Training: Defend against cyberthreats with Microsoft’s security operations platform (SC-200)

Ref. SC-200T00

Download PDF

Duration:

jours

Exam:

Optionnel

Level:

Intermédiaire

Funding:

Eligible

Home > Trainings > IT Pro > Audit and Cybersecurity > Defend against cyberthreats with Microsoft’s security operations platform (SC-200)

Defend against cyberthreats with Microsoft's security operations platform Training (SC-200)

Targeted attacks, malicious use of generative AI and increasing regulatory pressure are reshaping the Security Operations Analyst role. This SC-200 training prepares you to operate a modern SOC powered by the Microsoft ecosystem: Microsoft Sentinel for scalable detection, Microsoft Defender XDR for cross-domain correlation, and Microsoft Security Copilot to accelerate investigation.

Over four days, you learn to configure Microsoft Sentinel data connectors, write advanced KQL queries, conduct proactive threat hunting and orchestrate incident response with SOAR playbooks. You also work on Microsoft Defender for Cloud to protect multi-cloud and hybrid workloads. The training is delivered in Geneva and Lausanne by Microsoft Certified Trainers.

Participant Profiles

Cybersecurity analysts
Systems technicians and engineers
IT security consultants
Cloud and network administrators
IT risk management professionals

Objectives

Configure Microsoft Sentinel and integrate critical data sources via native connectors and Codeless Connector
Detect threats by writing analytic rules and hunting queries in KQL (Kusto Query Language)
Investigate and respond to incidents with Microsoft Defender XDR, Defender for Endpoint, Defender for Office 365 and Defender for Identity
Protect cloud and hybrid workloads with Microsoft Defender for Cloud and its CSPM plan
Automate incident response with Logic Apps playbooks and Sentinel automation rules
Use Microsoft Security Copilot to accelerate alert analysis and prioritization

Prerequisites

Understand the fundamental concepts of cybersecurity and incident management
Master the basics of Microsoft Azure and cloud environments
Know how to use IT administration and monitoring tools

Course Content

Module 1 : Introduction to Microsoft Defender XDR threat protection

Explore Extended Detection & Response (XDR) response use cases
Understand Microsoft Defender XDR in a Security Operations Center (SOC)
Explore Microsoft Security Graph
Investigate security incidents in Microsoft Defender XDR
Module assessment

Module 2 : Mitigate incidents using Microsoft Defender

Use the Microsoft Defender portal
Manage incidents
Investigate incidents
Manage and investigate alerts
Manage automated investigations
Use the action center
Explore advanced hunting
Investigate Microsoft Entra sign-in logs
Understand Microsoft Secure Score
Analyze threat analytics with the Security Copilot Threat Intelligence Briefing Agent
Analyze reports
Configure the Microsoft Defender portal
Module assessment

Module 3 : Remediate threats using Microsoft Defender

Automate, investigate, and remediate
Configure, protect, and detect
Microsoft Security Copilot Phishing Triage Agent in Microsoft Defender
Simulate attacks

Module 4 : Manage Microsoft Entra Identity Protection

Review identity protection basics
Implement and manage user risk policy
Monitor, investigate, and remediate elevated risky users
Implement security for workload identities
Explore Microsoft Defender for Identity
Explore the Identity Risk Management Agent
Module assessment

Module 5 : Safeguard your environment with Microsoft Defender for Identity

Configure Microsoft Defender for Identity sensors
Review compromised accounts or data
Integrate with other Microsoft tools

Module 6 : Secure your cloud apps and services with Microsoft Defender for Cloud Apps

Understand the Defender for Cloud Apps Framework
Explore your cloud apps with Cloud Discovery
Protect your data and apps with Conditional Access App Control
Walk through discovery and access control with Microsoft Defender for Cloud Apps
Classify and protect sensitive information
Detect Threats
Module assessment

Module 7 : Introduction to generative AI and agents

Large language models (LLMs)
Prompts
AI agents
Module assessment

Module 8 : Describe Microsoft Security Copilot

Get acquainted with Microsoft Security Copilot
Describe Microsoft Security Copilot terminology
Describe how Microsoft Security Copilot processes prompt requests
Describe the elements of an effective prompt
Describe how to enable Microsoft Security Copilot
Module assessment

