SC-200 Preparation Details
Preparing for the SC-200 Microsoft Security Operations Analyst exam? Don’t know where to start? This post is the SC-200 Certificate Study Guide (with links to each exam objective).
I have curated a list of articles from Microsoft documentation for each objective of the SC-200 exam. Please share this post within your circles so it helps others prepare for the exam.
Exam Voucher for SC-200 with 1 Retake
Get 40% OFF with the combo
SC-200 Microsoft Security Operations Analyst
Udemy | Introduction to Cloud Security with Microsoft
Pluralsight | Managing Security Operations in Azure
LinkedIn Learning (Free trial) | Manage Microsoft security operations
SC-200 Microsoft Security Analyst Practice Test
Whizlabs Exam Questions | Microsoft Security Analyst Practice Test
Udemy Practice Tests | Security Operations Analyst Test
Amazon e-book (PDF) | Microsoft Azure Security Infrastructure
Looking for SC-200 Dumps? Read This!
Using SC-200 exam dumps can get you permanently banned from taking any future Microsoft certification exam. Read the FAQ page for more information. Instead, I strongly suggest you validate your understanding with practice questions.
Check out all the other Azure certificate study guides
Full Disclosure: Some of the links in this post are affiliate links. I receive a commission when you purchase through them.
Mitigate Threats Using Microsoft 365 Defender (25-30%)
Detect, Investigate, Respond, and Remediate Threats to the Productivity Environment by Using Microsoft Defender for Office 365
Detect, investigate, respond, remediate Microsoft Teams, SharePoint, and OneDrive for Business threats
Threat Explorer and Real-time detections
Threat investigation and response
Threat intelligence to protect, detect & respond to threats
Remediate malicious email delivered in Office 365
Detect, investigate, respond, remediate threats to email by using Defender for Office 365
Threat Explorer and Real-time detections
Automated investigation & response in Defender for Office 365
AIR in Microsoft Defender for Office 365
Remediation actions in Microsoft Defender for Office 365
Manage data loss prevention policy alerts
Review and manage Microsoft DLP alerts
Configure and view alerts for DLP policies
Assess and recommend sensitivity labels
Use sensitivity labels to prioritize incident response
Assess and recommend insider risk policies
Insider risk management policies
Detect, Investigate, Respond, and Remediate Endpoint Threats by Using Microsoft Defender for Endpoint
Manage data retention, alert notification, and advanced features
Data Retention
What is Microsoft’s data retention policy?
Update data retention settings for Endpoint
Alert notifications
Manage Microsoft Defender for Endpoint alerts
Advanced features
Configure device attack surface reduction rules
Enable attack surface reduction rules
Use attack surface reduction rules to prevent malware infection
Configure and manage custom detections and alerts
Review alerts in Microsoft Defender for Endpoint
Respond to incidents and alerts
Take response actions on a device
Manage automated investigations and remediations
Overview of automated investigations
Configure automated investigation & remediation capabilities
Assess and recommend endpoint configurations to reduce and remediate vulnerabilities by using Microsoft’s Threat and Vulnerability Management solution
Microsoft’s Threat & Vulnerability Management
Threat and vulnerability management
Remediate vulnerabilities with threat & vulnerability management
Manage Microsoft Defender for Endpoint threat indicators
Analyze Microsoft Defender for Endpoint threat analytics
Understand the analyst report in threat analytics
Detect, Investigate, Respond, and Remediate Identity Threats
Identify and remediate security risks related to sign-in risk policies
Unblocking based on sign-in risk
Identify and remediate security risks related to Conditional Access events
Configure Conditional Access in Microsoft Defender
Identify and remediate security risks related to Azure Active Directory
Remediate users flagged for risk in Azure AD
Identify and remediate security risks using Secure Score
Remediate recommendations in Azure Security Center
Identify, investigate, and remediate security risks related to privileged identities
Lower exposure of privileged accounts
Configure detection alerts in Azure AD Identity Protection
Detect risks with Azure AD Identity Protection policies
Azure Active Directory Identity Protection notifications
Identify and remediate security risks related to Active Directory Domain Services using Microsoft Defender for Identity
Microsoft Defender for Identity FAQs
Identify, investigate, and remediate security risks by using Microsoft Cloud Application Security (MCAS)
Investigate cloud app risks & suspicious activity
Configure MCAS to generate alerts and reports to detect threats
Generate data management reports
Manage Cross-domain Investigations in Microsoft 365 Defender Portal
Manage incidents across Microsoft 365 Defender products
Manage incidents in Microsoft 365 Defender
Manage actions pending approval across products
View and manage actions in the Action center
Perform advanced threat hunting
Hunt threats with advanced hunting in Microsoft 365 Defender
Proactively hunt for threats with advanced hunting
Mitigate Threats Using Azure Defender (25-30%)
Design and Configure an Azure Defender Implementation
Plan and configure an Azure Defender workspace
Configure Azure Defender roles
Create & manage roles for role-based access control
Manage portal access using RBAC
Configure data retention policies
Microsoft’s data retention policy
Assess and recommend cloud workload protection
Introduction to Azure Defender
Plan and Implement the Use of Data Connectors for Ingestion of Data Sources in Azure Defender
Identify data sources to be ingested for Azure Defender
Categorize Microsoft alerts across data sources
Configure Automated Onboarding for Azure resources
Automate onboarding of Azure Security Center
Connect non-Azure machine onboarding
Connect AWS cloud resources
Connect your AWS accounts to Azure Security Center
Connect GCP cloud resources
Connect your GCP accounts to Azure Security Center
Configure data collection
Manage Azure Defender Alert Rules
Validate alert configuration
Validating Azure Defender for DNS alerts
Alert validation in Azure Security Center
Set up email notifications
Configure email notifications for security alerts
Create and manage alert suppression rules
Suppress alerts from Azure Defender
Configure Automation and Remediation
Configure automated responses in Azure Security Center
Automate responses to Security Center triggers
Design and configure playbook in Azure Defender
Remediate incidents by using Azure Defender recommendations
Remediate recommendations in Azure Security Center
Create an automatic response using an Azure Resource Manager template
Create an automatic response using an ARM template
Investigate Azure Defender Alerts and Incidents
Describe alert types for Azure workloads
Security alerts – a reference guide
Manage security alerts
Manage security incidents
Incidents in Azure Security Center
Analyze Azure Defender threat intelligence
Azure Defender powered by Microsoft threat intelligence
Respond to Azure Defender for Key Vault alerts
Respond to Azure Defender for Key Vault alerts
Manage user data discovered during an investigation
How does Azure Security Center help analyze attacks using Investigation?
