Audience Profile
The Microsoft Security Operations Analyst collaborates with organizational
stakeholders to secure information technology systems for the organization.
Their goal is to reduce organizational risk by rapidly remediating active
attacks in the environment, advising on improvements to threat protection
practices, and referring violations of organizational policies to appropriate
stakeholders.
Responsibilities include threat management, monitoring, and response by using a
variety of security solutions across their environment. The role primarily
investigates, responds to, and hunts for threats using Microsoft Azure Sentinel,
Microsoft Defender for Cloud, Microsoft 365 Defender, and third-party security
products. Since the security operations analyst consumes the operational output
of these tools, they are also a critical stakeholder in the configuration and
deployment of these technologies.
Skills Measured
NOTE: The bullets that follow each of the skills measured are intended to
illustrate how we are assessing that skill. This list is NOT definitive or
exhaustive.
NOTE: Most questions cover features that are general availability (GA). The exam
may contain questions on Preview features if those features are commonly used.
Mitigate threats using Microsoft 365 Defender (25-30%)
Detect, investigate, respond, and remediate threats to the productivity
environment by using Microsoft Defender for Office 365
- detect, investigate, respond, and remediate threats to Microsoft Teams,
  SharePoint, and OneDrive
- detect, investigate, respond, and remediate threats to email by using
  Defender for Office 365
- manage data loss prevention policy alerts
- assess and recommend sensitivity labels
- assess and recommend insider risk policies
Detect, investigate, respond, and remediate endpoint threats by using
Microsoft Defender for Endpoint
- manage data retention, alert notification, and advanced features
- configure device attack surface reduction rules
- configure and manage custom detections and alerts
- respond to incidents and alerts
- manage automated investigations and remediations
- assess and recommend endpoint configurations to reduce and remediate
  vulnerabilities by using Microsoft's threat and vulnerability management
  solution
- manage Microsoft Defender for Endpoint threat indicators
- analyze Microsoft Defender for Endpoint threat analytics
Detect, investigate, respond, and remediate identity threats
- identify and remediate security risks related to sign-in risk policies
- identify and remediate security risks related to Conditional Access events
- identify and remediate security risks related to Azure Active Directory
- identify and remediate security risks using Secure Score
- identify, investigate, and remediate security risks related to privileged
  identities
- configure detection alerts in Azure AD Identity Protection
- identify and remediate security risks related to Active Directory Domain
  Services using Microsoft Defender for Identity
Detect, investigate, respond, and remediate application threats
- identify, investigate, and remediate security risks by using Microsoft
  Cloud App Security (MCAS)
- configure MCAS to generate alerts and reports to detect threats
Manage cross-domain investigations in the Microsoft 365 Defender portal
- manage incidents across Microsoft 365 Defender products
- manage actions pending approval across products
- perform advanced threat hunting
Mitigate threats using Microsoft Defender for Cloud (25-30%)
Design and configure a Microsoft Defender for Cloud implementation
- plan and configure Microsoft Defender for Cloud settings, including
  selecting target subscriptions and workspace
- configure Microsoft Defender for Cloud roles
- configure data retention policies
- assess and recommend cloud workload protection
Plan and implement the use of data connectors for ingestion of data sources
in Microsoft Defender for Cloud
- identify data sources to be ingested for Microsoft Defender for Cloud
- configure automated onboarding for Azure resources
- connect on-premises computers
- connect AWS cloud resources
- connect GCP cloud resources
- configure data collection
Manage Microsoft Defender for Cloud alert rules
- validate alert configuration
- set up email notifications
- create and manage alert suppression rules
Configure automation and remediation
- configure automated responses in Microsoft Defender for Cloud
- design and configure playbook workflow automation in Microsoft Defender
  for Cloud
