Security in information technology has always been a topic of discussion, one that comes with various backgrounds, tools, responsibilities, education, and change! The SC-200 exam comprises a wide range of topics that introduce Microsoft technologies and general operations for security analysts in enterprises. This book is a comprehensive guide that covers the usefulness and applicability of Microsoft Security Stack in the daily activities of an enterprise security operations analyst.
Starting with a quick overview of what it takes to prepare for the exam, you'll understand how to implement the learning in real-world scenarios. You'll learn to use Microsoft's security stack, including Microsoft 365 Defender, and Microsoft Sentinel, to detect, protect, and respond to adversary threats in your enterprise. This book will take you from legacy on-premises SOC and DFIR tools to leveraging all aspects of the M365 Defender suite as a modern replacement in a more effective and efficient way.
By the end of this book, you'll have learned how to plan, deploy, and operationalize Microsoft's security stack in your enterprise and gained the confidence to pass the SC-200 exam.
Page count: 252
Year of publication: 2022
Manage, monitor, and respond to threats using Microsoft Security Stack for securing IT systems
Trevor Stuart
Joe Anich
BIRMINGHAM—MUMBAI
Copyright © 2022 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Vijin Boricha
Publishing Product Manager: Mohd Riyan Khan
Senior Editor: Shazeen Iqbal
Content Development Editor: Rafiaa Khan
Technical Editor: Shruthi Shetty
Copy Editor: Safis Editing
Project Coordinator: Ajesh Devavaram
Proofreader: Safis Editing
Indexer: Subalakshmi Govindhan
Production Designer: Alishon Mendonca
Marketing Coordinator: Hemangi Lotlikar
First published: April 2022
Production reference: 1140222
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-80323-189-1
www.packt.com
I want to dedicate this book to the love of my life, Iveth. Thank you for always supporting me, encouraging me, and allowing me to live out my dreams. Most of all, thank you for your love!
– Trevor Stuart
I want to dedicate this book to the boys, John, Jeff, Trent, and Bgriz. John, hoping you can read by the time this comes out, it'll be so exciting!
– Joe Anich
Trevor Stuart has over 15 years of experience in IT. He started with SMS and Active Directory and maintained exposure in the field through various naming changes and technical additions. Trevor has a passion for IT but more so for cybersecurity. Trevor swiftly moved into cybersecurity and focused on securing privileged access, hardening operating systems, implementing tiering within AD, tying identities to modern authentication mechanisms, scaling out identities to the hybrid world, carrying out application migration in a secure manner in Azure, and leveraging built-in security controls in multiple clouds and platforms to secure workloads. Trevor is a technology enthusiast at heart and the world of cybersecurity lights the fire of passion inside of him.
Joe Anich has 13 years of experience in the IT industry ranging from endpoint management with a focus on Microsoft Endpoint Configuration Manager (MECM, formerly SCCM) and Intune to endpoint security and incident response. As Joe dug deeper into security, he realized where his passion resided, and that was in incident response working with the Microsoft Detection and Response Team (DART). Working in incident response has given Joe insight into SOC operations and how to help teams around the world improve their security posture within the Microsoft 365 security stack. Outside of IR, he is in constant pursuit of continued education, whether that be SANS courses such as the GCED or GCFA or internal threat hunting training.
Nitish Anand, CISSP, is a cybersecurity analyst at Microsoft. Nitish has been actively working in the cybersecurity domain for the past 7 years, primarily in a Security Operations Center. His career in cybersecurity began at Wipro Technologies working in the financial domain as a security analyst, and then working with Value Labs LLP for one of the healthcare clients. For the last 3 years, Nitish has been working for Microsoft and has focused primarily on SIEM use case development and tuning and malware and phishing analysis. Nitish received his bachelor's degree in computer science and engineering in 2014 from Cochin University, Kochi. He holds CCNA, ITIL, CEH, and other security certifications. In his free time, he loves photography and traveling.
Rafik Gerges is a highly successful security and compliance professional, with 12 years of experience in cybersecurity and compliance. He holds an information risk management master's degree, in addition to a machine learning diploma and 30+ international certifications.
