FTK – Free Training Key

Audience Profile
The Microsoft Security Operations Analyst collaborates with organizational stakeholders to secure information technology systems for the organization. Their goal is to reduce organizational risk by rapidly remediating active attacks in the environment, advising on improvements to threat protection practices, and referring violations of organizational policies to appropriate stakeholders.
Responsibilities include threat management, monitoring, and response by using a variety of security solutions across their environment. The role primarily investigates, responds to, and hunts for threats using Microsoft Azure Sentinel, Azure Microsoft Defender for Cloud, Microsoft 365 Defender, and third-party security products. Since the security operations analyst consumes the operational output of these tools, they are also a critical stakeholder in the configuration
and deployment of these technologies.

Skills Measured
NOTE: The bullets that follow each of the skills measured are intended to illustrate how we are assessing that skill. This list is NOT definitive or exhaustive.
NOTE: Most questions cover features that are general availability (GA). The exam may contain questions on Preview features if those features are commonly used.

Mitigate threats using Microsoft 365 Defender (25-30%)
Detect, investigate, respond, and remediate threats to the productivity environment by using Microsoft Defender for Office 365
 detect, investigate, respond, and remediate threats to Microsoft Teams, SharePoint, and OneDrive
 detect, investigate, respond, remediate threats to email by using Defender for Office 365
 manage data loss prevention policy alerts
 assess and recommend sensitivity labels
 assess and recommend insider risk policies

Detect, investigate, respond, and remediate endpoint threats by using Microsoft Defender for Endpoint
 manage data retention, alert notification, and advanced features
 configure device attack surface reduction rules
 configure and manage custom detections and alerts
 respond to incidents and alerts
 manage automated investigations and remediations
 assess and recommend endpoint configurations to reduce and remediate vulnerabilities by using the Microsoft’s threat and vulnerability management solution.
 manage Microsoft Defender for Endpoint threat indicators
 analyze Microsoft Defender for Endpoint threat analytics

Detect, investigate, respond, and remediate identity threats
 identify and remediate security risks related to sign-in risk policies
 identify and remediate security risks related to Conditional Access events
 identify and remediate security risks related to Azure Active Directory
 identify and remediate security risks using Secure Score
 identify, investigate, and remediate security risks related to privileged identities
 configure detection alerts in Azure AD Identity Protection
 identify and remediate security risks related to Active Directory Domain Services using Microsoft Defender for Identity

Detect, investigate, respond, and remediate application threats
 identify, investigate, and remediate security risks by using Microsoft Cloud Application Security (MCAS)
 configure MCAS to generate alerts and reports to detect threats

Manage cross-domain investigations in Microsoft 365 Defender portal
 manage incidents across Microsoft 365 Defender products
 manage actions pending approval across products
 perform advanced threat hunting

Mitigate threats using Azure Microsoft Defender for Cloud (25-30%)
Design and configure an Azure DefenderMicrosoft Defender for Cloud implementation
 plan and configure Azure DefenderMicrosoft Defender for Cloud settings, including selecting target subscriptions and workspace
 configure Azure DefenderMicrosoft Defender for Cloud roles
 configure data retention policies
 assess and recommend cloud workload protection

Plan and implement the use of data connectors for ingestion of data sources in Azure
DefenderMicrosoft Defender for Cloud
 identify data sources to be ingested for Azure DefenderMicrosoft Defender for Cloud
 configure automated onboarding for Azure resources
 connect on-premises computers
 connect AWS cloud resources
 connect GCP cloud resources
 configure data collection

Manage Azure DefenderMicrosoft Defender for Cloud alert rules
 validate alert configuration
 setup email notifications
 create and manage alert suppression rules

Configure automation and remediation
 configure automated responses in Azure Security CenterMicrosoft Defender for Cloud
 design and configure playbook workflow automation in Azure Security CenterMicrosoft Defender for Cloud
 remediate incidents by using Azure Security CenterMicrosoft Defender for Cloud recommendations
 create an automatic response using an Azure Resource Manager template

