Microsoft SC-200 考試要點

考試範圍 :

1. Manage a security operations environment
   考試比重20–25%
2. Configure protections and detections
   考試比重15–20%
3. Manage incident response
   考試比重35–40%
4. Perform threat hunting
   考試比重14–20 %

現代化SOC運作模型

Manage a security operations environment-考試比重20–25%

1. Configure settings in Microsoft Defend XDR
2. Manage assets and environments
3. Design and configure a Microsoft Sentinel workspace
4. Ingest data sources in Microsoft Sentinel

Configure settings in Microsoft Defender XDR

Configure a connection from Microsoft Defender XDR to a Sentinel workspace

You configure the Microsoft Sentinel and Microsoft Defender XDR data connector.
The configuration has three parts:

1. Connect incidents and alerts
   Enables integration between Defender XDR and Microsoft Sentinel, synchronizing incidents and their alerts between the two platforms.
2. Connect entities
   Enables the integration of on-premises Active Directory user identities into Microsoft Sentinel through Defender XDR for Identity
3. Connect events
   Enables the collection of raw advanced hunting events from Defender components

Configure Microsoft Defender for Endpoint advanced features and endpoint rules settings, including indicators and web content filtering

Configuring Endpoint Security Policies

1. Sign in to Defender XDR using at least a security admin role.
2. Select Endpoints > Configuration management > Endpoint security policies and select Create new Policy.
3. Select a platform and template, then select Create policy.
4. On the Basics page, enter name and description and choose Next.
5. On the Settings page, configure the settings you want to manage with this profile and select Next.
6. On the Assignments page, select the groups that will receive this profile and select Next.
7. On the Review + create page, select Save.

The new profile is displayed in the list when you select the policy type for the profile you created.

Enabling advanced features like Live Response, Custom Network Indicators, Tamper Protection, Web Content Filtering and others

1. Log in to Defender XDR using an account with the Security administrator or Global administrator role assigned.
2. In the navigation pane, select Settings > Endpoints > Advanced features.
3. Select the advanced feature you want to configure and toggle the setting between On and Off.
4. Select Save preferences.

Configuring automatic attack disruption in Microsoft Defender XDR

1. Review or change the automation level for device groups.
2. Review the prerequisites
3. Review or change the automated response exclusions for users.

Manage automated investigation and response capabilities in Microsoft Defender XDR

Defender XDR has AIR(automated investigation and response) for efficient threat handling. With self-healing capabilities, it operates across devices, email and content, and identities.

The automated investigation process

An alert triggers an incident, initiating an automated investigation and producing verdicts for each evidence piece. Verdicts can be:

• Malicious
• Suspicious
• No threats found

Remediation actions for malicious or suspicious entities are identified. Examples of remediation actions include:

• Sending a file to quarantine
• Stopping a process
• Isolating a device
• Blocking a URL
• Other actions

Review or change the automation level for device groups

• AIR actions for devices depend on settings like the organization’s device group policies.
• Check the configured automation level; global or security administrator rights are required for the procedure:

1. In the Microsoft Defender portal, go to Settings > Endpoints > Device groups under Permissions.
2. Review your device group policies or look at the Automation level column.

Review security and alert policies in Office 365
Alerts and security policies trigger automated investigations, but no automatic remediation happens for email and content. Approval in the Action Center by your security team is needed for all email-related remediation actions.

Manage assets and environments

Configure and manage device groups, permissions, and automation levels in Microsoft Defender for Endpoint

Creating and managing device groups:

1. In the navigation pane, select Settings > Endpoints > Permissions > Device groups.
2. Click Add device group.
3. Enter the group name, automation settings, and the matching rule defining group membership for devices.
4. Assign the user groups that can access the device group and select Close.

