SC-200 is about to be updated, with two new items being added to the Investigate threats by using audit features in Microsoft 365 Defender and Microsoft Purview section.
Investigate threats by using audit features in Microsoft 365 Defender and Microsoft Purview (pre-Jan 23, 2024)
- Perform threat hunting by using unified audit log
- Perform threat hunting by using Content Search
Investigate threats by using audit features in Microsoft 365 Defender and Microsoft Purview (from Jan 23, 2024)
- Perform threat hunting by using unified audit log
- Perform threat hunting by using Content Search
- Use the guided hunting mode in Microsoft 365 Defender
- Use the advanced hunting mode in Microsoft 365 Defender
This is one my favorite exams to recommend for someone who wants to get into Microsoft cybersecurity technologies and exams, due the Defender and Sentinel skills you need to pass the exam. If you’ve already passed MS-500 (recently retired) and AZ-500, this is an excellent choice as your next exam, because there will be some overlap in the technologies, but expect this exam to go deeper into understanding the Defender family of technologies, and it also goes deeper into Sentinel than you will have seen on previous exams. You will definitely need to spend some time with Kusto and Log Analytics, not just for the Microsoft Sentinel portion of the exam, but Microsoft 365 Defender and Microsoft Defender for Cloud as well.
Mitigate threats using Microsoft 365 Defender (25-30%)
Mitigate threats to the productivity environment by using Microsoft 365 Defender
- Investigate, respond, and remediate threats to Microsoft Teams, SharePoint Online, and OneDrive
- Investigate, respond, and remediate threats to email by using Microsoft Defender for Office 365
- Investigate and respond to alerts generated from Data Loss Prevention (DLP)_policies
- Investigate and respond to alerts generated from insider risk policies
- Discover and manage apps by using Microsoft Defender for Cloud Apps
- Identify, investigate, and remediate security risks by using Defender for Cloud Apps
Mitigate endpoint threats by using Microsoft Defender for Endpoint
- Manage data retention, alert notification, and advanced features
- Recommend attack surface reduction (ASR) for devices
- Respond to incidents and alerts
- Configure and manage device groups
- Identify devices at risk by using the Microsoft Defender Vulnerability Management
- Manage endpoint threat indicators
- Identify unmanaged devices by using device discovery
Mitigate identity threats
- Identify and remediate security risks related to events for Microsoft Entra ID
- Identify and remediate security risks related to Microsoft Entra Identity Protection events
- Identify and remediate security risks related to Active Directory Domain Services using Microsoft Defender for Identity
Manage extended detection and response (XDR) in Microsoft 365 Defender
- Manage incidents and automated investigations in the Microsoft 365 Defender portal
- Manage actions and submissions in the Microsoft 365 Defender portal
- Identify threats by using Kusto Query Language (KQL)
- Identify and remediate security risks using Microsoft Secure Score
- Analyze threat analytics in the Microsoft 365 Defender portal
- Configure and manage custom detections and alerts
Investigate threats by using audit features in Microsoft 365 Defender and Microsoft Purview
- Perform threat hunting by using the unified audit log
- Perform threat hunting by using Content Search
- Use the guided hunting mode in Microsoft 365 Defender
- Use the advanced hunting mode in Microsoft 365 Defender
Mitigate threats using Microsoft Defender for Cloud (15-20%)
Implement and maintain cloud security posture management
- Assign and manage regulatory compliance policies, including Microsoft cloud security benchmark (MCSB)
- Improve the Defender for Cloud secure score by applying recommended remediations
- Configure plans and agents for Microsoft Defender for Servers
- Configure and manage Microsoft Defender for DevOps
- Configure and manage Microsoft Defender External Attack Surface Management (EASM)
Configure environment settings in Defender for Cloud
- Plan and configure Microsoft Defender for Cloud settings, including selecting target subscriptions and workspaces
- Configure Microsoft Defender for Cloud roles
- Assess and recommend cloud workload protection
- Enable plans for Microsoft Defender for Cloud
- Configure automated onboarding of Azure resources
- Connect compute resources by using Azure Arc
- Connect multi-cloud resources by using Environment settings
Respond to alerts and incidents in Microsoft Defender for Cloud
- Set up email notifications
- Create and manage alert suppression rules
- Design and configure workflow automation in Microsoft Defender for Cloud
- Remediate alerts and incidents by using Microsoft Defender for Cloud recommendations
- Manage security alerts and incidents
- Analyze Microsoft Defender for Cloud threat intelligence reports
Mitigate threats using Microsoft Sentinel (50-55%)
Design and configure an Microsoft Sentinel workspace
- Plan a Microsoft Sentinel workspace
- Configure Microsoft Sentinel roles
- Design and configure Microsoft Sentinel data storage
Plan and Implement the use of data connectors for ingestion of data sources in Microsoft Sentinel
- Identify data sources to be ingested for Microsoft Sentinel
- Configure and use Microsoft Sentinel data connectors for Azure resources, including Azure Policy and diagnostic settings
- Configure Microsoft Sentinel connectors for Microsoft 365 Defender and Microsoft Defender for Cloud
- Design and configure Syslog and Common Event Format (CEF) event collections
- Design and Configure Windows Security events collections
- Configure threat intelligence connectors
- Create custom log tables in the workspace to store ingested data
Manage Microsoft Sentinel analytics rules
- Configure the Fusion rule
- Configure Microsoft security analytics rules
- Configure built-in scheduled query rules
- Configure custom scheduled query rules
- Configure near-real-time (NRT) query rules
- Manage analytics rules from Content hub
- Manage and use watchlists
- Manage and use threat indicators
Perform data classification and normalization
- Classify and analyze data by using entities
- Query Microsoft Sentinel data by using Advanced SIEM Information Model (ASIM) parsers
- Develop and manage ASIM parsers
Configure Security Orchestration Automation and Response (SOAR) in Microsoft Sentinel
- Create and configure automation rules
- Create and configure Microsoft Sentinel playbooks
- Configure analytics rules to trigger automation rules
- Trigger playbooks manually from alerts and incidents
Manage Microsoft Sentinel Incidents
- Configure an incident generation
- Triage incidents in Microsoft Sentinel
- Investigate incidents in Microsoft Sentinel
- Respond to incidents in Microsoft Sentinel
- Investigate multi-workspace incidents
Use Microsoft Sentinel workbooks to analyze and interpret data
- Activate and customize Microsoft Sentinel workbook templates
- Create custom workbooks
- Configure advanced visualizations
Hunt for threats using Microsoft Sentinel
- Analyze attack vector coverage by using MITRE ATT&CK in Microsoft Sentinel
- Customize content gallery hunting queries
- Create custom hunting queries
- Use hunting bookmarks for data investigations
- Monitor hunting queries by using Livestream
- Retrieve and manage archived log data
- Create and manage search jobs
Manage threats by using entity behavior analytics
- Configure User and Entity Behavior Analytics settings
- Investigate threats by using entity pages
- Configure anomaly detection analytics rules