- Home
- IT Courses
- MS-SC200T00: Microsoft Security Operations Analyst
MS-SC200T00: Microsoft Security Operations Analyst
Course Code: MS-SC200T00
Learn how to investigate, respond to, and hunt for threats using Microsoft Azure Sentinel, Azure Defender, and Microsoft 365 Defender. In this course you will learn how to mitigate cyberthreats using these technologies. Specifically, you will configure and use Azure Sentinel as well as utilize Kusto Query Language (KQL) to perform detection, analysis, and reporting. The course was designed for people who work in a Security Operations job role and helps learners prepare for the exam SC-200: Microsoft Security Operations Analyst.
The Microsoft Security Operations Analyst collaborates with organizational stakeholders to secure information technology systems for the organization. Their goal is to reduce organizational risk by rapidly remediating active attacks in the environment, advising on improvements to threat protection practices, and referring violations of organizational policies to appropriate stakeholders. Responsibilities include threat management, monitoring, and response by using a variety of security solutions across their environment. The role primarily investigates, responds to, and hunts for threats using Microsoft Azure Sentinel, Azure Defender, Microsoft 365 Defender, and third-party security products. Since the Security Operations Analyst consumes the operational output of these tools, they are also a critical stakeholder in the configuration and deployment of these technologies.
Before attending this course, students must have:
- Basic understanding of Microsoft 365
- Fundamental understanding of Microsoft security, compliance, and identity products
- Intermediate understanding of Windows 10
- Familiarity with Azure services, specifically Azure SQL Database and Azure Storage
- Familiarity with Azure virtual machines and virtual networking
- Basic understanding of scripting concepts.
After completing this course, students will be able to:
- Explain how Microsoft Defender for Endpoint can remediate risks in your environment
- Create a Microsoft Defender for Endpoint environment
- Configure Attack Surface Reduction rules on Windows 10 devices
This course will prepare delegates to write the Microsoft Certified: Security Operations Analyst Associate Exam.
Modules
In this module, you'll learn how to use the Microsoft 365 Defender integrated threat protection suite.
Lessons
- Introduction
- Explore Extended Detection & Response (XDR) response use cases
- Understand Microsoft Defender XDR in a Security Operations Center (SOC)
- Explore Microsoft Security Graph
- Investigate security incidents in Microsoft Defender XDR
- Knowledge check
- Summary and resources
Learning objectives
- Understand Microsoft Defender XDR solutions by domain
- Understand the Microsoft Defender XDR role in a Modern SOC
Learn how the Microsoft 365 Defender portal provides a unified view of incidents from the Microsoft 365 Defender family of products.
Lessons
- Introduction
- Use the Microsoft Defender portal
- Manage incidents
- Investigate incidents
- Manage and investigate alerts
- Manage automated investigations
- Use the action center
- Explore advanced hunting
- Investigate Microsoft Entra sign-in logs
- Understand Microsoft Secure Score
- Analyse threat analytics
- Analyse reports
- Configure the Microsoft Defender portal
- Knowledge check
- Summary and resources
Learning Objectives
- Manage incidents in Microsoft 365 Defender
- Investigate incidents in Microsoft 365 Defender
- Conduct advanced hunting in Microsoft 365 Defender
Protecting a user's identity by monitoring their usage and sign-in patterns ensure a secure cloud solution. Explore how to design and implement Microsoft Entra Identity protection.
Lessons
- Introduction
- Review identity protection basics
- Implement and manage user risk policy
- Exercise enable sign-in risk policy
- Exercise configure Microsoft Entra multifactor authentication registration policy
- Monitor, investigate, and remediate elevated risky users
- Implement security for workload identities
- Explore Microsoft Defender for Identity
- Knowledge check
- Summary and resources
Learning objectives
- Implement and manage a user risk policy.
- Implement and manage sign-in risk policies.
- Implement and manage MFA registration policy.
- Monitor, investigate, and remediate elevated risky users.
Learn about the Microsoft Defender for Identity component of Microsoft 365 Defender.
Lessons
- Introduction to Microsoft Defender for Identity
- Configure Microsoft Defender for Identity sensors
- Review compromised accounts or data
- Integrate with other Microsoft tools
- Summary and knowledge check
Learning objectives
- Define the capabilities of Microsoft Defender for Identity.
- Understand how to configure Microsoft Defender for Identity sensors.
- Explain how Microsoft Defender for Identity can remediate risks in your environment.
Learn about the Microsoft Defender for Office 365 component of Microsoft 365 Defender.
Lessons
- Introduction to Microsoft Defender for Office 365
- Automate, investigate, and remediate
- Configure, protect, and detect
- Simulate attacks
- Summary and knowledge check
Learning objectives
- Define the capabilities of Microsoft Defender for Office 365.
- Understand how to simulate attacks within your network.
- Explain how Microsoft Defender for Office 365 can remediate risks in your environment.
Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that operates on multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services. Learn how to use Defender for Cloud Apps in your organization.