Permissions options

• View data
• Active remediation actions
• Security baselines
• Alerts investigation
• Manage portal system settings
• Manage security settings in the Security Center
• Live response capabilities

Automation levels

• Full automation
• Semi-automation
• Semi-automation (requires approval for core folders remediation)
• Semi-automation (requires approval for non-temp folders remediation)
• No automated response

Identify and remediate unmanaged devices in Microsoft Defender for Endpoint

The device discovery capability allows you to discover:

• Enterprise endpoints (workstations, servers, and mobile devices) that aren’t yet onboarded to Microsoft Defender for Endpoint
• Network devices like routers and switches
• loT devices like printers and cameras

Two modes of discovery:

1. Basic discovery:
   Endpoints passively collect events in your network and extract device information from them.
2. Standard discovery (recommended):
   Allows endpoints to actively find devices to enrich collected data and discover more devices.

Once devices are discovered, you can:

• Onboard unmanaged endpoints to the service, increasing the security visibility on them.
• Reduce the attack surface by identifying and assessing vulnerabilities and detecting configuration gaps.

Manage resources by using Azure Arc

Identify and remediate devices at risk by using Microsoft Defender Vulnerability Management

Defender Vulnerability Management offers asset visibility, assessments, and remediation for diverse devices. Using Microsoft threat intelligence, it swiftly prioritizes and provides security recommendations for critical assets to mitigate risk.

Features of the Threat and Vulnerability Management solution:

• Bridging the workflow gaps
• Continuous discovery and monitoring
• Risk-based Intelligent prioritization
• Seamless remediation and tracking

The Vulnerability Management area provides:

• Dashboard
• Recommendations
• Inventories
• Weaknesses page
• Event timeline
• Security assessments

The Reports area provides:

• Vulnerable Devices report

Design and configure a Microsoft Sentinel workspace

Plan a Microsoft Sentinel workspace

The Microsoft Sentinel solution is installed in a Log Analytics Workspace, and most implementation considerations are focused on the Log Analytics Workspace creation. The single most important option when creating a new Log Analytics Workspace is the region where the log data will reside.

Configure Microsoft Sentinel roles and Permissions and Specify Azure RBAC roles for Microsoft Sentinel configuration

• Microsoft Sentinel Reader:
  Can view data, incidents, workbooks, and other Microsoft Sentinel resources.
• Microsoft Sentinel Responder :
  Allows all permissions of Reader; and manages incidents by assigning or dismissing them.
• Microsoft Sentinel Contributor :
  Allows Reader and Responder permissions and helps install and update solutions from content hub create/edit workbooks, analytics rules, and other Microsoft Sentinel resources.
• Microsoft Sentinel Playbook Operator :
  Lists, views, and manually run playbooks.

Manage multiple workspaces by using Workspace manager

Features of Microsoft Sentinel’s Workspace manager:

• Enables users to centrally manage multiple Microsoft Sentinel workspaces within one or more Azure tenants
• Central workspace (with Workspace manager enabled) can consolidate content items to be published at scale to Member workspaces

Possible Workspace Manager Architectures

Manage multiple workspaces by using Workspace manager and Azure Lighthouse

if you manage Microsoft Sentinel workspace (and other Azure resource) across multiple Entra ID tenants, Azure Lighthouse:

• provide access to subscription level management tools
• allows you to select all the subscriptions containing workspaces you manage

Ingest data sources in Microsoft Sentinel

Configure and use Microsoft data connectors for Azure resources, including Azure Policy and diagnostic settings

Data is sent to the Microsoft Sentinel workspace by configuring the provided data connectors. Some of the key Azure-native security log sources include:

1. Azure Activity Logs
   A platform log in Azure that offers insight into subscription-level events, such as resource modifications or virtual machine startups.
2. Entra ID
   Includes (but not limited to) Entra Active Directory, Entra ID Identity Protection, Entra DDOS Protection, Cloud App Security, DNS, Windows Firewall, Security Events, and more.
3. Defender for Cloud
   Microsoft Defender for Cloud’s integrated cloud workload protections enables rapid threat detection and response across hybrid and multi-cloud workloads. Alerts from Defender for Cloud can be seamlessly ingested into Sentinel by configuring the connector.

