Microsoft Security Operations Analyst Exam (SC-200) Online Course

Microsoft Security Operations Analyst Exam (SC-200) Online Course

The role of a Microsoft Security Operations Analyst is critical in protecting an organization’s IT infrastructure. Tasked with minimizing risk, these professionals actively investigate and respond to threats, recommend best practices for threat protection, and report security policy violations to relevant stakeholders. Their responsibilities span threat detection, monitoring, and response using a range of Microsoft and third-party security tools.

This course prepares you to excel in that role by leveraging Microsoft 365 Defender, Microsoft Defender for Endpoint, Microsoft Defender for Cloud (formerly Azure Defender), and Microsoft Sentinel. You’ll gain hands-on experience investigating and mitigating threats across environments, and play a key role in configuring and operationalizing these security solutions.

Here’s what the course covers:

• Module 1: Mitigate threats using Microsoft 365 Defender

• Module 2: Mitigate threats using Microsoft Defender for Endpoint

• Module 3: Mitigate threats using Microsoft Defender for Cloud

• Module 4: Write effective queries in Microsoft Sentinel using Kusto Query Language (KQL)

• Module 5: Configure the Microsoft Sentinel environment

• Module 6: Connect logs and data sources to Microsoft Sentinel

• Module 7: Manage incidents, conduct threat response, use User and Entity Behavior Analytics (UEBA), and monitor security posture

• Module 8: Perform threat hunting with Microsoft Sentinel

By the end of the course, you'll have the skills, practical experience, and confidence needed to pass the SC-200 Microsoft Security Operations Analyst certification exam and step into a critical security role in any organization.

Who should take this Course?

The Microsoft Security Operations Analyst Exam (SC-200) Online Course is ideal for security analysts, incident responders, and IT professionals responsible for monitoring, detecting, and responding to cybersecurity threats using Microsoft security solutions. It’s also suitable for individuals preparing for the SC-200 certification exam and those seeking to enhance their skills in using tools like Microsoft 365 Defender, Azure Defender, and Azure Sentinel to protect organizational assets. Prior knowledge of Microsoft security concepts and networking fundamentals is recommended.

Course Table of Contents

Introduction

• The Need for SOC Team
• SC-200 - Microsoft Security Operations Analyst - Course Introduction
• SC-200 - Microsoft Security Operations Analyst - Recent Update

Module 1- Mitigate Threats Using Microsoft 365 Defender

• Module 1 - Learning Objectives
• Introduction to Threat Protection
• Microsoft 365 Defender Suite
• Typical Timeline of an Attack
• Microsoft 365 Defender - Interactive Demonstration
• Mitigate Incidents Using Microsoft 365 Defender - Chapter Introduction
• How to Create Your Playground - Lab Environment
• Microsoft 365 Defender Portal - Introduction
• Managing Incidents
• More about Incidents
• Simulate Incidents - Tor Browser
• Managing Incidents
• Managing Alerts
• Investigating Incidents - MITRE ATT-A-CK
• Advance Hunting
• Advance Hunting Schema
• Exploring the Kusto Queries
• Microsoft Threat Experts
• Microsoft Defender for Office 365 - Chapter Introduction
• Microsoft Defender for Office 365 - Key Capabilities
• Microsoft Defender for Office 365 - Key Capabilities - II
• Safeguard Your Organization- M365 Defender for O365 - Lab I
• Safeguard Your Organization- M365 Defender for O365 - Lab II
• Attack Simulation - Lab Activity
• Microsoft Defender for Identity - Introduction
• What Is Microsoft Defender for Identity
• Microsoft Defender for Identity - Key Capabilities
• Installing Sensors on Domain Controller - 1
• Installing Sensors on Domain Controller - 2
• Capturing Lateral Movements
• Threat Hunting Lab
• Microsoft Defender for Identity Sensors - Architecture
• Protect Your Identities with Azure AD Identity Protection - Introduction
• User Risks and Sign-In Risks
• User Risk Policy and Sign-In Risk Policy - Lab Activity
• Cloud App Security - Introduction
• The Cloud App Security Framework
• Conditional Access App Controls
• What Is Information Protection?
• Insider Risk Management - Enable Auditing
• Phases of Cloud App security
• Cloud App security Phases - Lab Activity
• Data Loss Prevention - Chapter Introduction
• DLP Alerts
• Create Policies for DLP in Compliance Portal
• Insider Risk Management
• What Is Insider Risk
• Pain Points of a Modern Workplace
• Insider Risk management with M365 Defender
• Insider Risk Management - Permissions
• Module 1 - Summary

Module 2 - Mitigate Threats Using Microsoft Defender for Endpoint

• Module 2 - Introduction
• Defender for Endpoint - Features
• Defender for Endpoint - Terminology
• Onboarding Devices to Defender
• Windows 10 Security Enhancements - Chapter Introduction
• Attack Surface Reduction Rules
• Attack Surface Rules
• Device Inventory
• Device Investigation -Alerts
• Behavioral Blocking
• Client Behavioral Blocking
• EDR- Block Mode
• EDR- Block Mode - Lab Activity
• Performing Actions on the Device
• Live Response
• Perform Evidence and Entities Investigations
• User Investigations
• Advance Automated Remediation Features - Endpoint
• Managing File Uploads
• Automation Folder Exclusion
• File Level Investigation
• Automating Device Group Remediation
• Blocking Risky Devices Using Intune, Defender, and Azure AD
• Configure Alerts and Detections - Chapter Introduction
• Configuring Advance Features
• Configuring Email Notifications
• Indicators of Compromise
• Threat and Vulnerability Management - Chapter Introduction
• Threat and Vulnerability Management - Explanation
• Module 2 - Summary