Lessons
- Introduction
- Understand the Defender for Cloud Apps Framework
- Explore your cloud apps with Cloud Discovery
- Protect your data and apps with Conditional Access App Control
- Walk through discovery and access control with Microsoft Defender for Cloud Apps
- Classify and protect sensitive information
- Detect Threats
- Knowledge check
- Summary
Learning objectives
- Define the Defender for Cloud Apps framework
- Explain how Cloud Discovery helps you see what's going on in your organization
- Understand how to use Conditional Access App Control policies to control access to the apps in your organization
In this module, you explore the way in which language models enable AI applications and services to generate original content based on natural language input. You also learn how generative AI enables the creation of copilots that can assist humans in creative tasks.
Lessons
- Introduction
- What is generative Al?
- What are language models?
- Using language models
- What are copilots?
- Microsoft Copilot
- Considerations for Copilot prompts
- Extending and developing copilots
- Exercise - Explore Microsoft Copilot
- Knowledge check
- Summary
Learning Objectives
- Understand generative AI's place in the development of artificial intelligence.
- Understand language models and their role in intelligent applications.
- Describe examples of copilots and good prompts.
Get acquainted with Microsoft Copilot for Security. You are introduced to some basic terminology, how Microsoft Copilot for Security processes prompts, the elements of an effective prompt, and how to enable the solution.
Lessons
- Introduction
- Get acquainted with Microsoft Copilot for Security
- Describe Microsoft Copilot for Security terminology
- Describe how Microsoft Copilot for Security processes prompt requests
- Describe the elements of an effective prompt
- Describe how to enable Microsoft Copilot for Security
- Knowledge check
- Summary and resources
Learning Objectives
- Describe what Microsoft Copilot for Security is.
- Describe the terminology of Microsoft Copilot for Security.
- Describe how Microsoft Copilot for Security processes prompt requests.
- Describe the elements of an effective prompt
- Describe how to enable Microsoft Copilot for Security.
Microsoft Copilot for Security has a rich set of features. Learn about available plugins, promptbooks, the ways you can export and share information from Copilot, and much more.
Lessons
- Introduction
- Describe the features available in the standalone experience of Microsoft Copilot for Security
- Describe the features available in a session of the standalone experience
- Describe the Microsoft plugins available in Microsoft Copilot for Security
- Describe the non-Microsoft plugins supported by Microsoft Copilot for Security
- Describe custom promptbooks
- Describe knowledge base connections
- Knowledge check
- Summary and resources
Learning Objectives
- Describe the features available in the standalone Copilot experience.
- Describe the plugins available in Copilot.
- Describe custom promptbooks.
- Describe knowledge base connections.
Microsoft Copilot for Security is accessible directly from some Microsoft security products. This is referred to as the embedded experience. Learn about the scenarios supported by the Copilot embedded experience in Microsoft’s security solutions.
Lessons
- Introduction
- Describe Microsoft Copilot in Microsoft Defender XDR
- Microsoft Copilot in Microsoft Purview
- Microsoft Copilot in Microsoft Entra
- Microsoft Copilot in Microsoft Intune
- Microsoft Copilot in Microsoft Defender for Cloud (Preview)
- Knowledge check
- Summary and resources
Learning Objectives
- Describe Microsoft Copilot in Microsoft Defender XDR.
- Describe Microsoft Copilot in Microsoft Purview.
- Describe Microsoft Copilot in Microsoft Entra.
- Describe Microsoft Copilot in Microsoft Intune.
- Describe Microsoft Copilot in Microsoft Defender for Cloud.
Lessons
- Introduction
- Explore the first run experience
- Explore the standalone experience
- Configure the Microsoft Sentinel plugin
- Enable a custom plugin
- Explore file uploads as a knowledge base
- Create a custom promptbook
- Explore the capabilities of Copilot in Microsoft Defender XDR
- Explore the capabilities of Copilot in Microsoft Purview
- Knowledge check
-Summary and resources
Learning Objectives
- “Set up Microsoft Copilot for Security."
- "Work with sources in Copilot."
- "Create a custom promptbook."
- "Use the capabilities of Copilot in Defender XDR."
- "Use the capabilities of Copilot in Microsoft Purview."
As a Security Operations Analyst, you need to understand compliance related terminology and alerts. Learn how the data loss prevention alerts will help in your investigation to find the full scope of the incident.
Lessons
- Introduction
- Describe data loss prevention alerts
- Investigate data loss prevention alerts in Microsoft Purview
- Investigate data loss prevention alerts in Microsoft Defender for Cloud Apps
- Knowledge check
- Summary and resources
Learning objectives
- Describe data loss prevention (DLP) components in Microsoft 365
- Investigate DLP alerts in the Microsoft Purview compliance portal
- Investigate DLP alerts in Microsoft Defender for Cloud Apps
Microsoft Purview Insider Risk Management helps organizations address internal risks, such as IP theft, fraud, and sabotage. Learn about insider risk management and how Microsoft technologies can help you detect, investigate, and take action on risky activities in your organization.