Note:
To collect log data, you need to connect your data sources with Microsoft Sentinel Connectors. You install Content Hub Solutions that include the data connectors.

Plan and configure Syslog and CEF(Common Event Format) event collections

Streaming logs in both the CEF and Syslog format:

1. Avoid data ingestion duplication
2. Create a DCR for your CEF logs
3. Create a DCR for your Syslogs
4. Create a DCR for both Syslog and CEF logs

Note:
To ingest logs over Syslog with the AMA, create a DCR

Plan and configure collection of Windows Security events by using data collection rules, including WEF(Windows Event Forwarding)

You have the following Windows security events connector options to stream events from Windows devices to Microsoft Sentinel.

Option 1:
Based on your requirements, you can install an agent on each windows device to forward events to Microsoft Sentinel. The agent available:

• Windows Security Events via AMA Connector

Option 2:
Configure a Windows Event Collector device to receive events from the Windows devices. The Windows Event Collector device would then forward events to Microsoft Sentinel with the Windows Forwarded Events connector.

Configure threat intelligence connectors, including platform, TAXII, upload indicators API, and MISP

Microsoft Sentinel gives you a few different ways to use threat intelligence feeds to enhance your security analysts’ ability to detect and prioritize known threats.

1. Use one of many available integrated threat intelligence platform (TIP) products.
2. Connect to TAXII servers to take advantage of any STIX- compatible threat intelligence source.
3. Connect directly to the Microsoft Defender Threat Intelligence feed.
4. Leverage custom solutions to directly communicate with the Threat Intelligence Upload Indicators API.
5. Connect to threat intelligence sources from playbooks to enrich incidents, aiding in directing investigation and response actions.

Other skills in managing security operations environment

• Configure alert and vulnerability notification rules
• Discover and remediate unprotected resources by using Defender for Cloud
• Design and configure Microsoft Sentinel data storage, including log types and log retention
• Identify data sources to be ingested for Microsoft Sentinel
• Create custom log tables in the workspace to store ingested data

Configure protections and detections-考試比重15–20%

2.1 Configure protections in Microsoft Defender security technologies

2.2 Configure detection in Microsoft Defender XDR

2.3 Configure detections in Microsoft Sentinel

Configure protections in Microsoft Defender security technologies

• Configure policies for Microsoft Defender for Cloud Apps
• Configure policies for Microsoft Defender for Office
• Configure security policies for Microsoft Defender for Endpoints, including attack surface reduction (ASR) rules
• Configure cloud workload protections in Microsoft
• Defender for Cloud

Configure detection in Microsoft Defender XDR

• Configure and manage custom detections
• Configure alert tuning
• Configure deception rules in Microsoft Defender XDR

Configure detections in Microsoft Sentinel

• Classify and analyze data by using entities
• Configure scheduled query rules, including KQL
• Configure near-real-time (NRT) query rules, including KQL
• Manage analytics rules from the Content hub Configure anomaly detection analytics rules
• Configure the Fusion rule
• Query Microsoft Sentinel data by using Advanced SIEM Information Model (ASIM) parsers
• Manage and use threat indicators

Configure policies for Microsoft Defender for Cloud Apps

You can use the anomaly detection policies in Microsoft Defender for Cloud Apps to detect a variety of security threats.

Configure an anomaly detection policy

• Go to Control > Policies and set the Type filter to Anomaly detection policy.
• Select the policy and edit the settings: Scope, Advanced configuration, Alerts, and Governance actions.
• You can also create a custom policy using Create policy.

After creating the policies, you can:

• Fine-tune anomaly detection policies for suppression or surfacing alerts
• Adjust the anomaly detection scope policy to users and groups

Configure policies for Microsoft Defender for Office

Use the Microsoft Defender portal to assign Standard and Strict preset security policies to users by selecting Email & Collaboration > Policies & Rules > Threat policies > Preset Security Policies.