Mitigate Threats Using Azure Sentinel (40-45%)
Design and Configure an Azure Sentinel Workspace
Plan an Azure Sentinel workspace
Plan for the Azure Sentinel workspace
Configure Azure Sentinel roles
Design Azure Sentinel data storage
Move Azure Sentinel logs to long-term storage
Use Azure Data Explorer for retention of Azure Sentinel logs
Configure Azure Sentinel service security
Azure security baseline for Azure Sentinel
Plan and Implement the Use of Data Connectors for Ingestion of Data Sources in Azure Sentinel
Identify data sources to be ingested for Azure Sentinel
Identify the prerequisites for a data connector
Configure and use Azure Sentinel data connectors
Connect data to Azure Sentinel using data connectors
Design Syslog and CEF collections
Collect data from Linux-based sources using Syslog
Connect your external solution using Common Event Format
Best Practices for CEF collection in Azure Sentinel
Design and Configure Windows Events collections
Connect Windows security events
Configure custom threat intelligence connectors
Connect data from threat intelligence providers
Create custom logs in Azure Log Analytics to store custom data
Collect custom logs with Log Analytics agent
Manage Azure Sentinel Analytics Rules
Design and configure analytics rules
Define rule query logic & configure settings
Create custom analytics rules to detect threats
Create a custom analytics rule with a scheduled query
Activate Microsoft security analytical rules
Using Microsoft Security incident creation analytics rules
Configure connector provided scheduled queries
Azure Sentinel: The connectors grand
Operationalize Azure Sentinel: From log ingestion to incident detection
Configure custom scheduled queries
Create a custom analytics rule with a scheduled query
Define incident creation logic
Configure the incident creation settings
Configure Security Orchestration Automation and Remediation (SOAR) in Azure Sentinel
Create Azure Sentinel playbooks
Use playbooks with automation rules in Azure Sentinel
Configure rules and incidents to trigger playbooks
Automate threat response with playbooks in Azure Sentinel
Use playbooks to remediate threats
Use playbooks with automation rules in Azure Sentinel
Use playbooks to manage incidents
Configure security playbook in Azure Sentinel
Use playbooks across Microsoft Defender solutions
Security automation & orchestration
Azure Sentinel Microsoft Defender ATP
Manage Azure Sentinel Incidents
Investigate incidents in Azure Sentinel
Investigate incidents with Azure Sentinel
Triage incidents in Azure Sentinel
Respond to incidents in Azure Sentinel
Investigate multi-workspace incidents
Work with incidents in many workspaces at once
Cross workspace Hunting is now available
Identify advanced threats with User and Entity Behavior Analytics (UEBA)
Identify advanced threats with UEBA in Azure Sentinel
Use Azure Sentinel Workbooks to Analyze and Interpret Data
Activate and customize Azure Sentinel workbook templates
Workbooks vs. workbook templates
ARM template for deploying a workbook template
Create custom workbooks
Configure advanced visualizations
Query and visualize data with Azure Sentinel Workbooks
View and analyze Azure Sentinel data using workbooks
Visualize and monitor your data
Visualize data in Azure Sentinel
Track incident metrics using the security operations efficiency workbook
Manage your SOC better with incident metrics
Hunt for Threats Using the Azure Sentinel Portal
Create custom hunting queries
Create custom queries to refine threat hunting
Creating custom Azure Sentinel Hunting queries
Run hunting queries manually
Hunt for threats by using Azure Sentinel
Monitor hunting queries by using Livestream
Manage hunting and Livestream queries in Azure Sentinel
Perform advanced hunting with notebooks
Use Jupyter Notebook to hunt for security threats
Hunt for threats using notebooks in Azure Sentinel
Track query results with bookmarks
Use hunting bookmarks for data investigations
Explore bookmarks in the investigation graph
Convert a hunting query to an analytical rule
Turning Hunting queries into Analytics Rules
Threat hunting vs Analytics rule
This brings us to the end of the SC-200 Microsoft Security Operations Analyst exam study guide.
What do you think? Let me know in the comments section if I have missed anything. Also, I would love to hear how your SC-200 exam preparation is going!
In case you are preparing for other Azure certification exams, check out the Azure study guide for those exams.
Follow Me to Receive Updates on SC-200 Exam
Want to be notified as soon as I post? Subscribe to the RSS feed or leave your email address in the subscribe section. Share the article on your social networks with the links below so it can benefit others.