Module 3 - Mitigate Threats Using Microsoft Defender for Cloud

• Module 3 - Introduction
• What Is Azure Security Center
• Microsoft Defender for Cloud - Features
• Azure Defender for Cloud - Lab Activity
• CSPM and CWP
• Which Resources Are Protected Using Microsoft Defender
• Benefits of Azure Defender for Servers
• Defender for App Services
• Defender for App Services - Lab
• Defender for Storage - Lab
• Defender for SQL - Lab
• Defender for Keyvault
• Defender for DNS
• Defender for Kubernetes
• Defender for Container Registry
• Connect Azure Assets to Azure Defender- Chapter Introduction
• Asset Inventory - Lab
• Auto-Provisioning
• Stored Event Types
• Manual Provisioning
• Connect Non-Azure Resources to Defender
• Onboarding Methods
• Onboard GCP Instance to Azure ARC
• Onboarding AWS Services to Defender Cloud
• Remediating Security Alerts- Chapter Introduction
• Changing World and Attackers
• What Are Security Alerts and Notifications
• How Does a Defender Work?
• Alert Severity Level
• Continuous Monitoring and Assessments
• MITRE Attack Tactics and Alert Types
• Remediating Alerts
• Automated Responses
• Alert Suppression
• Module 3 - Summary

Module 4 - Create Queries for Microsoft Sentinel Using Kusto Query Language

• Module 4 - Introduction
• The Construct of KQL Language
• The Lab Environment
• Declaring Variables with Let
• Search and Where Operator
• Extend Operator
• Order by Usage
• Project Operator
• Summarize, Count, and DCount Functions
• Arg_Max and Arg_Min Functions
• Make_List and Make_Set Functions
• Render Operator
• Bin Function
• Union Operator
• Module 4 Summary

Module 5 - Microsoft Sentinel Environment - Configuration

• What Is a SIEM Solution
• What Is Microsoft Sentinel
• Microsoft Sentinel - Components
• Data Connectors
• Log Retention
• Workbooks
• Analytics Alerts
• Threat Hunting
• Incidents and Investigations
• Automation Playbooks
• Creating Azure Sentinel Workspace
• Azure Sentinel - RBAC
• Data Connectors
• Onboarding Windows host to Sentinel
• Ingesting Events to Sentinel
• Sentinel Watchlist
• Sentinel - Creating a Watchlist for Tor Nodes-Edited
• Sentinel - Create Hunting Query
• Sentinel - Live Stream
• Sentinel - Capturing Traffic from TOR Exit Nodes
• Sentinel - Create Analytical Rules
• Analytical Rule Type - Fusion
• Analytical Rule Types - Security Types
• Analytical Rule Types - ML-Based Behavioral Analytics
• Analytical Rule Types - Anomaly, Scheduled Alerts, and NRT
• Creating Analytics Rules Based on Template
• Creating Analytic Rules Based on Wizard
• Managing the Rules
• Define Threat Intelligence - CTI
• Create TI - Lab Activity

Module 6 - Microsoft Sentinel Environment - Connecting Logs

• Module 6 Introduction
• Connect M365 Defender to Sentinel
• Office 365 Log Connector
• Azure Activity Log Connector
• Azure Active Directory Identity Protection Connector
• Defender for Office 365 Connector
• Defender for Endpoint Connector
• Connect Threat Indicators to Microsoft Sentinel

Module 7 - Microsoft Sentinel Environment - Incidents, Threat Response, UEBA, and Monitoring

• Module 7 Introduction
• Key Concepts of Incident Management - I
• Investigations in Azure Sentinel
• Key Concepts of Incident Management - II
• Incident Management in Microsoft Sentinel - I
• Incident Management in Microsoft Sentinel - II
• Brute Force Attack against Azure Portal - Simulation
• Threat Response with Microsoft Sentinel Playbooks - Introduction/Use Case
• Step 1 - Creating Analytical Rule to Look for Role Membership Changes
• Step 2 - Integrate Log Analytics with Azure AD Audit Logs
• Step 3 - Verify Log Analytics
• Step 4 - Incident Creation in Sentinel
• Step 5 - Create Logic App to Integrate with Microsoft Teams
• Step 6 - Edit Analytical Rule to Add Logic App - Playbooks
• Testing the Integration
• UEBA - User Entity Behavior Analytics - Introduction
• Entity Behavior Lab -I
• Entity Behavior Lab -II
• Workbooks - Introduction
• Create Workbooks Using Template
• Create Workbook from scratch

Module 8 - Perform Threat Hunting with Microsoft Sentinel

• Module 8 Introduction
• Cyber Security Threat Hunting
• The Need for Proactive Hunting
• Develop a Threat Hunting Hypothesis
• Threat Hunting - Recap
• Notebooks - Introduction
• Sentinel Notebooks - Lab Activity

SC 200 - Microsoft Security Operations Analyst - Course Summary

• Microsoft Security Operations Analyst - Course Summary