1. To turn on/off the preset security policies, toggle the Standard Protection and Strict protection switches.
2. Select the recipients for whom the Exchange Online Protection Policies and Defender for Office 365 policies apply.
3. Add internal and external senders and domains.
4. Add trusted email addresses and domains.
5. Review and confirm your changes.

When a recipient is defined in multiple policies, the policies are applied as follows:

1. The Strict preset security policy.
2. The Standard preset security policy.
3. Defender for Office 365 evaluation policies
4. Custom policies are based on the priority of the policy (a lower number indicates a higher priority).
5. Built-in preset policy includes default settings for Safe Links, Safe Attachments, anti-malware, anti- spam, and anti-phishing.

Configure security policies for Microsoft Defender for Endpoints, including attack surface reduction (ASR) rules

Configure Endpoint Security Policies

1. Select Endpoints > Configuration management > Endpoint security policies and then select Create new Policy
2. Select a platform and template, then select Create policy.
3. On the Basics page, enter a name and description, then choose Next.
4. On the Settings page, configure the settings and select Next.
5. On the Assignments page, select the groups that will receive this profile and select Next.
6. On the Review + create page, select Save.

Configure attack surface reduction

1. Enable hardware-based isolation for Microsoft Edge.
2. Enable:
   — attack surface reduction rules
   — application control
   — controlled folder access
   — removable storage protection
3. Turn on network protection.
4. Enable:
   — Web protection
   — exploit protection
5. Set up your network firewall.

Configure cloud workload protections in Microsoft Defender for Cloud

Microsoft Defender for cloud is a cloud workload protection feature. It provides the following capabilities:

• Generates security alerts in case of threat detection
• Provides advanced protection capabilities
  –Just-in-time (JIT) VM access
  –Adaptive application controls
• Includes vulnerability assessment and management

Configure and manage custom detections

Custom detection is under Defender XDR Advanced threat hunting. Creating custom detection

1. Create a custom detection rule by using KQL query
2. Create new rule and provide alert details
3. Choose the impacted entities
4. Specify actions
5. Set the rule scope
6. Review and turn on the rule

Classify and analyze data by using entities

When alerts are sent to or generated by Microsoft Sentinel, they contain data items that Sentinel can recognize and classify into categories as entities.

• Entity identifiers
  unique labels or attributes associated with entities within the security data that Sentinel collects and analyzes.
• Entity mapping
  associating different entities within the security data to create meaningful relationships and context.
• Entity pages
  a clickable link that has a datasheet full of useful information about that entity

Configure custom scheduled query Analytic rules, including KQL

Create a scheduled query rule

• In the Azure portal, under Microsoft Sentinel, select Analytics. In the header bar, select +Create, and then select Scheduled query rule.
• Configure the settings on tabs/sections such as General tab, Set rule logic tab, and Query Scheduling section.

Configure query scheduling

• In the Query Scheduling section, you can configure how often the query should run, and how far back in history the query should search the data.
• Ensure that you don’t search for data that is older than the query’s run frequency because that can create duplicate alerts.

Config near-real-time query rules, including KQL

1. From the Microsoft Sentinel navigation menu, select Analytics.
2. Select NRT query rule from the Create drop-down list.
3. Follow the instructions of the analytics rule wizard.

Manage analytics rules from the Content hub

Use the Microsoft Sentinel Content hub to centrally discover and install out-of-the-box content.

Search and filter

• In the Content hub, you can filter by categories and other parameters, or use the powerful text search.
• Check the support model for each piece of content, as some content is maintained by partners or the community.

Manage updates

• Manage updates for out-of-the-box content via the Microsoft Sentinel Content hub.
• Use the Repositories page for custom content.

Manage custom content

• Manage custom content in the Microsoft Sentinel workspace, via the Microsoft Sentinel API.
• Manage it in self-owned source control repository. via the Repositories page.

Find, install, and update solutions

• Select a solution to view additional information.
• Select Install, or Update and use the solution wizard to complete the steps.

