What to Expect in the Microsoft SC-200 Exam
An exam built specifically for cloud security analysts.
Microsoft recently released a new SC series of exams that are designed for more specific security domains in Microsoft cloud security products. The SC-200 is an exam for cybersecurity analysts who are using the Microsoft cloud EDR and SIEM solutions.
This exam is very useful for testing the ability of newer analysts to use the tools they would be working with on a regular basis. It is also a great complement to the AZ-500 exam that we are currently using to train and test our cybersecurity analysts because the AZ-500 is more focused on broad cloud security administration rather than specific analyst tools.
In this blog, we will go over the content in the SC-200 and discuss what to expect when answering questions from each section. We will also discuss ways someone interested in taking the exam could prepare for each of the sections of the exam.
Microsoft 365 Defender Incident Management
All 4 of the Microsoft 365 Defender products are represented in the first section of the exam. You will be asked questions about how to investigate with each of the tools. There will also be questions about how to use some of the built-in tools that help with incident management like AIR, incident response options, and policy configurations.
You can prepare for this section by investigating sample incidents in all 4 Microsoft 365 Defender products. If these resources are not available Microsoft Learn has simulated versions of these environments that can be used to learn the basics of the tools.
Azure Defender Incident Management
Azure’s native EDR solution Azure Defender is important for monitoring Azure resources which is why it has its own section of the exam. You will be asked questions about how to investigate alerts from Azure Defender. There will also be questions about options for responding to alerts like using automations and following alert recommendations.
You can prepare for this section by using a test Azure subscription to generate alerts to investigate and respond to. This practice option is not expensive, so most people can use it without issue. There are also Microsoft Learn modules available for Azure Defender alerts.
Azure Sentinel Incident Management
Azure Sentinel is the SIEM system that cloud security analysts use to monitor the alerts coming out of all the tools in the preceding sections. You will be asked about managing incidents in the Sentinel investigation graph and using Sentinel to find additional incident information.
You can prepare for this section by using a test Azure subscription to generate incidents to investigate and respond to. This practice option is the cheapest because of the tiny amount of data it takes to generate incidents. A series of SC-200 Learn modules (part 3-8) were also created specifically for Azure Sentinel.
Azure Sentinel Security Tools
The Azure Sentinel section also includes content about tools used to respond to and enhance incident management. You will see questions about hunting with queries, running automation with playbooks, and discovering more about the data with workbooks.
Azure Sentinel comes with example versions of most of the security tools built-in, you should be able to practice with all the tools right away aside from playbooks. There are also additional security tools that can be used on the official Azure Sentinel GitHub.
Changes Based on Results from the Beta
The exam is still in beta, meaning that Microsoft will adjust the content based on what they learn from people taking the beta version of the exam. Some of the items on the syllabus right now like threat intelligence (TI) integration and creating playbooks may be removed by the time the exam is released because they are more advanced than what is required to analyze incidents in the cloud security tools.
We will continue to share insights in future posts on Microsoft certification exams. When the SC-200 exam comes out of beta, we will be having our analysts take it so that we can further reinforce their knowledge of Microsoft cloud security products.
In closing, consider these three questions when considering if you would be interested in taking the SC-200 exam:
- Do I need security analyst skills specifically, or should I look for different security skills in one of the other SC series exams?
- Will I have access to the Microsoft cloud security tools the exam is based around or will I have to rely on other online resources?
- What kind of career opportunities would I unlock by getting this certification?