Lessons
- Insider risk management overview
- Introduction to managing insider risk policies
- Create and manage insider risk policies
- Knowledge Check
- Investigate insider risk alerts
- Take action on insider risk alerts through cases
- Manage insider risk management forensic evidence
- Create insider risk management notice templates
- Summary and knowledge check
Learning objectives
- Explain how Microsoft Purview Insider Risk Management can help prevent, detect, and contain internal risks in an organization.
- Describe the types of built-in, pre-defined policy templates.
- List the prerequisites that need to be met before creating insider risk policies.
- Explain the types of actions you can take on an insider risk management case.
Lessons
- Introduction
- Microsoft Purview Audit overview
- Configure and manage Microsoft Purview Audit
- Conduct searches with Audit (Standard)
- Audit Microsoft Copilot for Microsoft 365 interactions
- Investigate activities with Audit (Premium)
- Export audit log data
- Configure audit retention with Audit (Premium)
- Knowledge check
- Summary
Learning Objectives
- Identify the differences between Microsoft Purview Audit (Standard) and Audit (Premium).
- Configure Microsoft Purview Audit for optimal log management.
- Perform audits to assess compliance and security measures.
- Analyze irregular access patterns using advanced tools in Purview Audit (Premium) and PowerShell.
- Ensure regulatory compliance through strategic data management.
This module examines how to search for content in the Microsoft Purview compliance portal using Content Search functionality, including how to view and export the search results, and configure search permissions filtering.
Lessons
- Introduction
- Explore Microsoft Purview eDiscovery solutions
- Create a content search
- View the search results and statistics
- Export the search results and search report
- Configure search permissions filtering
- Search for and delete email messages
- Knowledge check
- Summary
Learning objectives
- Describe how to use content search in the Microsoft Purview compliance portal.
- Design and create a content search.
- Preview the search results.
- View the search statistics.
- Export the search results and search report.
- Configure search permission filtering.
Learn how Microsoft Defender for Endpoint can help your organization stay secure.
Lessons
- Introduction to Microsoft Defender for Endpoint
- Practice security administration
- Hunt threats within your network
- Summary and knowledge check
Learning objectives
- Define the capabilities of Microsoft Defender for Endpoint.
- Understand how to hunt threats within your network.
- Explain how Microsoft Defender for Endpoint can remediate risks in your environment.
Learn how to deploy the Microsoft Defender for Endpoint environment, including onboarding devices and configuring security.
Lessons
- Introduction
- Create your environment
- Understand operating systems compatibility and features
- Onboard devices
- Manage access
- Create and manage roles for role-based access control
- Configure device groups
- Configure environment advanced features
- Knowledge check
- Summary and resources
Learning objectives
- Create a Microsoft Defender for Endpoint environment
- Onboard devices to be monitored by Microsoft Defender for Endpoint
- Configure Microsoft Defender for Endpoint environment settings
Microsoft Defender for Endpoint gives you various tools to eliminate risks by reducing the surface area for attacks without blocking user productivity. Learn about Attack Surface Reduction (ASR) with Microsoft Defender for Endpoint.
Lessons
- Introduction
- Understand attack surface reduction
- Enable attack surface reduction
- Knowledge Check
- Summary and resources
Learning objectives
- Explain Attack Surface Reduction in Windows
- Enable Attack Surface Reduction rules on Windows 10 devices
- Configure Attack Surface Reduction rules on Windows 10 devices
Microsoft Defender for Endpoint provides detailed device information, including forensics information. Learn about information available to you through Microsoft Defender for Endpoint that will aid in your investigations.
Lessons
- Introduction
- Use the device inventory list
- Investigate the device
- Use behavioral blocking
- Detect devices with device discovery
- Knowledge check
- Summary and resources
Learning objectives
- Upon completion of this module, the learner will be able to:
- Use the device page in Microsoft Defender for Endpoint
- Describe device forensics information collected by Microsoft Defender for Endpoint
- Describe behavioral blocking by Microsoft Defender for Endpoint
Microsoft Defender for Endpoint
Learn how Microsoft Defender for Endpoint provides the remote capability to contain devices and collect forensics data.
Lessons
- Introduction
- Explain device actions
- Run Microsoft Defender antivirus scan on devices
- Collect investigation package from devices
- Initiate live response session
- Knowledge check
- Summary and resources
Learning objectives
Upon completion of this module, the learner will be able to:
- Perform actions on a device using Microsoft Defender for Endpoint
- Conduct forensics data collection using Microsoft Defender for Endpoint
- Access devices remotely using Microsoft Defender for Endpoint
Learn about your environment's weaknesses by using Vulnerability Management in Microsoft Defender for Endpoint.
Lessons
- Introduction
- Understand vulnerability management
- Explore vulnerabilities on your devices
- Manage remediation
- Knowledge check
- Summary and resources
Learning objectives
- Describe Vulnerability Management in Microsoft Defender for Endpoint
- Identify vulnerabilities on your devices with Microsoft Defender for Endpoint
- Track emerging threats in Microsoft Defender for Endpoint