Configure anomaly detection analytics rules

Steps to configure anomaly detection analytics rules:

1. To change the configuration of an anomaly rule, select the rule from the list in the Anomalies tab.
2. Right-click the required rule and select Duplicate.
3. Select Edit to customize the rule and change the parameters of the rule.
4. Allow some time to enable the customized rule to generate results.
5. Go back to the Anomalies table in Logs to assess the new rule.

Configure the Fusion rule

Steps to configure Fusion rule:

1. Select Analytics from the Microsoft Sentinel navigation menu.
2. Select Fusion from the Run Type drop-down menu.
3. Select Edit, on the Advanced Multistage Attack Detection preview pane.
4. In the Analytics rule wizard, note the status or change it if you want and select Save or Next: Configure Fusion.

Query Microsoft Sentinel data by using ASIM(Advanced SIEM Information Model) parsers

By using ASIM parsers instead of table names in the queries, you can view data in a normalized format and include all data relevant to the schema in your query.

Use built-in ASIM parsers and workspace-deployed parsers

• Built in: Use in most cases that you need ASIM parsers (recommended).
• Workspace-deployed:
  Use when deploying new parsers, or for parsers not yet available out of the box.

ASIM includes two levels of parsers: Unifying and source-specific parsers

• For your queries, use unifying parsers to combine all sources, normalized to the same schema, and query them using normalized fields.

Optimize parsing using parameters: When invoking the parser, optimize ASIM parser performance by using available filtering parameters with one or more named parameters.

The following query uses the built-in unifying DNS parser to query DNS events using the ResponseCodeName, SrclpAddr, and TimeGenerated normalized fields:

KOL

_Im_Dns(starttime=ago(1d), responsecodename='NXDOMAIN' ) | summarize count() by SrcIpAddr, bin(TimeGenerated,15m)

Manage and use threat indicators

You can view, sort, filter, and search your imported threat indicators without even writing a Logs query.

Two most common tasks in managing threat indicators:

1.Create new threat indicators

• In Microsoft Sentinel, choose the workspace to which you have imported threat indicators.
• Go to Threat management > Threat intelligence and select Add new button.
• Choose the indicator type and complete the required fields marked with a red asterisk (*) on the New indicator panel.

2.Tag threat indicators

• Apply a tag to indicators related to a particular incident/threats from a known actor or an attack campaign.
• Tag threat indicators individually or multi-select indicators and tag them all at once.
• Create standard naming conventions for tags.
• You can apply multiple tags to each indicator.

Manage incident response 考試比重 35–40%

1. Respond to alerts and incidents in Microsoft Defender XDR
2. Respond to alerts and incidents identified by Microsoft Defender for Endpoint
3. Enrich investigations by using other Microsoft tools
4. Manage incidents in Microsoft Sentinel
5. Configure security orchestration, automation, and response (SOAR) in Microsoft Sentinel

Respond to alerts and incidents in Microsoft Defender XDR

• Investigate and remediate threats to Microsoft Teams, SharePoint Online, and OneDrive
• Investigate and remediate threats in email by using Microsoft Defender for Office
• Investigate and remediate ransomware and business email compromise incidents identified by automatic attack disruption Investigate and remediate compromised entities identified by Microsoft Purview DLP policies
• Investigate and remediate threats identified by Microsoft Purview insider risk policies
• Investigate and remediate alerts and incidents identified by Microsoft Defender for Cloud
• Investigate and remediate security risks identified by Microsoft Defender for Cloud Apps
• Investigate and remediate compromised identities in Microsoft Entra ID Investigate and remediate security alerts from Microsoft Defender for Identity
• Manage actions and submissions in the Microsoft Defender portal

Respond to alerts and incidents identified by Microsoft Defender for Endpoint

• Investigate the timeline of compromised devices
• Perform actions on the device, including live response and collection investigation packages
• Perform evidence and entity investigation

Enrich investigations by using other Microsoft tools

• Investigate threats by using unified audit Log
• Investigate threats by using Content Search
• Perform threat hunting by using Microsoft Graph activity logs

