This exam measures your ability to accomplish the following technical tasks: mitigate threats by using Microsoft 365 Defender; mitigate threats by using Defender for Cloud; and mitigate threats by using Microsoft Sentinel.
As a Microsoft security operations analyst, you reduce organizational risk by:
◉ Rapidly remediating active attacks in the environment.
◉ Advising on improvements to threat protection practices.
◉ Referring violations of organizational policies to appropriate stakeholders.
You perform:
◉ Triage.
◉ Incident response.
◉ Vulnerability management.
◉ Threat hunting.
◉ Cyber threat intelligence analysis.
As a Microsoft security operations analyst, you monitor, identify, investigate, and respond to threats in multicloud environments by using:
◉ Microsoft Sentinel
◉ Microsoft Defender for Cloud
◉ Microsoft 365 Defender
◉ Third-party security solutions
In this role, you collaborate with business stakeholders, architects, identity administrators, Azure administrators, and endpoint administrators to secure IT systems for the organization.
As a candidate, you should be familiar with:
◉ Microsoft 365
◉ Azure cloud services
◉ Windows and Linux operating systems
Microsoft Security Operations Analyst Exam Summary:
Exam Name | Microsoft Certified - Security Operations Analyst Associate |
Exam Code | SC-200 |
Exam Price | $165 (USD) |
Exam Duration | 120 mins |
Number of Questions | 40-60 |
Passing Score | 700 / 1000 |
Books / Training | Course SC-200T00: Microsoft Security Operations Analyst |
Sample Questions | Microsoft Security Operations Analyst Sample Questions |
Practice Exam | Microsoft SC-200 Certification Practice Exam |
Microsoft SC-200 Exam Syllabus Topics:
Mitigate threats by using Microsoft 365 Defender (25-30%)

Mitigate threats to the Microsoft 365 environment by using Microsoft 365 Defender:
◉ Investigate, respond, and remediate threats to Microsoft Teams, SharePoint Online, and OneDrive
◉ Investigate, respond, and remediate threats to email by using Microsoft Defender for Office 365
◉ Investigate and respond to alerts generated by data loss prevention (DLP) policies
◉ Investigate and respond to alerts generated by insider risk policies
◉ Discover and manage apps by using Microsoft Defender for Cloud Apps
◉ Identify, investigate, and remediate security risks by using Defender for Cloud Apps

Mitigate endpoint threats by using Microsoft Defender for Endpoint:
◉ Manage data retention, alert notification, and advanced features
◉ Recommend attack surface reduction (ASR) rules for devices
◉ Respond to incidents and alerts
◉ Configure and manage device groups
◉ Identify devices at risk by using Microsoft Defender Vulnerability Management
◉ Manage endpoint threat indicators
◉ Identify unmanaged devices by using device discovery

Mitigate identity threats:
◉ Mitigate security risks related to events for Microsoft Entra ID
◉ Mitigate security risks related to Microsoft Entra ID Protection events
◉ Mitigate security risks related to Active Directory Domain Services (AD DS) by using Microsoft Defender for Identity

Manage extended detection and response (XDR) in Microsoft 365 Defender:
◉ Manage incidents and automated investigations in the Microsoft 365 Defender portal
◉ Manage actions and submissions in the Microsoft 365 Defender portal
◉ Identify threats by using Kusto Query Language (KQL)
◉ Identify and remediate security risks by using Microsoft Secure Score
◉ Analyze threat analytics in the Microsoft 365 Defender portal
◉ Configure and manage custom detections and alerts

Investigate threats by using audit features in Microsoft 365 Defender and Microsoft Purview:
◉ Perform threat hunting by using the unified audit log
◉ Perform threat hunting by using Content Search
◉ Use the guided hunting mode in Microsoft 365 Defender
◉ Use the advanced hunting mode in Microsoft 365 Defender

Mitigate threats by using Defender for Cloud (15-20%)

Implement and maintain cloud security posture management:
◉ Assign and manage regulatory compliance policies, including the Microsoft cloud security benchmark (MCSB)
◉ Improve the Microsoft Defender for Cloud secure score by applying recommended remediations
◉ Configure plans and agents for Microsoft Defender for Servers
◉ Configure and manage Microsoft Defender for DevOps
◉ Configure and manage Microsoft Defender External Attack Surface Management (EASM)

Configure environment settings in Microsoft Defender for Cloud:
◉ Plan and configure Microsoft Defender for Cloud settings, including selecting target subscriptions and workspaces
◉ Configure Microsoft Defender for Cloud roles
◉ Assess and recommend cloud workload protection
◉ Enable plans for Microsoft Defender for Cloud
◉ Configure automated onboarding of Azure resources
◉ Connect compute resources by using Azure Arc
◉ Connect multicloud resources by using Environment settings

Respond to alerts and incidents in Microsoft Defender for Cloud:
◉ Set up email notifications
◉ Create and manage alert suppression rules
◉ Design and configure workflow automation in Microsoft Defender for Cloud
◉ Remediate alerts and incidents by using Microsoft Defender for Cloud recommendations
◉ Manage security alerts and incidents
◉ Analyze Microsoft Defender for Cloud threat intelligence reports

Mitigate threats by using Microsoft Sentinel (50-55%)

Design and configure a Microsoft Sentinel workspace:
◉ Plan a Microsoft Sentinel workspace
◉ Configure Microsoft Sentinel roles
◉ Design and configure Microsoft Sentinel data storage, including log types and log retention

Plan and implement the use of data connectors for ingestion of data sources in Microsoft Sentinel:
◉ Identify data sources to be ingested for Microsoft Sentinel
◉ Configure and use Microsoft Sentinel connectors for Azure resources, including Azure Policy and diagnostic settings
◉ Configure Microsoft Sentinel connectors for Microsoft 365 Defender and Defender for Cloud
◉ Design and configure Syslog and Common Event Format (CEF) event collections
◉ Design and configure Windows Security event collections
◉ Configure threat intelligence connectors
◉ Create custom log tables in the workspace to store ingested data

Manage Microsoft Sentinel analytics rules:
◉ Configure the Fusion rule
◉ Configure Microsoft security analytics rules
◉ Configure built-in scheduled query rules
◉ Configure custom scheduled query rules
◉ Configure near-real-time (NRT) analytics rules
◉ Manage analytics rules from Content hub
◉ Manage and use watchlists
◉ Manage and use threat indicators

Perform data classification and normalization:
◉ Classify and analyze data by using entities
◉ Query Microsoft Sentinel data by using Advanced Security Information Model (ASIM) parsers
◉ Develop and manage ASIM parsers

Configure security orchestration, automation, and response (SOAR) in Microsoft Sentinel:
◉ Create and configure automation rules
◉ Create and configure Microsoft Sentinel playbooks
◉ Configure analytics rules to trigger automation rules
◉ Trigger playbooks from alerts and incidents

Manage Microsoft Sentinel incidents:
◉ Configure incident generation
◉ Triage incidents in Microsoft Sentinel
◉ Investigate incidents in Microsoft Sentinel
◉ Respond to incidents in Microsoft Sentinel
◉ Investigate multi-workspace incidents

Use Microsoft Sentinel workbooks to analyze and interpret data:
◉ Activate and customize Microsoft Sentinel workbook templates
◉ Create custom workbooks
◉ Configure advanced visualizations

Hunt for threats by using Microsoft Sentinel:
◉ Analyze attack vector coverage by using MITRE ATT&CK in Microsoft Sentinel
◉ Customize content gallery hunting queries
◉ Create custom hunting queries
◉ Use hunting bookmarks for data investigations
◉ Monitor hunting queries by using Livestream
◉ Retrieve and manage archived log data
◉ Create and manage search jobs

Manage threats by using User and Entity Behavior Analytics (UEBA):
◉ Configure UEBA settings
◉ Investigate threats by using entity pages
◉ Configure anomaly detection analytics rules
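To make three of the Sentinel skills above concrete (identify threats by using KQL, query data through ASIM parsers, and configure a custom scheduled query rule), here is an added example written for this page. It is not part of the exam outline or of Microsoft's course material. It assumes the ASIM authentication unifying parser `_Im_Authentication` has been deployed to the workspace from the Content hub; the threshold and lookback values are illustrative choices, not Microsoft defaults.

```kql
// Added example (not from the exam outline): password-spray / brute-force
// followed by a successful sign-in from the same source, expressed over the
// ASIM Authentication schema so it works for Entra ID, AD DS, and Linux
// auth logs alike. Intended as the query body of a scheduled analytics rule
// that runs every hour with a one-hour lookback.
let lookback = 1h;              // assumed rule lookback; match it to the rule schedule
let failure_threshold = 10;     // assumed tuning value for this environment
// Sources that produced many failures per account within the window
let failures =
    _Im_Authentication(starttime=ago(lookback))
    | where EventResult == "Failure"
    | summarize FailureCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure  = max(TimeGenerated)
      by TargetUsername, SrcIpAddr
    | where FailureCount >= failure_threshold;
// Successful sign-ins in the same window
let successes =
    _Im_Authentication(starttime=ago(lookback))
    | where EventResult == "Success"
    | project SuccessTime = TimeGenerated, TargetUsername, SrcIpAddr, TargetAppName;
// Alert only when the success comes after the burst of failures
failures
| join kind=inner successes on TargetUsername, SrcIpAddr
| where SuccessTime > LastFailure
| project TargetUsername, SrcIpAddr, FailureCount,
          FirstFailure, LastFailure, SuccessTime, TargetAppName
// In the rule wizard, map Account -> TargetUsername and IP -> SrcIpAddr so the
// incident carries entities that UEBA entity pages and automation rules can use.
```

When saving this as a custom scheduled query rule, set the rule frequency and lookback to the same value used in `lookback` so no window is double-counted or missed, and group results by account and source IP so one spray from a single address produces one incident rather than one per success.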