O'Reilly Archive: Exam SC-200 Microsoft Security Operations Analyst Bootcamp
Level: Intermediate. Theme: Investigate, respond to, and remediate threats using Microsoft Defender and Microsoft Sentinel (formerly Azure Sentinel).
A two-day bootcamp to prepare for and pass the Microsoft Security Operations Analyst exam (SC-200). Focuses on the essential skills required for modern security professionals: identifying, mitigating, and responding to threats across cloud and on-premises environments using Microsoft Defender XDR, Microsoft Sentinel, Microsoft Defender for Cloud, and Copilot for Security. Covers Kusto Query Language (KQL) for threat hunting, reporting, and investigations, plus designing and configuring solutions to automate remediation.
What you’ll learn
- Identify and mitigate security threats using Microsoft Defender XDR, Microsoft Defender for Office 365, and Microsoft Defender for Endpoint
- Perform advanced threat hunting with Kusto Query Language (KQL)
- Conduct effective incident response with Microsoft Sentinel
- Leverage Microsoft Copilot for Security to enhance threat detection and streamline response workflows
This course is for you if
- You’re preparing for the SC-200 Microsoft Security Operations Analyst exam
- You’re a current or aspiring security specialist looking to mitigate threats using Microsoft Azure security services
- You want to stay current with cutting-edge security practices and technologies
- You’re a Microsoft Partner or consultant seeking certification
Prerequisites
- A Microsoft account (needed to set up a 30-day trial Azure account)
- A Microsoft Azure account (needed to practice exercises)
- A web browser and working internet connection
- Basic understanding of security concepts: defense in depth, least-privilege access, threats, SIEM, SOAR
- Fundamental knowledge of Microsoft security, compliance, and identity products
- Familiarity with Microsoft 365 and Azure
Schedule
Day 1: Microsoft Defender
Introduction (15 minutes). Day 1 content overview. Exam objectives. Study tips and resources.
Mitigate threats using Microsoft Defender (75 minutes). Threat protection with Microsoft 365. Mitigating incidents using Microsoft 365 Defender (now Microsoft Defender XDR). Remediating risks with Microsoft Defender for Office 365. Microsoft Defender for Identity. Azure AD Identity Protection (now Microsoft Entra ID Protection). Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps). Responding to data loss prevention alerts. Managing insider risk in Microsoft 365. Cross-domain investigations in the Microsoft Defender portal. Hands-on exercises. Group discussion on advanced scenario-based multiple-choice questions. Q&A.
Mitigate threats using Microsoft Defender for Endpoint (75 minutes). Protecting against threats with Microsoft Defender for Endpoint. Deploying the environment. Implementing Windows 10 security enhancements. Performing device investigations. Performing actions on a device. Evidence and entities investigations. Configuring alerts and detections. Threat and vulnerability management (now Microsoft Defender Vulnerability Management). Hands-on exercises. Group discussion on drag-and-drop-style exam questions.
Wrap up and Q&A (15 minutes). Practice exam. Takeaways. Topic coverage for Day 2.
Day 2: Microsoft Defender for Cloud and Microsoft Sentinel
Introduction (10 minutes). Recap of Day 1. Day 2 content overview. Q&A.
Mitigate threats using Microsoft Defender for Cloud (75 minutes). Designing and configuring a Microsoft Defender for Cloud implementation. Planning and implementing data connectors for ingestion of data sources. Managing Microsoft Defender for Cloud alert rules. Configuring automation and remediation. Investigating Microsoft Defender for Cloud alerts and incidents. Hands-on exercises. Group discussion on eliminating incorrect choices in multiple-choice questions. Q&A.
Mitigate threats using Microsoft Sentinel (60 minutes). Designing and configuring a Microsoft Sentinel workspace. Planning and implementing data connectors. Managing Microsoft Sentinel analytics rules. Configuring SOAR. Managing Microsoft Sentinel incidents. Using workbooks to analyze and interpret data. Hunting for threats with KQL in the Microsoft Sentinel portal. Hands-on exercises. Q&A.
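As an added illustration of the kind of KQL hunt this module practices (this is an example written for this page, not course material or a Microsoft-supplied rule), the query below looks for a password-spray or brute-force pattern in Microsoft Entra sign-in logs: an account with many failed sign-ins from one IP address, followed by a successful sign-in from the same IP within the hour. It assumes the standard Sentinel `SigninLogs` table and its documented columns (`ResultType`, `UserPrincipalName`, `IPAddress`, `AppDisplayName`, `Location`); the threshold and time windows are arbitrary starting values that should be tuned to the tenant.

```kql
// Hunt: many failed sign-ins from one IP, then a success from the same IP.
// Assumes the Microsoft Sentinel SigninLogs table (Microsoft Entra connector).
// Thresholds below are assumptions to tune per tenant, not Microsoft defaults.
let lookback = 1d;
let window = 1h;
let failureThreshold = 10;
// Failed sign-ins: 50126 = invalid username or password, 50053 = account locked
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType in ("50126", "50053")
    | summarize FailedCount = count(),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated)
        by UserPrincipalName, IPAddress, bin(TimeGenerated, window)
    | where FailedCount >= failureThreshold;
// Successful sign-ins (ResultType "0") with the context an analyst needs
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, UserPrincipalName, IPAddress,
              AppDisplayName, Location;
// Keep only successes that land within one window after the last failure
failures
| join kind=inner successes on UserPrincipalName, IPAddress
| where SuccessTime between (LastFail .. (LastFail + window))
| project UserPrincipalName, IPAddress, FailedCount, FirstFail, LastFail,
          SuccessTime, AppDisplayName, Location
| order by FailedCount desc
```

Run it in the Sentinel Logs blade or the hunting pane; once the thresholds are tuned, the same query body can be pasted into a scheduled analytics rule, with `UserPrincipalName` and `IPAddress` mapped to the Account and IP entities so the resulting incidents carry the entities needed for automation.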
Exam SC-200 certification practice and tips (30 minutes). Developing an effective study plan. Resources. Exam registration process. What happens after the exam. Practice exam questions. Q&A.
Wrap up (5 minutes).