Manage incidents in Microsoft Sentinel

• Triage incidents in Microsoft Sentinel
• Investigate incidents in Microsoft Sentinel
• Respond to incidents in Microsoft Sentinel

Configure security orchestration, automation, and response (SOAR) Microsoft Sentinel

• Create and configure automation rules
• Create and configure Microsoft Sentinel playbooks
• Configure analytic rules to trigger automation
• Trigger playbooks manually from alerts and incidents
• Run playbooks on On-premises resources

Investigate and remediate threats to Microsoft Teams, SharePoint Online, and OneDrive

Automated investigation and response (AIR) capabilities include a set of security playbooks that can be launched automatically or manually. For Teams, SharePoint, and OneDrive, safe attachments ensure protection.

1. An alert that is triggered, and a security playbook is initiated.
2. Depending on the alert and security playbook, automated investigation begins immediately.
3. While an automated trigger runs, its scope can increase as new or related alerts are triggered.
4. During and after an automated investigation, details and results are available to view
5. Security operations team review the results and recommendations and approves remediation actions

Investigate and remediate threats in email by using Micriosoft Defender for office

• Email & collaboration Investigations Graph displays automatically investigated entities, including emails.
• Microsoft Defender for Office 365 also performs auto remediations, including deleting relevant emails in mailboxes associated with the URL and initiating AAD workflows for password reset and MFA.
• Whenever an automated investigation is running or has been completed, you will see remediation actions that require approval to proceed. It includes:

–Soft delete email messages or clusters

–Block URL (time-of-click)

–Turn off external mail forwarding

–Turn off delegation

Investigate and remediate ransomware and business email compromise incidents identified by automatic attack disruption

Automatic attack disruption operates in three key stages:

1. Uses Defender XDR to correlate signals from multiple sources into a high- confidence incident using insights from endpoints, identities, email, collaboration tools, and SaaS apps.
2. Identifies assets controlled by attacker used to spread the attack
3. Automatically responds across Microsoft Defender products to contain attacks in real-time by isolating affected assets.

Automatic attack disruption response actions:

• Device contain
• Disable user
• Contain user

Investigate and remediate compromised entities identified by Microsoft Purview DLP policies

With DLP policy, you can

• Identify sensitive information Prevent accidental sharing of sensitive information
• Monitor and protect sensitive information in the desktop versions of applications
• Help users learn how to stay compliant without interrupting their workflow

Investigate and remediate threats identified by Microsoft Purview insider risk policies

Microsoft Purview Insider Risk Management helps identify and resolve internal risk activities and compliance issues and follows this workflow:

• Policies: Determine which employees are in scope and the types of risk indicators configured.
• Alerts: Give an all-up view of the risk status.
• Triage: Identify insider risk alerts and examine them to evaluate and triage.
• Investigate: Create cases manually when further action is needed.
• Action: Send the employee notice, resolve the case as benign, or escalate.

Investigate and remediate alerts and incidents identified by Microsoft Defender for Cloud

Refer to the Recommendations page to proactively remediate possible issues and incidents.

Remediation steps

• From the list, select a recommendation.
• Follow the instructions in the Remediation steps section.
• A notification appears to inform you whether the issue is resolved.

Fix button

• Fix helps you quickly remediate a recommendation on multiple resources.
• Select the recommendation that has the Fix action icon.
• From the Unhealthy resources tab, select the resources you want, and select Remediate.

Investigate and remediate security risks identified by Microsoft Defender for Cloud Apps

• To safeguard the security posture for your cloud environment, use the Alerts pane of Microsoft Defender XDR. It provides full visibility into any suspicious activity or violation of Microsoft Defender for Cloud Apps established policies.
• When you select an alert, various remediation options are displayed.

