Microsoft Security Operations Analyst (SC-200T00)

Module 1 :Introduction to Microsoft 365 threat protection

• Understand Microsoft 365 Defender solution by domain
• Understand Microsoft 365 Defender role in a Modern SOC

Module 2 :Mitigate incidents using Microsoft 365 Defender

• Manage incidents in Microsoft 365 Defender
• Investigate incidents in Microsoft 365 Defender
• Conduct advanced hunting in Microsoft 365 Defender

Module 3 :Protect your identities with Azure AD Identity Protection

• Describe the features of Azure Active Directory Identity Protection.
• Describe the investigation and remediation features of Azure Active Directory Identity Protection.

Module 4 :Remediate risks with Microsoft Defender for Office 365

• Define the capabilities of Microsoft Defender for Office 365.
• Understand how to simulate attacks within your network.
• Explain how Microsoft Defender for Office 365 can remediate risks in your environment.

Module 5 :Safeguard your environment with Microsoft Defender for Identity

• Define the capabilities of Microsoft Defender for Identity.
• Understand how to configure Microsoft Defender for Identity sensors.
• Explain how Microsoft Defender for Identity can remediate risks in your environment.

Module 6 :Secure your cloud apps and services with Microsoft Defender for Cloud Apps

• Define the Defender for Cloud Apps framework
• Explain how Cloud Discovery helps you see what's going on in your organization
• Understand how to use Conditional Access App Control policies to control access to the apps in your organization

Module 7 :Respond to data loss prevention alerts using Microsoft 365

• Describe data loss prevention (DLP) components in Microsoft 365
• Investigate DLP alerts in the Microsoft Purview compliance portal
• Investigate DLP alerts in Microsoft Defender for Cloud Apps

Module 8 :Manage insider risk in Microsoft Purview

• Explain how Microsoft Purview Insider Risk Management can help prevent, detect, and contain internal risks in an organization.
• Describe the types of built-in, pre-defined policy templates.
• List the prerequisites that need to be met before creating insider risk policies.
• Explain the types of actions you can take on an insider risk management case.

Module 9: Investigate threats by using audit features in Microsoft 365 Defender and Microsoft Purview Standard

• Describe the differences between Audit (Standard) and Audit (Premium).
• Start recording user and admin activity in the Unified Audit Log (UAL).
• Identify the core features of the Audit (Standard) solution.
• Set up and implement audit log searching using the Audit (Standard) solution.
• Export, configure, and view audit log records.
• Use audit log searching to troubleshoot common support issues.

Module 10: Investigate threats using audit in Microsoft 365 Defender and Microsoft Purview (Premium)

• Describe the differences between Audit (Standard) and Audit (Premium).
• Set up and implement Microsoft Purview Audit (Premium).
• Create audit log retention policies.
• Perform forensic investigations of compromised user accounts.

Module 11: Investigate threats with Content search in Microsoft Purview

• Describe how to use content search in the Microsoft Purview compliance portal.
• Design and create a content search.
• Preview the search results.
• View the search statistics.
• Export the search results and search report.
• Configure search permission filtering.

Module 12 :Protect against threats with Microsoft Defender for Endpoint

• Define the capabilities of Microsoft Defender for Endpoint.
• Understand how to hunt threats within your network.
• Explain how Microsoft Defender for Endpoint can remediate risks in your environment.

Module 13 :Deploy the Microsoft Defender for Endpoint environment

• Create a Microsoft Defender for Endpoint environment
• Onboard devices to be monitored by Microsoft Defender for Endpoint
• Configure Microsoft Defender for Endpoint environment settings

Module 14 :Implement Windows security enhancements with Microsoft Defender for Endpoint

• Explain Attack Surface Reduction in Windows
• Enable Attack Surface Reduction rules on Windows 10 devices
• Configure Attack Surface Reduction rules on Windows 10 devices

Module 15 :Perform device investigations in Microsoft Defender for Endpoint

• Use the device page in Microsoft Defender for Endpoint
• Describe device forensics information collected by Microsoft Defender for Endpoint
• Describe behavioral blocking by Microsoft Defender for Endpoint

