
Gain hands-on security operations training with 24/7 access to custom practice labs and simulations aligned to the SC-200 exam objectives, ensuring real-world practice beyond slides.
Build a solid foundation by reviewing on-premises Active Directory and domain services, RAS and DMZ, virtualization, and the Microsoft 365 and Azure cloud services, including IaaS, PaaS, and SaaS.
Explore the foundations of Active Directory domains, including domain controllers, replication, DNS, Kerberos, NTLM, and LDAP, and see how GPOs, DNS, and file services shape authentication in a cloud-oriented environment.
Explore the foundations of remote access with RAS and VPN, secure DMZ perimeter networks, and virtualization concepts like Hyper-V, redundancy, and elastic memory for secure cloud-ready infrastructure.
Explore how cloud services emerged from data centers and examine IaaS, PaaS, and SaaS, including Azure and Microsoft 365 offerings, with key tools like Intune, Exchange Online, and Azure AD.
Understand that Microsoft cloud services constantly change, require agility, and that menus, buttons, and names move weekly, making it impossible to track every update.
Explore how Microsoft renames core portals, such as Azure Active Directory to Entra ID, and how portal links are updated to admin.microsoft.com and defender.microsoft.com, with an always-updated portals.examlabpractice.com resource.
John Christopher invites questions from thousands of learners, urges patience, and points to official Microsoft docs and exam lab practice for fast answers, with Udemy for exam questions.
I structure the course objectives in a logical order, placing foundational concepts before advanced ones, and explain that exam objectives aren’t fixed and may be renamed or covered across videos.
Earn your certificate of completion by watching all the videos; assignments do not matter, and a final video explains how to obtain your certificate.
Navigate assignments and simulations in the SC-200 course, understand that only videos matter for certification, and follow step-by-step guidance to run simulations and resolve occasional check-off glitches.
Set up a lab environment by obtaining a free Microsoft 365 E5 trial, activate the subscription, and explore a 30-day Teams trial while noting regional availability.
Create a free Microsoft 365 account with a new email, verify by phone, start a 30-day trial, and learn to navigate marketplace, assign a license, and cancel.
Start the Azure free trial to receive $200 credit for 30 days and access free services for up to a year, then switch to pay-as-you-go if needed.
Configure devices to join Microsoft Entra ID and enable automatic enrollment with Microsoft Intune for device management, including MDM and Windows information protection settings.
Disable security defaults in Microsoft Entra ID to unlock granular controls, balance MFA requirements, and transition to conditional access policies. Navigate to portal.azure.com, Entra ID, Properties, to disable the feature.
Explore the Microsoft 365 Defender suite, linking endpoints, identity, cloud apps, and data loss prevention to orchestrate detections, alerts, and automated responses across Microsoft 365 and Azure.
Understand how Microsoft Defender functions as an extended detection and response (XDR) platform, unifying logs, threat intelligence, and automated responses across on-prem and cloud environments.
Explore how Microsoft 365 Defender and Purview relate, navigate their admin centers on portal.azure.com, and note licensing activation delays before diving deeper into security and compliance.
Leverage Microsoft Defender for Endpoint to detect and remediate threats across devices with endpoint detection and response, threat and vulnerability management, attack surface reduction, and cloud security analytics.
Create a Microsoft Defender admin role with read and manage permissions, covering security operations, security posture, and authorization settings; assign it to a user and apply the principle of least privilege.
Onboard a device to Defender for Endpoint using the local script method, from download to enrollment in the portal, with options across Windows, Mac, Linux, and servers.
Learn how to onboard hundreds of Windows devices automatically by enabling automatic enrollment in Microsoft Entra ID and Intune, and connect Defender for Endpoint for seamless device security.
Verify Windows device onboarding by checking the device in Defender for Endpoint assets for an active sensor health status, or confirm on the device itself that the 'Sense' service is running in Task Manager and that the registry shows an onboarding state.
Explore Defender for Endpoint in the security portal, noting that extra features appear after license activation, with emphasis on configuration management and upcoming vulnerability management topics.
Explore configuring Defender for Endpoint in Microsoft 365 Defender, including advanced settings, device groups, alert rules, licenses, roles, SIEM integration, and Intune enforcement.
Review and respond to endpoint vulnerabilities in Defender for Endpoint by running a PowerShell test script, then view incidents and the Plan 2 vulnerability dashboard.
Learn to configure device groups in Defender for Endpoint, choose remediation levels from no automated response to full remediation, and assign admin access to NYC device admins.
Identify unmanaged devices with Microsoft Defender for Endpoint's device discovery. Explore basic and standard discovery modes, Intune, network discovery, log analytics, and authenticated scans to uncover unmonitored devices.
Explore attack surface reduction rules in Microsoft Defender for Endpoint, configuring an ASR policy for Windows, auditing first, and reviewing audit reports to reduce the device attack surface.
Centralize and normalize logs from Azure, Microsoft 365, on-premises, and third-party sources with Microsoft Sentinel's SIEM and SOAR capabilities. Automate detection, investigation, and response using AI-powered analytics, playbooks, and data connectors.
Plan and configure a Microsoft Sentinel workspace by creating a Log Analytics workspace, review prerequisites and pricing, and enable the Sentinel integration, including the 30-day free trial.
Learn how to redo simulations in the course by navigating from the assignment screen: go to summary, return to assignment, open instructions, and access the simulation link anytime.
Configure Microsoft Sentinel roles and Azure RBAC by selecting roles like Microsoft Sentinel Reader, Responder, Contributor, and Playbook Operator, then assign them via Access control (IAM) in the Sentinel resource group.
Sentinel stores log types in a Log Analytics workspace and organizes data into tables from connected resources, with retention adjustable from 30 days to up to 12 years.
Activate and customize workbook templates in Microsoft Sentinel to visualize data from audit logs and role management, with templates sourced from Content Hub and AWS.
Create a custom workbook in Microsoft Sentinel by adding text, parameters, actions, and a KQL data source visualization to display sign-in logs in interactive charts.
Explore visualization options in Sentinel workbooks, including adding images and videos, editing queries, and applying visual formatting such as pie charts. Customize colors and values, then save the workbook.
Identify data connectors to ingest and normalize diverse logs into a central Sentinel workspace for unified cloud and on-premises analysis.
Explore Content Hub in Microsoft Sentinel to discover data connectors, learn how to access Content Hub from the Azure and Defender portals, and connect sources for security telemetry.
Discover how Kusto Query Language (KQL), a SQL-like language, enables querying information within Microsoft Defender and Microsoft Sentinel for investigations, incidents, alerts, and hunting data.
Configure and use Microsoft Sentinel connectors from Azure and Defender, install Azure Activity, and manage Content Hub data sources to ingest diagnostic settings and Sentinel data.
Plan and configure the Azure Monitor Agent (AMA) to collect logs from Windows and Linux devices, and define data collection rules to control what is ingested into Azure Monitor Logs.
Explore syslog and the common event format (CEF), and configure their data connectors in Microsoft Sentinel using the Azure Monitor agent (AMA) and a Linux forwarder.
Explore how Windows security events are collected via Event Viewer and forwarded with Windows Event Forwarding (WEF) into Microsoft Sentinel through data connectors and the Azure Monitor Agent.
Create custom log tables in a Log Analytics workspace to store ingested data, then use a data collection rule to route logs to the Microsoft Sentinel workspace.
Configure Sentinel to ingest Azure Activity and Entra ID data by setting up diagnostic exports to Log Analytics, launching an Azure Policy, and enabling sign-in, audit, and Graph activity logs.
Visualize and optimize data ingestion in Microsoft Sentinel using workbooks and templates. Explore data sources, apply data connectors and data collection rules to filter and refine what gets ingested.
Run a phishing simulation using the attack simulator in Microsoft 365 Defender to test users, trigger training, and reinforce secure behavior through built-in training and reporting.
Explore the actions and submissions area of Microsoft 365 Defender, submit files or messages for analysis, and manage automated or manual investigations with actions like isolate, quarantine, or remove.
Identify and remediate security risks with Microsoft Secure Score in Defender, tracking security posture across identity, data, device, and apps, and following actionable recommendations to improve over time.
Analyze the latest threats in the Microsoft 365 Defender threat analytics dashboard, including ransomware and phishing, and assess their impact on your environment with analyst reports and recommended actions.
Configure and manage custom alert detections in Microsoft Defender by creating alert policies, selecting threat activities like detected malware in email, setting severity, triggers, and notifications.
