A few weeks ago, I took and passed the SC-200 exam – Microsoft Certified: Security Operations Analyst Associate.
In this short post, I wanted to share the resources I used to help me prepare for the exam. This is not an exhaustive list – just a few elements to help out!

This exam is mainly focused on the tasks and technologies that people actively working in security operations use and undertake regularly – for example responding to incidents, and setting up tooling such as Defender XDR, Security Copilot, Sentinel and more. One of the key aspects of this certification, in my opinion, is its breadth – a wide range of areas and knowledge is tested. In particular, the exam brief (see here) suggests a range of areas to be familiar with:
“As a candidate, you should be familiar with:
- Microsoft 365
- Azure cloud services
- Windows, Linux, and mobile operating systems”
Overall – I found this to be a broad exam that tested a range of areas (within the learning objectives), and one for which I definitely needed to brush up on various topics!
Resources
- MSFT Study Guide for SC-200 – as always, this is invaluable, and a great place to start. This guide takes you through all of the exam content, learning objectives, and study material available. https://learn.microsoft.com/en-us/credentials/certifications/resources/study-guides/sc-200
- As always, the Microsoft Learn GitHub repositories are helpful – and include lab guides: https://github.com/MicrosoftLearning/SC-200T00A-Microsoft-Security-Operations-Analyst
- Getting some hands on and deployment time with the solutions tested in the exam also really helped me: https://learn.microsoft.com/en-us/training/courses/sc-200t00.
- The labs from the SC-200 GitHub repo were also very handy: https://microsoftlearning.github.io/SC-200T00A-Microsoft-Security-Operations-Analyst/
- Previous exams and their respective practice tests and learning material were also really helpful – in this case, SC-100 experience was great. See my previous post about SC-100 here: https://jakewalsh.co.uk/resources-to-help-study-for-the-sc-100-exam-with-a-hint-of-iac/.
Just for a change… what about Infrastructure as Code (IAC)?
It really wouldn’t be a blog post from myself without some reference to Infrastructure as Code (IAC), and whenever I take an exam, I usually try to apply this element (as it is a focus area for me) to my own learning and experience. The reason for this is that typically in my role, all deployments are made in code, and managed in this way moving forward too. So for me, it makes a huge amount of sense to apply this to my own learning – as this provides a basis for me to continue using the skills learned.
In my own development and learning, I found the use of IAC was most appropriate and relevant when configuring and securing infrastructure resources, or setting up key elements for security – for example configuring monitoring settings, or integrating Defender services into IAC practices.
During my own learning for this exam, I spent some time working with the following resources and methods – this list is not exhaustive by any means, and is simply to share my own learning experience:
- AzureRM Terraform Provider – Sentinel configuration, in this case enabling a built-in anomaly alert rule: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sentinel_alert_rule_anomaly_built_in
- Overview of Microsoft Defender for Cloud DevOps security – this in particular is very relevant for those working with IAC, and brings Defender code scanning and analysis to source control platforms such as Azure DevOps and GitHub – https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-devops-introduction
- Overview of Microsoft Defender for Storage – and its configuration/deployment via Terraform: https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-introduction and https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_storage_defender.
- Overview of common tasks with KQL for Microsoft Sentinel – https://learn.microsoft.com/en-us/kusto/query/tutorials/common-tasks-microsoft-sentinel
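To show how the Sentinel and Defender for Storage resources from the list above fit together in a single deployment, here is an added Terraform example (my own illustration for this post, not code taken from the Microsoft Learn material or the provider documentation). Resource group, workspace and storage account names are hypothetical, the provider version constraint is an assumption (pick a release that includes both `azurerm_sentinel_alert_rule_anomaly_built_in` and `azurerm_security_center_storage_defender`), and the anomaly rule display name is assumed to match the name shown in the Sentinel portal:

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.100" # assumption: any 3.x release that ships both resources below
    }
  }
}

provider "azurerm" {
  features {}
}

# Hypothetical lab names; replace with your own naming convention.
resource "azurerm_resource_group" "soc" {
  name     = "rg-soc-lab"
  location = "uksouth"
}

# The Log Analytics workspace that Sentinel will be enabled on.
resource "azurerm_log_analytics_workspace" "soc" {
  name                = "law-soc-lab"
  location            = azurerm_resource_group.soc.location
  resource_group_name = azurerm_resource_group.soc.name
  sku                 = "PerGB2018"
  retention_in_days   = 90
}

# Onboards the workspace to Microsoft Sentinel.
resource "azurerm_sentinel_log_analytics_workspace_onboarding" "soc" {
  workspace_id = azurerm_log_analytics_workspace.soc.id
}

# Enables a built-in anomaly rule. "Production" mode generates anomalies
# that can be used in analytics rules; "Flighting" is for tuning only.
resource "azurerm_sentinel_alert_rule_anomaly_built_in" "data_staging" {
  display_name               = "Potential data staging" # assumption: display name as shown in the portal
  log_analytics_workspace_id = azurerm_sentinel_log_analytics_workspace_onboarding.soc.workspace_id
  mode                       = "Production"
  enabled                    = true
}

# A storage account to protect, with TLS 1.2 enforced as a baseline.
resource "azurerm_storage_account" "evidence" {
  name                     = "stsoclabevidence01" # hypothetical, must be globally unique
  resource_group_name      = azurerm_resource_group.soc.name
  location                 = azurerm_resource_group.soc.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = "TLS1_2"
}

# Defender for Storage configured at the storage-account level.
# override_subscription_settings_enabled lets this account's settings
# diverge from the subscription-wide plan.
resource "azurerm_security_center_storage_defender" "evidence" {
  storage_account_id                          = azurerm_storage_account.evidence.id
  override_subscription_settings_enabled      = true
  malware_scanning_on_upload_enabled          = true
  malware_scanning_on_upload_cap_gb_per_month = 5000
  sensitive_data_discovery_enabled            = true
}
```

Run `terraform init` and `terraform plan` against a subscription where you have Owner or Security Admin rights; the plan output is a useful check that the anomaly rule and the Defender for Storage settings are being created as expected before anything is applied. Keeping the monitoring and Defender configuration alongside the workspace definition means the security posture is reviewed in the same pull request as the infrastructure it protects.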
In summary, there is a huge range of IAC options – and many will be unique to your own environments, learning, and experience, so please do consult the relevant material to support your own learning.
Conclusion
[ Insert standard Jake exam disclaimer here… ] As always, real experience and using your own lab environment was hugely helpful for this exam – I found creating some of the scenarios outlined in the Learn modules in my own lab helped massively. I’d also recommend spending time running through the Microsoft Learn practice questions; these give a great idea of the type and style of question you can expect on the exam. Good luck!