SC-200 just received a major update, including weighting changes, new topics being added, including a section on Copilot for Security, as well as some topics being removed. Along with this there was some restructuring, merging some sections and consolidating topics
Let’s start by taking a look at the new sections and weightings.
October 2024
- Manage a security operations environment (20–25%)
- Configure protections and detections (15–20%)
- Manage incident response (25–30%)
- Manage security threats (15–20%)
July 2024
- Manage a security operations environment (25–30%)
- Configure protections and detections (15–20%)
- Manage incident response (35–40%)
- Perform threat hunting (15–20%)
The thing to notice here is that the update reduces the weighting for the first and third objective domains, and there seems to be an issue because the maximum total only adds up to 95%. I guess this is something we will see corrected at some point soon.
If we take a look at what’s been added to the exam, you will notice that the majority of them are related to Copilot for Security, which is a new section that has been added to the exam.
- Mitigate risk by using Exposure Management in Microsoft Defender XDR
- Monitor and optimize data ingestion
- Implement behavioral analytics
- Create and use promptbooks
- Manage sources for Copilot for Security, including plugins and files
- Integrate Copilot for Security by implementing connectors
- Manage permissions and roles in Copilot for Security
- Monitor Copilot for Security capacity and cost
- Identify threats and risks by using Copilot for Security
- Investigate incidents by using Copilot for Security
- Create and manage hunts
This isn’t a comprehensive list of what’s been removed, and I use the word removed loosely because most of these topics could still be included as parts of some of the other topics. This is a common phenomenon in exams, and the best way to understand it is that the baseline knowledge expectations change over time, so some items don’t need to listed specifically. I’ve moved any of the links from previous exam resource guides into other topics that they align with.
- Manage multiple workspaces by using workspace manager and Azure Lighthouse
- Manage resources by using Azure Arc
- Connect environments to Microsoft Defender for Cloud (by using multi-cloud management)
- Configure bidirectional synchronization between Microsoft Sentinel and Microsoft Defender XDR
- Investigate and remediate threats to Microsoft Teams, SharePoint Online, and OneDrive
- Manage actions and submissions in the Microsoft Defender portal
- Hunting topics consolidation
All up, if we look at everything else the exam still includes, this exam description update is definitely a major restructure, but not necessarily a major change to the skills the exam expects you to have.
This is one my favorite exams to recommend for someone who wants to get into Microsoft cybersecurity technologies and exams, due the Defender and Sentinel skills you need to pass the exam. If you’ve already passed MS-500 (now retired) and AZ-500, this is an excellent choice as your next exam, because there will be some overlap in the technologies, but expect this exam to go deeper into understanding the Defender family of technologies, and it also goes deeper into Sentinel than you will have seen on previous exams. You will definitely need to spend time with Kusto and Log Analytics, not just for the Microsoft Sentinel questions in the exam, but Microsoft Defender XDR as well.
Manage a security operations environment (20–25%)
Configure settings in Microsoft Defender XDR
- Configure alert and vulnerability notification rules
- Configure Microsoft Defender for Endpoint advanced features
- Configure endpoint rules settings
- Manage automated investigation and response capabilities in Microsoft Defender XDR
- Configure automatic attack disruption in Microsoft Defender XDR
Manage assets and environments
- Configure and manage device groups, permissions, and automation levels in Microsoft Defender for Endpoint
- Identify unmanaged devices in Microsoft Defender for Endpoint
- Discover unprotected resources by using Defender for Cloud
- Identify and remediate devices at risk by using Microsoft Defender Vulnerability Management
- Mitigate risk by using Exposure Management in Microsoft Defender XDR
Design and configure a Microsoft Sentinel workspace
- Plan a Microsoft Sentinel workspace
- Design your Microsoft Sentinel workspace architecture
- Create a Log Analytics workspace in the Azure portal
- Design a workspace deployment
- Security baseline
- Microsoft Defender XDR integration with Microsoft Sentinel
- Verify data storage location and update data retention settings
- Work with incidents in multiple workspaces
- Manage Microsoft Sentinel workspaces at scale
- Configure Microsoft Sentinel roles
- Specify Azure RBAC roles for Microsoft Sentinel configuration
- Design and configure Microsoft Sentinel data storage, including log types and log retention
Ingest data sources in Microsoft Sentinel
- Identify data sources to be ingested for Microsoft Sentinel
