Security Operations Analyst - Threat Hunter & Defender

Course Overview

The "SC-200:
Microsoft Security Operations Analyst" course teaches how to investigate, respond to, and hunt for threats using Microsoft Azure Sentinel, Azure Defender, and Microsoft 365 Defender. It covers configuring these solutions, performing detection, analysis, and reporting with Kusto Query Language (KQL), and mitigating cyber threats. Designed for security operations professionals, this course prepares learners for the SC-200 exam.

The Microsoft Security Operations Analyst works closely with organizational stakeholders to secure IT systems, aiming to minimize risk by quickly addressing active threats, recommending improvements to threat protection practices, and reporting policy violations. This role involves threat management, monitoring, and response using Microsoft Azure Sentinel, Azure Defender, Microsoft 365 Defender, and third‑party security products. Analysts also play a key role in the configuration and deployment of these technologies.

• Explain how Microsoft Defender for Endpoint can remediate risks and create a Defender for Endpoint environment.
• Configure Attack Surface Reduction rules on Windows 10 devices and perform actions using Microsoft Defender for Endpoint.
• Investigate domains, IP addresses, and user accounts in Microsoft Defender for Endpoint.
• Configure alert settings and understand the evolving threat landscape.
• Conduct advanced hunting and manage incidents in Microsoft 365 Defender.
• Explain how Microsoft Defender for Identity can remediate risks and investigate DLP alerts in Microsoft Cloud App Security.
• Configure auto‑provisioning and remediate alerts in Azure Defender.
• Construct and use KQL statements for filtering, extracting, and managing data.
• Manage an Azure Sentinel workspace, including configuring Log Analytics agents, creating analytics rules and queries, and automating incident responses.
• Use queries to hunt for threats and monitor them over time with livestream.

• Basic understanding of Microsoft 365 and fundamental Microsoft security, compliance, and identity products.
• Intermediate understanding of Windows 10.
• Familiarity with Azure services, including Azure SQL Database, Azure Storage, Azure virtual machines, and virtual networking.
• Basic understanding of scripting concepts.

• Implement the Microsoft Defender for Endpoint platform to detect, investigate, and respond to advanced threats.
• Deploy the Microsoft Defender for Endpoint environment, onboard devices, and configure security.
• Investigate incidents and alerts using Microsoft Defender for Endpoint.
• Perform advanced hunting and consult with threat experts.
• Configure automation by managing environmental settings.
• Use Threat and Vulnerability Management to identify environment weaknesses.

• Analyze threat data across domains and remediate threats with built‑in orchestration and automation.
• Protect Azure Active Directory identities and applications from compromise.
• Mitigate incidents and manage insider risk in Microsoft 365.
• Respond to data loss prevention alerts and safeguard the environment with Microsoft Cloud App Security.

• Enable Azure Defender integrated with Azure Security Center for Azure, hybrid, and on‑premises workloads.
• Connect Azure assets to Azure Defender and remediate security alerts.
• Provide protection for non‑Azure machines and understand workload coverage.

• Write KQL statements to query log data for detections, analysis, and reporting.
• Summarize and visualize data; build multi‑table queries.
• Manipulate string data from log sources to extract structured and unstructured information.

• Install and create Azure Sentinel work spaces.
• Query logs and use watchlists in Azure Sentinel.
• Leverage threat intelligence and create threat indicators.
• Manage workspace architecture and access data tables.

• Use Azure Sentinel data connectors to import logs from Microsoft 365 Defender, Windows hosts, Common Event Format, syslog, and threat intelligence.
• Configure Log Analytics agents and TAXII connector for incident auto‑creation.

• Build Azure Sentinel analytics rules and playbooks for automated response.
• Investigate incident management, entity behavior analytics, and visualise data with workbooks.
• Advance rule creation, modification, and incident resolution.

• Develop threat hunting hypotheses and use notebooks for advanced hunting.
• Utilise livestream to observe threats over time.
• Explore API libraries for extended hunting capabilities.