SC-200T00: Defend against cyberthreats with Microsoft’s security operations platform

Leaf Learning 365 - All Courses - Microsoft Technical Training Courses - SC-200T00: Defend against cyberthreats with Microsoft’s security operations platform

SC-200T00: Defend against cyberthreats with Microsoft's security operations platform

Duration: 4 Days

Learn how to investigate, respond to, and hunt for threats using Microsoft Sentinel, Microsoft Defender XDR and  Microsoft Defender for Cloud. In this course you will learn how to mitigate cyberthreats using these technologies. Specifically, you will configure and use Microsoft Sentinel as well as utilize Kusto Query Language (KQL) to perform detection, analysis, and reporting. The course was designed for people who work in a Security Operations job role and helps learners prepare for the exam SC-200: Microsoft Security Operations Analyst.

 

 

Audience Profile

The Microsoft Security Operations Analyst collaborates with organizational stakeholders to secure information technology systems for the organization. Their goal is to reduce organizational risk by rapidly remediating active attacks in the environment, advising on improvements to threat protection practices, and referring violations of organizational policies to appropriate stakeholders. Responsibilities include threat management, monitoring, and response by using a variety of security solutions across their environment. The role primarily investigates, responds to, and hunts for threats using Microsoft Sentinel, Microsoft Defender XDR, Microsoft Defender for Cloud, and third-party security products. Since the Security Operations Analyst consumes the operational output of these tools, they are also a critical stakeholder in the configuration and deployment of these technologies.

Course Content

Introduction to Microsoft Defender XDR threat protection

In this module, you'll learn how to use the Microsoft Defender XDR integrated threat protection suite.

  • Introduction
  • Explore Extended Detection & Response (XDR) response use cases
  • Understand Microsoft Defender XDR in a Security Operations Center (SOC)
  • Explore Microsoft Security Graph
  • Investigate security incidents in Microsoft Defender XDR

Mitigate incidents using Microsoft Defender

Learn how the Microsoft Defender portal provides a unified view of incidents from the Microsoft Defender family of products.

  • Introduction
  • Use the Microsoft Defender portal
  • Manage incidents
  • Investigate incidents
  • Manage and investigate alerts
  • Manage automated investigations
  • Use the action center
  • Explore advanced hunting
  • Investigate Microsoft Entra sign-in logs
  • Understand Microsoft Secure Score
  • Analyze threat analytics
  • Analyze reports
  • Configure the Microsoft Defender portal

Remediate risks with Microsoft Defender for Office 365

Learn about the Microsoft Defender for Office 365 component of Microsoft Defender XDR.

  • Introduction to Microsoft Defender for Office 365
  • Automate, investigate, and remediate
  • Configure, protect, and detect
  • Simulate attacks

Manage Microsoft Entra Identity Protection

Protecting a user's identity by monitoring their usage and sign-in patterns ensure a secure cloud solution. Explore how to design and implement Microsoft Entra Identity protection.

  • Introduction
  • Review identity protection basics
  • Implement and manage user risk policy
  • Exercise enable sign-in risk policy
  • Exercise configure Microsoft Entra multifactor authentication registration policy
  • Monitor, investigate, and remediate elevated risky users
  • Implement security for workload identities
  • Explore Microsoft Defender for Identity
  • Explore the Identity Risk Management Agent

Safeguard your environment with Microsoft Defender for Identity

Learn about the Microsoft Defender for Identity component of Microsoft Defender XDR.

  • Introduction to Microsoft Defender for Identity
  • Configure Microsoft Defender for Identity sensors
  • Review compromised accounts or data
  • Integrate with other Microsoft tools

Secure your cloud apps and services with Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that operates on multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services. Learn how to use Defender for Cloud Apps in your organization.

  • Introduction
  • Understand the Defender for Cloud Apps Framework
  • Explore your cloud apps with Cloud Discovery
  • Protect your data and apps with Conditional Access App Control
  • Walk through discovery and access control with Microsoft Defender for Cloud Apps
  • Classify and protect sensitive information
  • Detect Threats

Introduction to generative AI and agents

Generative AI powers applications that can create content, answer questions, and assist with tasks. In this module, you'll explore the fundamentals of generative AI, including large language models (LLMs), prompts, and AI agents.

  • Large language models (LLMs)
  • Prompts
  • AI agents
  • Exercise - Explore generative AI

Describe Microsoft Security Copilot

Get acquainted with Microsoft Security Copilot. You're introduced to some basic terminology, how Microsoft Security Copilot processes prompts, the elements of an effective prompt, and how to enable the solution.

