SC-200 Microsoft Security Operations Analyst

Microsoft Security Operations Analyst -koulutuksessa perehdytään Microsoftin pilvipohjaisiin tietoturvatyökaluihin Koulutus kattaa Microsoftin koko XDR-paletin, sisältäen Defender-tuoteperheen, Azure Active Directory Identity Protectionin sekä Microsoft Sentinelin.

Tavoite

Opi käyttöönottamaan, määrittämään sekä käyttämään Microsoftin Sentinel, Microsoft Defender for Cloud sekä Microsoft 365 Defender -palveluita uhkien tunnistamiseen sekä analysointiin ja niihin vastaamiseen ja erilaisten uhkien metsästämiseen.

Kenelle

Koulutus sopii mm. tietoturvan ammattilaiselle, tietoturvapainotteiselle järjestelmänvalvojalle ja SOC -analyytikolle.

Koulutukseen osallistujalla on hyvä olla seuraavat taidot:

• Microsoft 365 -palveluiden perusosaaminen
• Microsoftin tietoturva-, compliance- ja identiteettiratkaisuiden tuntemus
• Windows 10/11 tekninen osaaminen
• Azure-palveluiden tunteminen
• Automatisoinnin ml. skriptaus perusosaaminen

Lisätiedot

Koulutus valmentaa Microsoftin viralliseen SC-200 Microsoft Security Operations Analyst -sertifiointitestiin.

Koulutuksen sisältö

• Configure a connection from Defender XDR to a Sentinel workspace
• Configure alert and vulnerability notification rules
• Configure Microsoft Defender for Endpoint advanced features
• Configure endpoint rules settings, including indicators and web content filtering
• Manage automated investigation and response capabilities in Microsoft Defender XDR
• Configure automatic attack disruption in Microsoft Defender XDR

• Configure and manage device groups, permissions, and automation levels in Microsoft Defender for Endpoint
• Identify and remediate unmanaged devices in Microsoft Defender for Endpoint
• Manage resources by using Azure Arc
• Connect environments to Microsoft Defender for Cloud (by using multi-cloud account management)
• Discover and remediate unprotected resources by using Defender for Cloud
• Identify and remediate devices at risk by using Microsoft Defender Vulnerability Management

• Plan a Microsoft Sentinel workspace
• Configure Microsoft Sentinel roles
• Specify Azure RBAC roles for Microsoft Sentinel configuration
• Design and configure Microsoft Sentinel data storage, including log types and log retention
• Manage multiple workspaces by using Workspace manager and Azure Lighthouse

• Identify data sources to be ingested for Microsoft Sentinel
• Implement and use Content hub solutions
• Configure and use Microsoft connectors for Azure resources, including Azure Policy and diagnostic settings
• Configure bidirectional synchronization between Microsoft Sentinel and Microsoft Defender XDR
• Plan and configure Syslog and Common Event Format (CEF) event collections
• Plan and configure collection of Windows Security events by using data collection rules, including Windows Event Forwarding (WEF)
• Configure threat intelligence connectors, including platform, TAXII, upload indicators API, and MISP
• Create custom log tables in the workspace to store ingested data

• Configure policies for Microsoft Defender for Cloud Apps
• Configure policies for Microsoft Defender for Office
• Configure security policies for Microsoft Defender for Endpoints, including attack surface reduction (ASR) rules
• Configure cloud workload protections in Microsoft Defender for Cloud

• Configure and manage custom detections
• Configure alert tuning
• Configure deception rules in Microsoft Defender XDR

• Classify and analyze data by using entities
• Configure scheduled query rules, including KQL
• Configure near-real-time (NRT) query rules, including KQL
• Manage analytics rules from Content hub
• Configure anomaly detection analytics rules
• Configure the Fusion rule
• Query Microsoft Sentinel data by using ASIM parsers
• Manage and use threat indicators

• Investigate and remediate threats to Microsoft Teams, SharePoint Online, and OneDrive
• Investigate and remediate threats in email by using Microsoft Defender for Office
• Investigate and remediate ransomware and business email compromise incidents identified by automatic attack disruption
• Investigate and remediate compromised entities identified by Microsoft Purview data loss prevention (DLP) policies
• Investigate and remediate threats identified by Microsoft Purview insider risk policies
• Investigate and remediate alerts and incidents identified by Microsoft Defender for Cloud
• Investigate and remediate security risks identified by Microsoft Defender for Cloud Apps
• Investigate and remediate compromised identities in Microsoft Entra ID
• Investigate and remediate security alerts from Microsoft Defender for Identity
• Manage actions and submissions in the Microsoft Defender portal

• Investigate timeline of compromised devices
• Perform actions on the device, including live response and collecting investigation packages
• Perform evidence and entity investigation

• Investigate threats by using unified audit Log
• Investigate threats by using Content Search
• Perform threat hunting by using Microsoft Graph activity logs

• Triage incidents in Microsoft Sentinel
• Investigate incidents in Microsoft Sentinel
• Respond to incidents in Microsoft Sentinel

• Create and configure automation rules
• Create and configure Microsoft Sentinel playbooks
• Configure analytic rules to trigger automation
• Trigger playbooks manually from alerts and incidents
• Run playbooks on On-premises resources

• Identify threats by using Kusto Query Language (KQL)
• Interpret threat analytics in the Microsoft Defender portal
• Create custom hunting queries by using KQL

• Analyze attack vector coverage by using the MITRE ATT&CK in Microsoft Sentinel
• Customize content gallery hunting queries
• Use hunting bookmarks for data investigations
• Monitor hunting queries by using Livestream
• Retrieve and manage archived log data
• Create and manage search jobs

• Activate and customize Microsoft Sentinel workbook templates
• Create custom workbooks that include KQL
• Configure visualizations

Avainsanat

Microsoft, Security, Tietoturva, Microsoft 365 Defender, Microsoft Sentinel, Riskien torjunta