine onboarding (Microsoft Documentation: Understanding Connect non-Azure machines)

  • Next, connect AWS cloud resources (Microsoft Documentation: Understanding Connect your AWS accounts, Understanding Connect your AWS accounts to Azure Security Center)

  • connect GCP cloud resources (Microsoft Documentation: Understanding Connect your GCP accounts, Understanding Connect your GCP accounts to Azure Security Center)

  • configure data collection (Microsoft Documentation: Understanding Enable data collection)

Manage Azure Defender alert rules

  • validate alert configuration (Microsoft Documentation: Understanding Validating Azure Defender for DNS alerts, Understanding Alert validation in Azure Security Center)

  • setup email notifications (Microsoft Documentation: Understanding Configure email notifications for security alerts)

  • create and manage alert suppression rules (Microsoft Documentation: Understanding Suppress alerts from Azure Defender, Understanding Manage suppression rules)

Configure automation and remediation

  • Firstly, configure automated responses in Azure Security Center (Microsoft Documentation: Understanding Automate responses to Security Center triggers)

  • Secondly, design and configure playbook in Azure Defender (Microsoft Documentation: Understanding Reconnaissance playbook)

  • Thirdly, remediate incidents by using Azure Defender recommendations (Microsoft Documentation: Understanding Remediate recommendations in Azure Security Center)

  • create an automatic response using an Azure Resource Manager template (Microsoft Documentation: Understanding Create an automatic response using an ARM template)

Investigate Azure Defender alerts and incidents

  • Firstly, describe alert types for Azure workloads (Microsoft Documentation: Understanding Security alerts – a reference guide)

  • Secondly, manage security alerts (Microsoft Documentation: Understanding What are security alerts?)

  • Thirdly, manage security incidents (Microsoft Documentation: Understanding Incidents in Azure Security Center)

  • analyze Azure Defender threat intelligence (Microsoft Documentation: Understanding Threat intelligence, Understanding Azure Defender powered by Microsoft threat intelligence)

  • respond to Azure Defender for Key Vault alerts (Microsoft Documentation: Understanding Respond to Azure Defender for Key Vault alerts)

  • manage user data discovered during an investigation (Microsoft Documentation: Understanding How does Azure Security Center help analyze attacks using Investigation?)

Mitigate threats using Azure Sentinel (40-45%)

Design and configure an Azure Sentinel workspace

  • Firstly, plan an Azure Sentinel workspace (Microsoft Documentation: Understanding Plan for the Azure Sentinel workspace)

  • Secondly, configure Azure Sentinel roles (Microsoft Documentation: Understanding Permissions in Azure Sentinel)

  • Thirdly, design Azure Sentinel data storage (Microsoft Documentation: Understanding Move Azure Sentinel logs to long-term storage, Understanding Use Azure Data Explorer for retention of Azure Sentinel logs)

  • configure Azure Sentinel service security (Microsoft Documentation: Understanding Azure security baseline for Azure Sentinel)

Plan and Implement the use of Data Connectors for Ingestion of Data Sources in Azure Sentinel

  • identify data sources to be ingested for Azure Sentinel (Microsoft Documentation: Understanding Connect data sources)

  • identify the prerequisites for a data connector (Microsoft Documentation: Understanding On-board Azure Sentinel)

  • configure and use Azure Sentinel data connectors (Microsoft Documentation: Understanding Connect data to Azure Sentinel using data connectors)

  • design Syslog and CEF collections (Microsoft Documentation: Understanding Collect data from Linux-based sources using Syslog, Understanding Connect your external solution using Common Event Format, Understanding Best Practices for CEF collection in Azure Sentinel)

  • design and Configure Windows Events collections (Microsoft Documentation: Understanding Connect Windows security events)

  • configure custom threat intelligence connectors (Microsoft Documentation: Understanding Connect data from threat intelligence providers)

  • create custom logs in Azure Log Analytics to store custom data (Microsoft Documentation: Understanding Collect custom logs with Log Analytics agent)