  • Get acquainted with Microsoft Security Copilot
  • Describe Microsoft Security Copilot terminology
  • Describe how Microsoft Security Copilot processes prompt requests
  • Describe the elements of an effective prompt
  • Describe how to enable Microsoft Security Copilot

Describe the core features of Microsoft Security Copilot

Microsoft Security Copilot has a rich set of features. Learn about available plugins, promptbooks, the ways you can export and share information from Copilot, and much more.

  • Describe the features available in the standalone experience of Microsoft Security Copilot
  • Describe the features available in a session of the standalone experience
  • Describe workspaces
  • Describe the Microsoft plugins available in Microsoft Security Copilot
  • Describe the non-Microsoft plugins supported by Microsoft Security Copilot
  • Describe custom promptbooks
  • Describe knowledge base connections

Describe the embedded experiences of Microsoft Security Copilot

Microsoft Security Copilot is accessible directly from some Microsoft security products. This is referred to as the embedded experience. Learn about the scenarios supported by the Copilot embedded experience in Microsoft’s security solutions.

  • Describe Copilot in Microsoft Defender XDR
  • Copilot in Microsoft Purview
  • Copilot in Microsoft Entra
  • Copilot in Microsoft Intune
  • Copilot in Microsoft Defender for Cloud (Preview)

Explore use cases of Microsoft Security Copilot

Explore use cases of Microsoft Security Copilot in the standalone and embedded experiences, through lab-like exercises.

  • Explore the first run experience
  • Explore the standalone experience
  • Explore Security Copilot workspaces
  • Configure the Microsoft Sentinel plugin
  • Enable a custom plugin
  • Explore file uploads as a knowledge base
  • Create a custom promptbook
  • Explore the capabilities of Copilot in Microsoft Defender XDR
  • Explore the capabilities of Copilot in Microsoft Purview
  • Explore the capabilities of Copilot in Microsoft Entra

Investigate and respond to Microsoft Purview Data Loss Prevention alerts

Microsoft Purview and Microsoft Defender XDR help organizations detect potential data loss risks and respond quickly to protect sensitive information. Investigation and response activities include reviewing DLP alerts, applying appropriate remediation actions, and documenting findings in a structured and consistent way.

  • Understand data loss prevention (DLP) alerts
  • Understand the DLP alert lifecycle
  • Configure DLP policies to generate alerts
  • Investigate DLP alerts in Microsoft Purview
  • Investigate DLP alerts in Microsoft Defender XDR
  • Investigate DLP alerts with Security Copilot and AI agents
  • Respond to DLP alerts
  • Exercise - Investigate a DLP alert and related incident

Investigate insider risk alerts and related activity

Investigate insider risk alerts and manage related cases in Microsoft Purview to assess user behavior, take appropriate action, and coordinate deeper reviews across teams.

  • Understand insider risk alerts and investigations
  • Manage alert volume in insider risk management
  • Investigate and triage insider risk alerts in Microsoft Purview
  • Investigate insider risk alerts with Security Copilot and AI agents
  • Analyze alert context with the All risk factors tab
  • Investigate activity details with the Activity explorer tab
  • Review patterns over time with the User activity tab
  • Investigate insider risk alerts in Microsoft Defender XDR
  • Manage and take action on insider risk cases
  • Exercise - Investigate potential data theft using Insider Risk Management

Search and investigate with Microsoft Purview Audit

Enhance data security and compliance with Microsoft Purview Audit by configuring detailed audits, managing logs, and analyzing access patterns.

  • Microsoft Purview Audit overview
  • Configure and manage Microsoft Purview Audit
  • Conduct searches with Audit (Standard)
  • Audit Microsoft Copilot for Microsoft 365 interactions
  • Investigate activities with Audit (Premium)
  • Export audit log data
  • Configure audit retention with Audit (Premium)

Search for content with Microsoft Purview eDiscovery

Use Microsoft Purview eDiscovery to search for content across Microsoft 365. This module covers how to configure cases, define search criteria, and locate messages, files, and other organizational data.

  • Understand eDiscovery and content search capabilities
  • Prerequisites for using eDiscovery in Microsoft Purview
  • Create an eDiscovery search
  • Conduct an eDiscovery search
  • Export eDiscovery search results

Protect against threats with Microsoft Defender for Endpoint

Learn how Microsoft Defender for Endpoint can help your organization stay secure.

  • Introduction to Microsoft Defender for Endpoint
  • Practice security administration
  • Hunt threats within your network

Deploy the Microsoft Defender for Endpoint environment

Learn how to deploy the Microsoft Defender for Endpoint environment, including onboarding devices and configuring security.