Rafik has successfully created new IPs, product enhancement, and readiness and go-to-market materials, led consulting teams, and much more.
Besides being an innovative engineer, Rafik spends his free time working out at the gym, practicing boxing, being his own mechanic, and hanging out with friends.
Chris Smith spent 8 years in the United States Marine Corps serving in all disciplines of IT, including system administration, network administration, and defensive cyber operations. Upon discharge from the Marine Corps, Chris joined Microsoft and now supports organizations through their security journey. He has since developed skillsets in Azure, Microsoft 365, security operations, and incident response. Using these skills, Chris assists organizations in the deployment and operation of tools such as Defender for Endpoint, Defender for Identity, and Defender for Cloud.
My greatest thanks to the authors of this book and the Packt team for affording me the opportunity to help develop this content.
This book covers in detail all the objectives of the SC-200: Microsoft Security Operations Analyst exam. It offers a blend of theory and practical examples that will help you not only pass this exam but also implement the knowledge in real-world scenarios.
This SC-series prep book is meant for current or future IT professionals who seek to pass the Microsoft SC-200 exam, but most importantly want to know more about how the Microsoft SC-200 exam and the Microsoft security stack aid in the successful mitigation and threat hunting activities that are required of a security analyst every day!
Chapter 1, Preparing for the Microsoft Exam and SC-200 Objectives, gets you started in your preparation for the exam.
Chapter 2, The Evolution of Security and Security Operations, provides a brief history of the evolution of SOC operations.
Chapter 3, Implementing Microsoft Defender for Endpoint, covers working through Microsoft Defender for Endpoint (MDE) deployments.
Chapter 4, Implementing Microsoft Defender for Identity, covers working through Microsoft Defender for Identity (MDI) deployments.
Chapter 5, Understanding and Implementing Microsoft Defender for Cloud (Microsoft Defender for Cloud Standard Tier), covers working through the setup and configuration of Defender for Cloud deployments.
Chapter 6, An Overview: Microsoft Defender for Endpoint Alerts, Incidents, Evidence, and Dashboards, provides a walk-through of alerts in the M365D portal.
Chapter 7, Microsoft Defender for Identity: Alerts and Incidents, provides a walk-through of alerts in the M365D portal.
Chapter 8, Microsoft Defender for Office: Threats to Productivity, provides a walk-through of alerts in the M365D portal.
Chapter 9, Microsoft Defender for Cloud Apps and Protecting your Cloud Apps, provides a walk-through of alerts in the M365D portal.
Chapter 10, Setting Up and Configuring Microsoft Sentinel, provides a walk-through of alerts in the Sentinel portal.
Chapter 11, Advanced Threat Hunting, Microsoft 365 Defender Portal, and Sentinel, provides a walk-through of KQL, queries, and basic threat hunting skills.
Chapter 12, Knowledge Check, provides a knowledge check.
To get the most out of this book, come with some prior knowledge of the following:
- MITRE ATT&CK framework
- Security monitoring
- Security engineering
- Log Analytics (Azure)
- Level 50-100 knowledge of Microsoft security technologies, including the following:
  - Microsoft Defender for Endpoint
  - Microsoft Defender for Identity
  - Microsoft Defender for Office 365
  - Microsoft Defender for Cloud Apps
  - Microsoft Defender for Cloud
  - Microsoft Sentinel
You should also currently be, or aspire to be, working in a security analyst role.
It is important to note that in November 21 some Microsoft Security Services have been renamed. These are renamed as follows:
- Microsoft Cloud App Security (MCAS) is now called Microsoft Defender for Cloud Apps
- System Center Configuration Manager (SCCM) is now called Microsoft Endpoint Configuration Manager (MECM)
- Azure Sentinel is now called Microsoft Sentinel
- Azure Defender is now Microsoft Defender for Cloud
- Azure Security Center is now called Microsoft Defender for Cloud
- Playbook is now called Workflow automation
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781803231891_ColorImages.pdf.
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "To configure the host side of the network, you need the tunctl command from the User Mode Linux (UML) project."
