
The SC-200 study guide just received a major update, with changes in weightings, new topics being added, topics being removed and more, so let’s jump in and take a look at what these changes are.
First of all, it has been reduced to three main sections with the following weightings.
- Manage a security operations environment (40–45%)
- Respond to security incidents (35–40%)
- Perform threat hunting (20–25%)
Previously, it was:
- Manage a security operations environment (20–25%)
- Configure protections and detections (15–20%)
- Manage incident response (25–30%)
- Manage security threats (15–20%)
The main things to notice with these changes are the increase in Manage a security operations environment, effectively doubling its weighting, and the removal of Configure protections and detections, although elements of this section are incorporated into the other parts of the exam.
A few topics have been consolidated, including Security Copilot being reduced to one item, as well as Sentinel workspace planning being rolled into other areas. A few specific Sentinel and Defender XDR items have been removed, but it’s better to work on the assumption that these have just become expected base knowledge that the candidate profile addresses. Defender for Cloud workload protections have been deemphasized, but integration into Defender XDR is still present.
In terms of what’s new, the most prominent Sentinel additions are data lake, MCP server, summary rules, KQL jobs on data lake, and Sentinel graph. On the Defender side, the obvious new entries are hunting graph, custom data collection in Microsoft Defender for Endpoint, new case management, and threat analytics.
This is one of my favorite exams to recommend for someone who wants to get into Microsoft cybersecurity technologies and exams, due to the Defender and Sentinel skills you need to pass it. If you’ve already passed MS-500 (now retired) and AZ-500 (soon to be retired and replaced by SC-500), this is an excellent choice as your next exam, because there will be some overlap in the technologies, but expect this exam to go deeper into understanding the Defender family of technologies, and it also goes deeper into Sentinel than you will have seen on previous exams. You will definitely need to spend time with KQL and Log Analytics, not just for the Microsoft Sentinel questions in the exam, but for Microsoft Defender XDR as well, especially with the unified SecOps experience, with less of a focus on Defender for Cloud capabilities in the Azure portal.
Manage a security operations environment (40–45%)
Configure automation for Microsoft Defender XDR and Microsoft Sentinel
- Configure email notifications in Microsoft Defender XDR, including incidents, actions, and threat analytics
- Configure alert notifications in Microsoft Defender XDR, including tuning, suppression, and correlation
- Configure Microsoft Defender for Endpoint advanced features
- Configure rules settings in Microsoft Defender for Endpoint
- Configure custom data collection in Microsoft Defender for Endpoint
- Configure security policies for Microsoft Defender for Endpoint, including attack surface reduction (ASR) rules
- Manage automated investigation and response capabilities in Microsoft Defender XDR
- Configure automatic attack disruption in Microsoft Defender XDR
- Configure and manage device groups, permissions, and automation levels in Microsoft Defender for Endpoint
- Create and configure automation rules in Microsoft Sentinel
- Create and configure Microsoft Sentinel playbooks
Configure the Microsoft Sentinel SIEM and platform
- Specify Microsoft Sentinel roles
- Manage data retention for XDR and Microsoft Sentinel tables, including Analytics, Data lake, and XDR tiers
- Create and configure Microsoft Sentinel workbooks
- Optimize the Microsoft Sentinel platform, including SOC optimization recommendations
Ingest data into the Microsoft Sentinel SIEM and platform
- Select data connectors based on data source requirements, including Windows logs and security events
- Configure collection of Windows Security events by using Windows Security Events via AMA, including data collection rules
- Plan and configure collection of Windows Security events by using Windows Event Forwarding (WEF)
- Plan and configure Syslog via AMA and Common Event Format (CEF) via AMA connectors
- Configure collection of Azure activities by using Azure Policy and resource diagnostic settings
- Ingest threat indicators into Microsoft Sentinel
- Create custom log tables in the workspace to store ingested data
Configure detections
- Create custom detection rules by using Advanced Hunting in Microsoft Defender XDR
- Manage custom detection rules in Microsoft Defender XDR
- Configure and manage analytics rules in Microsoft Sentinel SIEM, including scheduled, near-real-time (NRT), threat intelligence, and machine learning
- Analyze attack vector coverage by using the MITRE ATT&CK matrix
- Configure anomalies in Microsoft Sentinel
Respond to security incidents (35–40%)
Respond to alerts and incidents in Microsoft Defender XDR
- Investigate and remediate threats by using Microsoft Defender for Office 365, including automatic attack disruption
- Investigate and remediate threats or compromised entities identified by Microsoft Purview
- Investigate and remediate alerts and incidents identified by Microsoft Defender for Cloud workload protections
  - Security alerts and incidents
  - How are alerts classified?
  - Set up email notifications
  - Create and manage alert suppression rules
  - Automate responses to recommendations
  - What is a security recommendation?
  - Automate responses to alerts
  - Investigate and respond to security alerts
  - Manage security incidents
  - Generate threat intelligence reports
  - Access and track your secure score
- Investigate and remediate security risks identified by Microsoft Defender for Cloud Apps
- Investigate and remediate compromised identities that are identified by Microsoft Entra ID
- Investigate and remediate security alerts from Microsoft Defender for Identity
- Investigate and remediate alerts and incidents identified by Microsoft Sentinel
- Investigate incidents by using agentic AI, including embedded Copilot for Security
- Investigate complex attacks, such as multi-stage, multi-domain, and lateral movement
- Manage security incidents by using case management
Respond to alerts and incidents in Microsoft Defender for Endpoint
- Investigate device timelines
- Perform actions on the device, including live response and collecting investigation packages
- Perform evidence and entity investigation
- Investigate and remediate incidents identified by automatic attack disruption
Investigate Microsoft 365 activities to identify threats
- Investigate threats by using Audit from Microsoft Purview
- Investigate threats by using Content Search in Microsoft Purview
- Investigate threats by using Microsoft Graph activity logs
Perform threat hunting (20–25%)
Detect threats by using Microsoft Defender XDR
- Identify the appropriate table to use in a KQL query
- Identify threats by using Kusto Query Language (KQL)
- Create Advanced Hunting queries
- Interpret threat analytics in Microsoft Defender XDR
- Create hunting graphs, including blast radius
- Analyze relationships between entities by using Sentinel Graph
Detect threats by using the Microsoft Sentinel platform
- Create and monitor hunting queries
- Create and manage KQL jobs in Data lake
- Create and manage Summary rule tables for querying
- Hunt for threats by using Notebooks, including connection to the Sentinel MCP Server