- Implement and use Content hub solutions
- Configure and use Microsoft connectors for Azure resources, including Azure Policy and diagnostic settings
- Plan and configure Syslog and Common Event Format (CEF) event collections
- Plan and configure collection of Windows Security events by using data collection rules, including Windows Event Forwarding (WEF)
- Create custom log tables in the workspace to store ingested data
- Monitor and optimize data ingestion
Configure protections and detections (15–20%)
Configure protections in Microsoft Defender security technologies
- Configure policies for Microsoft Defender for Cloud Apps
- Configure policies for Microsoft Defender for Office 365
- Configure security policies for Microsoft Defender for Endpoint, including attack surface reduction (ASR) rules
- Configure cloud workload protections in Microsoft Defender for Cloud
- Reference list of recommendations
- Feature coverage for Azure PaaS resources
- Coverage by OS, machine type, and cloud
- Integrate security solutions and data sources
- Organize management groups and subscriptions
- Export to a Log Analytics workspace
- Change the data retention period
- User roles and permissions
- Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud
- Select a Defender for Servers plan
- Protect servers with Defender for Servers
- Connect GitHub repositories
- Connect Azure DevOps repositories
- Configure the Microsoft Security DevOps GitHub action
- Configure the Microsoft Security DevOps Azure DevOps extension
- Deploying the Defender EASM Azure resource
Configure detection in Microsoft Defender XDR
- Configure and manage custom detection rules
- Manage alerts, including tuning, suppression, and correlation
- Configure deception rules in Microsoft Defender XDR
Configure detections in Microsoft Sentinel
- Classify and analyze data by using entities
- Configure and manage analytics rules
- Query Microsoft Sentinel data by using ASIM parsers
- Implement behavioral analytics
Manage incident response (25–30%)
Respond to alerts and incidents in the Microsoft Defender portal
- Investigate and remediate threats by using Microsoft Defender for Office 365
- Investigate and remediate ransomware and business email compromise incidents identified by automatic attack disruption
- Investigate and remediate compromised entities identified by Microsoft Purview data loss prevention (DLP) policies
- Investigate and remediate threats identified by Microsoft Purview insider risk policies
- Investigate and remediate alerts and incidents identified by Microsoft Defender for Cloud workload protections
- Security alerts and incidents
- How are alerts classified?
- Set up email notifications
- Create and manage alerts suppression rules
- Automate responses to recommendations
- What is a security recommendation?
- Automate responses to alerts
- Investigate and respond to security alerts
- Manage security incidents
- Generate threat intelligence reports
- Access and track your secure score
- Investigate and remediate security risks identified by Microsoft Defender for Cloud Apps
- Investigate and remediate compromised identities that are identified by Microsoft Entra ID
- Investigate and remediate security alerts from Microsoft Defender for Identity
Respond to alerts and incidents identified by Microsoft Defender for Endpoint
- Investigate device timelines
- Perform actions on the device, including live response and collecting investigation packages
- Perform evidence and entity investigation
Investigate Microsoft 365 activities
- Investigate threats by using unified audit Log
- Investigate threats by using Content Search
- Investigate threats by using Microsoft Graph activity logs
Respond to incidents in Microsoft Sentinel
- Investigate and remediate incidents in Microsoft Sentinel
- Create and configure automation rules
- Create and configure Microsoft Sentinel playbooks
- Run playbooks on on-premises resources
Implement and use Copilot for Security
- Create and use promptbooks
- Manage sources for Copilot for Security, including plugins and files
- Integrate Copilot for Security by implementing connectors
- Manage permissions and roles in Copilot for Security
- Monitor Copilot for Security capacity and cost
- Identify threats and risks by using Copilot for Security
- Investigate incidents by using Copilot for Security
Manage security threats (15–20%)
Hunt for threats by using Microsoft Defender XDR
- Identify threats by using Kusto Query Language (KQL)
- Interpret threat analytics in the Microsoft Defender portal
- Create custom hunting queries by using KQL
Hunt for threats by using Microsoft Sentinel
- Analyze attack vector coverage by using the MITRE ATT&CK matrix
- Manage and use threat indicators
- Create and manage hunts
- Create and monitor hunting queries
- Use hunting bookmarks for data investigations
- Retrieve and manage archived log data
- Create and manage search jobs
Create and configure Microsoft Sentinel workbooks
- Activate and customize workbook templates
- Create custom workbooks that include KQL
- Configure visualizations
intunedin.net 