Investigate Azure Security CenterMicrosoft Defender for Cloud alerts and incidents
 describe alert types for Azure workloads
 manage security alerts
 manage security incidents
 analyze Azure Security CenterMicrosoft Defender for Cloud threat intelligence
 respond to Azure DefenderMicrosoft Defender Cloud for Key Vault alerts
 manage user data discovered during an investigation

Mitigate threats using Azure SentinelMicrosoft Sentinel (40-45%)
Design and configure an Azure SentinelMicrosoft Sentinel workspace
 plan an Azure SentinelMicrosoft Sentinel workspace
 configure Azure SentinelMicrosoft Sentinel roles
 design Azure SentinelMicrosoft Sentinel data storage
 configure security settings and access for Azure Microsoft Sentinel service security

Plan and Implement the use of data connectors for ingestion of data sources in Azure SentinelMicrosoft Sentinel
 identify data sources to be ingested for Azure SentinelMicrosoft Sentinel
 identify the prerequisites for a data connector
 configure and use Azure SentinelMicrosoft Sentinel data connectors
 configure data connectors by using Azure Policy
 design and configure Syslog and CEF event collections
 design and Configure Windows Security events collections
 configure custom threat intelligence connectors
 create custom logs in Azure Log Analytics to store custom data

Manage Azure SentinelMicrosoft Sentinel analytics rules
 design and configure analytics rules
 create custom analytics rules to detect threats
 activate Microsoft security analytics rules
 configure connector provided scheduled queries
 configure custom scheduled queries
 define incident creation logic

Configure Security Orchestration Automation and Response (SOAR) in Azure SentinelMicrosoft Sentinel
 create Azure Microsoft Sentinel playbooks
 configure rules and incidents to trigger playbooks
 use playbooks to remediate threats
 use playbooks to manage incidents
 use playbooks across Microsoft Defender solutions

Manage Azure SentinelMicrosoft Sentinel Incidents
 investigate incidents in Azure SentinelMicrosoft Sentinel
 triage incidents in Azure SentinelMicrosoft Sentinel
 respond to incidents in Azure SentinelMicrosoft Sentinel
 investigate multi-workspace incidents
 identify advanced threats with User and Entity Behavior Analytics (UEBA)

Use Azure SentinelMicrosoft Sentinel workbooks to analyze and interpret data
 activate and customize Azure SentinelMicrosoft Sentinel workbook templates
 create custom workbooks
 configure advanced visualizations
 view and analyze Azure Microsoft Sentinel data using workbooks
 track incident metrics using the security operations efficiency workbook

Hunt for threats using the Azure SentinelMicrosoft Sentinel portal
 create custom hunting queries
 run hunting queries manually
 monitor hunting queries by using Livestream
 perform advanced hunting with notebooks
 track query results with bookmarks
 use hunting bookmarks for data investigations
 convert a hunting query to an analytical

QUESTION 1
The issue for which team can be resolved by using Microsoft Defender for Endpoint?

A. executive
B. sales
C. marketing

Answer: B

QUESTION 2
The issue for which team can be resolved by using Microsoft Defender for Office 365?

A. executive
B. marketing
C. security
D. sales

Answer: B

QUESTION 3
Your company uses Microsoft Defender for Endpoint.
The company has Microsoft Word documents that contain macros. The documents are used frequently on the
devices of the company’s accounting team.
You need to hide false positive in the Alerts queue, while maintaining the existing security posture.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Resolve the alert automatically.
B. Hide the alert.
C. Create a suppression rule scoped to any device.
D. Create a suppression rule scoped to a device group.
E. Generate the alert.

Answer: B,C,E


QUESTION 4
You are investigating a potential attack that deploys a new ransomware strain.
You have three custom device groups. The groups contain devices that store highly sensitive information.
You plan to perform automated actions on all devices.
You need to be able to temporarily group the machines to perform actions on the devices.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Assign a tag to the device group.
B. Add the device users to the admin role.
C. Add a tag to the machines.
D. Create a new device group that has a rank of 1.
E. Create a new admin role.
F. Create a new device group that has a rank of 4.

Answer: A,C,D

Examkingdom Microsoft SC-200 Exam pdf, Certkingdom Microsoft SC-200 PDF

Best Microsoft SC-200 Certification, Microsoft SC-200 Training at certkingdom.com