Investigate and remediate security alerts from Microsoft Defender for Identity

This product identifies, detects, and investigates advanced threats, compromised identities, and malicious insider actions with the following alert types:

Manage actions and submissions in the Microsoft Defender portal

Managing actions

The Action Center has two tabs:

• Pending
• History

You can perform these actions in the Action Center:

• Review pending actions
• Review completed actions
• Undo completed actions
• Remove a file from quarantine across multiple devices
• View action source details

Managing submissions

The two types of admin submissions:

• Admin-originated submissions
• Admin submission of use- reported messages

After submission, the following actions are performed:

• Email authentication check
• Policy hits
• Payload reputation/detonation
• Grader analysis

Investigate the timeline of compromised devices, perform actions on the device, including live response and collecting investigation packages and evidence and entity investigation

Investigating timelines of compromised devices

1. Analyzing incident details
2. Going through the evidence
3. Visualizing associated cybersecurity threats

Performing actions

• Verify that you’re running a supported version of Windows
• Familiarize yourself with the Live response dashboard overview
• Initiate a live response session on a device
• Run basic or advanced live response commands
• Use live response commands
• Upload and run a script
• Apply command parameters
• Use supported output types and pipes
• View the command log

Evidence and entity investigation

• Microsoft Defender for Endpoint automatically investigates all supported events and suspicious entities in alerts, offering auto- response and crucial details about files, processes, services, and more.
• Each of the analyzed entities will be marked as infected, remediated, or suspicious.

Investigate threats by using a unified audit Log

Users and admin activities performed in Microsoft 365 services and solutions are captured, recorded, and retained in the Unified Audit Log (UAL). Audit records for these events are searchable using the Microsoft Purview or Microsoft Defender portal Audit Search

Microsoft Purview provides two auditing solutions: Audit (Standard) Audit (Premium)

The process of searching the audit log within the Microsoft Purview compliance portal includes the following steps:

1. Run an audit log search.
2. View the search results.
3. Export the search results to a file.

Investigate threats by using Content Search

A key feature in the Microsoft Purview compliance portal is Content Search. It’s ideal for quick searches across content in Microsoft 365 when full-fledged eDiscovery isn’t needed.

Organizations can use Content search in the Microsoft Purview compliance portal to search for in-place content, such as:

• Email
• Documents
• Instant messaging conversations

Investigation threats using Content Search

• Create and run a search
• Configure search permissions filtering
• View the search results and statistics
• Search for and delete email messages
• Export the search results and search report

Perform threat hunting by using Microsoft Graph activity logs

Threat investigation with Microsoft Security Graph API:

• Is an intermediary service (or broker) that provides programmatic connections to multiple Microsoft Graph security providers
• Is a RESTful web API
• After you register your app and get authentication tokens for a user or service, you can make requests to the Microsoft Graph API
• There are two API versions — 1.0 and beta
• You can use the Graph Explorer to call the Security API (you must have the required permissions, and be authenticated)

Triage, investigate and respond to incidents in Microsoft Sentinel

Triage incidents

• Overview Page
• Incidents Page
• Investigation Graph

Investigate incidents

• Select and open an incident
• Select the Investigate button or select the Investigate in Defender XDR link
• View the Investigation graph

Respond to incidents

• Set and track incident status
• Set and review severity
• Assign and track ownership for the incident
• Perform Incident actions

Note:
Perform automated investigation and remediation actions using Security Orchestration, Automation, and Response (SOAR) playbook

Create and configure automation rules and analytic rules to trigger automation

To create and configure an automation rule:

1. In Microsoft Sentinel, go to the Automation blade. Go to Create > Automation rule.
2. Enter a name for your rule.
3. Choose the actions you want this automation rule to take.
4. If needed, add a Run playbook action.
5. Set an expiration date for the rule.
6. Enter a number under Order to determine where in the sequence this rule will run.

Create and configure Microsoft Sentinel playbooks and trigger playbooks manually from alerts and incidents

Perform the following high-level tasks:

Work with Microsoft Sentinel playbooks

• Go to Microsoft Sentinel > Configuration > Automation.
• Select Create and Add new playbook.
• Configure settings in the tabs/panels that follow.