Module 9 : Describe the core features of Microsoft Security Copilot

Describe the features available in the standalone experience of Microsoft Security Copilot
Describe the features available in a session of the standalone experience
Describe workspaces
Describe Security Copilot plugins
Describe custom promptbooks
Describe knowledge base connections
Module assessment

Module 10 : Describe the embedded experiences of Microsoft Security Copilot

Describe Copilot in Microsoft Defender XDR
Copilot in Microsoft Purview
Copilot in Microsoft Entra
Copilot in Microsoft Intune
Copilot in Microsoft Defender for Cloud
Module assessment

Module 11 : Explore use cases of Microsoft Security Copilot

Explore the first run experience
Explore the standalone experience
Explore Security Copilot workspaces
Configure the Microsoft Sentinel plugin
Enable a custom plugin
Explore file uploads as a knowledge base
Create a custom promptbook
Explore the capabilities of Copilot in Microsoft Defender XDR
Explore the capabilities of Copilot in Microsoft Purview
Explore the capabilities of Copilot in Microsoft Entra
Module assessment

Module 12 : Investigate and respond to Microsoft Purview Data Loss Prevention alerts

Understand data loss prevention (DLP) alerts
Understand the DLP alert lifecycle
Configure DLP policies to generate alerts
Investigate DLP alerts in Microsoft Purview
Investigate DLP alerts in Microsoft Defender XDR
Investigate DLP alerts with Security Copilot and AI agents
Respond to DLP alerts
Module assessment

Module 13 : Investigate insider risk alerts and related activity

Understand insider risk alerts and investigations
Manage alert volume in insider risk management
Investigate and triage insider risk alerts in Microsoft Purview
Investigate insider risk alerts with Security Copilot and AI agents
Analyze alert context with the All risk factors tab
Investigate activity details with the Activity explorer tab
Review patterns over time with the User activity tab
Investigate insider risk alerts in Microsoft Defender XDR
Manage and take action on insider risk cases
Module assessment

Module 14 : Search and investigate with Microsoft Purview Audit

Microsoft Purview Audit overview
Configure and manage Microsoft Purview Audit
Conduct searches with Audit (Standard)
Audit Microsoft Copilot for Microsoft 365 interactions
Investigate activities with Audit (Premium)
Export audit log data
Configure audit retention with Audit (Premium)
Module assessment

Module 15 : Search for content with Microsoft Purview eDiscovery

Understand eDiscovery and content search capabilities
Prerequisites for using eDiscovery in Microsoft Purview
Create an eDiscovery search
Conduct an eDiscovery search
Export eDiscovery search results
Module assessment

Module 16 : Protect against threats with Microsoft Defender for Endpoint

Practice security administration
Hunt threats within your network

Module 17 : Deploy the Microsoft Defender for Endpoint environment

Create your environment
Understand operating systems compatibility and features
Onboard devices
Manage access
Create and manage roles for role-based access control
Configure device groups
Configure environment advanced features
Module assessment

Module 18 : Implement Windows security enhancements with Microsoft Defender for Endpoint

Understand attack surface reduction
Enable attack surface reduction rules
Module assessment

Module 19 : Perform device investigations in Microsoft Defender for Endpoint

Use the device inventory list
Investigate the device
Use behavioral blocking
Detect devices with device discovery
Module assessment

Module 20 : Perform actions on a device using Microsoft Defender for Endpoint

Explain device actions
Run Microsoft Defender antivirus scan on devices
Collect investigation package from devices
Initiate live response session
Module assessment

Module 21 : Perform evidence and entities investigations using Microsoft Defender for Endpoint

Investigate a file
Investigate a user account
Investigate an IP address
Investigate a domain
Module assessment

Module 22 : Configure and manage automation using Microsoft Defender for Endpoint

Configure advanced features
Manage automation upload and folder settings
Configure automated investigation and remediation capabilities
Block at risk devices
Module assessment

Module 23 : Configure for alerts and detections in Microsoft Defender for Endpoint

Configure advanced features
Configure alert notifications
Manage alert suppression
Manage indicators
Module assessment

Module 24 : Utilize Vulnerability Management in Microsoft Defender for Endpoint

Understand vulnerability management
Explore vulnerabilities on your devices
Manage remediation
Module assessment

Module 25 : Plan for cloud workload protections using Microsoft Defender for Cloud

Explain Microsoft Defender for Cloud
Describe Microsoft Defender for Cloud workload protections
Enable Microsoft Defender for Cloud
Module assessment

Module 26 : Connect Azure assets to Microsoft Defender for Cloud

Explore and manage your resources with asset inventory
Configure auto provisioning
Manual agent provisioning
Module assessment

Module 27 : Connect non-Azure resources to Microsoft Defender for Cloud

Protect non-Azure resources
Connect non-Azure machines
Connect your AWS accounts
Connect your GCP accounts
Module assessment

Module 28 : Manage your cloud security posture management

Explore Secure Score
Explore Recommendations
Measure and enforce regulatory compliance
Understand Workbooks
Module assessment

Module 29 : Explain cloud workload protections in Microsoft Defender for Cloud

Understand Microsoft Defender for servers
Understand Microsoft Defender for App Service
Understand Microsoft Defender for Storage
Understand Microsoft Defender for SQL
Understand Microsoft Defender for open-source databases
Understand Microsoft Defender for Key Vault
Understand Microsoft Defender for Resource Manager
Understand Microsoft Defender for DNS
Understand Microsoft Defender for Containers
Understand Microsoft Defender additional protections
Module assessment

Module 30 : Remediate security alerts using Microsoft Defender for Cloud

Understand security alerts
Remediate alerts and automate responses
Suppress alerts from Defender for Cloud
Generate threat intelligence reports
Respond to alerts from Azure resources
Module assessment

Module 31 : Construct KQL statements for Microsoft Sentinel

Understand the Kusto Query Language statement structure
Use the search operator
Use the where operator
Use the let statement
Use the extend operator
Use the order by operator
Use the project operators
Module assessment

Module 32 : Analyze query results using KQL

Use the summarize operator
Use the summarize operator to filter results
Use the summarize operator to prepare data
Use the render operator to create visualizations
Module assessment

Module 33 : Build multi-table statements using KQL

Use the union operator
Use the join operator
Module assessment

Module 34 : Work with data in Microsoft Sentinel using Kusto Query Language

Extract data from unstructured string fields
Extract data from structured string data
Integrate external data
Create parsers with functions
Module assessment

Module 35 : Introduction to Microsoft Sentinel

What is Microsoft Sentinel?
How Microsoft Sentinel works
When to use Microsoft Sentinel
Module assessment

Module 36 : Create and manage Microsoft Sentinel workspaces

Plan for the Microsoft Sentinel workspace
Create a Microsoft Sentinel workspace
Manage workspaces across tenants using Azure Lighthouse
Understand Microsoft Sentinel permissions and roles
Manage Microsoft Sentinel settings
Configure logs
Module assessment

Module 37 : Query logs in Microsoft Sentinel

Query logs in the logs page
Understand Microsoft Sentinel tables
Understand common tables
Understand Microsoft Defender XDR tables
Module assessment

Module 38 : Use watchlists in Microsoft Sentinel

Plan for watchlists
Create a watchlist
Manage watchlists
Module assessment

Module 39 : Utilize threat intelligence in Microsoft Sentinel

Define threat intelligence
Manage your threat indicators
View your threat indicators with KQL
Module assessment

Module 40 : Integrate Microsoft Defender XDR with Microsoft Sentinel

Understand the benefits of integrating Microsoft Sentinel with Defender XDR
Explore the capability differences between Microsoft Defender XDR and Microsoft Sentinel portals
Onboarding Microsoft Sentinel to Microsoft Defender XDR
Explore Microsoft Sentinel features in Microsoft Defender XDR
Module assessment

Module 41 : Connect data to Microsoft Sentinel using data connectors

Ingest log data with data connectors
Understand data connector providers
View connected hosts
Module assessment

Module 42 : Connect Microsoft services to Microsoft Sentinel

Plan for Microsoft services connectors
Connect the Microsoft 365 connector
Connect the Microsoft Entra connector
Connect the Microsoft Entra ID Protection connector
Connect the Azure Activity connector
Module assessment

Module 43 : Connect Microsoft Defender XDR to Microsoft Sentinel

Plan for Microsoft Defender XDR connectors
Connect the Microsoft Defender XDR connector
Connect Microsoft Defender for Cloud connector
Connect Microsoft Defender for IoT
Connect Microsoft Defender legacy connectors
Module assessment

Module 44 : Connect Windows hosts to Microsoft Sentinel

Plan for Windows hosts security events connector
Connect using the Windows Security Events via AMA Connector
Connect using the Security Events via Legacy Agent Connector
Collect Sysmon event logs
Module assessment

Module 45 : Connect Common Event Format logs to Microsoft Sentinel

Plan for Common Event Format connector
Connect your external solution using the Common Event Format connector
Module assessment

Module 46 : Connect syslog data sources to Microsoft Sentinel

Plan for syslog data collection
Collect data from Linux-based sources using syslog
Configure the Data Collection Rule for Syslog Data Sources
Parse syslog data with KQL
Module assessment

Module 47 : Connect threat indicators to Microsoft Sentinel

Plan for threat intelligence connectors
Connect the Defender Threat Intelligence connector
Connect the threat intelligence TAXII connector
Connect the threat intelligence Upload API connector
View your threat indicators with KQL
Module assessment

Module 48 : Threat detection with Microsoft Sentinel analytics

What is Microsoft Sentinel Analytics?
Types of analytics rules
Create an analytics rule from templates
Create an analytics rule from wizard
Manage analytics rules

Module 49 : Automation in Microsoft Sentinel

Understand automation options
Create automation rules
Module assessment

Module 50 : Threat response with Microsoft Sentinel playbooks

What are Microsoft Sentinel playbooks?
Trigger a playbook in real-time
Run playbooks on demand

Module 51 : Security incident management in Microsoft Sentinel

Understand incidents
Incident evidence and entities
Incident management

Module 52 : Identify threats with Behavioral Analytics

Understand behavioral analytics
Explore entities
Display entity behavior information
Use Anomaly detection analytical rule templates
Module assessment

Module 53 : Data normalization in Microsoft Sentinel

Understand data normalization
Use ASIM Parsers
Understand parameterized KQL functions
Create an ASIM Parser
Configure Azure Monitor Data Collection Rules
Module assessment

Module 54 : Query, visualize, and monitor data in Microsoft Sentinel

Monitor and visualize data
Query data using Kusto Query Language
Use default Microsoft Sentinel Workbooks
Create a new Microsoft Sentinel Workbook

Module 55 : Manage content in Microsoft Sentinel

Use solutions from the content hub
Use repositories for deployment
Module assessment

Module 56 : Explain threat hunting concepts in Microsoft Sentinel

Understand cybersecurity threat hunts
Develop a hypothesis
Explore MITRE ATT&CK
Module assessment

Module 57 : Threat hunting with Microsoft Sentinel

Explore creation and management of threat-hunting queries
Save key findings with bookmarks
Observe threats over time with livestream

Module 58 : Use Search jobs in Microsoft Sentinel

Hunt with a Search Job
Restore historical data
Module assessment

Module 59 : Hunt for threats using notebooks in Microsoft Sentinel

Access Azure Sentinel data with external tools
Hunt with notebooks
Create a notebook
Explore notebook code
Module assessment

Documentation

Access to Microsoft Learn, Microsoft’s online learning platform, offering interactive resources and educational content to deepen your knowledge and develop your technical skills.

Lab / Exercises

This course provides you with exclusive access to the official Microsoft lab, enabling you to practice your skills in a professional environment.

Exam

This course prepares you to the SC-200: Microsoft Security Operations Analyst exam.