A block of code is set as follows:
#include <stdio.h>
#include <stdlib.h>
int main (int argc, char *argv[])
{
printf ("Hello, world!\n");
return 0;
}
Any command-line input or output is written as follows:
$ sudo tunctl -u $(whoami) -t tap0
Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Click Flash from Etcher to write the image."
Tips or Important Notes
Appear like this.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packt.com.
Once you've read Microsoft Security Operations Analyst Exam Ref SC-200 Certification Guide, we'd love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.
Section 1 will give you an understanding of the exam, as well as providing evolutionary context to how security operations have changed over time.
This part of the book comprises the following chapters:
- Chapter 1, Preparing for the Microsoft Exam and SC-200 Objectives
- Chapter 2, The Evolution of Security and Security Operations
Welcome to Microsoft SC-200 Exam Prep and Beyond and Chapter 1, Preparing for Your Microsoft Exam and SC-200 Objectives. This chapter is dedicated to ensuring that you are ready for the Microsoft SC-200 exam and that you fully understand the objectives, along with how they apply in the real world. It's one thing to pass an exam but a whole other thing to apply exam topics to your day-to-day job. Let's get into it!
In both traditional and modern enterprises, the Microsoft security operations analyst is the key pivot point and collaborator with both individual contributors and enterprise stakeholders. This role in most organizations has one goal in mind – to protect against, secure against, detect, and respond to threats present in an enterprise as expeditiously as possible. They are responsible for reducing organizational risk by rapidly remediating active attacks in the environment, advising on improvements to threat protection practices, and referring violations of organizational policies to appropriate teams and stakeholders. Historically, this level of responsibility came with a lot of tooling, alert fatigue, manual or human interaction in investigations, and so on.
What we hope to make clear is that there has been a massive evolution of security operations for most enterprises. Tooling has changed, and the power of the cloud has added great value to tools that Security Operations Team (SOC) analysts are required to use day to day to successfully deliver in the Microsoft security operations analyst position for enterprises today.
This chapter will cover the following topics to get us started:
- Preparing for a Microsoft exam
- Introducing the resources available and accessing Microsoft Learn
- Creating a Microsoft demo tenant
It is important to note that in November 21 some Microsoft Security Services have been renamed. These are renamed as follows:
- Microsoft Cloud App Security (MCAS) is now called Microsoft Defender for Cloud Apps
- System Center Configuration Manager (SCCM) is now called Microsoft Endpoint Configuration Manager (MECM)
- Azure Sentinel is now called Microsoft Sentinel
- Azure Defender is now Microsoft Defender for Cloud
- Azure Security Center is now called Microsoft Defender for Cloud
- Playbook is now called Workflow automation
In order to proceed with this chapter, you need to have the following requirements ready:
- Full understanding of Defender for Endpoint, from onboarding and configuring endpoints to investigating alerts.
- Understanding of Microsoft 365 Defender with identity protection, Defender for Office, Defender for Identity, Defender for Cloud Apps to DLP, and insider risk.
- Microsoft Defender for Cloud: Be familiar with Azure services that can be protected.
- Configuring Sentinel, connecting logs, handling detections, investigations, and threat hunting.
- Kusto Query Language (KQL).
When preparing for a Microsoft exam, there are a few things to keep in mind. First, Microsoft always provides the Skills measured section on the exam page, which will list everything in play for assessment during the exam. In this Skills measured outline, it will also give an estimate of what percentage of the exam will be about that subject. In our experience, those are usually spot on, so it's worth noting that if you're lacking in some of the bigger sections, spend more time studying and practicing in the lab on those subjects.
Another thing worth mentioning is that a lot of the sections mentioned in this Skills measured outline will align with the modules for the SC-200 learning path, so if you incorporate that into your training, you'll find it easy to ramp up in the section of the outline you're looking for. I'll talk more about the learning path modules in the next section. If you're curious about learning more outside of the module links provided on the exam page, go to https://docs.microsoft.com/en-us/learn/ and search for more topics of interest.
Generally, when I prepare for these exams, I'm looking at all resources available, whether that be the product documentation, learning path modules, or testing things out in a lab, with the lab being the most important to me, as that seems to stick out more. We'll cover setting up labs for testing in later sections.