Explore how Microsoft Sentinel uses entities to classify and enrich security data, map fields to accounts and IPs, and enable incident investigations, threat hunting, and automated responses.
Understand how Sentinel analytics rules detect threats and anomalies using scheduled query rules, Fusion, ML behavior analytics, and near real-time analytics, with customizable thresholds and automated responses via playbooks.
Create and manage analytics rules in Microsoft Sentinel using KQL queries to detect threats and generate alerts or incidents. Compare scheduled and near real-time queries, configure thresholds, and alert details.
Learn how ASIM normalizes diverse sources in Microsoft Sentinel with custom parsers and built-in schemas for cross-source detection, using KQL-based queries.
Turn on behavioral analytics (UEBA) in Microsoft Sentinel to create baselines for users, devices, and identities, and detect anomalies, reduce false positives, and catch insider threats or compromised accounts.
Learn how to configure threat policies in Microsoft Defender for Office 365, including anti-phishing, anti-spam, anti-malware, safe attachments and safe links, plus impersonation protection and quarantine management.
Investigate threats in Defender for Office 365 using Threat Explorer and threat analytics. Take actions to block, delete, or report emails, and remediate with automated investigations.
Explore how data loss prevention in Microsoft 365 Defender detects and blocks sensitive data across email, SharePoint, Teams, and endpoints, with policy tips and regulatory use cases.
Learn data loss prevention roles and permissions in Microsoft Purview, including compliance administrator, compliance data administrator, information protection admin, role groups, and custom roles, for assigning DLP privileges in admin.microsoft.com.
Create and customize a data loss prevention policy in Microsoft Purview, selecting U.S. financial data, applying to Exchange, SharePoint, OneDrive, and more, with policy tips, alerts, and simulation before activation.
Implement adaptive protection for data loss prevention in Microsoft Purview using Insider Risk Management, a dynamic ML-based system that adjusts enforcement by user risk levels.
Discover how data loss prevention policies use lower-numbered priorities to set precedence, with the most restrictive rule resolving conflicts across policies and their low volume and high volume rules.
Discover insider risk management in the Microsoft Purview toolset, defining policies, detecting and investigating insider threats, triaging alerts, and escalating cases to eDiscovery Premium for legal action.
Configure insider risk management connectors to ingest third-party data into Microsoft Purview, review permissions, and add 17a-4 connectors via the wizard to support policies, e-discovery, and retention.
Configure a custom insider risk policy in Microsoft Purview, selecting templates like data leaks, setting thresholds, prioritizing sensitive info types, and enabling alerts across users.
Explore Microsoft Defender for Cloud, a cloud-native application protection platform (CNAPP) for multi-cloud environments that unifies DevSecOps, cloud security posture management, and cloud workload protection across Azure, AWS, and Google Cloud.
Explore Microsoft Defender for Cloud, the cloud workload protection platform shielding servers, storage, containers, databases, and APIs. Learn to enable and manage protection plans in the Azure portal.
Discover and manage cloud apps with Defender for Cloud Apps, a cloud access security broker that monitors user activity, prevents shadow IT, and enforces data sensitivity and regulatory compliance.
Identify, investigate, and remediate security risks using Defender for Cloud Apps; learn policy management, app discovery, and incident investigation across cloud services.
Learn to investigate incidents in Microsoft Sentinel by configuring access with the Microsoft Sentinel Responder role, reviewing incidents and alerts in Defender, and understanding incident details, assets, and evidence.
Learn how automation rules automatically trigger actions on alerts and incidents to standardize triage and speed responses, and how playbooks built with Azure Logic Apps perform enrichment, remediation, and notifications.
Create an automation rule in Microsoft Sentinel to auto-assign medium or high severity incidents on creation, with playbook actions, ownership assignment, and serial execution by priority.
Create and configure Microsoft Sentinel playbooks using incident, alert, or entity triggers, leveraging Logic Apps templates and authorization steps to automate responses.
Microsoft Sentinel playbooks run automation on-premises via a Hybrid Runbook Worker linked to an Azure Automation account, enabling on-premises tasks through a cloud-based logic app.
Understand security compute units powering Microsoft Security Copilot, including provisioned capacity billed hourly and on-demand overage, managed via an Azure subscription and a usage monitor dashboard.
