Domain 1 of 4

Manage a Security Operations Environment

Domain · 20–25% of the SC-200 exam

Two platforms, one job: get the SOC ready before any alert fires

Almost everything an SC-200 analyst touches lives in one of two platforms, and this domain is about standing both of them up. Microsoft Defender XDR is the prebuilt SOC that already correlates endpoint, identity, email, and SaaS signals into incidents the moment you turn its pieces on. Microsoft Sentinel is the build-it-yourself cloud-native SIEM, a Log Analytics workspace you design and then feed. The single idea that ties the four subtopics together is readiness: a detection, an automatic response, or a playbook only works if the upstream environment was configured to allow it, given coverage of the asset, and fed the right log. The classic exam trap is assuming an action ran when an unset toggle, a too-cautious automation level, an unmanaged device, or a missing connector silently disabled it.

The domain unfolds as four readiness layers, in order

Read the subtopics as a build order for the environment. Configure Microsoft Defender XDR Settings sets the XDR control plane: notification rules, the tenant-wide Defender for Endpoint advanced features, automated investigation and response (AIR) automation levels, and automatic attack disruption, the toggles that decide what telemetry and what automatic action you even get. Manage Assets and Environments then closes coverage gaps, because you cannot defend an unmanaged device or an unprotected cloud resource you cannot see, and it scopes visibility and response through device groups while Vulnerability Management and Exposure Management rank what to fix. Design and Configure a Microsoft Sentinel Workspace lays the SIEM foundation: a Log Analytics workspace with Sentinel switched on, the layered Azure RBAC over it, and the per-table log tier and retention. Ingest Data Sources in Microsoft Sentinel finally fills that workspace, choosing the right collection mechanism per source, from native connectors to the Azure Monitor Agent with a data collection rule.

When two options both work, prefer the broadest correlation and the least manual gate

Across the domain the exam rewards the answer that consolidates rather than fragments, and that lets the platform act on its own where Microsoft already trusts it. Centralize into as few Sentinel workspaces as possible and query across them with Azure Lighthouse rather than spawning one workspace per team. Lean on the prebuilt cross-signal correlation of Defender XDR and on full AIR automation, which Microsoft recommends as the default because it is conservative, instead of parking every action for manual approval. The narrow exception is the high-value or break-glass case: keep change-controlled servers in a group that requires approval, and exclude break-glass accounts from attack disruption rather than turning the feature off.

The four readiness layers and what each one owns

Readiness layerPlatformDecidesDrill into
Configure the XDR control planeDefender XDRNotifications, advanced-feature toggles, AIR automation level, attack disruptionConfigure Microsoft Defender XDR Settings
Cover the assetsDefender XDR and Defender for CloudDevice groups, unmanaged-device discovery, vulnerability and exposure rankingManage Assets and Environments
Plan the SIEM foundationMicrosoft SentinelWorkspace count, layered Azure RBAC, per-table log tier and retentionDesign and Configure a Microsoft Sentinel Workspace
Ingest the dataMicrosoft SentinelConnector vs Azure Monitor Agent with a DCR vs custom table, and ingestion costIngest Data Sources in Microsoft Sentinel

Subtopics in this domain