
Chart a Microsoft cybersecurity career from AZ 900 and SC 900 foundations through AZ 500 and SC 200 to SC 100, with hands-on labs and specialization like SC 300/SC 400.
Review the May 2022 update for SC-200, noting rebranding from cloud app security to Defender for Cloud Apps (MCAS) and that modules two and three remain unchanged.
Explore how Microsoft 365 Defender enables cross-domain threat detection and response, correlating signals from identities, endpoints, and apps into incidents, with autohealing and advanced hunting.
Explore how attackers perform reconnaissance, credential theft, and privilege escalation, then trace patient zero and long undetected breaches along a cybersecurity incident timeline.
Microsoft 365 Defender correlates and aggregates data from cloud apps, endpoints, and identities, triggers alerts, and surfaces incidents for analysis, with a 30-day default retention.
Explore MITRE attack framework and the cyber kill chain, and learn how Microsoft 365 Defender aligns with them to investigate incidents using alerts, assets, and automated investigations.
Explore the advanced hunting schema in Microsoft 365 Defender, learn to navigate tables and columns, use view references and sample queries in Kusto Language, and prepare for custom detection rules.
Discover Microsoft Defender for Office 365's threat tracker, threat explorer, and attack simulator to anticipate threats, analyze real-time data, and simulate spear phishing, credential harvesting, and password spray.
Learn to safeguard your organization with Defender for Office 365 by configuring threat policies, anti phishing rules, impersonation protection, and responding to attacks through policy driven actions and attack simulation.
Investigate alerts in Microsoft 365 Defender by tracing timelines, device and user activity, then use advanced hunting in the Kusto platform to uncover threats and risk.
Discover cloud app security as a cloud access security broker, gain visibility and control over data travel, and learn cloud discovery plus conditional access app control policies.
Protect your organization's data with conditional access app controls that enforce access and session policies, integrate with Azure Active Directory and cloud app security, and prevent data exfiltration.
Explore four phases of Microsoft Cloud App Security—discover data, classify sensitive information with labels, apply real-time file policies, and monitor via the dashboard; includes hands-on lab activities.
Learn the four cloud app security phases—discovery, classifying sensitive information, protecting data, and monitoring—using Microsoft Defender for Cloud Apps to configure policies, sensitivity labels, and data loss prevention alerts.
Create and customize DLP policies in the Microsoft 365 compliance portal, selecting HIPAA configurations for PII and medical terms, configure protection actions, and monitor alerts.
Explore insider risk management in microsoft 365, using defender to detect, investigate, and contain risky activities, with built-in templates, prerequisites for policies, and actions on cases.
Assign precise insider risk management permissions in the compliance portal by selecting six roles: insider risk management, admins, investigators, analysts, auditors, and approvers, to control alerts, cases, and templates.
Learn to reduce the Windows 10 attack surface without sacrificing productivity, while writing and configuring attack surface reduction rules for Defender for Endpoint as a soc analyst.
Create attack surface reduction rules in Microsoft Endpoint Manager for Windows 10 and later, configuring block, audit, or disabled modes, exclusions, and scoped assignments.
Explore the device inventory in Microsoft 365 Defender for Endpoint, viewing onboarded devices, risk and exposure levels, operating system details, and downloadable data in Excel or CSV for remediation.
Client behavioral blocking detects suspicious actions and automatically blocks and remediates them. Defender Antivirus uses protection service and ML to classify artifacts and alert in Defender Security Center, preventing attacks.
Discover how EDR in block mode automatically blocks and remediates malicious artifacts detected post-breach. Learn its integration with threat management and how recommendations prompt enabling block mode.
Explore live response workflows in Microsoft security operations. Initiate remote access to a Windows device, run commands, analyze processes, remediate threats, and review command history for real-time containment.
Learn to perform evidence and entities investigations in Microsoft Defender for Endpoint by gathering forensics artifacts and analyzing changes to files, IP addresses, domains, and user accounts.
Explore how to investigate a user in Microsoft 365 Defender, analyzing alerts, timelines, and MCAS activity to detect compromises and assess user exposure, including suspending the user or requiring reauthentication.
Automation folder exclusion lets you specify folders, extensions, and file names to skip during automated investigations, including folder and subfolder scope, to prevent attackers from hiding exploits.
Configure advanced features in Defender for Endpoint, including live response sessions, unsigned script execution, and custom network indicators, via the Microsoft 365 Defender portal.