Configure anomaly-based analytics rules in Microsoft Sentinel, exploring the anomalies tab and UEBA anomalies, then build near real-time KQL rules to detect failed logon attempts with baseline and threshold.
Trigger and analyze security incidents in a Defender for Endpoint lab by using attack surface reduction demonstrations, PowerShell scripts, and synchronized logs to study threat activity.
Explore the incident investigation workflow in Microsoft Defender, view incidents, analyze attack stories, and review file, URL, and evidence and response details across a compromised device.
Explore Microsoft Purview auditing capabilities, comparing standard and premium licenses (E3/E5, E5 compliance, and the eDiscovery and audit add-on), with retention up to 10 years and intelligent insights.
Explore auditing in Microsoft Purview by navigating admin.microsoft.com, accessing audit, applying filters by dates, activities, users, and workloads to investigate events, view details, and export results.
Explore content search in Microsoft Purview to conduct eDiscovery for forensics, create cases, place holds, undelete deleted data, and run queries with sources and keywords to discover and preserve information.
Pull Microsoft Graph activity logs into Azure by creating a log analytics workspace and enabling diagnostic settings, then use Kusto query language to analyze the ingested data.
Learn how the Kusto query language (KQL) analyzes security data across Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Purview using table-based queries, pipes, filters, and time-based aggregations.
Explore the Microsoft KQL demo environment, download the provided resources, and use AI copilots to craft and run KQL queries on the security event table.
Explore KQL in Azure's demo environment, querying the SecurityEvent table with where and EventID 4624, using pipes and IntelliSense to filter by computer, user, and process.
Learn to summarize KQL results and filter by time ranges in security events. Use where, summarize, dcount, and by to count and surface top event sources.
Learn to use KQL to display security event data by columns, perform time-based calculations, and sort results. Project the TimeGenerated column and filter by IP and keywords like PowerShell.
Use let to declare temporary variables in KQL, such as a set of logon events, then append a count by account, and merge data with union and join for integrated security outputs.
Learn to perform advanced hunting in Defender with KQL, query device and email events, apply filters, and interpret alert evidence for security insights.
Explore Microsoft Sentinel hunting queries from the Microsoft Defender repository, including device inventory; copy these KQL queries and paste them into Defender advanced hunting to run them and customize time ranges.
We really hope you'll agree, this training is way more than the average course on Udemy!
Have access to the following:
Training from an instructor with over 20 years of experience who has trained thousands of people and is also a Microsoft Certified Trainer
Lectures that explain the concepts in an easy-to-learn method for someone who is just starting out with this material
Instructor-led hands-on exercises and simulations to practice that can be followed even if you have little to no experience
TOPICS COVERED INCLUDING HANDS ON LECTURE AND PRACTICE TUTORIALS:
Introduction
Welcome to the course
Understanding the Microsoft Environment
Foundations of Active Directory Domains
Foundations of RAS, DMZ, and Virtualization
Foundations of the Microsoft Cloud Services
DON'T SKIP: The first thing to know about Microsoft cloud services
DON'T SKIP: Azure AD is now renamed to Entra ID
Questions for John Christopher
Order of concepts covered in the course
Performing hands on activities
DON'T SKIP: Using Assignments in the course
Creating a free Microsoft 365 Account
Activating licenses for Defender for Endpoint and Vulnerabilities
Getting your free Azure credit
Setting up Microsoft Entra for device management
Disable Security Defaults in Entra ID before proceeding
How to setup an Azure virtual machine for practicing hands on
Setting up Microsoft Entra for device management
How to join our test virtual machine to Microsoft Entra
Configure automation for Microsoft Defender XDR and Microsoft Sentinel
Introduction to Microsoft 365 Defender
Concepts of the purpose of extended detection and response (XDR)
Microsoft Defender and Microsoft Purview admin centers
Concepts of management with Microsoft Defender for Endpoint
Vulnerability Management has been moved
Setting up a Microsoft Defender Admin role for permissions
Onboarding to manage devices using Defender for Endpoint
Bulk automatic onboarding with Microsoft Intune
How to verify Windows devices have been onboarded
A note about extra features in your Defender for Endpoint