Module 16 :Perform actions on a device using Microsoft Defender for Endpoint

• Perform actions on a device using Microsoft Defender for Endpoint
• Conduct forensics data collection using Microsoft Defender for Endpoint
• Access devices remotely using Microsoft Defender for Endpoint

Module 17 :Perform evidence and entities investigations using Microsoft Defender for Endpoint

• Investigate files in Microsoft Defender for Endpoint
• Investigate domains and IP addresses in Microsoft Defender for Endpoint
• Investigate user accounts in Microsoft Defender for Endpoint

Module 18 :Configure and manage automation using Microsoft Defender for Endpoint

• Configure advanced features of Microsoft Defender for Endpoint
• Manage automation settings in Microsoft Defender for Endpoint

Module 19 :Configure for alerts and detections in Microsoft Defender for Endpoint

• Configure alert settings in Microsoft Defender for Endpoint
• Manage indicators in Microsoft Defender for Endpoint

Module 20 :Utilize Vulnerability Management in Microsoft Defender for Endpoint

• Describe Vulnerability Management in Microsoft Defender for Endpoint
• Identify vulnerabilities on your devices with Microsoft Defender for Endpoint
• Track emerging threats in Microsoft Defender for Endpoint

Module 21 :Plan for cloud workload protections using Microsoft Defender for Cloud

• Describe Microsoft Defender for Cloud features
• Microsoft Defender for Cloud workload protections
• Enable Microsoft Defender for Cloud

Module 22 :Connect Azure assets to Microsoft Defender for Cloud

• Explore Azure assets
• Configure auto-provisioning in Microsoft Defender for Cloud
• Describe manual provisioning in Microsoft Defender for Cloud

Module 23 :Connect non-Azure resources to Microsoft Defender for Cloud

• Connect non-Azure machines to Microsoft Defender for Cloud
• Connect AWS accounts to Microsoft Defender for Cloud
• Connect GCP accounts to Microsoft Defender for Cloud

Module 24 :Manage your cloud security posture management

• Describe Microsoft Defender for Cloud features.
• Explain the Microsoft Defender for Cloud security posture management protections for your resources.

Module 25 :Explain cloud workload protections in Microsoft Defender for Cloud

• Explain which workloads are protected by Microsoft Defender for Cloud
• Describe the benefits of the protections offered by Microsoft Defender for Cloud
• Explain how Microsoft Defender for Cloud protections function

Module 26 :Remediate security alerts using Microsoft Defender for Cloud

• Describe alerts in Microsoft Defender for Cloud
• Remediate alerts in Microsoft Defender for Cloud
• Automate responses in Microsoft Defender for Cloud

Module 27 :Construct KQL statements for Microsoft Sentinel

• Construct KQL statements
• Search log files for security events using KQL
• Filter searches based on event time, severity, domain, and other relevant data using KQL

Module 28 :Analyze query results using KQL

• Summarize data using KQL statements
• Render visualizations using KQL statements

Module 29 :Build multi-table statements using KQL

• Create queries using unions to view results across multiple tables using KQL
• Merge two tables with the join operator using KQL

Module 30 :Work with data in Microsoft Sentinel using Kusto Query Language

• Extract data from unstructured string fields using KQL
• Extract data from structured string data using KQL
• Create Functions using KQL

Module 31 :Introduction to Microsoft Sentinel

• Identify the various components and functionality of Microsoft Sentinel.
• Identify use cases where Microsoft Sentinel would be a good solution.