Identify and manage indicators of compromise using Microsoft 365 Defender to block threats through file hashes, IPs, URLs, and certificates, with configurable actions, expiry, and scope.
The threat and vulnerability management dashboard reduces organizational exposure by identifying, assessing, and remediating endpoint weaknesses using real-time device and software data, with threat analytics.
Discover why your reviews matter in the Microsoft security operations analyst track through the reviews matter lecture.
Defend cloud workloads across Azure and non-Azure resources by enabling Azure Defender, securing workloads such as databases, storage, virtual machines, and networks, and using Azure Security Center features.
Explore how Microsoft Defender for Cloud provides continuous assessment, vulnerability remediation, network map visualization, and threat protection across Azure resources, with native Defender for Endpoint integration and just-in-time access.
Azure Defender for servers unifies Defender for Cloud with Defender for Endpoint to deliver integrated EDR, vulnerability scanning, just-in-time VM access, file integrity monitoring, and adaptive network and application controls.
Create an Azure app service and enable Defender for cloud integration by default, selecting PHP in central US. View all Defender recommendations to guide security and plan storage integration next.
Azure Defender for Storage provides cloud-native, one-click security protecting data in blobs, files, and data lakes, with Microsoft Threat Intelligence-powered detections and automated malware responses.
Explore how Azure Defender for Key Vault provides advanced threat protection for encryption keys and secrets, with alerts and remediation recommendations visible in Defender for Cloud and M365 Defender.
Explore Azure Defender for Kubernetes, a cloud-native security offering that delivers environment hardening, workload protection, and runtime protection for containerized apps on AKS.
Connect Azure assets to Azure Defender and learn automatic and manual provisioning methods to ensure Defender for Cloud automatically protects all Azure resources.
Explore the asset inventory in Microsoft Defender for Cloud, view resource posture, receive vulnerability recommendations, and take action to remediate across subscriptions using Azure Resource Graph and KQL queries.
Onboard non Azure devices to Defender for Cloud using Azure ARC or the Defender portal with the Log Analytics Agent, including AWS, Google, and on premises Windows and Linux.
Onboard a Google Cloud Platform Windows server to Azure Arc, install the Azure Arc agent via script, enable TLS 1.2, register Microsoft.HybridCompute, and onboard to Microsoft Defender for Cloud.
Learn how SOC analysts defend the enterprise perimeter against data theft by organized attackers and how automation with Defender tools enables rapid alerts triage, detection, and response.
Learn how Defender for Cloud generates and prioritizes security alerts, provides remediation recommendations, and uses Cloud Smart Alert Correlation to fuse related alerts into a single incident.
Learn to reduce alert noise by creating suppression rules for false positives, enabling selective dismissal across subscriptions, with custom and all filtering options and viewing dismissed alerts.
Mitigate threats with Microsoft Defender for Cloud, plan and connect Azure and non-Azure assets, remediate security alerts, and preview module four on Kusto Query Language.
Learn to create queries in Microsoft Sentinel using KQL to analyze log data, build analytics and workbooks, and perform threat hunting through hands-on labs.
Render operator creates visualizations from query results using area, bar, column, pie, scatter, and time charts to present data such as account counts and IP activity.
Use the union operator to merge multiple tables, such as SecurityEvent and SecurityAlert, returning all rows. Pipe data, then summarize by type to count events, illustrating wildcard unions like Security*.
Learn to create Kusto queries using let, where, search, extend, order by, and project. Merge data with union to analyze data, build workbooks, and hunt in Microsoft Sentinel.
Explore Microsoft Sentinel, a cloud-native SIEM in Azure that ingests data from AWS, Azure, Google Cloud, and on-prem sources for end-to-end security operations with built-in machine learning and Playbooks.
Connect data sources to trigger automatic ingestion in Microsoft Sentinel, store data in Log Analytics, and use KQL to query and manage log retention for Azure Sentinel, and explore workbooks.
Visualize Microsoft Sentinel data with Workbooks, using built-in dashboards powered by KQL queries, and build or edit custom Workbooks across Sentinel and Azure Monitor.
Explore threat hunting in Azure Sentinel by using built-in and custom queries, and create your own queries; leverage Azure Notebooks for advanced hunting to search through your data.
Automate incident response with Microsoft Sentinel by building playbooks and SOAR workflows using Azure Logic Apps and runbooks to enhance analytics, investigations, and remediations for security operations.
