SC-200 has just received its largest restructure since it was introduced a little over three years ago. Has the restructure changed what you need to know for the exam, or is it mostly an adjustment that groups the objective domains by role skills rather than by technology? Let’s start by taking a look at the new sections and weightings.
- Manage a security operations environment (25–30%)
- Configure protections and detections (15–20%)
- Manage incident response (35–40%)
- Perform threat hunting (15–20%)
Comparing it to the previous version, you can immediately see that it is very different indeed.
- Mitigate threats by using Microsoft 365 Defender (25–30%)
- Mitigate threats by using Defender for Cloud (15–20%)
- Mitigate threats by using Microsoft Sentinel (50–55%)
Taking a look at the new additions that don’t completely overlap with previous objectives, we end up with the following list. I’m not suggesting that these are the only changes; they are the things that stood out to me when I was updating this guide.
- Configure automatic attack disruption in Microsoft Defender XDR
- Configure bidirectional synchronization between Microsoft Sentinel and Microsoft Defender XDR
- Configure policies for Microsoft Defender for Office
- Configure deception rules in Microsoft Defender XDR
- Investigate and remediate security risks identified by Microsoft Defender for Cloud Apps
- Investigate and remediate ransomware and business email compromise incidents identified by automatic attack disruption
- Investigate timeline of compromised devices
- Perform actions on the device, including live response and collecting investigation packages
- Perform evidence and entity investigation
- Perform threat hunting by using Microsoft Graph activity logs
- Run playbooks on on-premises resources
All up, if we look at everything else the exam still includes, this exam description update is definitely a major restructure, but not necessarily a major change to the skills the exam expects you to have.
This is one of my favorite exams to recommend for someone who wants to get into Microsoft cybersecurity technologies and exams, due to the Defender and Sentinel skills you need to pass it. If you’ve already passed MS-500 (now retired) and AZ-500, this is an excellent choice as your next exam, because there will be some overlap in the technologies, but expect this exam to go deeper into the Defender family of technologies, and it also goes deeper into Sentinel than you will have seen on previous exams. You will definitely need to spend time with Kusto and Log Analytics, not just for the Microsoft Sentinel questions in the exam, but for the Microsoft 365 Defender and Microsoft Defender for Cloud questions as well.
Manage a security operations environment (25–30%)
Configure settings in Microsoft Defender XDR
- Configure a connection from Defender XDR to a Sentinel workspace
- Configure alert and vulnerability notification rules
- Configure Microsoft Defender for Endpoint advanced features
- Configure endpoint rules settings, including indicators and web content filtering
- Manage automated investigation and response capabilities in Microsoft Defender XDR
- Configure automatic attack disruption in Microsoft Defender XDR
Manage assets and environments
- Configure and manage device groups, permissions, and automation levels in Microsoft Defender for Endpoint
- Identify and remediate unmanaged devices in Microsoft Defender for Endpoint
- Manage resources by using Azure Arc
- Connect environments to Microsoft Defender for Cloud (by using multi-cloud account management)
- Discover and remediate unprotected resources by using Defender for Cloud
- Identify and remediate devices at risk by using Microsoft Defender Vulnerability Management
Design and configure a Microsoft Sentinel workspace
- Plan a Microsoft Sentinel workspace
- Configure Microsoft Sentinel roles
- Specify Azure RBAC roles for Microsoft Sentinel configuration
- Design and configure Microsoft Sentinel data storage, including log types and log retention
- Manage multiple workspaces by using Workspace manager and Azure Lighthouse
Ingest data sources in Microsoft Sentinel
- Identify data sources to be ingested for Microsoft Sentinel
- Implement and use Content hub solutions
- Configure and use Microsoft connectors for Azure resources, including Azure Policy and diagnostic settings
- Configure bidirectional synchronization between Microsoft Sentinel and Microsoft Defender XDR
- Plan and configure Syslog and Common Event Format (CEF) event collections
- Plan and configure collection of Windows Security events by using data collection rules, including Windows Event Forwarding (WEF)
- Configure threat intelligence connectors, including platform, TAXII, upload indicators API, and MISP
- Create custom log tables in the workspace to store ingested data