Module 32 :Create and manage Microsoft Sentinel workspaces

• Describe Microsoft Sentinel workspace architecture
• Install Microsoft Sentinel workspace
• Manage a Microsoft Sentinel workspace

Module 33 :Query logs in Microsoft Sentinel

• Use the Logs page to view data tables in Microsoft Sentinel
• Query the most used tables using Microsoft Sentinel

Module 34 :Use watchlists in Microsoft Sentinel

• Create a watchlist in Microsoft Sentinel
• Use KQL to access the watchlist in Microsoft Sentinel

Module 35 :Utilize threat intelligence in Microsoft Sentinel

• Manage threat indicators in Microsoft Sentinel
• Use KQL to access threat indicators in Microsoft Sentinel

Module 36 :Connect data to Microsoft Sentinel using data connectors

• Explain the use of data connectors in Microsoft Sentinel
• Describe the Microsoft Sentinel data connector providers
• Explain the Common Event Format and Syslog connector differences in Microsoft Sentinel

Module 37 :Connect Microsoft services to Microsoft Sentinel

• Connect Microsoft service connectors
• Explain how connectors auto-create incidents in Microsoft Sentinel

Module 38 :Connect Microsoft 365 Defender to Microsoft Sentinel

• Activate the Microsoft 365 Defender connector in Microsoft Sentinel
• Activate the Microsoft Defender for Cloud connector in Microsoft Sentinel
• Activate the Microsoft Defender for IoT connector in Microsoft Sentinel

Module 39 :Connect Windows hosts to Microsoft Sentinel

• Connect Azure Windows Virtual Machines to Microsoft Sentinel
• Connect non-Azure Windows hosts to Microsoft Sentinel
• Configure Log Analytics agent to collect Sysmon events

Module 40 :Connect Common Event Format logs to Microsoft Sentinel

• Explain the Common Event Format connector deployment options in Microsoft Sentinel
• Run the deployment script for the Common Event Format connector

Module 41 :Connect syslog data sources to Microsoft Sentinel

• Describe the Syslog connector deployment options in Microsoft Sentinel
• Run the connector deployment script to send data to Microsoft Sentinel
• Configure the Log Analytics agent integration for Microsoft Sentinel
• Create a parse using KQL in Microsoft Sentinel

Module 42 :Connect threat indicators to Microsoft Sentinel

• Configure the TAXII connector in Microsoft Sentinel
• Configure the Threat Intelligence Platform connector in Microsoft Sentinel
• View threat indicators in Microsoft Sentinel

Module 43 :Threat detection with Microsoft Sentinel analytics

• Explain the importance of Microsoft Sentinel Analytics.
• Explain different types of analytics rules.
• Create rules from templates.
• Create new analytics rules and queries using the analytics rule wizard.
• Manage rules with modifications.

Module 44 :Automation in Microsoft Sentinel

• Explain automation options in Microsoft Sentinel
• Create automation rules in Microsoft Sentinel

Module 45 :Security incident management in Microsoft Sentinel

• Understand Microsoft Sentinel incident management
• Explore Microsoft Sentinel evidence and entity management
• Investigate and manage incident resolution

Module 46 :Identify threats with Behavioral Analytics

• Explain User and Entity Behavior Analytics in Azure Sentinel
• Explore entities in Microsoft Sentinel

Module 47 :Data normalization in Microsoft Sentinel

• Use ASIM Parsers
• Create ASIM Parser
• Create parameterized KQL functions

Module 48 :Query, visualize, and monitor data in Microsoft Sentinel

• Visualize security data using Microsoft Sentinel Workbooks.
• Understand how queries work.
• Explore workbook capabilities.
• Create a Microsoft Sentinel Workbook.

Module 49 :Manage content in Microsoft Sentinel

• Install a content hub solution in Microsoft Sentinel
• Connect a GitHub repository to Microsoft Sentinel

Module 50 :Explain threat hunting concepts in Microsoft Sentinel

• Describe threat hunting concepts for use with Microsoft Sentinel
• Define a threat hunting hypothesis for use in Microsoft Sentinel

Module 51 :Threat hunting with Microsoft Sentinel

• Use queries to hunt for threats.
• Save key findings with bookmarks.
• Observe threats over time with livestream.

Module 52 :Use Search jobs in Microsoft Sentinel

• Use Search Jobs in Microsoft Sentinel
• Restore archive logs in Microsoft Sentinel

Module 53 :Hunt for threats using notebooks in Microsoft Sentinel

• Explore API libraries for advanced threat hunting in Microsoft Sentinel
• Describe notebooks in Microsoft Sentinel
• Create and use notebooks in Microsoft Sentinel