SC‐200_flashcards_v2 - itnett/FTD02H-N GitHub Wiki

SC-200 Flashcards v1

Objective 1: Mitigate threats using Microsoft 365 Defender

1.1 Describe the capabilities of Microsoft Defender for Endpoint

  • 🛡️ Capability: Endpoint detection and response (EDR)
    • Definition: Monitors endpoints to detect and respond to advanced threats.
    • Example: Detects and blocks malicious files and suspicious activities.
  • 🛡️ Capability: Attack surface reduction (ASR)
    • Definition: Reduces the attack surface of your devices by enforcing strict policies.
    • Example: Blocks executable content from email and webmail clients.
  • 🛡️ Capability: Automated investigation and response (AIR)
    • Definition: Automates the investigation process and applies remediations.
    • Example: Automatically isolates compromised devices from the network.

1.2 Investigate alerts and incidents in Microsoft Defender for Endpoint

  • 🔍 Action: Review and analyze alerts
    • Definition: Examine alerts generated by Defender for Endpoint to determine severity and scope.
    • Steps: Access the security portal, navigate to alerts, review alert details.
  • 🔍 Action: Investigate incidents and entities
    • Definition: Investigate incidents by examining the related alerts and affected entities.
    • Steps: View incident graph, analyze the timeline, investigate impacted assets.
  • 🔍 Action: Use advanced hunting queries
    • Definition: Create custom queries using KQL to proactively hunt for threats.
    • Example: Use KQL to find suspicious process creations or network connections.

1.3 Mitigate incidents using Microsoft Defender for Office 365

  • 📧 Capability: Threat protection for emails and documents
    • Definition: Protects email and documents from malware, phishing, and other threats.
    • Example: Scans email attachments for malware.
  • 📧 Capability: Safe attachments and safe links
    • Definition: Checks attachments and links in emails to ensure they are safe.
    • Example: Detonates attachments in a sandbox environment.
  • 📧 Capability: Anti-phishing policies
    • Definition: Detects and prevents phishing attempts.
    • Example: Identifies and blocks impersonation attempts.

1.4 Mitigate incidents using Microsoft Defender for Identity

  • 👤 Capability: Identity threat detection
    • Definition: Monitors and analyzes user activities to detect identity threats.
    • Example: Detects brute force attacks against user accounts.
  • 👤 Capability: Lateral movement path analysis
    • Definition: Identifies potential lateral movement paths within the network.
    • Example: Detects unusual login attempts from one user to another.
  • 👤 Capability: Anomalous activities and user behavior analytics
    • Definition: Uses analytics to detect anomalous user behaviors.
    • Example: Detects abnormal login times or locations.

1.5 Investigate and respond to incidents using Microsoft Defender for Cloud Apps

  • ☁️ Capability: Cloud app security and governance
    • Definition: Provides visibility and control over cloud applications.
    • Example: Monitors usage patterns and detects shadow IT.
  • ☁️ Capability: Investigate and remediate alerts
    • Definition: Investigates alerts related to cloud app activities and takes action.
    • Steps: Review alert details, investigate user activities, apply remediation steps.
  • ☁️ Capability: Use of policies and anomaly detection
    • Definition: Create and enforce policies to detect and respond to anomalies.
    • Example: Policy to detect excessive downloads from a cloud storage service.

Objective 2: Mitigate threats using Microsoft Sentinel

2.1 Design and configure a Microsoft Sentinel workspace

  • 🛠️ Task: Configure data connectors
    • Definition: Set up data connectors to ingest data from various sources.
    • Example: Connect to Azure Activity logs, Office 365, and custom logs.
  • 🛠️ Task: Set up workbooks and dashboards
    • Definition: Create visualizations to monitor and analyze security data.
    • Example: Custom workbooks to visualize security alerts and incidents.
  • 🛠️ Task: Manage retention settings
    • Definition: Configure data retention policies to comply with organizational requirements.
    • Steps: Access Sentinel settings, adjust retention period, save changes.

2.2 Query, visualize, and monitor data in Microsoft Sentinel

  • 📊 Task: Use KQL for querying data
    • Definition: Write KQL queries to search and analyze data in Sentinel.
    • Example: Query to find all failed logon attempts in the last 24 hours.
  • 📊 Task: Create and customize workbooks
    • Definition: Design workbooks to display important security metrics.
    • Example: Workbook to monitor alert trends and incident responses.
  • 📊 Task: Set up and manage alerts and incidents
    • Definition: Configure alert rules and manage incidents in Sentinel.
    • Example: Alert rule to notify when a specific threat is detected.

