SC-200 had a refresh in late January, which was mostly to incorporate the renaming of Azure Sentinel to Microsoft Sentinel, and the renaming of Azure Security Center and Azure Defender to Microsoft Defender for Cloud. In other words, the exam is going to be better aligned with current material you will be using for your exam preparation.

As I’ve mentioned in the previous preparation guides for Microsoft’s security and compliance exams, they are targeting those who have broad exposure across both Azure and Microsoft 365 technologies. If you take a look at the weighting of this exam, 65-75% of it could be categorised as mostly Azure related, while only 25-30% of the exam is Microsoft 365 focused. What does this mean for those of you planning on taking this exam?

If you are starting your exam preparation already having exposure to Microsoft Defender for Cloud, Microsoft Sentinel, Log Analytics, Kusto Query Language and Logic Apps, as well as an understanding of other related Azure services, you are going to be in pretty good shape to fill in the Microsoft 365 Defender gaps and pass the exam. However, you can also easily figure out that the opposite is true – if you’ve only been working with the Microsoft 365 Defender components, there is going to be a lot of studying and learning required to have a good chance of passing on your first attempt.

The good news is that regardless of which of these categories you fall under, the exam doesn’t expect you to have a deep understanding of the workloads that you are trying to protect, and instead focuses on the skills and tools needed to perform those tasks, not how to remediate the underlying issues that might be identified on a workload by workload basis. This is where this exam is quite different to exams such as MS-500 and AZ-500, as they expect you to know the workloads you are trying to protect as well as how to protect them.

This means that candidates for this exam get a very different recommendation from me than those targeting one of the 500-series exams just mentioned. I usually don’t recommend those as someone’s first exam, as they tend to reward people who have done other exams in the lead-up to them. In the case of MS-500, for example, I highly recommend that someone has already passed MS-100, MS-101 and MD-101, as those have traditionally done a good job of covering a great deal of content that overlaps with MS-500.

Now, if you’ve already passed MS-500 and AZ-500, this is an excellent choice as your next exam, because there will be some overlap in the technologies, but expect this exam to go much deeper into understanding the Defender family of technologies, and it also goes deeper into Sentinel than you will have seen on previous exams. You will definitely need to spend some time with Kusto and Log Analytics, not just for the Microsoft Sentinel portion of the exam, but Microsoft Defender for Cloud as well.

Mitigate threats using Microsoft 365 Defender (25-30%)

Detect, investigate, respond, and remediate threats to the productivity environment by using Microsoft Defender for Office 365

Detect, investigate, respond, and remediate endpoint threats by using Microsoft Defender for Endpoint

Detect, investigate, respond, and remediate identity threats

Detect, investigate, respond, and remediate application threats

Manage cross-domain investigations in Microsoft 365 Defender portal

Mitigate threats using Microsoft Defender for Cloud (25-30%)

Design and configure a Microsoft Defender for Cloud implementation

Plan and implement the use of data connectors for ingestion of data sources in Microsoft Defender for Cloud

Manage Microsoft Defender for Cloud alert rules

Configure automation and remediation

Investigate Microsoft Defender for Cloud alerts and incidents

Mitigate threats using Microsoft Sentinel (40-45%)

Design and configure a Microsoft Sentinel workspace

Plan and implement the use of data connectors for ingestion of data sources in Microsoft Sentinel

Manage Microsoft Sentinel analytics rules

Configure Security Orchestration Automation and Response (SOAR) in Microsoft Sentinel

Manage Microsoft Sentinel Incidents

Use Microsoft Sentinel workbooks to analyze and interpret data

Hunt for threats using the Microsoft Sentinel portal