Manage Security Threats
This is the proactive arm of SC-200: go find the threat before any alert fires
Most of this exam is about reacting well, tuning detections, working incidents, running playbooks. This domain is the opposite instinct: you have a hypothesis ("is a credential-theft technique already running in here?") and you go looking for the answer in the raw telemetry yourself, before any rule has flagged it. The one skill that makes that possible across every task here is Kusto Query Language (KQL), the read-only query language you use to search Microsoft Defender XDR telemetry and the Microsoft Sentinel workspace. Learn KQL once and it drives all three subtopics. The classic trap the exam sets is offering a detection rule or an automated response when the scenario actually describes proactive, human-driven hunting (or vice versa): hunting finds the threat a rule was never written for, it does not create incidents or remediate on its own.
The domain unfolds in three steps: hunt in Defender XDR, hunt in Sentinel, then visualize in a workbook
Read the three subtopics as one workflow built on the shared KQL engine. First, Hunt for Threats by Using Microsoft Defender XDR is the analyst-facing search over roughly 30 days of raw endpoint, email, identity, app, and cloud telemetry in the Defender portal, plus threat analytics, Microsoft's curated intel reports that overlay an active campaign onto your own tenant's exposure. Second, Hunt for Threats by Using Microsoft Sentinel scales the same idea to your whole Log Analytics workspace and longer time spans: you map hunts to the MITRE ATT&CK matrix to find coverage gaps, pivot on threat indicators (IOCs), and reach old or cheap-tier data with search jobs. Third, Create and Configure Microsoft Sentinel Workbooks turns those same KQL results into an interactive, reusable visual report so an analyst can monitor an environment at a glance rather than re-running a query by hand.
When two surfaces both work, pick the one whose JOB matches the goal: search, visualize, or expose gaps
The exam rewards matching the tool to the job rather than to the portal. Hunting (in either Defender XDR or Sentinel) is for searching and validating a hypothesis; a workbook is for visualizing and monitoring and never detects or responds on its own; the MITRE ATT&CK page is for revealing where you have no coverage so you know what to go hunt next. Inside the Sentinel hunt, the same discipline picks among three tools for three jobs: a bookmark captures a single interesting query row so a fleeting finding survives, a hunt organizes a whole investigation and its collaborators, and a search job runs asynchronously over archived or low-cost-tier data your live queries cannot reach. Name the job first and the surface follows, the same way naming the layer first picks the service in the design domains.
The proactive workflow: one KQL engine, three jobs (and where each is covered)
| Step | Job it does | Reach for it when | Drill into |
|---|---|---|---|
| Hunt in Defender XDR | Search raw endpoint, email, identity, app, and cloud telemetry (~30 days); read curated threat-analytics intel | The entity is a device, mailbox, or sign-in and the lookback is recent | Hunt for Threats by Using Microsoft Defender XDR |
| Hunt in Sentinel | Search the whole workspace; map coverage on MITRE ATT&CK; pivot on IOCs; reach archived data via search jobs | Scope is workspace-wide, the question is about coverage gaps or IOCs, or the data is aged | Hunt for Threats by Using Microsoft Sentinel |
| Visualize in a workbook | Turn KQL results into an interactive, reusable report; monitor at a glance (never detects or responds) | Someone reads the same view repeatedly: a dashboard, attack map, or coverage report | Create and Configure Microsoft Sentinel Workbooks |