Onboard devices to Microsoft Sentinel using data connectors for Microsoft 365, Azure, and non-Azure sources. Learn about permissions, connector pages, CEF and syslog formats, vendor connectors, and dashboards and queries.
Onboard a Windows host to Sentinel, ingesting events with the legacy security event connector, then tailor streaming options and query the Log Analytics workspace with Crystal queries.
Learn to create a threat hunting query in Azure Sentinel using a watchlist, KQL scripting, and live stream alerts to detect Tor-based activity and monitor Azure resources in real time.
Watch hunting queries run in real time with Microsoft Sentinel livestream; add queries to livestream and simulate alerts using Tor Browser in an Azure portal lab on a virtual machine.
Configure security solutions connected to Microsoft Sentinel to automatically create incidents. Ingest alerts from MCAS, Defender for Identity, and Defender for Endpoint to support SIEM and XDR concepts.
Explore analytical rule types in microsoft security operations: anomaly based, scheduled alerts, and near real time rules. Create rules from templates or with a wizard using kusto queries.
Create threat indicators in the azure portal by adding domain names, tagging them as malicious, and setting revoked status, then query the threat intelligence indicator table in log analytics.
Connect Microsoft Defender for Office 365 to Sentinel to ingest email and URL threats using the data connector, tracking alerts like malicious URLs and phish URLs in emails.
Explore UEBA, or user entity behavior analytics, which uses AI and ML to establish baselines and detect anomalies across users and entities like routers, servers, and IoT devices.
Learn to clone Microsoft Sentinel notebook templates, create an Azure Machine Learning workspace, and attach compute power to run and train notebooks within the Sentinel environment.
There is no short cut to learning Azure security. This course teaches you how to learn it the right way with tons of labs excercises and the right volume of labs .
The Microsoft Security Operations Analyst works with organizational stakeholders to secure the organization's information technology systems. Their mission is to reduce corporate risk by quickly resolving active attacks in the environment, advising on threat protection practices, and reporting policy violations to the proper stakeholders.
Threat management, monitoring, and response using a variety of security technologies across their environment are among their responsibilities. Using Microsoft Azure Sentinel, Azure Defender, Microsoft 365 Defender, and third-party security tools, the position primarily investigates, responds to, and hunts for threats. The security operations analyst is a key stakeholder in the configuration and implementation of these technologies since they consume the operational output of these solutions.
The following topics needs to be completed in order to achieve SC - 200 Certification.
Module 1 Mitigate threats using Microsoft 365 Defender
Module 2 Mitigate threats using Microsoft Defender for Endpoint
Module 3 Mitigate threats using Azure Defender
Module 4 Create queries for Azure Sentinel using Kusto Query Language
Module 5 Microsoft Sentinel Environment - Configuration
Module 6 Microsoft Sentinel Environment - Connecting Logs
Module 7 Microsoft Sentinel Environment - Incidents,Threat Response , UEBA and Monitoring
Module 8 Module 8 Perform Threat Hunting with Microsoft Sentinel
You will learn and prepare to Implement the Microsoft Defender for Endpoint platform to detect, investigate, & respond to advanced threats.
This learning path aligns with exam SC-200: Microsoft Security Operations Analyst Exam.
Reviews from Participants -
In the beginning I was a little intimidated by the immensity of Microsoft security environment, but getting along with the course it all clicked in my head. The concepts are presented at a very good pace and I like that the information is on point. Segmenting the videos in small chunks is also beneficial for time management. I really appreciate and recommend this course! - Adrian Carbune
Great course. I learned a lot about Defender and Sentinel. I especially liked the module on KQL. IMO, it's the best tutorial on Kusto that I've found on the web. If Anand were to create a course that went in-depth on KQL I would certainly purchase it.
-Bill Jones
Anand has structured the course well, so that anyone, irrespective of their experience in Security, would be able to follow with ease. The course aligns very well with the Certification track. I strongly recommend this course to anyone who is interested in understanding Security.
-Moses M
am truley satisfied with this course. Anand nails the security features of M 365 defender suite. The graphics , narration and worlkflows are commendable. Just labs, labs and labs . Its all about getting straight to the point. Great Job!!!
-Gaurav
Great course, congratulations to teacher! Help me a lot to gain very knowledge about Defender and Sentinel. I appreciate it!!!
-Alexandre Gammaro
It was one of the The best course .Your are an amazing Instructor.
-Navid
This course is Awsome! One of the best I've ever made over here in Udemy platform.
-Mauricio Kobayashi