Complementary Courses

Eligible Funding

ITTA is a partner of a continuing education fund dedicated to temporary workers. This fund can subsidize your training, provided that you are subject to the “Service Provision” collective labor agreement (CCT) and meet certain conditions, including having worked at least 88 hours in the past 12 months.

Additional Information

Why take the Microsoft Security Operations Analyst (SC-200) training now

Security Operations Centers (SOCs) face unprecedented alert volume and pressure on mean time to detect (MTTD) and respond (MTTR). Consolidation around Microsoft Sentinel and Microsoft Defender XDR answers this equation: a cloud-native scalable SIEM coupled with an XDR platform that correlates endpoint, identity, email, cloud apps and cloud infrastructure signals. The SC-200 training prepares you to operate this set within an Azure / Microsoft 365 / multi-cloud environment.

Microsoft Sentinel: the cloud-native SIEM at the core

Microsoft Sentinel concentrates log ingestion (Azure, AWS, GCP, third-party sources via syslog or API), detection via analytics rules and hunting, visual investigation of entities and response orchestration via playbooks. During the training, you work on workspace design, retention costs, Fusion and machine learning rules, and the creation of custom workbooks for CISO reporting.

Microsoft Defender XDR: cross-domain correlation

Defender XDR (formerly Microsoft 365 Defender) unifies Defender for Endpoint, Defender for Identity, Defender for Office 365 and Defender for Cloud Apps in a single console. You learn to investigate multi-domain incidents, leverage the attack graph, manage exclusions and configure Attack Surface Reduction on Windows and Linux endpoints.

KQL: the indispensable cross-cutting skill

Kusto Query Language is the key to efficient operation of Sentinel and Defender. The training covers syntax (where, project, summarize, join, mv-expand), advanced analytical functions (parse, extend, lookup) and detection patterns (rare process, lateral movement, beaconing C2). You leave the training able to write your own hunting queries.

Microsoft Security Copilot and AI in the SOC

Microsoft Security Copilot is integrated into the program: promptbooks to automate recurring investigations, KQL generation in natural language, incident summaries for tier 1 analysts, and integration with Sentinel and Defender XDR. The SC-200 program reflects the SOC evolution toward analyst augmentation through generative AI, without replacing human judgment.

Audience and prerequisites

This training targets tier 1 and 2 SOC analysts, security engineers, threat hunters and system administrators in charge of operational security. Basic Azure knowledge (equivalent to AZ-900) and Microsoft security fundamentals (equivalent to SC-900) are recommended. Mastery of a query language (SQL, Splunk SPL) is a plus but not required.

Microsoft Certified: Security Operations Analyst Associate exam

The SC-200 course prepares you for the SC-200: Microsoft Security Operations Analyst exam, which leads to the Microsoft Certified: Security Operations Analyst Associate certification. The exam evaluates skills on Microsoft Sentinel, Microsoft Defender XDR, Microsoft Defender for Cloud and Microsoft Security Copilot. The certification is among the most sought-after credentials in SOC managed services in Switzerland and France.

FAQ Microsoft Security Operations Analyst (SC-200)

What is the difference between SC-200 and AZ-500 training?

SC-200 focuses on SOC operations: detection, investigation, threat hunting and response. AZ-500 covers Azure infrastructure security from a cloud security engineer perspective (identity, network, platform). Both are complementary in a Microsoft security career path.

Does the SC-200 course cover Microsoft Security Copilot?

Yes. The latest program update integrates Security Copilot use cases in Sentinel and Defender XDR: promptbooks, KQL generation, incident summaries and AI-augmented investigation.

Do I need to be a developer to follow the SC-200 training?

No, the training is operational. KQL is a query language, not a development language. You learn to read and write analytic rules and hunting queries, not develop applications.

Does the SC-200 training include hands-on labs?

Yes. Microsoft Learn labs allow you to configure a Sentinel workspace, ingest Azure and endpoint logs, write analytic rules, create SOAR playbooks and investigate simulated incidents on Defender XDR.

What jobs lead to the Microsoft Security Operations Analyst Associate certification?

SOC analyst tier 1 to 3, Microsoft Sentinel engineer, threat hunter, incident responder, Microsoft security consultant, managed services SOC architect.