  • Create your environment
  • Understand operating systems compatibility and features
  • Onboard devices
  • Manage access
  • Create and manage roles for role-based access control
  • Configure device groups
  • Configure environment advanced features

Implement Windows security enhancements with Microsoft Defender for Endpoint

Microsoft Defender for Endpoint gives you various tools to eliminate risks by reducing the surface area for attacks without blocking user productivity. Learn about Attack Surface Reduction (ASR) with Microsoft Defender for Endpoint.

  • Understand attack surface reduction
  • Enable attack surface reduction rules
  • Module assessment

Perform device investigations in Microsoft Defender for Endpoint

Microsoft Defender for Endpoint provides detailed device information, including forensics information. Learn about information available to you through Microsoft Defender for Endpoint that aids in your investigations.

  • Use the device inventory list
  • Investigate the device
  • Use behavioral blocking
  • Detect devices with device discovery

Perform actions on a device using Microsoft Defender for Endpoint

Learn how Microsoft Defender for Endpoint provides the remote capability to contain devices and collect forensics data.

  • Explain device actions
  • Run Microsoft Defender antivirus scan on devices
  • Collect investigation package from devices
  • Initiate live response session

Perform evidence and entities investigations using Microsoft Defender for Endpoint

Learn about the artifacts in your environment and how they relate to other artifacts and alerts that provide you with insight to understand the overall impact to your environment.

  • Investigate a file
  • Investigate a user account
  • Investigate an IP address
  • Investigate a domain

Configure and manage automation using Microsoft Defender for Endpoint

Learn how to configure automation in Microsoft Defender for Endpoint by managing environmental settings.

  • Configure advanced features
  • Manage automation upload and folder settings
  • Configure automated investigation and remediation capabilities
  • Block at risk devices

Configure for alerts and detections in Microsoft Defender for Endpoint

Learn how to configure settings to manage alerts and notifications. You'll also learn to enable indicators as part of the detection process.

  • Configure advanced features
  • Configure alert notifications
  • Manage alert suppression
  • Manage indicators

Utilize Vulnerability Management in Microsoft Defender for Endpoint

Learn about your environment's weaknesses by using Vulnerability Management in Microsoft Defender for Endpoint.

  • Understand vulnerability management
  • Explore vulnerabilities on your devices
  • Manage remediation

Plan for cloud workload protections using Microsoft Defender for Cloud

Learn the purpose of Microsoft Defender for Cloud and how to enable the system.

  • Explain Microsoft Defender for Cloud
  • Describe Microsoft Defender for Cloud workload protections
  • Exercise – Microsoft Defender for Cloud interactive guide
  • Enable Microsoft Defender for Cloud

Connect Azure assets to Microsoft Defender for Cloud

Learn how to connect your various Azure assets to Microsoft Defender for Cloud to detect threats.

  • Explore and manage your resources with asset inventory
  • Configure auto provisioning
  • Manual agent provisioning

Connect non-Azure resources to Microsoft Defender for Cloud

Learn how you can add Microsoft Defender for Cloud capabilities to your hybrid environment.

  • Protect non-Azure resources
  • Connect non-Azure machines
  • Connect your AWS accounts
  • Connect your GCP accounts

Manage your cloud security posture management

Microsoft Defender for Cloud, Cloud Security Posture Management (CSPM) provides visibility into vulnerable resources and provides hardening guidance.

  • Explore Secure Score
  • Explore Recommendations
  • Measure and enforce regulatory compliance
  • Understand Workbooks

Explain cloud workload protections in Microsoft Defender for Cloud

Learn about the protections and detections provided by Microsoft Defender for Cloud with each cloud workload.

  • Understand Microsoft Defender for servers
  • Understand Microsoft Defender for App Service
  • Understand Microsoft Defender for Storage
  • Understand Microsoft Defender for SQL
  • Understand Microsoft Defender for open-source databases
  • Understand Microsoft Defender for Key Vault
  • Understand Microsoft Defender for Resource Manager
  • Understand Microsoft Defender for DNS
  • Understand Microsoft Defender for Containers
  • Understand Microsoft Defender additional protections

Remediate security alerts using Microsoft Defender for Cloud

Learn how to remediate security alerts in Microsoft Defender for Cloud.

  • Understand security alerts
  • Remediate alerts and automate responses
  • Suppress alerts from Defender for Cloud
  • Generate threat intelligence reports
  • Respond to alerts from Azure resources

Labs/Hands-On Exercises

This class has hands-on labs provided by Go Deploy.