Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Microsoft Security Operations Analyst Exam Ref SC-200 Certification Guide
  • Toc
  • feedback
Microsoft Security Operations Analyst Exam Ref SC-200 Certification Guide

Microsoft Security Operations Analyst Exam Ref SC-200 Certification Guide

By : Trevor Stuart, Joe Anich
4.3 (8)
close
Microsoft Security Operations Analyst Exam Ref SC-200 Certification Guide

Microsoft Security Operations Analyst Exam Ref SC-200 Certification Guide

4.3 (8)
By: Trevor Stuart, Joe Anich

Overview of this book

Security in information technology has always been a topic of discussion, one that comes with various backgrounds, tools, responsibilities, education, and change! The SC-200 exam comprises a wide range of topics that introduce Microsoft technologies and general operations for security analysts in enterprises. This book is a comprehensive guide that covers the usefulness and applicability of Microsoft Security Stack in the daily activities of an enterprise security operations analyst. Starting with a quick overview of what it takes to prepare for the exam, you'll understand how to implement the learning in real-world scenarios. You'll learn to use Microsoft's security stack, including Microsoft 365 Defender, and Microsoft Sentinel, to detect, protect, and respond to adversary threats in your enterprise. This book will take you from legacy on-premises SOC and DFIR tools to leveraging all aspects of the M365 Defender suite as a modern replacement in a more effective and efficient way. By the end of this book, you'll have learned how to plan, deploy, and operationalize Microsoft's security stack in your enterprise and gained the confidence to pass the SC-200 exam.
Table of Contents (19 chapters)
close
close
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
Share Your Thoughts
1
Section 1 – Exam Overview and Evolution of Security Operations
Section 1 – Exam Overview and Evolution of Security Operations
Free Chapter
2
Chapter 1: Preparing for Your Microsoft Exam and SC-200 Objectives
Chapter 1: Preparing for Your Microsoft Exam and SC-200 Objectives
Technical requirements
Preparing for a Microsoft exam
Creating a Microsoft demo tenant
Summary
3
Chapter 2: The Evolution of Security and Security Operations
Chapter 2: The Evolution of Security and Security Operations
A quick introduction to the terminology
Understanding the traditional approach to security
Introducing the modern approach to security
Getting to know traditional SOC issues
Exploring modern ways to resolve traditional SOC issues
Summary
4
Section 2 – Implementing Microsoft 365 Defender Solutions
Section 2 – Implementing Microsoft 365 Defender Solutions
5
Chapter 3: Implementing Microsoft Defender for Endpoint
Chapter 3: Implementing Microsoft Defender for Endpoint
Technical requirements
Understanding the prerequisites
Deployment options – onboarding
Troubleshooting
Sensor status and verification
Summary
6
Chapter 4: Implementing Microsoft Defender for Identity
Chapter 4: Implementing Microsoft Defender for Identity
Technical requirements
Understanding the prerequisites
Deployment options
A troubleshooting guide
Service status and verification
Summary
7
Chapter 5: Understanding and Implementing Microsoft Defender for Cloud (Microsoft Defender for Cloud Standard Tier)
Chapter 5: Understanding and Implementing Microsoft Defender for Cloud (Microsoft Defender for Cloud Standard Tier)
Technical requirements
Introduction to Microsoft Defender for Cloud and ASC
Implementing ASC
Implementing Microsoft Defender for Cloud
How do ASC and Microsoft Defender for Cloud fit into the security of an enterprise?
Summary
8
Section 3 – Familiarizing Yourself with Alerts, Incidents, Evidence, and Dashboards
Section 3 – Familiarizing Yourself with Alerts, Incidents, Evidence, and Dashboards
9
Chapter 6: An Overview: Microsoft Defender for Endpoint Alerts, Incidents, Evidence, and Dashboards
Chapter 6: An Overview: Microsoft Defender for Endpoint Alerts, Incidents, Evidence, and Dashboards
Before we get started – acronyms and creating your lab!
General portal navigation
Alerts and incidents
How to suppress an alert and create a new suppression rule
Summary
10
Chapter 7: Microsoft Defender for Identity, What Happened, Alerts, and Incidents
Chapter 7: Microsoft Defender for Identity, What Happened, Alerts, and Incidents
Technical requirements
MDI concepts
Understanding and investigating alerts
Triaging and responding to alerts
Summary
11
Chapter 8: Microsoft Defender for Office – Threats to Productivity
Chapter 8: Microsoft Defender for Office – Threats to Productivity
Technical requirements
Threat protection policies
Threat investigation and response capabilities
Automated investigation and response capabilities
Data loss prevention and insider risk
Summary
12
Chapter 9: Microsoft Defender for Cloud Apps and Protecting Your Cloud Apps
chevron up
Chapter 9: Microsoft Defender for Cloud Apps and Protecting Your Cloud Apps
Technical requirements
The MDCA framework
Cloud Discovery
Conditional Access App Control
Classifying and protecting sensitive information
Detecting, investigating, and responding to application threats
Summary
13
Section 4 – Setting Up and Connecting Data Sources to Microsoft Sentinel
Section 4 – Setting Up and Connecting Data Sources to Microsoft Sentinel
14
Chapter 10: Setting Up and Configuring Microsoft Sentinel
Chapter 10: Setting Up and Configuring Microsoft Sentinel
Pre-deployment activities
Azure tenant-level prerequisites
Enabling and onboarding Microsoft Sentinel
Global requirements and prerequisites for Microsoft Sentinel
Data residency
Enabling Microsoft Sentinel for your organization
Connecting data sources to Microsoft Sentinel
Summary
15
Section 5 – Hunting Threats within Microsoft 365 Defender and Microsoft Sentinel
Section 5 – Hunting Threats within Microsoft 365 Defender and Microsoft Sentinel
16
Chapter 11: Advanced Threat Hunting, Microsoft 365 Defender Portal, and Sentinel
Chapter 11: Advanced Threat Hunting, Microsoft 365 Defender Portal, and Sentinel
Technical requirements
Kusto query overview
Advanced threat hunting and the M365 Defender portal
Hunting for threats in Microsoft Sentinel
Summary
17
Chapter 12: Knowledge Check
Chapter 12: Knowledge Check
Example exam questions
Answer key
Why subscribe?
18
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts

Detecting, investigating, and responding to application threats

At the core of detecting threats with MDCA, we have anomaly detection policies. Anomaly detection policies evaluate and detect threats by evaluating over 30 different indicators of risk. We listed these earlier when we talked about UEBA. It looks at all users' sessions to evaluate whether the behavior deviates from normal behavior. These policies include the following:

  • Impossible travel
  • Activity from unusual countries
  • Malware detection
  • Ransomware activity
  • Activity from suspicious IP addresses
  • Suspicious inbox forwarding

The following screenshot shows the portal where you can filter on different statuses and severity levels for these alert types, as well as the alert counts for each:

Figure 9.14 – MDCA settings and MIP integration

When it comes to investigating applications, MDCA provides many different dashboards for you to use while digging into alerts...

End of Section 7
Next Section
bookmark search playlist download
font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete