Exam SC-200:
Candidates for this role should be familiar with attack vectors, cyber threats, incident management, and Kusto Query Language (KQL). Candidates should also be familiar with Microsoft 365 and Azure services.
Skills measured as of May 5, 2023
- The English language version of this exam will be updated on May 5, 2023. Review the study guide linked in the preceding “Tip” box for details about the skills measured and upcoming changes.
- Mitigate threats using Microsoft 365 Defender (25-30%)
- Mitigate threats using Microsoft Defender for Cloud (20-25%)
- Mitigate threats using Microsoft Sentinel (50-55%)
Pre-requisite
-
Mitigate threats to the Microsoft 365 environment by using Microsoft 365 Defender
- Investigate, respond, and remediate threats to Microsoft Teams, SharePoint Online, and OneDrive
- Investigate, respond, and remediate threats to email by using Microsoft Defender for Office 365
- Investigate and respond to alerts generated from data loss prevention (DLP) policies
- Investigate and respond to alerts generated from insider risk policies
- Discover and manage apps by using Microsoft Defender for Cloud Apps
- Identify, investigate, and remediate security risks by using Defender for Cloud Apps
-
Mitigate endpoint threats by using Microsoft Defender for Endpoint
- Manage data retention, alert notification, and advanced features
- Recommend attack surface reduction (ASR) for devices
- Respond to incidents and alerts
- Configure and manage device groups
- Identify devices at risk by using the Microsoft Defender Vulnerability Management
- Manage endpoint threat indicators
- Identify unmanaged devices by using device discovery
-
Mitigate identity threats
- Mitigate security risks related to events for Microsoft Azure Active Directory (Azure AD), part of Microsoft Entra
- Mitigate security risks related to Azure AD Identity Protection events
- Mitigate security risks related to Active Directory Domain Services (AD DS) by using Microsoft Defender for Identity
-
Manage extended detection and response (XDR) in Microsoft 365 Defender
- Manage incidents and automated investigations in the Microsoft 365 Defender portal
- Manage actions and submissions in the Microsoft 365 Defender portal
- Identify threats by using KQL
- Identify and remediate security risks by using Microsoft Secure Score
- Analyze threat analytics in the Microsoft 365 Defender portal
- Configure and manage custom detections and alerts
-
Investigate threats by using audit features in Microsoft 365 Defender and Microsoft Purview
-
Implement and maintain cloud security posture management
-
Configure environment settings in Defender for Cloud
- Plan and configure Defender for Cloud settings, including selecting target subscriptions and workspaces
- Configure Defender for Cloud roles
- Assess and recommend cloud workload protection
- Enable Microsoft Defender plans for Defender for Cloud
- Configure automated onboarding for Azure resources
- Connect compute resources by using Azure Arc
- Connect multicloud resources by using Environment settings
-
Respond to alerts and incidents in Defender for Cloud
-
Design and configure a Microsoft Sentinel workspace
-
Plan and implement the use of data connectors for ingestion of data sources in Microsoft Sentinel
- Identify data sources to be ingested for Microsoft Sentinel
- Configure and use Microsoft Sentinel connectors for Azure resources, including Azure Policy and diagnostic settings
- Configure Microsoft Sentinel connectors for Microsoft 365 Defender and Defender for Cloud
- Design and configure Syslog and Common Event Format (CEF) event collections
- Design and configure Windows security event collections
- Configure threat intelligence connectors
- Create custom log tables in the workspace to store ingested data
-
Manage Microsoft Sentinel analytics rules
-
Perform data classification and normalization
-
Configure security orchestration automated response (SOAR) in Microsoft Sentinel
-
Manage Microsoft Sentinel incidents
-
Use Microsoft Sentinel workbooks to analyze and interpret data
-
Hunt for threats by using Microsoft Sentinel
- Analyze attack vector coverage by using MITRE ATT&CK in Microsoft Sentinel
- Customize content gallery hunting queries
- Create custom hunting queries
- Use hunting bookmarks for data investigations
- Monitor hunting queries by using Livestream
- Retrieve and manage archived log data
- Create and manage search jobs
-
Manage threats by using entity behavior analytics