Once you're settled on preparation for the exam, it becomes a lot clearer when considering the resources available, which we will cover in the next section. So, for now, let's focus on diving into what's laid out for us!
When looking at training or studying resources, Microsoft does a great job of giving you structure as it pertains to the exams. The following is the list we're focusing on for resources, starting with the learning paths on the exam page:
- The learning path for the SC-200 exam: https://aka.ms/LearnSC200.
- Search for the Docs page that aligns with Skills measured: Docs.microsoft.com.
- The Microsoft Defender for Endpoint Evaluation lab: https://aka.ms/MDEEvaluation.
When looking into everything available to begin your journey toward taking the SC-200 exam, as well as learning the skills needed to be successful in your career as a SOC analyst specializing in the M365 security stack, it's important to know that it takes time. There is a lot of content for all the features available; therefore, it's beneficial to take your time to pick it all up.
For me, I always start in the order of the bullet list provided at the start of this section, and I'll explain why. I like to go through the learning paths and listen to the content laid out for me. There are some basic knowledge checks to ensure that you're getting the information down. If there are items in the modules that I'm either stuck on or just want additional information on, I start looking for the Docs page that aligns. Once I've completed the learning path, I'll start setting up a lab and essentially start in the order outlined in the exam.
In the next sections, I will summarize some of the larger portions of the learning paths, as they're critical to ensure that you learn, for both the exam and tasks that you may encounter in your career. As for the third bullet point in the list, we'll discuss that in the next topic of this chapter after learning a little more about what the learning path has to offer!
We will start with Microsoft Defender for Endpoint (MDE), Microsoft's endpoint detection and response platform. Having a basic understanding of this platform will be critical for success, which includes understanding how to create the Defender for Endpoint environment, onboard endpoints to be monitored, and configuring the various settings. So, for example, you will need to be familiar with the rights needed to access the https://securitycenter.windows.com portal for the first time and go through the wizard that guides you through your initial configuration.
Beyond setting up the tenant, you will need to know onboarding devices in your environment quite well. You will want to understand the various operating systems in your environment to ensure they are supported, addressing any down-level devices that may no longer be supported. Make notes, as there are numerous configuration differences as you move down-level, whether that be the type of onboarding method or the state of Microsoft Defender Antivirus, especially if you are running any third-party antivirus software. We will cover that in more depth later in the book.
In Figure 1.1, you can see an example of the onboarding page for MDE, where you'll select the different operating systems and deployment methods. You'll notice that as you change the OS or deployment methods, you're presented with different packages or information to help with onboarding the sensor. Along with this, a command you can run in Command Prompt to throw a test alert is available. This is really just an easy test to see that the sensor is reporting back properly:
Figure 1.1 – Endpoint onboarding
As you onboard your devices, you will want to start defining who can access what device pages and take what actions on those devices. At this point, understanding Role-Based Access Control (RBAC) will be important, as that will help ensure the various roles in your SOC have the right access to perform their job. Creating your device groups will also be extremely critical to ensure that you have the proper remediation settings for your subsets of devices, as you will be applying different auto-remediation settings to different device groups.
The last topic to familiarize yourself with during that initial tenant setup and device onboarding will be configuring the advanced features. Here, you will switch settings on and off depending on what you want to light up in the environment. These include features such as integration with Microsoft Defender for Identity, Cloud App Security, Azure Information Protection, Secure Score, and Intune.
Being able to detect, investigate, and respond to threats in your environment will be at the forefront of your thinking.
When focusing on the other aspects of Microsoft 365 Defender, you will need to know about protections such as Identity Protection within Azure AD. This means understanding how to configure Azure AD Identity Protection policies such as sign-in risk and user risk, as well as investigating and remediating risks detected by the policies you have put into place.
Another aspect of the Microsoft 365 Defender umbrella is Microsoft Defender for Office (MDO) 365, the set of protections that help safeguard your organization against malware and viruses as they come in through email or malicious links. With MDO, you will need to understand how to configure various policies such as Safe Links or Safe Attachments, as well as policies such as anti-malware, anti-phishing, and anti-spam.
