Microsoft has recently announced a new series of certifications, the SC series, which consists of the following:

| Exam | Title |
|------|-------|
| SC-200 | Microsoft Security Operations Analyst |
| SC-300 | Microsoft Identity and Access Administrator |
| SC-400 | Microsoft Information Protection Administrator |
| SC-900 | Microsoft Security, Compliance, and Identity Fundamentals |
The above certifications focus on Microsoft security products. In this article we are going to review the SC-200 exam; I will share my experience and some useful tips.
Skills Measured
The Microsoft Security Operations Analyst exam covers:

| Area | Weight |
|------|--------|
| Microsoft 365 Defender | 25-30% |
| Azure Defender | 25-30% |
| Azure Sentinel | 40-45% |
Microsoft 365 Defender
This area covers all Microsoft 365 Defender products plus some related security products and services, such as:
- Defender for endpoint
- Defender for Identity
- Defender for Office 365
- Cloud App Security
- Identity Protection
- Data Loss Prevention
For each one of those you have to know how to deploy and configure them. You also have to know the whole cycle of detecting, investigating, responding to and remediating alerts. Be very familiar with the portals, the available options and the integration between them.
Some examples:
- Differences between risk policies
- Alerts configuration
- Threat investigation steps
- Creating Policies
- Log Analytics Tables
- Security event types
Azure Defender
This area covers all the functions of Azure Security Center. You have to know how to deploy and configure it. You also have to know which types of resources can be onboarded and the remediation steps for the alerts.
Some examples:
- Alert settings
- Auto-remediation
- Multi-Cloud environments
- Data sources
- Key vault alerts
Azure Sentinel
This part has the highest number of questions. You have to know how to deploy and configure the workspace, collect logs and manage data connectors. You also have to know every component of Sentinel: how to create rules and alerts, create incidents, and manage and investigate them. Of course KQL (Kusto Query Language) is a requirement; the exam does not demand expert knowledge of the language, but you will need the basic operators.
Some examples:
- Multiple Workspaces
- On-premise logs
- Playbooks
- KQL Queries (sum,bin,top,extend)
- Bookmarks creation
- Understanding workbooks and notebooks
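As an added illustration of the KQL operators listed above (not a query from the original article), here is a hunting-style query of the kind you would run in a Sentinel workspace. It assumes the standard `SecurityEvent` Log Analytics table populated by Windows security logs; the 20-failures-per-hour threshold is an arbitrary value chosen for the example.

```kql
// Added example: failed Windows logons per account in hourly buckets,
// flag busy hours, then keep the ten noisiest accounts.
// Assumes the SecurityEvent table (Windows Security log via the agent).
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4625                    // 4625 = failed logon
| summarize FailedLogons = count() by Account, bin(TimeGenerated, 1h)   // bin(): hourly buckets
| extend IsBurst = FailedLogons > 20       // extend: add a computed column (example threshold)
| summarize TotalFailed = sum(FailedLogons), BurstHours = countif(IsBurst) by Account   // sum()
| top 10 by TotalFailed desc               // top: keep the ten accounts with most failures
```

The same shape (filter, `summarize` with `bin()`, `extend`, aggregate with `sum()`, `top`) is what most scheduled analytics rules and workbook queries reduce to, so being comfortable with it covers a large part of the KQL the exam expects.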
Very Important
Because it is a security exam, you have to keep all the security principles in mind for every answer. Least privilege for every solution is one of them, so it is mandatory to know the different roles that these products have.
Resources
All of the above are included in the exam skills outline. The only material that I used was from Microsoft Learn. The SC-200 learning path contains all the necessary theory that you need.
You can find the exam skills outline and the learning path here.
Conclusion
In my personal opinion you must have hands-on experience in order to take this exam. It is very difficult to answer all these questions without it. So, if you do not have hands-on experience with all the products, try at least to gain some through a lab environment.
This was all about my experience with this exam. I hope that the above information will help you!