Configure protections and detections (15–20%)
Configure protections in Microsoft Defender security technologies
- Configure policies for Microsoft Defender for Cloud Apps
- Configure policies for Microsoft Defender for Office
- Configure security policies for Microsoft Defender for Endpoints, including attack surface reduction (ASR) rules
- Configure cloud workload protections in Microsoft Defender for Cloud
  - Reference list of recommendations
  - Feature coverage for Azure PaaS resources
  - Coverage by OS, machine type, and cloud
  - Integrate security solutions and data sources
  - Organize management groups and subscriptions
  - Export to a Log Analytics workspace
  - Change the data retention period
  - User roles and permissions
  - Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud
  - Select a Defender for Servers plan
  - Protect servers with Defender for Servers
  - Connect GitHub repositories
  - Connect Azure DevOps repositories
  - Configure the Microsoft Security DevOps GitHub action
  - Configure the Microsoft Security DevOps Azure DevOps extension
  - Deploying the Defender EASM Azure resource
Configure detection in Microsoft Defender XDR
- Configure and manage custom detections
- Configure alert tuning
- Configure deception rules in Microsoft Defender XDR
Configure detections in Microsoft Sentinel
- Classify and analyze data by using entities
- Configure scheduled query rules, including KQL
- Configure near-real-time (NRT) query rules, including KQL
- Manage analytics rules from Content hub
- Configure anomaly detection analytics rules
- Configure the Fusion rule
- Query Microsoft Sentinel data by using ASIM parsers
- Manage and use threat indicators
Manage incident response (35–40%)
Respond to alerts and incidents in Microsoft Defender XDR
- Investigate and remediate threats to Microsoft Teams, SharePoint Online, and OneDrive
- Investigate and remediate threats in email by using Microsoft Defender for Office
- Investigate and remediate ransomware and business email compromise incidents identified by automatic attack disruption
- Investigate and remediate compromised entities identified by Microsoft Purview data loss prevention (DLP) policies
- Investigate and remediate threats identified by Microsoft Purview insider risk policies
- Investigate and remediate alerts and incidents identified by Microsoft Defender for Cloud
  - Security alerts and incidents
  - How are alerts classified?
  - Set up email notifications
  - Create and manage alerts suppression rules
  - Automate responses to recommendations
  - What is a security recommendation?
  - Automate responses to alerts
  - Investigate and respond to security alerts
  - Manage security incidents
  - Generate threat intelligence reports
  - Access and track your secure score
- Investigate and remediate security risks identified by Microsoft Defender for Cloud Apps
- Investigate and remediate compromised identities in Microsoft Entra ID
- Investigate and remediate security alerts from Microsoft Defender for Identity
- Manage actions and submissions in the Microsoft Defender portal
Respond to alerts and incidents identified by Microsoft Defender for Endpoint
- Investigate timeline of compromised devices
- Perform actions on the device, including live response and collecting investigation packages
- Perform evidence and entity investigation
Enrich investigations by using other Microsoft tools
- Investigate threats by using the unified audit log
- Investigate threats by using Content Search
- Perform threat hunting by using Microsoft Graph activity logs
Manage incidents in Microsoft Sentinel
- Triage incidents in Microsoft Sentinel
- Investigate incidents in Microsoft Sentinel
- Respond to incidents in Microsoft Sentinel
Configure security orchestration, automation, and response (SOAR) in Microsoft Sentinel
- Create and configure automation rules
- Create and configure Microsoft Sentinel playbooks
- Configure analytic rules to trigger automation
- Trigger playbooks manually from alerts and incidents
- Run playbooks on on-premises resources
Perform threat hunting (15–20%)
Hunt for threats by using KQL
- Identify threats by using Kusto Query Language (KQL)
- Interpret threat analytics in the Microsoft Defender portal
- Create custom hunting queries by using KQL
Hunt for threats by using Microsoft Sentinel
- Analyze attack vector coverage by using the MITRE ATT&CK in Microsoft Sentinel
- Customize content gallery hunting queries
- Use hunting bookmarks for data investigations
- Monitor hunting queries by using Livestream
- Retrieve and manage archived log data
- Create and manage search jobs
Analyze and interpret data by using workbooks
- Activate and customize Microsoft Sentinel workbook templates
- Create custom workbooks that include KQL
- Configure visualizations