Invoke an incident and review the associated actions

• Based on the analytics rules you have created, perform an action to invoke an incident.

Assign the playbook to an existing incident

• Go to Microsoft Sentinel > Overview page > Threat management > 1 Incidents.
• Configure the settings in the:
  - Incident page
  -Alert playbook page

Reasons for triggering playbook manually:

• Before deploying a new playbook, it’s essential to test it thoroughly.
• In certain cases, you may prefer to have more control and human input regarding when and if a specific playbook executes.

Perform threat hunting考試比重14–20 %

4.1 Hunt for threats by using KQL

• Identify threats by using Kusto Query Language (KQL)
• Interpret threat analytics in the Microsoft Defender portal
• Create custom hunting queries by using KQL

4.2 Hunt for threats by using Microsoft Sentinel

• Analyze attack vector coverage by using the MITRE ATT&CK in Microsoft Sentinel
• Customize content gallery hunting queries
• Use hunting bookmarks for data investigations
• Monitor hunting queries by using Livestream
• Retrieve and manage archived log data Create and manage search jobs

4.3 Plan and implement privileged access

• Activate and customize Microsoft Sentinel workbook templates
• Create custom workbooks that include KQL
• Configure visualizations

Identify threats by using KQL and create custom hunting queries by using KQL

Create a custom detection rule

1. Prepare the query.
2. Create new rule and provide alert details.
3. Choose the impacted entities.
4. Specify actions.
5. Set the rule scope.
6. Review and turn on the rule.

Manage existing custom detection rules

• View existing rules.
• View rule details, modify rule, and run rule.
• View and manage triggered alerts.
• Review actions.

Interpret threat analytics in the Microsoft Defender portal

Each Threat Analytics report provides an analysis of a tracked threat and extensive guidance on how to defend against that threat. It also incorporates data from your network, indicating whether the threat is active and if you have applicable protections in place.

Sections in Threat analytics dashboard

• Latest threats
• High-impact threats
• Highest exposure threats

Sections in a Threat Analytics report

• Overview
• Analyst report
• Related incidents
• Impacted assets
• Prevented email attempts
• Exposure & mitigations

Analyze attack vector coverage by using the MITRE ATT&CK in Microsoft Sentinel

MITRE ATT&CK is a publicly accessible knowledge base of tactics and techniques that are commonly used by attackers and is created and maintained by observing real-world observations.

1. Use the Legend to understand how many detections are currently active
2. Use the Search bar to search for a specific technique in the matrix
3. Select a specific technique in the matrix to view more details

Customize content gallery hunting queries

• You can modify a query in the details pane and run the new query.
• You can save it as a new query to be reused in your Microsoft Sentinel workspace.
• You can also create your own custom queries by using KQL code to hunt for threats.

Custom queries enable you to define the following query parameters:

• Name
• Description
• Entity mapping
• Tactics

Use hunting bookmarks for data investigations

Bookmarks in Microsoft Sentinel can help you hunt for threats by preserving the queries you ran in Microsoft Sentinel, along with the query results that you deem relevant.

Monitor hunting queries by using Livestream

Use hunting livestream to create interactive sessions that let you test newly created queries as events occur, get notifications from the sessions when a match is found, and launch investigations, if necessary.

1. Create a livestream session
2. View livestream sessions
3. Receive notifications when events occur
4. Elevate a livestream session to an alert

Activate and customize Microsoft Sentinel workbook templates

Customizing workbook templates:

• The header bar in the editing mode contains several editing options.
• In the Settings page, you can provide additional resources. You can also change the style of the workbook, provide tagging, or pin an item in the workbook.
• You can rearrange the placement of different tables in the workbook by selecting Show Pin Options.
• For advanced customization, use Advanced editor.

Create custom workbooks that include KQL

Build your workbook by selecting Edit on the New Workbook page, and then again select the Edit option to change the text that appears in the new workbook template.

You can design your workbook with the following visualization types and elements:

• Text visualizations
• Query item
• Parameters
• Links/tabs
• Metric steps