Incidents, alert notifications, and advanced feature for endpoints
Review and respond to endpoint vulnerabilities
Configure and manage device groups
Identify devices at risk using the Microsoft Defender Vulnerability Management
Identify unmanaged devices by using device discovery
Configure security policies including attack surface reduction (ASR) rules
Concepts of Microsoft Sentinel
Plan a Microsoft Sentinel workspace
Configure the Microsoft Sentinel SIEM and platform
Configure Microsoft Sentinel roles and specify Azure RBAC roles
Design and configure Microsoft Sentinel data storage, log types and log retention
Activate and customize workbook templates
Create custom workbooks that include KQL
Configure visualizations
Ingest data into the Microsoft Sentinel SIEM and platform
Identify data sources to be ingested for Microsoft Sentinel
Implement and use Content hub solutions
A note about Kusto Query Language (KQL)
Configure & use MS connectors for Azure, including Azure Policy & diagnostics
Plan and configure Azure Monitor Agent (AMA) and data collection rules
Plan and configure Syslog and Common Event Format (CEF) event collections
Collection of Windows Security events and Windows Event Forwarding (WEF)
Create custom log tables in the workspace to store ingested data
Configure Sentinel to ingest Azure and Entra ID data
Monitor and optimize data ingestion
Configure detections
Run an attack simulation email campaign in Microsoft 365 Defender
Manage actions and submissions in the Microsoft 365 Defender portal
Identify and remediate security risks by using Microsoft Secure Score
Analyze threat analytics in the Microsoft 365 Defender portal
Configure and manage custom detections and alerts
Classify and analyze data by using entities
Concepts of Microsoft Sentinel analytics rules
Configure and manage analytics rules
Query Microsoft Sentinel data by using ASIM parsers
Implement behavioral analytics
Respond to alerts and incidents in Microsoft Defender XDR
Using policies to remediate threats with Email, Teams, SharePoint & OneDrive
Investigate, respond, and remediate threats with Defender for Office 365
Understanding data loss prevention (DLP) in Microsoft 365 Defender
Understanding Data loss prevention roles and permissions
Implement data loss prevention policies (DLP)
Adaptive Protection with data loss prevention
Policy and rule precedence in Data Loss Prevention
Understanding insider risk policies
Implement Insider Risk Management connectors
Generating an insider risk policy
Overview of Microsoft Defender for Cloud
Assess and recommend cloud workload protection and enable plans
Investigate information identified by MS Defender for Cloud workload protection
Discover and manage apps by using Microsoft Defender for Cloud Apps
Identify, investigate, & remediate security risks by using Defender for Cloud Apps
Investigate and remediate incidents in Microsoft Sentinel
Understanding automation rules and Microsoft Sentinel playbooks
Create and configure automation rules
Create and configure Microsoft Sentinel playbooks
Run playbooks on on-premises resources
What is Microsoft Security Copilot (MSC)?
Security compute units (SCUs) in Security Copilot
Warning before allocating SCUs for Security Copilot
Allocating SCUs for Security Copilot
Setting up sample alerts for querying with Security Copilot
Investigating an incident involving a VM with Security Copilot
IMPORTANT Delete your SCUs
Respond to alerts and incidents identified by Microsoft Defender for Endpoint
Configure anomaly detection analytics rules
How to trigger some incidents using a client device for testing
Investigate timeline of compromised devices
Investigate Microsoft 365 activities to identify threats
Understanding unified audit log licensing and requirements
Setting unified audit permissions and enabling support
Investigate threats by using Content Search
Perform threat hunting by using Microsoft Graph activity logs
Detect threats by using Microsoft Defender XDR
Identify purposes of using Kusto Query Language (KQL)
Practicing with KQL in Microsoft's Demo environment
Searching for information using basic KQL syntax
Summarizing KQL results and filtering based on time ranges
Using KQL to display data based on columns, amounts and characters
Implementing variables and combining output data with KQL
Identify and interpret threats analytics by using KQL in Defender
Customizing hunting queries using Microsoft's Sentinel and Defender repository
Detect threats by using the Microsoft Sentinel platform
Analyze attack vector coverage by using the MITRE ATT&CK matrix
Manage and use threat indicators
Create and manage hunts
Create and monitor hunting queries
Use hunting bookmarks for data investigations
Retrieve and manage archived log data
Create and manage search jobs
Conclusion
Cleaning up your lab environment
Getting a Udemy certificate
BONUS Where do I go from here?