2.3 Investigate and respond to incidents using Microsoft Sentinel

  • 🕵️‍♂️ Task: Use investigation tools
    • Definition: Utilize built-in tools to investigate security incidents.
    • Example: Incident graph to visualize the scope and impact of an incident.
  • 🕵️‍♂️ Task: Apply playbooks for automated responses
    • Definition: Use playbooks to automate response actions.
    • Example: Playbook to isolate a compromised device automatically.
  • 🕵️‍♂️ Task: Analyze and remediate incidents
    • Definition: Thoroughly analyze incidents and apply remediation steps.
    • Example: Investigate root cause, apply patches, and update policies.

2.4 Configure and manage threat intelligence in Microsoft Sentinel

  • 🔐 Task: Integrate threat intelligence sources
    • Definition: Add and manage threat intelligence feeds in Sentinel.
    • Example: Integrate with Microsoft Threat Intelligence, VirusTotal.
  • 🔐 Task: Manage threat intelligence rules
    • Definition: Create and manage rules to leverage threat intelligence.
    • Example: Rule to generate alerts based on known malicious IP addresses.
  • 🔐 Task: Analyze and act on threat intelligence data
    • Definition: Use threat intelligence to enhance incident investigation.
    • Example: Correlate alerts with threat intelligence to identify advanced threats.

Objective 3: Mitigate threats using Microsoft Defender for Cloud

3.1 Enable and manage Microsoft Defender for Cloud

  • ☁️ Task: Configure security policies and settings
    • Definition: Set up and manage security policies in Defender for Cloud.
    • Example: Enable security policies for virtual machines and databases.
  • ☁️ Task: Set up continuous export
    • Definition: Configure continuous export of security alerts and recommendations.
    • Steps: Access settings, enable export, select export destination.
  • ☁️ Task: Monitor and manage security alerts
    • Definition: Continuously monitor and manage security alerts in Defender for Cloud.
    • Example: Review and triage alerts, take remediation actions.

3.2 Monitor and remediate security recommendations and alerts

  • 🔔 Task: Review security recommendations
    • Definition: Regularly review security recommendations provided by Defender for Cloud.
    • Example: Recommendations to apply security patches and configurations.
  • 🔔 Task: Implement remediation steps
    • Definition: Take action on security recommendations to improve security posture.
    • Example: Apply security patches, configure security settings.
  • 🔔 Task: Track and resolve security alerts
    • Definition: Monitor and resolve security alerts generated by Defender for Cloud.
    • Example: Investigate alert details, resolve issues, and close alerts.

3.3 Configure workflow automation in Microsoft Defender for Cloud

  • ⚙️ Task: Set up automated workflows
    • Definition: Create workflows to automate security tasks and responses.
    • Example: Workflow to automatically notify the security team of high-severity alerts.
  • ⚙️ Task: Use logic apps for automation
    • Definition: Utilize Azure Logic Apps to automate security processes.
    • Example: Logic app to trigger remediation actions based on specific alerts.
  • ⚙️ Task: Integrate with other security tools
    • Definition: Connect Defender for Cloud with other security tools for enhanced automation.
    • Example: Integrate with SIEM and SOAR platforms for automated incident response.

Objective 4: Mitigate threats using third-party security products

4.1 Configure third-party security products in Microsoft 365 Defender

  • 🔧 Task: Integrate third-party security solutions
    • Definition: Set up integrations with third-party security products.
    • Example: Integrate with CrowdStrike, Palo Alto Networks.
  • 🔧 Task: Manage data connectors
    • Definition: Configure and manage connectors to ingest data from third-party sources.
    • Example: Configure data connectors

for external threat intelligence feeds.

  • 🔧 Task: Configure alerting and notifications
    • Definition: Set up alerts and notifications for third-party integrations.
    • Example: Alert rule to notify of incidents detected by third-party products.

