Microsoft Security Operations
Analyst – Skills Measured
Address: Level 1, 42 Murray Street, Hobart, Tasmania 7000, Australia
Phone: 03 6234 3883
Email:
Web: www.quill.com.au
Exam SC-200 Microsoft Security Operations Analyst – Skills Measured
Audience Profile
The Microsoft security operations analyst collaborates with organizational stakeholders to
secure information technology systems for the organization. Their goal is to reduce
organizational risk by rapidly remediating active attacks in the environment, advising on
improvements to threat protection practices, and referring violations of organizational policies
to appropriate stakeholders.
Responsibilities include threat management, monitoring, and response by using a variety of
security solutions across their environment. The role primarily investigates, responds to, and
hunts for threats using Microsoft Sentinel, Microsoft Defender for Cloud, Microsoft 365
Defender, and third-party security products. Since the security operations analyst consumes
the operational output of these tools, they are also a critical stakeholder in the configuration
and deployment of these technologies.
You may be eligible for ACE college credit if you pass this certification exam. See ACE college
credit for certification exams for details.
Contents

Audience Profile ... 2
How to use this guide ... 5
In the exam ... 5
Key Learning Objectives ... 6
Mitigate threats using Microsoft 365 Defender (25-30%) ... 7
    Detect, investigate, respond, and remediate threats to the productivity environment by using Microsoft Defender for Office 365 ... 7
    Detect, investigate, respond, and remediate endpoint threats by using Microsoft Defender for Endpoint ... 14
    Detect, investigate, respond, and remediate identity threats ... 23
    Detect, investigate, respond, and remediate application threats ... 27
    Manage cross-domain investigations in Microsoft 365 Defender portal ... 30
Mitigate threats using Microsoft Defender for Cloud (25-30%) ... 32
    Design and configure a Microsoft Defender for Cloud implementation ... 32
    Plan and implement the use of data connectors for ingestion of data sources in Microsoft Defender for Cloud ... 35
    Manage Microsoft Defender for Cloud alert rules ... 39
    Configure automation and remediation ... 40
    Investigate Microsoft Defender for Cloud alerts and incidents ... 42
Mitigate threats using Microsoft Sentinel (40-45%)
    Design and configure a Microsoft Sentinel workspace ... 47
    Plan and implement the use of data connectors for ingestion of data sources in Microsoft Sentinel ... 52
    Manage Microsoft Sentinel analytics rules ... 60
    Configure Security Orchestration, Automation and Response (SOAR) in Microsoft Sentinel ... 64
    Manage Microsoft Sentinel incidents ... 69
    Use Microsoft Sentinel workbooks to analyze and interpret data ... 75
    Hunt for threats using Microsoft Sentinel ... 78