- remediate incidents by using Microsoft Defender for Cloud recommendations
- create an automatic response using an Azure Resource Manager template
Investigate Microsoft Defender for Cloud alerts and incidents
- describe alert types for Azure workloads
- manage security alerts
- manage security incidents
- analyze Microsoft Defender for Cloud threat intelligence
- respond to Microsoft Defender for Key Vault alerts
- manage user data discovered during an investigation
Mitigate threats using Microsoft Sentinel (40-45%)
Design and configure a Microsoft Sentinel workspace
- plan a Microsoft Sentinel workspace
- configure Microsoft Sentinel roles
- design Microsoft Sentinel data storage
- configure security settings and access for Microsoft Sentinel, including
  service security
Plan and implement the use of data connectors for ingestion of data sources
in Microsoft Sentinel
- identify data sources to be ingested for Microsoft Sentinel
- identify the prerequisites for a data connector
- configure and use Microsoft Sentinel data connectors
- configure data connectors by using Azure Policy
- design and configure Syslog and CEF event collections
- design and configure Windows Security events collections
- configure custom threat intelligence connectors
- create custom logs in Azure Log Analytics to store custom data
Manage Microsoft Sentinel analytics rules
- design and configure analytics rules
- create custom analytics rules to detect threats
- activate Microsoft security analytics rules
- configure connector-provided scheduled queries
- configure custom scheduled queries
- define incident creation logic
Configure Security Orchestration, Automation, and Response (SOAR) in
Microsoft Sentinel
- create Microsoft Sentinel playbooks
- configure rules and incidents to trigger playbooks
- use playbooks to remediate threats
- use playbooks to manage incidents
- use playbooks across Microsoft Defender solutions
Manage Microsoft Sentinel incidents
- investigate incidents in Microsoft Sentinel
- triage incidents in Microsoft Sentinel
- respond to incidents in Microsoft Sentinel
- investigate multi-workspace incidents
- identify advanced threats with User and Entity Behavior Analytics (UEBA)
Use Microsoft Sentinel workbooks to analyze and interpret data
- activate and customize Microsoft Sentinel workbook templates
- create custom workbooks
- configure advanced visualizations
- view and analyze Microsoft Sentinel data using workbooks
- track incident metrics using the security operations efficiency workbook
Hunt for threats using the Microsoft Sentinel portal
- create custom hunting queries
- run hunting queries manually
- monitor hunting queries by using Livestream
- perform advanced hunting with notebooks
- track query results with bookmarks
- use hunting bookmarks for data investigations
- convert a hunting query to an analytical
QUESTION 1
The issue for which team can be resolved by using Microsoft Defender for
Endpoint?
A. executive
B. sales
C. marketing
Answer: B
QUESTION 2
The issue for which team can be resolved by using Microsoft Defender for
Office 365?
A. executive
B. marketing
C. security
D. sales
Answer: B
QUESTION 3
Your company uses Microsoft Defender for Endpoint.
The company has Microsoft Word documents that contain macros. The documents are
used frequently on the devices of the company’s accounting team.
You need to hide false positives in the Alerts queue, while maintaining the
existing security posture.
Which three actions should you perform? Each correct answer presents part of the
solution.
NOTE: Each correct selection is worth one point.
A. Resolve the alert automatically.
B. Hide the alert.
C. Create a suppression rule scoped to any device.
D. Create a suppression rule scoped to a device group.
E. Generate the alert.
Answer: B,C,E
QUESTION 4
You are investigating a potential attack that deploys a new ransomware strain.
You have three custom device groups. The groups contain devices that store
highly sensitive information.
You plan to perform automated actions on all devices.
You need to be able to temporarily group the machines to perform actions on the
devices.
Which three actions should you perform? Each correct answer presents part of the
solution.
NOTE: Each correct selection is worth one point.
A. Assign a tag to the device group.
B. Add the device users to the admin role.
C. Add a tag to the machines.
D. Create a new device group that has a rank of 1.
E. Create a new admin role.
F. Create a new device group that has a rank of 4.
Answer: A,C,D