Continuing down the list of capabilities within Microsoft 365 Defender, Microsoft Defender for Identity (MDI) will be especially important to know; I would say more so for real-world skills, as the exam will not go very deep into it. We will cover MDI in much more depth later in the book, as we feel it is one of the, if not the, most important security tools in the suite. For the exam though, have a good understanding of configuring the sensors on your servers, reviewing alerts in the portal, and how MDI integrates into other tools such as Microsoft Defender for Cloud Apps.
Next up is Microsoft Defender for Cloud Apps (MDCA), which we alluded to earlier in the chapter. With MDCA, you will want to have a good understanding of the cloud app security framework, how to explore apps that are discovered within Cloud Discovery, how to protect your data and apps with Conditional Access with App Control policies, classifying and protecting sensitive information, and detecting threats.
Lastly, we need to know about Data Loss Prevention (DLP) and insider risk. Being able to understand and describe the different data loss prevention components in Microsoft 365, such as investigating DLP alerts in the compliance center (a dedicated DLP dashboard), as well as within Microsoft Defender for Cloud Apps where you'll see file policy violation alerts if you have file policies created, will be necessary.
When it comes to insider risk, you will need to be able to understand and explain how to use insider risk management with the Microsoft 365 framework to prevent, detect, and contain internal risks. This will help with scenario-based questions where you need to choose solutions that meet the need. Most of these things we can do with pre-defined policy templates and insider risk policies. With those, knowing and understanding the types of actions you can take on cases within risk management cases will be good to know.
Microsoft Defender will be one of the lengthier sections, primarily because you need to understand a good chunk of the Azure services that can be protected. Starting with Microsoft Defender for Cloud, which will be the primary portal for Microsoft Defender for Cloud, you will learn to assess your environment and understand the resources you have that need protection. The integrations available make it quite easy to see the risk and take action to bring that workload into a protected state. Beyond connecting workloads, Azure assets, and non-Azure resources, you will need to understand remediating security alerts within Microsoft Defender for Cloud.
Microsoft Sentinel is Microsoft's cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution. While it is new in the SIEM space, it has quickly gained much traction within the cybersecurity space due to its scalability, its cost benefits compared to traditional on-premises SIEMs (such as Splunk), and its quick integration capabilities with existing systems.
Microsoft Sentinel topics end up being about 20% of the SC-200 exam from a content perspective, and due to that, be prepared to cover the following topics – we will dive a bit deeper than the requirements to merely pass this section of the exam so that you are prepared to immediately apply the knowledge in your enterprise today.
Topics covered in KQL and data analysis are as follows:
- Begin understanding KQL statement structure: This will be a critical item to begin to know. The main way a Microsoft security operations analyst will begin threat hunting and creating automation will be backed by KQL.
- Begin understanding results from KQL: This will be another high-priority item to begin to know. It is one thing for a Microsoft security operations analyst to create KQL statements, but being able to confidently understand results will make or break automation and dispositions on threats.
- Begin to understand how to build multi-table statements using KQL: As we move from basic queries and basic resultant sets of data, we will take it one step further and begin sharing information on how to build multi-table statements using KQL. As a Microsoft security operations analyst, you will find this extremely useful in your day-to-day threat hunting and dashboard building.
- Begin working with data in Microsoft Sentinel using KQL: Once we have covered the preceding topics, we will move into data manipulation and management. This will be another highly necessary skill set to possess as a Microsoft security operations analyst. We will begin extracting data from structured and unstructured string fields, integrating external data, and creating parsers with functions. Soon, you will see the true power you have at your fingertips using Microsoft Sentinel as your SIEM and SOAR solution.
Topics covered in Setup and configuration are as follows:
- Create and manage Microsoft Sentinel workspaces: One of the first things the Microsoft security operations analyst will have to decide will be the overall SIEM architecture with Microsoft Sentinel. Will you use one or many workspaces to fuel the data? How will you manage RBAC? What about your cross-workspace queries? Will logging and alerting be centralized? Decentralized? We will look in depth at the options and best practices accordingly.
- Query logs in Microsoft Sentinel: As a Microsoft security operations analyst, you must be able to understand how to query data, tables, and