Microsoft SC-200 Exam: Security Operations Analyst Associate

Study Notes

Contoso Ltd Case Study

  • Contoso Ltd has a main office in Seattle and five branch offices in North America
  • Contoso has a subsidiary named Fabrikam, Ltd. with offices in New York and San Francisco
  • All Contoso users use Windows 10 devices and are licensed for Microsoft 365
  • Contoso applications are deployed to Azure, and Microsoft Cloud App Security is enabled
  • Fabrikam has a separate Azure AD tenant and has enabled Azure Defender for all supported resource types

Security Challenges

  • Contoso's security team receives a large number of cybersecurity alerts and spends too much time identifying legitimate threats
  • The sales team uses only iOS devices and exchanges files with customers using various third-party tools, leading to attacks on their devices
  • The marketing team collaborates with external vendors using Microsoft SharePoint Online sites, which have experienced malware uploads
  • The executive team suspects a security breach and requests identification of files with more than five activities in the past 48 hours for Microsoft Cloud App Security-protected applications

Planned Changes

  • Contoso plans to integrate security operations between Contoso and Fabrikam and manage them centrally
  • Technical requirements include:
    • Receiving alerts for Azure virtual machine brute force attacks
    • Using Azure Sentinel to reduce organizational risk
    • Implementing Azure Sentinel queries that correlate data across both Azure AD tenants
    • Developing a procedure to remediate Azure Defender for Key Vault alerts for Fabrikam
    • Identifying users who failed to sign in to an Azure resource for the first time from a given country

Litware Inc Case Study

  • Litware Inc is a renewable company with offices in Boston and Seattle, and remote users across the United States
  • Litware has an Azure subscription, and resources in the East US Azure region
  • Litware plans to implement Azure Sentinel and validate its functionality using Azure AD test user accounts
  • Business requirements include:
    • Using the principle of least privilege
    • Minimizing costs
    • Providing a full audit trail of user activities
    • Protecting domain controllers with Microsoft Defender for Identity
  • Technical requirements include:
    • Integrating Azure Sentinel and Cloud App Security
    • Ensuring a user named admin1 can configure Azure Sentinel playbooks
    • Creating an Azure Sentinel analytics rule based on a custom query

Azure Information Protection Requirements

  • All files with security labels on Windows 10 computers must be available from the Azure Information Protection – Data discovery dashboard

Microsoft Defender for Endpoint Requirements

  • All Cloud App Security unsanctioned apps must be blocked on Windows 10 computers using Microsoft Defender for Endpoint

Anomaly Detection Policy

  • Activity from a country/region that could indicate malicious activity
  • Triggers alerts when activity is detected from a location that was not recently or was never visited by any user in the organization
  • Useful in detecting credential breaches or masked locations (e.g., using a VPN)

Data Loss Prevention (DLP) Policy

  • Azure Information Protection (AIP) is used to detect sensitive documents
  • AIP can be used to protect sensitive documents containing customer account numbers (e.g., 32 alphanumeric characters)

Office VBA Macros

  • Two commands can be used to identify which Office VBA macros might be affected by protection against downloading and running additional payloads:
    • Option B
    • Option C

Microsoft Defender for Endpoint

  • Allows hiding false positive alerts in the Alerts queue while maintaining existing security posture
  • Three actions to perform:
    1. Resolve the alert automatically
    2. Hide the alert
    3. Create a suppression rule scoped to a device group

Cloud App Security Portal

  • Used to remediate risks for the Launchpad app
  • Four actions to perform in sequence:
    1. (Answer)
    2. (Answer)
    3. (Answer)
    4. (Answer)

Microsoft 365 Defender

  • Advanced hunting query can be used to identify devices affected by a malicious email attachment
  • Useful in performing cross-domain investigations

Advanced Hunting Query

  • Can be used to receive an alert when any process disables System Restore on a device managed by Microsoft Defender during the last 24 hours
  • Two actions to perform:
    1. Create a detection rule
    2. Add | order by Timestamp to the query

Device Groups

  • Can be used to perform automated actions on a group of highly valuable machines that contain sensitive information
  • Three actions to perform:
    1. Add a tag to the device group
    2. Create a new device group that has a rank of 1
    3. Add a tag to the machines

Microsoft Defender for Identity

  • Can be used to configure several accounts for attackers to exploit
  • Solution: From Entity tags, add the accounts as Honeytoken accounts

Azure Security Center

  • Used to view recommendations to resolve an alert
  • Solution: From Security alerts, select the alert, select Take Action, and then expand the Prevent future attacks section

Common Vulnerabilities and Exposures (CVE)

  • Used to remediate a new CVE vulnerability that affects the environment
  • Three actions to perform in sequence:
    1. (Answer)
    2. (Answer)
    3. (Answer)

Azure Key Vault

  • Used to reduce the potential of Key Vault secrets being leaked while investigating an issue
  • First action to perform: Enable the Key Vault firewall

Azure Security Center and Sentinel

  • Azure Security Center provides security alerts, and from these alerts, you can take action to resolve the issue by expanding the "Mitigate the threat" section.
  • To view recommendations to resolve an alert in Azure Security Center, select the alert, then "Take Action", and finally expand the "Mitigate the threat" section.

Azure Sentinel Queries

  • To create a custom Azure Sentinel query that tracks anomalous Azure Active Directory (Azure AD) sign-in activity, use the "bin" function to present the activity as a time chart aggregated by day.
  • To create a query that provides a visual representation of security alerts generated by Azure Security Center, use the "count" function to display a bar graph.

Azure Sentinel Playbooks

  • To send a Microsoft Teams message to a channel whenever a sign-in from a suspicious IP address is detected, add a playbook and associate it with an incident in Azure Sentinel.
  • To modify an existing Azure logic app to use as a playbook in Azure Sentinel, modify the trigger in the logic app.

Azure Sentinel Visualizations

  • To visualize Azure Sentinel data and enrich the data by using third-party data sources to identify indicators of compromise (IoC), use notebooks in Azure Sentinel.
  • To provide a custom visualization to simplify the investigation of threats and to infer threats by using machine learning, use notebooks in Azure Sentinel.

Azure Sentinel Incidents

  • To group alerts into incidents, you can use the user and resource group components.
  • To run a playbook on-demand in Azure Sentinel, you can do so from the Incidents section.

Azure Sentinel Data Connectors

  • To perform hunting queries in Azure Sentinel to search across all Log Analytics workspaces of all subscriptions, add the Security Events connector to the Azure Sentinel workspace and create a query that uses the workspace expression and the union operator.

Azure Sentinel Roles

  • To assign the correct role to a security analyst to allow them to assign and dismiss incidents in Azure Sentinel, use the Azure Sentinel Responder role.

Azure Defender

  • To identify all devices that contain files in emails sent by a known malicious email sender, use an advanced hunting query in Microsoft 365 Defender that matches the SHA256 hash.
  • To configure the continuous export of high-severity alerts to enable their retrieval from a third-party security information and event management (SIEM) solution, export the alerts to Azure Event Hubs.

Azure Key Vault

  • To mitigate the threat of unauthorized attempts to access a key vault from a Tor exit node, configure Key Vault firewalls and virtual networks.

Azure Resource Manager Templates

  • To create a workflow automation that will trigger an automatic remediation when specific security alerts are received by Azure Security Center, use an Azure Resource Manager template to provision the required Azure resources.

Azure Defender Enablement

  • To enable just-in-time (JIT) VM access and network detections for Azure resources, enable Azure Defender at the subscription level.

Azure Storage

  • To run a PowerShell script if someone accesses the storage account from a suspicious IP address, create an Azure logic app that has an Azure Security Center alert trigger.

Azure Sentinel Fusion Rule

  • To ensure that the Fusion rule can generate alerts in Azure Sentinel, verify that the rule is enabled and add data connectors.

Practice questions and answers for the Microsoft Certified: Security Operations Analyst Associate exam, covering case studies and security operations.