4.2 Investigate and respond to incidents using third-party security products

  • 🕵️‍♀️ Task: Use third-party tools for incident investigation
    • Definition: Leverage third-party tools for comprehensive incident analysis.
    • Example: Use a third-party EDR solution to investigate endpoint incidents.
  • 🕵️‍♀️ Task: Apply automated responses
    • Definition: Automate responses to incidents using third-party integrations.
    • Example: Automatically block malicious IP addresses detected by third-party tools.
  • 🕵️‍♀️ Task: Correlate data across multiple sources
    • Definition: Combine data from multiple sources for a holistic view of incidents.
    • Example: Correlate alerts from Microsoft Defender and third-party products.

Objective 5: Mitigate threats using Azure Defender

5.1 Configure and manage Azure Defender

  • 🌐 Task: Enable Azure Defender
    • Definition: Turn on Azure Defender to protect Azure resources.
    • Steps: Access security center, enable Azure Defender, select resources to protect.
  • 🌐 Task: Configure security policies
    • Definition: Set up policies to govern the security of Azure resources.
    • Example: Policies for virtual machines, SQL databases, and storage accounts.
  • 🌐 Task: Monitor security alerts and incidents
    • Definition: Continuously monitor security alerts and incidents in Azure Defender.
    • Example: Review alert details, investigate incidents, take remediation actions.

5.2 Investigate and respond to alerts using Azure Defender

  • 🔍 Task: Investigate security alerts
    • Definition: Examine alerts to understand the scope and impact of potential threats.
    • Example: Investigate alerts related to SQL injection attempts.
  • 🔍 Task: Remediate vulnerabilities
    • Definition: Apply remediation steps to address identified vulnerabilities.
    • Example: Patch vulnerabilities in virtual machines and applications.
  • 🔍 Task: Apply best practices for securing Azure resources
    • Definition: Implement security best practices to protect Azure resources.
    • Example: Use network security groups, configure role-based access control.

Objective 6: Create queries for Microsoft Sentinel using Kusto Query Language (KQL)

6.1 Write KQL statements to query logs in Microsoft Sentinel

  • 🖋️ Skill: Basic KQL syntax and operators
    • Definition: Understand the fundamentals of KQL, including syntax and operators.
    • Example: SecurityEvent | where TimeGenerated > ago(1h)
  • 🖋️ Skill: Filter and sort data
    • Definition: Use KQL to filter and sort log data.
    • Example: SecurityEvent | where EventID == 4624 | sort by TimeGenerated desc
  • 🖋️ Skill: Aggregate and summarize data
    • Definition: Aggregate and summarize data using KQL functions.
    • Example: SecurityEvent | summarize count() by Account

6.2 Write KQL statements to correlate data in Microsoft Sentinel

  • 🔗 Skill: Join multiple tables
    • Definition: Combine data from multiple tables using join operations.
    • Example: SecurityEvent | join kind=inner (SigninLogs | where EventID == 4624) on Account
  • 🔗 Skill: Use subqueries and unions
    • Definition: Utilize subqueries and unions to enhance data analysis.
    • Example: SecurityEvent | union SigninLogs
  • 🔗 Skill: Apply advanced KQL functions
    • Definition: Use advanced functions like extend, parse, and mv-expand.
    • Example: SigninLogs | mv-expand AuthDetails = parse_json(AuthenticationDetails)

6.3 Write KQL statements to visualize data in Microsoft Sentinel

  • 📈 Skill: Create charts and graphs
    • Definition: Use KQL to create visual representations of data.
    • Example: SecurityEvent | summarize count() by bin(TimeGenerated, 1h) | render timechart
  • 📈 Skill: Customize visualizations
    • Definition: Customize visualizations to meet specific requirements.
    • Example: Customize time range and data points in a chart.
  • 📈 Skill: Build and share workbooks
    • Definition: Create and share workbooks with customized visualizations.
    • Example: Workbook to monitor login activities and alerts.

Icons Legend

  • 🛡️ Capability
  • 🔍 Action
  • 📧 Capability
  • 👤 Capability
  • ☁️ Capability
  • 🛠️ Task
  • 📊 Task
  • 🕵️‍♂️ Task
  • 🔐 Task
  • 🔔 Task
  • ⚙️ Task
  • 🔧 Task
  • 🕵️‍♀️ Task
  • 🌐 Task
  • 🖋️ Skill
  • 🔗 Skill
  • 📈 Skill

This comprehensive set of flashcards is designed to cover the SC-200 objectives in detail, providing definitions, examples, and steps where applicable to ensure thorough understanding and preparation.