Manage Azure Sentinel analytics rules

  • design and configure analytics rules (Microsoft Documentation: Understanding Define rule query logic & configure settings)

  • create custom analytics rules to detect threats (Microsoft Documentation: Understanding Create a custom analytics rule with a scheduled query)

  • activate Microsoft security analytical rules (Microsoft Documentation: Understanding Using Microsoft Security incident creation analytics rules)

  • configure connector provided scheduled queries (Microsoft Documentation: Understanding Azure Sentinel: The connectors grand)

  • Next, configure custom scheduled queries (Microsoft Documentation: Understanding Create a custom analytics rule with a scheduled query)

  • define incident creation logic (Microsoft Documentation: Understanding Configure the incident creation settings)

Configure Security Orchestration Automation and Remediation (SOAR) in Azure Sentinel

  • Firstly, create Azure Sentinel playbooks (Microsoft Documentation: Understanding Use playbooks with automation rules in Azure Sentinel)

  • Secondly, configure rules and incidents to trigger playbooks (Microsoft Documentation: Understanding Choose the trigger, Understanding Automate threat response with playbooks in Azure Sentinel)

  • Thirdly, use playbooks to remediate threats (Microsoft Documentation: Understanding Use playbooks with automation rules in Azure Sentinel)

  • Next, use playbooks to manage incidents

  • Last but not least, use playbooks across Microsoft Defender solutions (Microsoft Documentation: Understanding Security automation & orchestration)

Manage Azure Sentinel Incidents

  • Firstly, investigate incidents in Azure Sentinel (Microsoft Documentation: Understanding Investigate incidents with Azure Sentinel)

  • Secondly, triage incidents in Azure Sentinel (Microsoft Documentation: Understanding Triage security alerts)

  • Thirdly, respond to incidents in Azure Sentinel (Microsoft Documentation: Understanding Respond to a security alert)

  • investigate multi-workspace incidents (Microsoft Documentation: Understanding Work with incidents in many workspaces at once)

  • identify advanced threats with User and Entity Behavior Analytics (UEBA) (Microsoft Documentation: Understanding Identify advanced threats with UEBA in Azure Sentinel)

Use Azure Sentinel workbooks to analyze and interpret data

  • Firstly, activate and customize Azure Sentinel workbook templates (Microsoft Documentation: Understanding Workbooks vs. workbook templates, Understanding ARM template for deploying a workbook template)

  • Secondly, create custom workbooks (Microsoft Documentation: Understanding Create new workbooks)

  • Next, configure advanced visualizations (Microsoft Documentation: Understanding Query and visualize data with Azure Sentinel Workbooks)

  • view and analyze Azure Sentinel data using workbooks (Microsoft Documentation: Understanding Visualize and monitor your data, Understanding Visualize data in Azure Sentinel)

  • track incident metrics using the security operations efficiency workbook (Microsoft Documentation: Understanding Manage your SOC better with incident metrics)

Hunt for threats using the Azure Sentinel portal

  • Firstly, create custom hunting queries (Microsoft Documentation: Understanding Create custom queries to refine threat hunting)

  • Secondly, run hunting queries manually (Microsoft Documentation: Understanding Hunt for threats by using Azure Sentinel)

  • monitor hunting queries by using Livestream (Microsoft Documentation: Understanding Manage hunting and Livestream queries in Azure Sentinel)

  • perform advanced hunting with notebooks (Microsoft Documentation: Understanding Use Jupyter Notebook to hunt for security threats, Understanding Hunt for threats using notebooks in Azure Sentinel)

  • track query results with bookmarks (Microsoft Documentation: Understanding Track query results)

  • use hunting bookmarks for data investigations (Microsoft Documentation: Understanding Explore bookmarks in the investigation graph)

  • convert a hunting query to an analytical rule (Microsoft Documentation: Understanding Threat hunting vs Analytics rule)

Who this course is for:

Please note that coupons last a maximum of 4 days or until 1000 enrollments are used up, but they may expire at any time. Get the course with the coupon by clicking the following button:

(Coupon valid for the first 1000 enrollments): D805E80DD1AF8405CAA1