Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Microsoft Security Operations Analyst Exam Ref SC-200 Certification Guide
  • Toc
  • feedback
Microsoft Security Operations Analyst Exam Ref SC-200 Certification Guide

Microsoft Security Operations Analyst Exam Ref SC-200 Certification Guide

By : Trevor Stuart, Joe Anich
4.3 (8)
close
Microsoft Security Operations Analyst Exam Ref SC-200 Certification Guide

Microsoft Security Operations Analyst Exam Ref SC-200 Certification Guide

4.3 (8)
By: Trevor Stuart, Joe Anich

Overview of this book

Security in information technology has always been a topic of discussion, one that comes with various backgrounds, tools, responsibilities, education, and change! The SC-200 exam comprises a wide range of topics that introduce Microsoft technologies and general operations for security analysts in enterprises. This book is a comprehensive guide that covers the usefulness and applicability of Microsoft Security Stack in the daily activities of an enterprise security operations analyst. Starting with a quick overview of what it takes to prepare for the exam, you'll understand how to implement the learning in real-world scenarios. You'll learn to use Microsoft's security stack, including Microsoft 365 Defender, and Microsoft Sentinel, to detect, protect, and respond to adversary threats in your enterprise. This book will take you from legacy on-premises SOC and DFIR tools to leveraging all aspects of the M365 Defender suite as a modern replacement in a more effective and efficient way. By the end of this book, you'll have learned how to plan, deploy, and operationalize Microsoft's security stack in your enterprise and gained the confidence to pass the SC-200 exam.
Table of Contents (19 chapters)
close
close
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
Share Your Thoughts
1
Section 1 – Exam Overview and Evolution of Security Operations
Section 1 – Exam Overview and Evolution of Security Operations
Free Chapter
2
Chapter 1: Preparing for Your Microsoft Exam and SC-200 Objectives
chevron up
Chapter 1: Preparing for Your Microsoft Exam and SC-200 Objectives
Technical requirements
Preparing for a Microsoft exam
Creating a Microsoft demo tenant
Summary
3
Chapter 2: The Evolution of Security and Security Operations
Chapter 2: The Evolution of Security and Security Operations
A quick introduction to the terminology
Understanding the traditional approach to security
Introducing the modern approach to security
Getting to know traditional SOC issues
Exploring modern ways to resolve traditional SOC issues
Summary
4
Section 2 – Implementing Microsoft 365 Defender Solutions
Section 2 – Implementing Microsoft 365 Defender Solutions
5
Chapter 3: Implementing Microsoft Defender for Endpoint
Chapter 3: Implementing Microsoft Defender for Endpoint
Technical requirements
Understanding the prerequisites
Deployment options – onboarding
Troubleshooting
Sensor status and verification
Summary
6
Chapter 4: Implementing Microsoft Defender for Identity
Chapter 4: Implementing Microsoft Defender for Identity
Technical requirements
Understanding the prerequisites
Deployment options
A troubleshooting guide
Service status and verification
Summary
7
Chapter 5: Understanding and Implementing Microsoft Defender for Cloud (Microsoft Defender for Cloud Standard Tier)
Chapter 5: Understanding and Implementing Microsoft Defender for Cloud (Microsoft Defender for Cloud Standard Tier)
Technical requirements
Introduction to Microsoft Defender for Cloud and ASC
Implementing ASC
Implementing Microsoft Defender for Cloud
How do ASC and Microsoft Defender for Cloud fit into the security of an enterprise?
Summary
8
Section 3 – Familiarizing Yourself with Alerts, Incidents, Evidence, and Dashboards
Section 3 – Familiarizing Yourself with Alerts, Incidents, Evidence, and Dashboards
9
Chapter 6: An Overview: Microsoft Defender for Endpoint Alerts, Incidents, Evidence, and Dashboards
Chapter 6: An Overview: Microsoft Defender for Endpoint Alerts, Incidents, Evidence, and Dashboards
Before we get started – acronyms and creating your lab!
General portal navigation
Alerts and incidents
How to suppress an alert and create a new suppression rule
Summary
10
Chapter 7: Microsoft Defender for Identity, What Happened, Alerts, and Incidents
Chapter 7: Microsoft Defender for Identity, What Happened, Alerts, and Incidents
Technical requirements
MDI concepts
Understanding and investigating alerts
Triaging and responding to alerts
Summary
11
Chapter 8: Microsoft Defender for Office – Threats to Productivity
Chapter 8: Microsoft Defender for Office – Threats to Productivity
Technical requirements
Threat protection policies
Threat investigation and response capabilities
Automated investigation and response capabilities
Data loss prevention and insider risk
Summary
12
Chapter 9: Microsoft Defender for Cloud Apps and Protecting Your Cloud Apps
Chapter 9: Microsoft Defender for Cloud Apps and Protecting Your Cloud Apps
Technical requirements
The MDCA framework
Cloud Discovery
Conditional Access App Control
Classifying and protecting sensitive information
Detecting, investigating, and responding to application threats
Summary
13
Section 4 – Setting Up and Connecting Data Sources to Microsoft Sentinel
Section 4 – Setting Up and Connecting Data Sources to Microsoft Sentinel
14
Chapter 10: Setting Up and Configuring Microsoft Sentinel
Chapter 10: Setting Up and Configuring Microsoft Sentinel
Pre-deployment activities
Azure tenant-level prerequisites
Enabling and onboarding Microsoft Sentinel
Global requirements and prerequisites for Microsoft Sentinel
Data residency
Enabling Microsoft Sentinel for your organization
Connecting data sources to Microsoft Sentinel
Summary
15
Section 5 – Hunting Threats within Microsoft 365 Defender and Microsoft Sentinel
Section 5 – Hunting Threats within Microsoft 365 Defender and Microsoft Sentinel
16
Chapter 11: Advanced Threat Hunting, Microsoft 365 Defender Portal, and Sentinel
Chapter 11: Advanced Threat Hunting, Microsoft 365 Defender Portal, and Sentinel
Technical requirements
Kusto query overview
Advanced threat hunting and the M365 Defender portal
Hunting for threats in Microsoft Sentinel
Summary
17
Chapter 12: Knowledge Check
Chapter 12: Knowledge Check
Example exam questions
Answer key
Why subscribe?
18
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts

Creating a Microsoft demo tenant

The following are two URLs that are mentioned a few times in the section. These will be handy to keep bookmarked so that you can quickly get back to them:

One of the absolute best things you can do to get hands-on experience is to build a lab! Many will do this first, and that's totally fine – everyone has their own style of learning. My hesitation for doing that first is that I end up bouncing around all over the place because I don't have any context for what to do or where to start. There are many shiny things to distract me.

Having gone through the learning paths, with various knowledge checks and additional documentation articles, I'm ready to tackle the real thing! I have a sense of structure, where to start, where to end, and what is in between.

To get started with setting up your lab, you'll need to satisfy one of the following licensing requirements. The reason for E5 and A5 is because those contain everything you'll be learning about in the learning paths in one easy package:

  • Windows 10 Enterprise E5
  • Windows 10 Education A5
  • Microsoft 365 E5 (M365 E5), which includes Windows 10 Enterprise E5
  • Microsoft 365 A5 (M365 A5)
  • Microsoft 365 E5 Security
  • Microsoft 365 A5 Security
  • MDE

With these subscriptions, you can more freely test with onboarding your own lab devices too, as well as configuring the other components of the license, such as Microsoft Endpoint Manager, formerly Intune. With that, you can learn to configure a host of security features that are otherwise already enabled in the pre-provisioned devices in the evaluation lab aspect of the license.

Some things to note about the evaluation lab aspect of the trial are as follows:

  • Enough device allotment for a month of testing.
  • Renewing resources allowed once a month.
  • Pre-provisioned machines for testing.
  • Full access to the capabilities of MDE.
  • Threat simulators.
  • To get a wonderful overarching picture of the lab itself and what you can get from it, please watch the video at the following link: aka.ms/MDEEvaluation.

The following screenshot shows what the lab section of the portal will look like before you configure it:

Figure 1.2 – The Evaluation Lab setup

Figure 1.2 – The Evaluation Lab setup

Note that when you get to the provisioning screen, you'll select the number of devices you want as well as the duration of each. Now, remember, whatever you select, that's all you get for 30 days, so carefully plan out how you want to test these machines. If you're after more specific tests, perhaps to see how MDE handles various attacks, then the shorter durations may be better suited, but for the use case of studying for an exam, the longer-duration machines may be best.

End of Section 4
Next Section
bookmark search playlist download
font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete